Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html
So you mean they have some exploit in the device that they could gain access anytime?
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me.
@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
I'm not a MikroTik master, but I have enough brains to change my credentials after hacking.
You don't necessarily need to post them. Just load the before and after in Notepad++ and do a compare.
I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
What was different between the two configs? That's an easy thing to look at.
Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
I'll bet he/she was alluding that the OP may have a version susceptible to the credential theft bug, so the OP could simply download their creds from the router in clear text and log in.
And how do you log in with a lost password??
No. Or "not necessarily" anyway.
Yes
I'll be waiting to see your findings. Be safe!
Waiting for the rain to test the MikroTik LHG 60G over a 1473.16m link... Hurricane LANE will be here in a day or two.
Presumably you or someone else has control of your router and changed the winbox port. Consider changing the credentials. It wouldn't hurt to netinstall and reconfigure, just in case.
I noticed that the winbox port has changed ...
What can be the reason?
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
I am not surprised by the number of the attack, but that it's >95% on tcp/23.
This isn't really a surprise for most people.
I definitely share your frustration with the "Help! Someone please do all my network engineering for free! URGENT!!!"
Maybe I have read too many "help! my users are actually making traffic! I want to block block block!" topics...
That seems a bit harsh. This could be an opportunity for the OP to learn about traffic management.
Also consider dropping from the business and finding another way to earn money.
I misunderstood your post. My apologies.
Tippenring.
I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade
A search of this forum before yet another post about how "I've been pwned" would do you wonders.
Why do you say that...? And how can I check?
RouterBoard OS 6.35.2
I wonder if your device did not maybe get hacked!
I understand netinstall doesn't work if the device is >50 ft off the ground. Does anyone have the support ticket # for that issue?
Have you tried netinstall? Or is the affected box also too high and/or far to do that?
Wow. Although relatively low risk, I can't think of a reason for not verifying the cert but laziness. Good thing I don't upgrade from Winbox I guess.
Still no signature checking or HTTPS... man in the middle can easily compromise administrator's PC.
I second this recommendation. I have several in production now. It's a very simple VPN to set up compared to IPSec client-type connections.
Look into SSTP VPN, works great for me, very secure and uses certificates
Fully agree with what @CZFan said.
@Sob and @sindy, with all due respect, I love watching you guys argue / "interfere" I learn so much from you guys, please continue
Well that totally changes my opinion. I thought you were an ISP.
I am not an ISP. I manage a company network with BYOD policy.
I only glanced at the log. I hadn't noticed that. Good catch.
According to the log (which for some reason was sorted descending by time), phase 1 has succeeded. That's why I've suggested to remove the lifetime from the ph2 proposal.
MDI/MDIX is no doubt the problem. Make a crossover patch cable and you'll be good.
Even if the switch was so very old that it would not automatically choose between MDI and MDI-X,,,,
Good point. ARP only occurs on broadcast interfaces. PPPoE would not be a broadcast. Thanks for the correction.
That is not the case. PPPoE does not use ARP, route cache can be leaked from something else. Generate supout file and send to support.
add distance=1 gateway=ether1
/ip dhcp-client option add code=66 name="tftp server" value=0xc0a8040a
I use http://paulschou.com/tools/xlate/ to convert between hex, text, base64 and other formats.