Depending on your software version, yes, that is correct. See https://blog.mikrotik.com/security/winb ... ility.html
So you mean they have some exploit in the device that they could gain access anytime?
Dang it. Sorry about that. I don't know why I didn't notice you were not the OP. I read your reply from the context of the OP. No wonder it didn't make sense to me.
@tippenring: I'm not admin of RB trying to outsmart DNS domain admin, @alli is.
Have you tried Winbox 3.18? There's a potential fix there. I just realized you aren't the OP. The OP tried 3.18, but you haven't said you tried it.
I'm not a MikroTik master, but I have enough brains to change my credentials after hacking.
You don't necessarily need to post them. Just load the before and after in Notepad++ and do a compare.
I'll take a look and post them without sensitive configs. Too bad I can't use the Mikrotik auto remove sensitive on saved backups.
What was different between the two configs? That's an easy thing to look at.
Right now we are using the CCR that was causing the issue to pass traffic. The only thing that changed to get it to start working was to restore a config file from before the power outage.
I'll bet he/she was alluding that the OP may have a version susceptible to the credential theft bug, so the OP could simply download their creds from the router in clear text and log in.
And how do you log in with a lost password??
No. Or "not necessarily" anyway.
Yes
I'll be waiting to see your findings. Be safe!
Waiting for the rain to test the MikroTik LHG 60G over a 1473.16m link... Hurricane LANE will be here in a day or two.
Presumably you or someone else has control of your router and changed the winbox port. Consider changing the credentials. It wouldn't hurt to netinstall and reconfigure, just in case.
I noticed that the winbox port has change ...
What can be the reason?
I expect the rest of the ports getting pinged are dropped further up in the firewall chain, so not being reported.
I am not surprised by the number of the attack, but that it's >95% on tcp/23.
This isn't really a surprise for most people.
I definitely share your frustration with the "Help! Someone please do all my network engineering for free! URGENT!!!"
Maybe I have read too many "help! my users are actually making traffic! I want to block block block!" topics...
That seems a bit harsh. This could be an opportunity for the OP to learn about traffic management.
Also consider dropping from the business and finding another way to earn money.
I misunderstood your post. My apologies.
Tippenring.
I was agreeing with you. The logs were proof that 2 different attackers had the password from before the upgrade