I have a CCR1016 and it has been running 6.48.1 - now updated to 6.48.3
I have noticed two identical entries entries appearing on the input chain at the top: add action=accept chain=input disabled=no dst-port=5678 protocol=tcp
I also have two mikrotik CRS switches on the network. Any reason for this? Should I be concerned?
If the second is not udp, someone do incomplete work.
Please could you elaborate?
Please do not use “Reply with quote” without any reason, use “Post Reply” instead.
Accept incoming Neighbor Discovery protocol, but the protocol use UDP not TCP.
You can delete the rules without problems.
I had been hacked - same as here http://forum.mikrotik.com/t/what-is-ip-socks-i-got-hacked-and-they-open-this/146488/1
Although My router OS was more up to date. Big concern - Reset Time
Use the same port for Neighbor Discovery protocol, a perfect legit service use between RouterBOARD to mask the traffic…
Probably your router is “compromised” some time ago…
Thanks. I am aware 5678 UDP is legit.
Someone was adding 5678 TCP at the top of my input chain and had set up L2TP client as documented in the aforementioned post.
Router OS has been kept up to date. I run a L2TP server so maybe compromised that way?
Probably, but is hard to say.
Better make backup, NOT backup, EXPORT.
Netinstall the device, and import back the export, section by section, for search other strange thing, if any…
As the rextended stated, the only safe course of action is to a neintsall and put back the old confg exported back in bits, without the offending bits and especially any scripts (even if you made them they may have been modified!)
Do not use the same userID (edit: and password thank rextended) and use a different winbox port too if using winbox.
P.S.: Do not use same password and change ALL your password used till now!!!..
Thanks all. Netinstall completed with new credentials
Well done, most people take a few times to get the hang of netinstall, seems like it worked well for you first go!
The first time nothing happened and the reboot button did not appear. Second attempt all worked as per the instructions on the wiki.