Normis et al.,
Just to make it clear:
All of our clients' routers that got hit were hit at virtually the exact same time, and all from the same source IP. They did admittedly all have an "admin" user, and they all obviously had SSH enabled, so that's admittedly a problem. However, they all had different passwords for the "admin" user, and some routers that were compromised were running 6.45.6, so it shouldn't have been possible to harvest the "admin" password from them while they were running that version.
If I understand what you're saying correctly, it sounds like you are guessing that maybe somebody harvested the "admin" passwords from these routers a long time ago (before they were upgraded to a non-vulnerable version), and then didn't do anything with those passwords until a couple of days ago? So if we had changed either the username or the password between then and now, those routers would not have been affected. If that is what you are saying, the only problem with this theory is that in order for it to make sense, all of the routers that were compromised would also still have to have the same IP addresses that they had when the passwords were originally harvested, because this theory assumes that the attacker would know what specific password to use for a router at a specific IP address.
If it turns out that a sizable number of the routers all have dynamic IPs, and those IPs change frequently, and the router's IP address changed after the upgrade to recent non-vulnerable versions, then this theory cannot be correct. I would guess that this -- routers with dynamic IPs were compromised -- is true in our case, but I will check with others in my organization that dealt with most of the clean-up to see if they can confirm this for me.
As far as the "do not use admin user" advice goes, the problem here is not so much the use of the "admin" user, but the use of "admin" with the same password after having previously used a vulnerable version of RouterOS. If someone had deleted "admin" back when the router was running, say, 6.36, and then upgraded after that, it would not have mattered that the router had no account called "admin", because all passwords for all full-access group users would have been harvestable while the router was running 6.36, not just the one for the account called "admin". Therefore it would have been enough to change *either* the username *or* the password, but only *after* upgrading.
-- Nathan