I don’t know if my router was hacked or what, but I have a dstnat accept rule that keeps showing up in my filter rules. The port number seems random; 16291 was the latest. The first time I saw it I deleted it, but it returns. It looks the same, but every time it returns it has a different port number. I’ve changed my username and password. All services except winbox and web are disabled. The default port for web access has been changed. The router is an RB493G running very new software. Not the latest, but close (I don’t like to be the one finding bugs in the latest software).
Not sure what is going on. I don’t see any funny connections to the router when I run torch. Not sure what else I should be looking for.
What version of RouterOS are you running? (You need at least 6.40.8 in the Bugfix tree or 6.42.1 in the Current tree. You also need to change the password if you were compromised in the past.)
Can you export the rule and show us?
Any weird files or log entries?
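One way to go through an exported config for the kind of rule described above (a dstnat rule nobody added, on a port that keeps changing). This is an added example, not code from the thread or from MikroTik; the export fragment is constructed, with the only detail taken from the thread being port 16291, and the allowlist of known forwarded ports is a placeholder you would fill in from your own documentation.

```python
import shlex

# Constructed sample of a RouterOS "/export compact" fragment (not from the thread).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="admin winbox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN out" out-interface=ether1
add action=dst-nat chain=dstnat dst-port=16291 protocol=tcp \\
    to-addresses=192.0.2.10 to-ports=80
add action=dst-nat chain=dstnat comment="camera" dst-port=8080 protocol=tcp \\
    to-addresses=192.168.88.20 to-ports=80
"""

# Placeholder: the dst-ports you know you forward on purpose.
KNOWN_DSTNAT_PORTS = {"8080"}

def _logical_lines(text):
    """Join RouterOS export lines that were wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""

def parse_export(text):
    """Yield (section, rule_dict) for every 'add ...' line in an export."""
    section = None
    for line in _logical_lines(text):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex handles comment="a b"
                key, _, value = token.partition("=")
                rule[key] = value
            yield section, rule

def suspicious_dstnat_rules(text, known_ports=KNOWN_DSTNAT_PORTS):
    """Return (rule, reasons) for dstnat rules with no comment or an unlisted port."""
    found = []
    for section, rule in parse_export(text):
        if section != "/ip firewall nat" or rule.get("chain") != "dstnat":
            continue
        reasons = []
        if "comment" not in rule:
            reasons.append("no comment")
        if rule.get("dst-port") not in known_ports:
            reasons.append(f"unexpected dst-port {rule.get('dst-port')}")
        if reasons:
            found.append((rule, reasons))
    return found
```

Run it against the output of `/export` saved from each router; a hit is something to look at, not proof of compromise by itself.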
First thing in my mind was enabled UPnP with “dummy rule”, but that creates clear comment with every rule…
I’m checking more of our routers and they are compromised as well. Gosh dang it!
Is there a thread I should reference on the best practice on how to deal with this issue?
Exploits are everywhere in IT, including Cisco. So yes, there is/was a big vulnerability, misused massively. It has already been fixed for several months and you can read more on the forum, or a short summary on the blog: https://blog.mikrotik.com/
There are many topics all around. I am really surprised you were able to miss them. I really can’t point to one specific topic because there are bits and pieces in many, and I already lost track of them. The main topic is http://forum.mikrotik.com/t/advisory-vulnerability-exploiting-the-winbox-port-solved/118771/1. Make sure to disconnect your device from any non-trusted network before you start proceeding. The safest method will always be Netinstall, as it completely wipes the storage and config so nothing can survive; however, I strongly recommend you read more about the different ways to clean your device.
It’s kind of damned if you do, damned if you don’t with mikrotik. We try to keep our software current, but the last few upgrades have bricked a number of our 493Gs, so forgive me if I am hesitant to slap the latest software on there so I can drive 50 miles in the middle of the night to replace a junk router.
Don’t really care that cisco has exploits, I don’t use them. I use mikrotik. The fact that cisco has exploits doesn’t make it ok that mikrotik screwed up here bigtime.
Nothing we can do now but fix the issues. I’d like to see something more specific on how we fix when issues like this happen. Support is kind of lacking with mikrotik.
The blog has been active for two days and is one brick in the steps being taken to improve security. If security problems are known with Mikrotik, they will also inform us through that channel and the channels already used earlier.
Of course owners can be faster and please inform Mikrotik and post in the forum.
You could make a schedule for updating routers in a way that works with your normal maintenance schedule for the routers. So when an update goes bad, you are not that far away and have one or more replacements on hand.
Try to keep a good sensible mix of routers from revisions on hand so you will know in advance if a revision is not happy with the new firmware.