Lost connection to multiple LHG units

Hi all,

Today all our customers who have a public IP with a MikroTik device stopped working. When we checked to understand what happened, we saw that the Ethernet interfaces of these devices are not working, and some SXTs were reset.
So I want to ask whether this is related to any security vulnerabilities?

Thanks.

Power outages?
Didn't pay internet bills?
ISP folded?
What is the reason for the failures?
Not enough information.

Version?
… details, formulate a report.

Using too easy passwords on publicly available, not firewalled devices?

Hi anav,
Power outages?
These devices are in different places and there were no power outages at their places…
Didn't pay internet bills?
Devices are not working, ether ports do not work.
What is the reason for the failures?
I don't know. That's why I'm sharing this problem here. All other CPEs are working, but the ones with a public IP do not work. All of them have the same problem.

Thanks

Hi BRMateus2,

The devices are not working, so I could not check what version they were. I will try to Netinstall them today. Nearly 50 devices are down.

Hi mistry7,

The password was not easy and the user name was not admin either. The Winbox port and SSH, Telnet and API are closed to the outside.

Thanks.

I have the same problem. There are 10 LHG devices with ether down and Netinstall is not working. Any suggestion how to repair them?

I sent mail to support yesterday but they have not answered me yet.

Two possibilities come to mind
a. ISPs changed their setup
b. routers changed their setup - Did you implement firmware updates at the time of the failures?

Hi anav,

We are supplying internet to these customers and we did not change any setup; we did not apply any firmware. There are more than a thousand CPEs, and only the MikroTiks with a public IP assigned are affected.

You say the Ethernet interface is not working. Can you access the device from the WiFi interface?

Hi Normis,

There is no WiFi signal either. Most of them are LHGs and all of them have the same problem… The BIOS seems lost. We copied the BIOS of one LHG and transferred it to a broken one and it worked, but now the licence has a problem: the device works but says there is no licence. Another problem is that all MACs are the same as the copied one's.

Thanks

Just a thought, but perhaps one of your customers gained access and corrupted them all. If you use the same credentials on all of your customer devices, it would not be difficult for someone to do this.

We have denied access to some ports like 22, 23, 8291, 8728, 8729...
What advice do you have for such problems? And what was wrong with these devices, how did they delete their BIOS firmware?

Thanks

Most people that think they have a “secure” network do not. I see this all the time.

As far as the question of how did this happen, it will be easier to determine once you have done some investigation. Right now, how it happened has many answers. Do you have remote management of the devices at the customer sites? Do you use common passwords across multiple devices? Do you permit remote management from a management subnet? These are just a few questions.

Is it the firmware, or is it the router software (RouterOS) that is removed? I would not expect you to be able to recover if the firmware is missing, but I could be wrong.

Yes, you are right.. plus inexperienced for this :slight_smile:

No.

Unfortunately yes, the same password for multiple devices.

Yes, for management we permit some special IPs to access.

Firmware (BIOS file).

I don’t know how to erase firmware, so I can’t begin to guess what happened.

Perhaps one of your management hosts is/was compromised. Another possibility would be an as-yet-undiscovered vulnerability since it only occurred on routers with public IPs. I have perhaps 100 MT routers with public IPs and haven’t seen any go offline yet.

Please let us know when you discover the cause.

I could not discover the cause, but I took help from here and created some firewall rules, and I will set them up on the CPEs which are using public IPs.
You may have a look at the topic:
http://forum.mikrotik.com/t/firewall-advice-to-pppoe-client-customers/117717/11
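The poster's actual rules are not on this page. As an added example (not from the thread or from MikroTik), below is one way to lock a public-IP CPE's management plane down in RouterOS along the lines discussed above: services bound to named management hosts, the ports listed earlier (22, 23, 8291, 8728, 8729) unreachable from the WAN, and drops logged so probing shows up. The management addresses 203.0.113.10/11 and the interface list named "WAN" are placeholders; on a PPPoE-client CPE the pppoe-out interface would be the member of that list.

```routeros
# Added example, not the thread author's configuration.
# Placeholders: management hosts 203.0.113.10 and 203.0.113.11,
# and an interface list "WAN" that contains the public-facing interface.

# 1. Name the only hosts that may manage the router.
/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="NOC host 1 (placeholder)"
add list=mgmt address=203.0.113.11 comment="NOC host 2 (placeholder)"

# 2. Bind the management services to those hosts and switch off the unused ones,
#    so a missed firewall rule does not expose them.
/ip service
set winbox address=203.0.113.10/32,203.0.113.11/32
set ssh address=203.0.113.10/32,203.0.113.11/32
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set www disabled=yes

# 3. Input chain: keep existing sessions, allow the management hosts,
#    drop everything else arriving on the WAN (covers 22, 23, 8291, 8728,
#    8729 and any service added later) and log it for review.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=mgmt \
    comment="management hosts only"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=drop in-interface-list=WAN log=yes \
    log-prefix="wan-input-drop" comment="everything else from the WAN"
```

Rules are evaluated in order, so the accept for management hosts must sit above the final WAN drop; the log prefix makes `/log print where message~"wan-input-drop"` a quick check for who is knocking on the management ports.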

I would be curious to see your previous firewall rules to see if there is any obvious weakness.