IP blocked

Hi. Experiencing strange thing here. Probably it is not the router, but I figured I would ask.

Recently I’ve started experiencing strange things. Browsing to certain sites suddenly requires verification that I am human. That verification is done by cloudflare.com.
Also, some services stop working: I transfer names of songs and album pictures to my website, as well as song names to Twitter and tunein.com.
That stops working with a message: connection closed gracefully or timed out.

The second I go to DHCP client and renew IP, all becomes normal for a few days, and then all starts again.

It is clearly something going on down the road and my IP becomes blacklisted. The question is WHY? I would like to fix this but do not know how. Verizon does not help much. All they can offer is to renew the IP address, which solves it for a short period of time (4-7 days).

I was thinking perhaps there is something in the router settings that could cause this???

I would very much appreciate if you could suggest anything that can be checked.

READ here more: https://community.spiceworks.com/topic/313970-access-restriction-due-to-cloudflare

That sounds like some device using your WAN IP address is doing nasty things to some internet servers/networks. There are a few possibilities:

  • somebody else is doing it, spoofing its address (using yours). IMO not very probable. If this was happening, then probably the whole ISP’s IP subnet would be compromised and the ISP would have had to react somehow already.
  • your router is doing it. If it got hacked, then the attacker could have installed some malware. Or opened up a proxy and used it to attack some other target.
  • some device in your LAN is doing it. Somehow it caught some virus or malware and is now doing bad things.

You should definitely check the last two options (nothing you can do about the first one other than changing WAN IP address now and then).

Oh, boy!
Thanks very much for your reply.

Would you PLEASE help me figure out where to check for 2 and 3???


This problem affects ALL devices on the network, including phones, iPads etc.

I had the transparent proxy enabled and I checked the connections there; there were quite a few. So I disabled the proxy and the NAT redirection to 8080, and set a firewall rule to drop connections to 8080.

I changed the password for the router user name and disabled the default user name.

Where else should I check?


To make sure it’s not your router, you have to fully inspect every single configuration item, understand it and see if it makes sense in your environment. It’s easier to do it by reading the exported config (to text). If you don’t understand some config, then you must assume it’s malicious. And in this case you should netinstall the router and adjust the default config according to your needs, keeping changes to a bare minimum so as not to open exploitable holes (again).

If it’s some of your gadgets doing it … well, it’s hard to catch that without extensive logging of outgoing connections and analyzing the logs.

Of course it affects all of them, as all of them reach the world via that single public IP address of your router. So it is enough if one of them sends spam or does anything else which causes someone out there to report that IP address as a source of malicious traffic to the public block lists.

The fastest, but not really fast, way to find the culprit is to sniff the traffic at the LAN side, where individual private addresses are still available, and use Wireshark to look for unexpected connections - outgoing SMTP connections to many different servers are the first thing to come to my mind, but the actual malicious activity may be a different one. So you’d filter out the expected connections, one by one, and what remains may be the malicious traffic.

If the router itself is infected, exporting the configuration, netinstalling the router and re-importing the configuration manually, checking the purpose of every line, is the only way to be sure that you’ve got rid of the malware.

Before doing that, I’d recommend posting the configuration for a review - your firewall rules may be leaky, so you could get back to where you started shortly after completing the above procedure.

Sindy, thank you for such a thorough explanation. I remember the torture of setting up the router. It was a nightmare.
I see all your suggestions, however I don’t even know from which side to approach this. I saved the configuration file. I opened it, but I have no idea what I am looking at and what to look for…
If you could help, I’d really appreciate it.

That’s what I’ve suggested - take the exported file, do the steps suggested in my automatic signature, and post the result here.

The file should only contain what you’ve configured yourself. If you haven’t added any scripts and there are some, the device has been hacked. If you haven’t configured UPnP and it is configured, the device has been hacked. If you haven’t set up web proxy and it is set up, the device has been hacked.

The export contains the same information you can obtain from Winbox or WebFig, but in a more concise form.

Sindy,

I am sorry, but I do not fully understand from your signature what needs to be done.
:frowning:

Well, creating such a complex configuration using mouse clicking really isn’t easy.

Looking at your configuration, I’ve found

  • no scripts
  • no upnp
  • nothing strange about the /ip proxy and /ip smb

But allowing http management (not even https one!) via WAN, without restriction to some limited set of source addresses, was not a good idea. In the older RouterOS versions, user credentials were stored in plaintext, and could be retrieved from the device without previous knowledge of any of the username:password pairs, making use of some vulnerability (I don’t remember the details, but it has been discussed here on the forum). The fact that you run the web service on a non-standard port doesn’t actually help much. Even Winbox has been proven insecure in the past, so as the rule is there and is only disabled, I suspect Winbox access from the whole internet was open for at least some time in the past.

Other than these serious issues, the firewall rules, although they could be optimized a bit, don’t seem more leaky than the default ones to me.

As there is no restriction of access to the router from the LAN side (which is no different from the default firewall), a cross-platform malware could also infect it.

So this gives us no clue on whether the router itself has been infected or some device on the LAN.

So removing the two rules I’ve mentioned from the configuration exported without hide-sensitive, netinstalling the router, and importing that configuration back should make sure that the router itself is malware-free, but it doesn’t prevent it from getting infected again from the LAN side.

If you can use a pair of usb-to-serial converters to manage the router via serial terminal (which requires use of command line), you can disable other ways of management from the LAN too. If you cannot, dedicating one Ethernet interface for management by a trusted device is the next most secure option - the weakest point here is how much you can actually trust that device.

As you can see, there is no easy way to find out what’s going on there. The sniffing remains the most reliable way, but if the router itself is infected, even that may be questionable, as the malware may affect even the sniffing process.

Dear Sindy,

UPNP is enabled :frowning:

/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=bridge2 type=internal
add interface=ether1 type=external

Oops, I’ve missed that. UPNP is actually only dangerous when the malware is already present on a LAN device, but if the OP did not enable it intentionally, it would be a sign of malware activity.

If it has been configured intentionally, it doesn’t change much on the overall picture.

Sindy,
Thank you very much for such a detailed expertise!

I wrote about changing some features:

I had the transparent proxy enabled and I checked the connections there; there were quite a few. So I disabled the proxy and the NAT redirection to 8080, and set a firewall rule to drop connections to 8080.
I changed the password for the router user name and disabled the default user name.

If modifying the above-mentioned does not make any difference (in a couple more days I will see if the problem returns), then my next step would be to restore the backup from June 2020, when everything was working well.

I have a question. I have a backup file from June 2020; then I did not experience any problems, yet it does not have certain settings, but I can set them up again. Is restoring that backup synonymous with completely resetting the router and then loading the backup?

Unfortunately it is not. Restoring a backup only restores the configuration, and to be sure that malware doesn’t survive, you need to set every file in the system to the state intended by the vendor. A netinstall is the only way to do that, as it erases the whole flash memory and installs only what comes from the vendor. You cannot inspect the contents of a binary backup file, so there is a potential for the malware to hide there; an export is a text file you can inspect before importing it, so it is much harder for the malware to hide there. Blindly copy-pasted scripts you don’t understand are one place where malware could hide in an export, but you don’t have any scripts; a static DNS server address of a malicious server could be another place, but that’s easy to spot.

And again, it is not clear yet whether the malware is in the router or in one (or more) of your LAN devices.

Even worse, some malware can even confuse Wireshark, which is why you should never run Wireshark itself with administrator privileges.

But hey, the activity which makes your address fall on an anti-spam list must be annoying someone, so it must be quite an easily noticeable, and thus distinguishable, one. Hence sniffing the traffic should be sufficient.

Or maybe a good first step before even venturing into sniffing and analyzing the sniffs could be just to use the firewall to log suspicious outbound traffic from LAN:

  • log attempts of devices in the LAN subnet to connect to the SMTP port (25 on TCP) on public addresses, and of course reconfigure everything on the LAN devices that needs to use SMTP to send mails to use port 587 (on which only secure and authenticated connections are normally accepted by servers).
  • log attempts of devices in the LAN subnet to connect to the DNS port (53 on both UDP and TCP) on anything other than the router’s own address
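Once such logging rules are in place, the log still has to be read. The following is an added example (not from this thread or from MikroTik) that summarizes constructed lines in the style of RouterOS firewall log output per LAN host, counting distinct SMTP targets and DNS servers other than the router; the router address 192.168.1.1, the log prefixes and the sample hosts are assumptions.

```python
import re
from collections import defaultdict

ROUTER_LAN_IP = "192.168.1.1"   # assumed LAN address of the router

# Constructed log lines in the style of RouterOS firewall logging; not real captures.
SAMPLE_LOG = """\
jan/02 10:00:01 firewall,info SMTP-OUT forward: in:bridge1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:51234->203.0.113.5:25, len 60
jan/02 10:00:02 firewall,info SMTP-OUT forward: in:bridge1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:51235->198.51.100.7:25, len 60
jan/02 10:00:03 firewall,info SMTP-OUT forward: in:bridge1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.10:51236->203.0.113.9:25, len 60
jan/02 10:00:04 firewall,info SMTP-OUT forward: in:bridge1 out:ether1, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 192.168.1.20:40000->203.0.113.5:25, len 60
jan/02 10:00:05 firewall,info DNS-OUT forward: in:bridge1 out:ether1, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 192.168.1.20:5353->8.8.8.8:53, len 72
jan/02 10:00:06 firewall,info DNS-OUT forward: in:bridge1 out:ether1, src-mac 00:11:22:33:44:55, proto UDP, 192.168.1.10:6000->198.51.100.53:53, len 72
"""

# Picks the protocol and the "src:port->dst:port" pair out of a logged packet.
LINE = re.compile(
    r"proto (?P<proto>\w+).*?, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)")

def summarize(log_text, smtp_threshold=3):
    """Per LAN source: number of distinct SMTP targets and external DNS servers, plus a verdict."""
    smtp = defaultdict(set)
    dns = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport == 25 and m["proto"] == "TCP":
            smtp[src].add(dst)
        elif dport == 53 and dst != ROUTER_LAN_IP:
            dns[src].add(dst)
    report = {}
    for src in sorted(set(smtp) | set(dns)):
        n_smtp, n_dns = len(smtp[src]), len(dns[src])
        if n_smtp >= smtp_threshold:
            # A normal mail client talks to one or two servers; a spam bot talks to many.
            verdict = "many distinct SMTP servers: likely spam bot, inspect this host first"
        else:
            verdict = "check which program on this host needs direct SMTP/DNS"
        report[src] = {"smtp_servers": n_smtp, "external_dns": n_dns, "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```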

Thank you.
My brain is boiling :frowning:

I have a 10 meg file of sniffed data. A bunch of IPs and stuff going on, and that bunch of numbers means nothing to me - I am not a network specialist, unfortunately.
Netinstall - I read about it just now… so many steps that I don’t understand… and then, the router will become the way it was out of the box,
and it will take me a year to bring everything back to normal, since for 2 years I forgot all the parts that need to be set up.

There are 2 computers that are constantly ON: radio broadcast PC and my regular PC. I checked all the startup items on both, did not find any strange programs running - all is normal. What would be the easiest way in my case to deal with this ? I honestly don’t know what to do :frowning:

The netinstall will place the router into an out-of-the-box state with an up-to-date RouterOS version. Importing of the export taken and stored outside the router before the netinstall, and sanitized (by removing the rule allowing http access from outside), will restore the configuration on the netinstalled router without the need to re-invent it from scratch.

It doesn’t seem you use certificates, but if you do, you have to export them separately (using /certificate export-certificate command, and providing a passphrase as otherwise the private key will not be exported).

Before or after that, you can add the logging rules to the firewall, as I’ve suggested in my previous post.

I know it doesn’t sound relieving but a 10 megabyte file is nothing for this analysis.

And the fact that some PCs are constantly on and some are not is not really important, it is enough if the infected one is up for a couple of minutes per week.

If it is above your head, finding a local consultant is the best solution.

What do you mean by “broadcasting PC”? Is it used to listen to internet radios or is it used to send your own stream to the world?

Sindy,
Yes, I have an internet radio station here.
So, this whole deal is terrifying! :frowning:

The netinstall will place the router into an out-of-the-box state with an up-to-date RouterOS version. Importing of the export taken and stored outside the router before the netinstall, and sanitized (by removing the rule allowing http access from outside), will restore the configuration on the netinstalled router without the need to re-invent it from scratch.

Sindy,
I disabled rules for web access to router. Exported settings.

All the backups, exports etc. are on the external flash drive that is plugged into the router. Is it safe to keep the drive plugged in during the netinstall?

So, after all is done, I can import that file, and the router will gain all the settings that were there before the netinstall?

Restoring from backup is not an option, right?
How do I restore everything from myconfig.cfg.rsc?
Is it done through the terminal also?
Is it “import file=myconfig.cfg” ???

To confirm:

1. On the PC, create a static address
2. Connect the cable to a port on the router
3. Start netinstall64.exe

Configure Net booting settings. What ip is this?

4. Unplug the router, then press and hold reset while plugging the router in and wait until the router appears in netinstall
5. Select the package (already downloaded “routeros-mipsbe-6.47.8.npk”) and start Install.

Then I am not sure… :frowning:

No idea, never tried that, but as the wear and tear of the USB connector on a single disconnection and re-insertion is negligible, I’d definitely disconnect the USB before netinstalling. Plus I’d also download the file to some PC, just in case.


Yes.


I don’t know what’s the internal structure of the backup file, so I cannot be 100% sure that the malware cannot make it to the file. So better safe than sorry.


Well… this way, there would be some conflicts with the default configuration, so the safe way is to

  1. edit the .rsc file (which probably cannot be done on the router itself due to its size, so you’ll have to edit it on a PC) and add :delay 1m as the very first line
  2. place the edited file to a place in the file system where it survives a reboot (if the flash directory is present, the .rsc file has to be placed there),
  3. issue the following command: /system reset-configuration keep-users=yes run-after-reset=the-file-name.rsc (or flash/the-file-name.rsc if appropriate)


Any IP in the same subnet as the address you gave to the PC (so I’d recommend following the manual literally, 192.168.88.2/24 to the PC and 192.168.88.3 as the net booting address)


The progress bar should grow but not too fast - if it says “done” in less than 2 seconds, nothing has actually happened. If it takes more than 10 seconds and finishes, you’ve succeeded and you can reboot the router and connect to its default 192.168.88.1 address (the 192.168.88.3 is only used for flashing the software).

Netinstall may surprise you in many ways, so get ready to spend more than two minutes on it (optimists never experience pleasant surprises). E.g. on my previous laptop, I had to let netinstall discover the device, then exit netinstall and run it again so that the upload would succeed. Not the case with the current laptop, but it also wasn’t the same netinstall version.

If your radio broadcasting is an around-the-clock one, I’d recommend using another MikroTik device to train on first (and then using it as a temporary one while you fiddle with the main one).

The good news is that if the netinstall doesn’t succeed, nothing is overwritten.

With every reply from you, I get more confident LOL Seriously!

edit the .rsc file (which probably cannot be done on the router itself due to its size, so you’ll have to edit it on a PC) and add :delay 1m as the very first line
place the edited file to a place in the file system where it survives a reboot (if the flash directory is present, the .rsc file has to be placed there),
issue the following command: /system reset-configuration keep-users=yes run-after-reset=the-file-name.rsc (or flash/the-file-name.rsc if appropriate)

Let me repeat :slight_smile:
So after the process is complete, I will log into router the normal way and place the config file in the root of FILES?

then in terminal paste this: /system reset-configuration keep-users=yes run-after-reset=the-file-name.rsc

and it will while rebooting install all the settings?

Yes. I’ve realized in the meantime that it is a 3011, so the flash directory is not used in your case.


Correct. It will ask you whether you are really sure, and if you confirm, it will execute the reboot. To avoid typos, I recommend to type in the first few letters of the file name and then press [Tab] so that the machine would complete the file name on its own. If it doesn’t, there’s a typo already in the first few letters.

Or you can do the same from Winbox or Webfig: system->reset configuration, and check the settings and choose the file from the list in a GUI window.

BTW, I’ve noticed another dangerous rule in the export:
action=accept chain=input comment="BFM - ACCEPT API REQUEST" disabled=yes in-interface-list=WAN

I know it is disabled now, but if enabled, it checks nothing at all (no address-list, no protocol, no port) so it completely opens access to the machine from WAN.

Other points:

  • don’t panic when you lose access after one of the steps, as there is no “one size fits all” network configuration of the PC:
    • for netinstall, you need to set up a static address on the PC to connect to the 3011
    • after the netinstall, but before importing the configuration, you need the static address of the PC to be 192.168.88.(anything between 2-254 included) or the PC to be asking for a dynamic address
    • to connect to the 3011 after the configuration gets imported, you need the static address of the PC to be 192.168.1.(anything between 2-254 included) or the PC to be asking for a dynamic address
  • don’t forget to copy the contents of the /FAXES directory (if still in use) somewhere else before doing the netinstall. If you don’t use it any more, disable the whole SMB subsystem, as it is also a terribly complex piece of software which potentially still can contain some vulnerabilities.
  • netinstall will purge all user accounts, so you have to recreate them. Do not use the same passwords, and preferably not even the same user names, as before. And once you add an account with administrator privileges (group=full) for yourself and set its password, log in as that user and remove (or at least disable) the admin account.
  • before netinstalling, disconnect all Ethernet cables from the machine, and do not connect them back until you disable the admin account. The default firewall blocks any access from outside, but if the whole trouble is caused by a cross-platform malware which sits waiting there on one of your PCs or phones, having the admin account with no password, or any other account with the old credentials, would be really bad. Of course, if it’s the PC from which you do the netinstall and configuration, you’re doomed :slight_smile:
  • before netinstalling, disconnect all Ethernet cables from the machine, and do not connect them back until you disable the admin account. The default firewall blocks any access from outside, but if the whole trouble is caused by a cross-platform malware which sits waiting there on one of your PCs or phones, having the admin account with no password, or any other account with the old credentials, would be really bad. Of course, if it’s the PC from which you do the netinstall and configuration, you’re doomed :slight_smile: