Attack on port 45678

Hello people,

I just mitigated a DDoS attack which starts from outside to my router port 45678/tcp and the router floods the upload connection sending data from that port to many other IPs on random ports!

Does anyone have any idea what service is on port 45678/tcp on the MikroTik router? It’s an RB2011 with RouterOS 6.43 (latest).

When I telnet to the router on port 45678/tcp I get connected but nothing happens. It just reads my data without answering anything and without disconnecting me!

Thanks in advance

Haris

My guess: on your hacked router, a SOCKS proxy listens on port 45678.

Port 45678 is closed on my (so far) un-hacked RB.

There’s nothing on port 45678 by default. If you don’t want to click through Winbox/WebFig, just export the configuration to a file and look for “45678” in there.

Thank you very much.

Indeed, I found that a proxy was enabled! But I never enabled any proxy. Probably a hacked router? How can I tell if it has been compromised?

Probably if it ran an old version and didn’t patch in time, it fell to this: https://blog.mikrotik.com/security/winbox-vulnerability.html

Safest way forward is to netinstall. Don’t forget to change all passwords.
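
The export-and-search check suggested in the thread can be scripted so that it reports any enabled proxy, not only one on port 45678. This is an added example, not code from any poster: the sample export is constructed, the function name is hypothetical, and it assumes the proxies live under the `/ip socks` and `/ip proxy` menus with RouterOS default ports 1080 and 8080.

```python
import re

# Constructed sample in the style of a RouterOS v6 "/export" file; not taken from the thread.
SAMPLE_EXPORT = r"""# constructed sample
/ip service
set telnet disabled=yes
/ip socks
set enabled=yes \
    port=45678
/ip proxy
set enabled=no port=8080
/ip firewall filter
add action=drop chain=input comment="block 45678" dst-port=45678 protocol=tcp
"""

# Menus that turn the router into a relay, with the assumed default listening ports.
PROXY_MENUS = {"/ip socks": 1080, "/ip proxy": 8080}

MENU_RE = re.compile(r"^(/.*?)(?:\s+(?:set|add)\b(.*))?$")
PROP_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def find_proxy_listeners(export_text):
    """Return [(menu, port)] for every SOCKS or web proxy the export enables."""
    # Long export lines are wrapped with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    findings, menu = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Either a bare menu line or the one-line form "/ip socks set ...".
            menu, rest = MENU_RE.match(line).groups()
            if rest is None:
                continue
            line = rest
        if menu not in PROXY_MENUS:
            continue
        props = dict(PROP_RE.findall(line))
        if props.get("enabled") == "yes":
            findings.append((menu, int(props.get("port", PROXY_MENUS[menu]))))
    return findings


if __name__ == "__main__":
    for menu, port in find_proxy_listeners(SAMPLE_EXPORT):
        print(f"{menu} is enabled and listening on tcp/{port}")
```

A firewall rule that merely mentions the port is not reported; only an enabled proxy service is.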