Mēris botnet information

Or remove AVAST. I never have had any problem with built in Microsoft Defender.
Not sure if AVAST is better or worse than MD, but what I know is that many are running both and that is not good at all.
So if you pay (there is a free version) for AVAST and it does not give any more than MD, why pay?
Also MD is created by MS and may work better with Windows than AVAST.

Contemplating on this subject - wouldn’t it be a nice idea for MT or someone outside to create a script, that runs over all public IPs and builds a list of vulnerable MT routers (or get that list from those cocky “investigators” that are publishing stories about Mikrotik), then a second script that goes over these vulnerable IPs, adds a rule to reset to defaults after some hours and runs auto upgrade. That should take care of the problem, but probably make MT upgrade server feel some pain. If you are reaching for keyboard to write something about legality of forcefully upgrading OS or changing settings to defaults - don’t! One evil company from Redmond is doing that for maaaaany years and is quite fine and in our case it serves good, not evil purpose.

What if the upgrade on a remote router goes wrong? Who would fix that, and who would pay for someone to fix it?

Pretty sure (correct me if I’m wrong) MS has a section about automatic updates from them in their TOS. MT does not.

Sounds illegal, I don’t think MikroTik can legitimately access or control other people’s devices.

Of course an option (not for the existing situation but for the future) would be to have an auto-update mechanism (enabled by default) in the router that updates the software when a critical vulnerability has been found. Preferably using a separate release channel that only changes in such cases.
Other manufacturers are doing that, so probably it is allowed.

Has anybody tried the Meris detector at
https://github.com/eclypsium/mikrotik_meris_checker#meris-routeros-checker
?
Is there a binary or .rpm version? I’m a network guy and not so good with compiling C++ source code.

I’ve looked at that GitHub. It’s made to be run from a PC on a LAN and will check IP addresses given as arguments when running.
It checks if the router is exploitable via CVE-2018-14847 and then, if that fails, it requests credentials from you so that it can log in to your router…

The only thing it checks for is whether any schedulers exist which contain the URLs mentioned here: https://blog.mikrotik.com/security/meris-botnet.html
It doesn’t make any changes to your device as far as I can tell… personally I’d just recommend an update to 6.49.2 where possible to let MT’s own device flagging feature do this for you.

I’ve personally had zero problems with updating to 6.49.x, although I know some others here have had problems with this update…
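As an added illustration (not code from the Eclypsium checker, MikroTik, or any poster here), a Python script that applies the same idea to a `/system scheduler export` taken from the router over SSH: it parses each `add` line and flags scheduler entries whose on-event script fetches from a host on an indicator list. The indicator host and the sample export are constructed placeholders, not the real Meris URLs from the MikroTik advisory.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder standing in for the real advisory URLs/hosts.
INDICATOR_HOSTS = {"bad-c2.example"}

# One key=value pair; quoted values may contain spaces and \" escapes.
FIELD_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample of '/system scheduler export' output, not a real capture.
SAMPLE_EXPORT = """\
/system scheduler
add interval=1d name=backup on-event="/system backup save name=daily" policy=read,write start-time=02:00:00
add interval=10m name=update on-event="/tool fetch url=http://bad-c2.example/poll.php mode=http" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1h name=ddns on-event="/tool fetch url=https://dyn.example.net/update?h=myhost mode=https keep-result=no" policy=read start-time=startup
"""

def parse_export_entry(line):
    """Parse one 'add key=value ...' export line into a dict; None for other lines."""
    line = line.strip()
    if not line.startswith("add "):
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line[4:]):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape \"
        fields[key] = raw
    return fields

def find_suspicious_schedulers(export_text, indicator_hosts=INDICATOR_HOSTS):
    """Return (scheduler name, reason) for every scheduler whose on-event fetches a URL:
    'indicator:<host>' when the host is on the indicator list, otherwise
    'fetches:<host>' (a candidate for manual review, not a verdict)."""
    findings = []
    for line in export_text.splitlines():
        entry = parse_export_entry(line)
        if not entry:
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(entry.get("on-event", ""))}
        hosts.discard(None)  # drop unparsable URLs
        if not hosts:
            continue  # local-only script such as the backup job
        hit = hosts & set(indicator_hosts)
        reason = "indicator:" + ",".join(sorted(hit)) if hit else "fetches:" + ",".join(sorted(hosts))
        findings.append((entry.get("name", "?"), reason))
    return findings
```

Run it as `find_suspicious_schedulers(open("scheduler.rsc").read())` on a real export; anything reported as `fetches:` still needs a human to decide whether that job is legitimate (DDNS updaters commonly look like this).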

It does not send your IP anywhere, but there are bots that attempt to connect to all active IP addresses, just by guessing.
Anyway, if you see these logs your firewall is misconfigured. Looks like you need to apply the firewall rules to the interface you use to connect to internet. Possibly PPPoE then?

[quote=wongdi post_id=915764 time=1645884948 user_id=198215]…The question is, how do they know my router from hundreds of millions of IPs around the world and log in remotely within a few minutes?..[/quote]
They do not know your IP … they are testing every address which is valid. Your router is one of millions of “victims” being tested against possible vulnerabilities. Check this https://www.abuseipdb.com/

@wongdi Telnet/SSH/Winbox should never ever be open to the router from outside IP. Seeing in your logs that someone tries to connect from a public IP tells us that it’s open. VPN is nearly the only good way to work on remote routers. Make a new post (not this thread). Post your complete config and ask for assistance.

Unless you have an enterprise grade router, for which it is expected that a competent admin configures it, the default MikroTik configuration is to block incoming connections from internet.

There usually is a conflict between “easy” and “secure”.

If you want it more difficult and minimally safer, have a look here
https://wiki.mikrotik.com/wiki/Port_Knocking
There are some interesting threads in the forum too.

I’m afraid there is nothing you can do. The best solution probably is to buy a new one and configure it, ship it there and ask someone to plug it in.

[quote=AndyBLR post_id=920070 time=1647662259 user_id=187977]
I know that the better solution is to reset the router or netinstall new firmware but the problem is that I’m too far from the device (thousands of miles) and no one has access there. Could you please advise me what can I do in such case?
[/quote]
+1 physically remove and replace/netinstall.

Also, as it is an LTE device, I’d try and disable the SIM/Telco service via the telco provider management. You are risking that the telco will do that anyway, when their IDS/IPS kicks in and they will terminate/suspend your contract… better be pro-active.

I’d double check if the bot/captured device is generating/sending SMS (generating costs as per your tariff).