How To Blocked Meris Botnet - Mikrotik Script RouterOS

How To Blocked Meris Botnet?

Overcoming Meris Botnet that infiltrates Mikrotik Routers where your router will be turned into a zombie to carry out DDOS attacks.

Best course of action: 

Keep your MikroTik device up to date with regular upgrades.
Do not open access to your device from the internet side to everyone, if you need remote access, only open a secure VPN service, like IPsec.
Use a strong password and even if you do, change it now!
Don't assume your local network can be trusted. Malware can attempt to connect to your router if you have a weak password or no password.
Inspect your RouterOS configuration for unknown settings (see below).
In collaboration with independent security researchers, we have found that there exists malware that attempts to reconfigure your MikroTik device from a Windows computer inside your network. This is why it's important to set a better password now (to avoid passwordless login or a dictionary attack by this malware) and to keep your MikroTik router upgraded (since this malware also attempts to exploit the mentioned CVE-2018-14847 vulnerabiliity which has long been fixed). 

Configuration to look out for and remove: 

System -> Scheduler rules that execute a Fetch script. Remove these. 
IP -> Socks proxy. If you don't use this feature or don't know what it does, it must be disabled. 
L2TP client named "lvpn" or any L2TP client that you don't recognize. 
Input firewall rule that allows access for port 5678. 
You can also work with your ISPs to block the following addresses, which these malicious scripts are connecting to.

copy paste this script to terminal

/system scheduler remove [find where on-event~"script3_"]
/system script remove [find where name~"script3_"]
/file remove [find name~"mikrotik.php"]
/ip socks set enabled=no
/ip socks set port=1080


or you can use address list for block him

/ip firewall filter 
add action=drop chain=input comment="BLOCK MERIS BOTNET" dst-address-list=blocked-meris-botnet
add action=drop chain=forward dst-address-list=blocked-meris-botnet

/ip firewall address-list
add list=blocked-meris-botnet add=eeongous.com
add list=blocked-meris-botnet add=leappoach.info
add list=blocked-meris-botnet add=mythtime.xyz
add list=blocked-meris-botnet add=1abcnews.xyz
add list=blocked-meris-botnet add=1awesome.net
add list=blocked-meris-botnet add=7standby.com
add list=blocked-meris-botnet add=audiomain.website
add list=blocked-meris-botnet add=bestony.club
add list=blocked-meris-botnet add=ciskotik.com
add list=blocked-meris-botnet add=cloudsond.me
add list=blocked-meris-botnet add=dartspeak.xyz 
add list=blocked-meris-botnet add=fanmusic.xyz
add list=blocked-meris-botnet add=gamedate.xyz
add list=blocked-meris-botnet add=globalmoby.xyz
add list=blocked-meris-botnet add=hitsmoby.com
add list=blocked-meris-botnet add=massgames.space
add list=blocked-meris-botnet add=mobstore.xyz
add list=blocked-meris-botnet add=motinkon.com
add list=blocked-meris-botnet add=my1story.xyz
add list=blocked-meris-botnet add=myfrance.xyz
add list=blocked-meris-botnet add=phonemus.net
add list=blocked-meris-botnet add=portgame.website
add list=blocked-meris-botnet add=senourth.com
add list=blocked-meris-botnet add=sitestory.xyz
add list=blocked-meris-botnet add=spacewb.tech
add list=blocked-meris-botnet add=specialword.xyz
add list=blocked-meris-botnet add=spgames.site
add list=blocked-meris-botnet add=strtbiz.site
add list=blocked-meris-botnet add=takebad1.com
add list=blocked-meris-botnet add=tryphptoday.com
add list=blocked-meris-botnet add=wchampmuse.pw
add list=blocked-meris-botnet add=oddgames.info
add list=blocked-meris-botnet add=widechanges.best
add list=blocked-meris-botnet add=zancetom.com

Credit: https://blog.mikrotik.com/security/meris-botnet.html