As I have written before, a number of routers at one location have started acting strangely, in that throughput falls dramatically about 1-5 minutes after they boot up and connect to CAPsMAN. All of them were running v6.49.15. The problem started in May 2024. MIPS and ARM had trouble flashing to v7, but some of them were x86 that could not be updated due to old CPU (Alix boards). All of them were behind some other firewall, but exposed to (Windows and mobile phone) users.
I just found out that on another location v6.49.8 router also slows down traffic to a point it is no longer usable.
So I took it down and ran torch on the port it was connected to. After booting up, it accesses two addresses:
45.129.132.135 (located in Amsterdam, Hostplace datacenters ltd), and 52.0.252.110 (Amazon, Virginia, ec2-52-0-252-110.compute-1.amazonaws.com)
My conclusion is that a normal MikroTik has no business contacting these addresses, and that they are under somebody else's control. What should I do? Would it be of any help if I send the routers, or at least the CF cards, to MikroTik? Would sending the .rif file be of any use?
Most likely sending CFs or RIFs to MT wouldn't help anybody much. Most probably there is/was a hole in the firewall configuration of those devices which allowed attackers to get them under their control.
What should be done (by you or some knowledgeable person) is to analyze the configuration with focus on the desired functionality. Then they should be netinstalled (to wipe off all traces of inadequate and malicious configuration) and configured anew … based on the default config (which is pretty secure). One thing the default config is not good for is when devices offer public internet access … the default config assumes that the LAN side is safe and allows full access to the router.
Simply upgrading ROS doesn't help in such a situation, as an upgrade doesn't fix errors and omissions in the configuration.
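As an added example (not from either poster), this is what "configure anew from the default config, but stop trusting the LAN side" can look like in RouterOS v6 terms, plus an output-chain log rule that would have made the unexplained outbound contacts described above visible. The admin host 192.168.88.10, the address-list names and the interface list name LAN are assumed values.

```routeros
# Assumed: LAN is the default 192.168.88.0/24 and only the admin workstation
# 192.168.88.10 (constructed value) may reach the router's management services.
/ip firewall address-list
add list=mgmt address=192.168.88.10 comment="admin workstation (example value)"
add list=router-allowed-dst address=192.168.88.0/24 comment="LAN, plus add DNS/NTP/update hosts"

/ip firewall filter
# Input chain: traffic addressed to the router itself.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
# Management (SSH 22, HTTPS 443, WinBox 8291) only from the mgmt list,
# not from every LAN client as the default config allows.
add chain=input action=accept protocol=tcp dst-port=22,443,8291 src-address-list=mgmt
# LAN clients still get DNS from the router and ICMP works for diagnostics.
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN
add chain=input action=accept protocol=icmp
# Everything else aimed at the router, from LAN or WAN, is logged and dropped
# (action=log does not terminate, so the drop rule after it still applies).
add chain=input action=log log-prefix="input-drop"
add chain=input action=drop
# Output chain: connections the router itself opens. Log any new connection to a
# destination outside the allowlist so a router "phoning home" shows up in /log.
add chain=output action=log connection-state=new dst-address-list=!router-allowed-dst log-prefix="router-out"

# Disable services not needed for management and bind the rest to the admin host.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.10/32
set winbox address=192.168.88.10/32
```

Apply this from a safe-mode session (Ctrl-X in the terminal) so a mistake in the input rules cannot lock you out, and add the router's DNS, NTP and update hosts to router-allowed-dst first, otherwise legitimate router traffic is logged as well.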
Thanks for the answer. I already wiped and reinstalled the other devices with a new config. As you said, the routers were basically operating in a LAN, but that is not good enough anymore. Both were protected by two distinct firewalls (one MikroTik, the other some corporate one). Besides, firewall penetration is not so hard, and the techniques for that are old (remember Skype?).
I was hoping this info might be useful in finding out how those routers were penetrated, or in preventing that from happening on other devices. There are still many, many devices running v6.
Edit: I have tracked a device in that network, made by Hunan FN-LINK Tech., also trying to contact the same addresses. Not that I know what that means.