Have received notes from my ISP that some of my Mikrotik units seem to be infected by Conficker. All the reported IP addresses are Mikrotiks running as wireless clients in bridge mode. Connected to these bridges are Mikrotik routers with different IP addresses that are NOT reported. All units are running RouterOS version 6.34.4. All IP services, except winbox, are turned off. Log files do not show any activity.
Question: Could the Mikrotik bridge be infected? If so - how to detect, clean and how to protect?
Are you sure it’s not a customer machine downstream somewhere that is infected? If you are NATting, your ISP is just going to see it coming from your MikroTik device, and he will have no way to realize that it’s coming from somewhere else inside your network.
Why are you running an old version of RouterOS that has known vulnerabilities, yet still are asking this question? Please immediately upgrade to anything above 6.39
Normis.
Can’t tell why I have been running the old version. Wasn’t aware that there have been issues with the old version, and the units have just worked well…
I have now upgraded almost all my 30 units to the latest software, and also upgraded to the latest firmware. The process has been going well without a lot of downtime of the system.
Not sure if this is the right place, but a few of my units seem to have lost the admin access after upgrade. Traffic flows normally, however. Tried to access via MAC Telnet… I enter the user name and the password, but don’t get logged in. No answer on ping or MAC ping. Is there another way to get access to these units? It is hard to get physical access to them. Any suggestions?
Two of them (one RB SXT G-HPnD r2 and one RB SXT 5HPnD) came to life after approx. 4 hours and seem to work normally now.
The third, a Sextant, RB711-5HnD, is still not accessible, but passes traffic normally. Have tried MAC login and MAC ping from wireless and Ethernet side. Still no access (but I get the telnet login prompt).
The IP/Neighbor list shows that the version is upgraded.
Short update:
More than 6 hours after the software upgrade, the Sextant mentioned above suddenly became accessible from winbox.
Don’t know why it waited so long after the software upgrade. Did a routerboard firmware upgrade afterwards, and it worked normally.
> Can’t tell why I have been running the old version. Wasn’t aware that there have been issues with the old version, and the units have just worked well…
If you have management services enabled on public-facing devices, it’s not even a question as to if one should stay up to date. If you aggressively firewall the access to the management services you may survive to some degree. It’s important to stay up to date with the current threat landscape. If you don’t have much time you can always create a Google Alert for “Mikrotik Vulnerability” that will notify you when it finds new results for that topic.
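
One way to firewall access to winbox, the only service left enabled on the units in this thread, shown as an added RouterOS example that is not part of any post above. The management subnet 192.0.2.0/28, the address-list name `mgmt` and the log prefix are constructed placeholders.

```routeros
# Added example, not from the thread. 192.0.2.0/28 is a constructed
# management subnet; replace it with your own. Apply in Safe Mode so a
# mistake does not lock you out of a remote unit.

# Weak (the default): winbox answers any source address.
# /ip service set winbox address=""

# Layer 1: the service itself only answers the management subnet.
/ip service
set winbox address=192.0.2.0/28

# Layer 2: input-chain rules. Order matters, the first match wins.
/ip firewall address-list
add list=mgmt address=192.0.2.0/28 comment="constructed management subnet"
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to the unit's own connections"
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="winbox from mgmt only"
add chain=input protocol=tcp dst-port=8291 action=drop log=yes log-prefix="winbox-deny" comment="winbox from anywhere else"

# Check the result.
/ip service print
/ip firewall filter print where chain=input
```

These rules only cover access over IP; MAC Telnet and MAC Winbox work at layer 2 and are controlled separately under `/tool mac-server`.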