There is generally a script or two, sometimes they're scheduled. The API and API-SSL services might have an IP block set to them. Services you had disabled might be enabled now. There might be a RADIUS server setup and in System-Users, on the AAA button, use RADIUS could be checked for login to authenticate non-local accounts to access the router. There could also be SSH or SSH Private Keys installed. Logging might be changed from the default (specifically, to not show API or login entries).
On 6/18/18 2:52 PM, Scott Reed via Mikrotik-users wrote: > While we are getting everything on a network upgraded to avert the > infection threat on RouterOS, is there anything we can see to know that > the device is infected? > _______________________________________________ Mikrotik-users mailing list Mikrotik-users@wispa.org http://lists.wispa.org/mailman/listinfo/mikrotik-users