Search found 25 matches

by jabberd
Mon Nov 04, 2019 4:07 pm
Forum: General
Topic: flash hack mikrotik
Replies: 4
Views: 925

Re: flash hack mikrotik

Just try to use the "set tracefile" bug to gain a root shell and look inside what's going on.
by jabberd
Sun May 20, 2018 11:18 pm
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

There was the only user at the device with a subnet 199.0.0.0/8 added as allowed one. It's rather easy then to find a proxy host within this range. Luckily, the vulnerability worked still, and in combination with the working pptp server it has become possible to find inside the OP's network an anoth...
by jabberd
Sun May 20, 2018 1:07 pm
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?


I have the telegram account, yes.
Ok, I'm @jabberd there.
by jabberd
Sun May 20, 2018 12:56 pm
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?


Yes, it's open. Winbox tells login incorrect when trying to connect.
Do you have Telegram/Jabber/Twitter to directly contact me? I have an idea...
by jabberd
Sun May 20, 2018 4:54 am
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Yes, I tried with clear vulnerable router, this version is working and shows the admin password but not on the hijacked routers. Seems that they did something to close this exploit...
Is 8291 port open at the hijacked devices?
by jabberd
Sun May 20, 2018 2:40 am
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Yes, I got this 2.60 Beta. Entered IPs, started scan (added port 8291 also), each router listed twice, detected ROS version, total results found 7, good results - 0. In the lines with port numbers 8291 is written status Can't load main page. When trying to connect from winbox it still reports incor...
by jabberd
Sun May 20, 2018 2:25 am
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Seems that Router Scan does not help, not sure I got correct router scan... It only shows that my hijacked routers have 6.41 and 6.40.6 versions... The main problem is that one of the hijacked routers is 250 km away from me, please any other advice welcome. The version should be beta, right from there:...
by jabberd
Sun May 20, 2018 12:32 am
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Doesn't Router Scan have vulnerabilities itself, or did I mistake it for another tool... Forgive me if I'm speaking out of school here. I don't know, but there's the default setting to automatically send out the results to the server, so it has to be configured properly first. It's just a tool th...
by jabberd
Sat May 19, 2018 4:09 pm
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Both winbox and web are open, but all passwords are changed or locked. There's a tool called Router Scan, which recently got the winbox exploit implemented. I think, you'd give it a try. Probably, this tool was used by someone to hijack your devices. And if RouterOS versions aren't updated now, you...
by jabberd
Sat May 19, 2018 3:12 pm
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

Some VPN works with previous passwords. Which other services should I try? Are there open winbox/web services at these devices? For example, if there the winbox service was open before, and after the hijacking it's remaining open, you've got a chance to get the device back if there's a vulnerable R...
by jabberd
Sat May 19, 2018 7:09 am
Forum: General
Topic: Is there a way to restore config from hijacked mikrotik router?
Replies: 32
Views: 3999

Re: Is there a way to restore config from hijacked mikrotik router?

No, I lost access to about 10 routers, all these routers had vulnerable versions, like described here viewtopic.php?f=2&t=132368
Are they accessible in any way? I mean any open services there.
by jabberd
Mon Apr 02, 2018 1:26 am
Forum: Announcements
Topic: Urgent security advisory
Replies: 110
Views: 102560

Re: Urgent security advisory

In addition, there's a new Mirai variant available spreading over. Dropbear ssh server listens at port 62508/tcp, an instance of busybox+tcpdump+libpcap and a startup script for dropbear are in the file system.
by jabberd
Wed Mar 07, 2018 12:02 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

And what is the solution?
The solution is to use the winbox email tool bug, which I had reported to the support. I don't want to share the details here, sorry.
by jabberd
Tue Mar 06, 2018 4:13 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

Did it
Still nothing. What's your username there?
by jabberd
Mon Mar 05, 2018 11:23 pm
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

I have tweeted you. Please find the solution.
Please tweet me again, I haven't got anything yet.
by jabberd
Mon Mar 05, 2018 10:33 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

Same problem as yours and this is the full script.
Can you contact me directly at Twitter/Telegram (@jabberd), please? Just before removing the NAND :)
by jabberd
Mon Mar 05, 2018 10:29 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

The process of NAND Gate removal
OMG, I thought you're gonna contact me directly to get a hint on removing that script, but now I see you've chosen a hard(ware) way for resolution of the problem :)
by jabberd
Sun Feb 25, 2018 12:29 pm
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

For now I can still access with my "admin" account with limited privileges. I can only see but can't config anything. I tried to copy script to *.txt file but it can't copy to clipboard, that's why I posted screenshot here. Can you contact me directly in Telegram or Twitter? (@jabberd). I have an idea...
by jabberd
Sun Feb 25, 2018 10:09 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

I can't do anything just say RIP to this Router
You posted the screenshot from there above, so do you have any access to the router? Or you had it once and have lost finally?
by jabberd
Sat Feb 24, 2018 9:31 am
Forum: General
Topic: After upgrade firmware 6.40.5, Can't change admin's group to full
Replies: 43
Views: 6165

Re: After upgrade firmware 6.40.5, Can't change admin's group to full

In the Users section, It has another account "sys" which is set to group "full"
Anyone here knows the password of "sys" account, please tell me. So I will change the group of "admin" to "full"

Thanks
Have you resolved your issue?
If not yet, what actions are you able to do with your device?
by jabberd
Sat Feb 24, 2018 9:22 am
Forum: General
Topic: Possible security breach
Replies: 12
Views: 6104

Re: Possible security breach

OK, I should've reported this "feature" to the support. I thought that mentioning it here was enough for things to get fixed :-)
by jabberd
Sat May 06, 2017 12:08 am
Forum: General
Topic: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))
Replies: 9
Views: 3162

Re: [Possible virus/bug] Terminal, User and many other settings became unavailable (Terminal not allowed (9))

Any way I could avoid doing a factory reset for this?
Yes. You could use a Netwatch trick to gain full privileges and then remove the rogue user.
by jabberd
Wed Mar 22, 2017 1:39 pm
Forum: General
Topic: Possible security breach
Replies: 12
Views: 6104

Re: Possible security breach

If you have the "router" user with full privileges, and have your "admin" set to "admin" group with reduced set of privileges (ssh, telnet, policy are disabled), you may try to log in with admin and add a netwatch up rule for 127.0.0.1 with something like this: /user set admin group=full So there'll...
by jabberd
Wed Mar 22, 2017 1:10 am
Forum: General
Topic: Possible security breach
Replies: 12
Views: 6104

Re: Possible security breach

Any recommendation? Have you seen this before? Is there other investigation I can do? To figure out if anything has been changed I've seen this before on some devices: there was also the user "router" with full privileges (with unknown password), and "admin" with newly created "admin" group with re...
by jabberd
Tue Feb 28, 2017 2:17 pm
Forum: Wireless Networking
Topic: wireless sniffer streaming to a server
Replies: 5
Views: 3681

Re: wireless sniffer streaming to a server

The gist mentioned above has been updated (e.g. listening to UDP 37008 explicitly, not all the interface traffic, and a note on Ethernet TZSP conversion).