Likely unrelated to the issue with the rogue gateway servers, please note that this weekend an exploit was launched that affects MikroTik routers running RouterOS older than 6.38.5 and that have their web service (WebFig) open to the outside network.
These get infected via the web service and start a worm that scans for other routers to infect.
Once it is inside your network it may propagate to other devices. It will scan for the usual MikroTik configuration interfaces, of which port 8291 (winbox) is most easily identified (the others, 23, 80 etc., are already scanned so often that it is difficult to identify the source).
I did a trace of about 10 hours on the 44.137.0.0/16 network and over that period it was scanned by over 345,000 unique IP addresses on the internet, and randomly connecting back to a few of them returns an old version of RouterOS every time...
Disturbingly, there are also a couple of AMPRnet IP addresses on that list! They are mainly in two different networks. Unfortunately they do not appear in ampr.org reverse DNS.
wlan1.w7hr-sunnyslope.hamwan.net[44.24.240.110]
wlan.kd7tqn.hamwan.net[44.24.240.221]
wlan1.baldi.we7x.hamwan.net[44.24.240.222]
poe.haystack.hamwan.net[44.24.241.41]
44-25-128-124.ip.hamwan.net[44.25.128.124]
r1.crystal.hamwan.net[44.25.128.169]
lan.r1.beacon.hamwan.net[44.25.64.65]
ether1.ap.beacon.hamwan.net[44.25.64.73]
44.34.128.100
44.34.128.101
vrrp.hil.memhamwan.net[44.34.128.102]
44.34.128.103
ptpsco.leb.memhamwan.net[44.34.128.163]
ptpazo.leb.memhamwan.net[44.34.128.184]
44.34.128.34
44.34.128.35
44.34.128.36
44.34.128.39
44.34.128.62
44.34.128.94
44.34.128.99
44.34.129.114
44.34.129.117
r2.mno.memhamwan.net[44.34.129.35]
ptphil.mno.memhamwan.net[44.34.129.38]
sec1.mno.memhamwan.net[44.34.129.40]
sec2.mno.memhamwan.net[44.34.129.41]
44.34.129.42
44.34.129.66
44.34.129.67
44.34.129.73
44.34.131.144
AP-120.StPete.flscg.org[44.98.249.67]
AP-240.StPete.flscg.org[44.98.249.68]
AP-A-250.tampa.flscg.org[44.98.249.7]
W9CR-Mgmt.StPete.flscg.org[44.98.249.76]
AP-B-330.tampa.flscg.org[44.98.249.8]
AP-C-110.tampa.flscg.org[44.98.249.9]
44.103.35.26
44.140.129.12
When you know who owns one of the above systems, please advise them that their router is compromised and that they have to update it.
As it seems now, updating will also remove the worm, but in my opinion it is safer to cleanly re-install it using netinstall and restore your backed-up configuration. (You make backups, don't you??)
When you run a MikroTik router and have not updated RouterOS, please update it to at least 6.40.6 (select bugfix-only in the updater) or the current version 6.41.3. In the latter case, be aware of the issues around updating from 6.40 to 6.41 in complicated switched configurations.
And of course, always configure a firewall that disallows access to the configuration interfaces from the internet, as always for devices like this.
Rob
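Added example, not part of Rob's post: a small analyser for the kind of trace he describes. It reads RouterOS firewall log lines (constructed samples below, not real traffic), counts unique sources per configuration port, and lists the sources inside AMPRnet that probed port 8291 (winbox), the one port the post singles out as a usable indicator because it is rarely scanned by anything else. The 44.0.0.0/8 prefix, the `cfg-scan` log prefix and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption for this example: the whole 44/8 is treated as AMPRnet.
AMPRNET = ipaddress.ip_network("44.0.0.0/8")

# Ports a worm scanning for MikroTik configuration interfaces will try.
# Only 8291 (winbox) is specific enough to attribute a scan to this worm;
# 23 and 80 are hit by every mass scanner on the internet.
CONFIG_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "www", 443: "www-ssl",
                8291: "winbox", 8728: "api", 8729: "api-ssl"}

# Constructed RouterOS firewall log lines (log-prefix "cfg-scan" assumed).
SAMPLE_LOG = """\
mar/26 09:14:02 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 185.0.0.10:49182->44.137.1.1:8291, len 52
mar/26 09:14:03 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 185.0.0.10:49183->44.137.1.2:8291, len 52
mar/26 09:14:05 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 44.24.240.110:1234->44.137.1.3:8291, len 52
mar/26 09:14:06 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:40000->44.137.1.1:23, len 60
mar/26 09:14:07 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.9:40001->44.137.1.1:80, len 60
mar/26 09:14:09 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 44.34.128.100:5555->44.137.2.9:8291, len 52
mar/26 09:14:10 firewall,info cfg-scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 44.34.128.100:5556->44.137.2.10:80, len 52
mar/26 09:14:11 system,info,account user admin logged in from 44.137.0.5 via winbox
"""

LINE_RE = re.compile(
    r"proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_log(text):
    """Return one dict per log line that is a TCP SYN towards a configuration port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall line, or not TCP
        if "SYN" not in m.group("flags"):
            continue  # only new connection attempts count as scan hits
        dport = int(m.group("dport"))
        if dport not in CONFIG_PORTS:
            continue
        events.append({"src": m.group("src"), "dst": m.group("dst"), "dport": dport})
    return events


def unique_sources_by_port(events):
    """Map destination port -> set of distinct source addresses that probed it."""
    by_port = defaultdict(set)
    for e in events:
        by_port[e["dport"]].add(e["src"])
    return dict(by_port)


def is_amprnet(ip):
    return ipaddress.ip_address(ip) in AMPRNET


def amprnet_scanners(events, port=8291):
    """Sources inside AMPRnet that probed winbox: candidates for an already infected router."""
    hits = {e["src"] for e in events if e["dport"] == port and is_amprnet(e["src"])}
    return sorted(hits, key=ipaddress.ip_address)


def report(text):
    """Human-readable summary of a trace, returned as one string."""
    events = parse_log(text)
    by_port = unique_sources_by_port(events)
    lines = [f"port {p} ({CONFIG_PORTS[p]}): {len(by_port[p])} unique source(s)"
             for p in sorted(by_port)]
    lines += [f"AMPRnet source probing winbox: {src}" for src in amprnet_scanners(events)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the output of `/log print where message~"cfg-scan"` (or a syslog export of those lines) from a router whose input chain logs dropped connections to the configuration ports; the per-port counts show why only the 8291 hits are worth chasing, and the AMPRnet list is the set of owners to contact.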
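Added example, not from Rob's post or from MikroTik: a RouterOS 6.4x configuration fragment that does what the last paragraph asks, closing the configuration interfaces to the internet and pulling the bugfix release. `ether1` as the internet-facing interface and 44.137.0.0/16 as the management network are assumptions; adapt them to your own setup.

```routeros
# Added example (not the original post's configuration). Assumes ether1 faces the
# internet and 44.137.0.0/16 is the network management should come from.

# Services the worm enters through or that scanners target: turn them off,
# and bind the ones you keep to the management network only.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=44.137.0.0/16
/ip service set ssh address=44.137.0.0/16

# Input chain: keep existing sessions, drop invalid, allow management from the
# management network, and drop (and log) everything else aimed at the
# configuration ports arriving on the internet interface.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="existing sessions"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input src-address=44.137.0.0/16 protocol=tcp dst-port=22,8291 action=accept comment="management from own network"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop log=yes log-prefix="cfg-scan" comment="config interfaces from internet"

# Move to the bugfix channel (6.40.6 at the time of the post) and install it.
/system package update set channel=bugfix
/system package update check-for-updates
/system package update install
```

Put the drop rule before any general accept on the input chain, and check `/ip firewall filter print` afterwards: rule order is what decides whether winbox is reachable from outside. Updating alone does not close the web service, so the `/ip service` lines matter even on a patched router.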