MT sending spam !? Confused!

Hi, for the last few days we have been receiving abuse messages for our two MT routers. We have checked all of our servers behind the routers but found nothing sending spam messages. Today, while checking the configuration, I noticed SMTP traffic from the public interface on one of the routers.

https://www.dropbox.com/s/776xwiredniuwit/MT-log01.jpg?dl=0

I did a packet capture and checked the traffic on the output of the public interface, and it showed it’s spam:

https://www.dropbox.com/s/kvq5t46h9kn99yc/MT-log02.jpg?dl=0

I disabled all the interfaces except the public interface, disabled the L2TP server, then checked the output of the public interface and the spam traffic is still present. It looks like spam is being sent from the MT router itself!?
This is happening on two of our routers which were affected by the latest vulnerability, the one involving creating a script and a schedule entry. We did an upgrade to version 6.42.6 and changed passwords.
I hope this is not another vulnerability or remains of the previous one, and that I’m not missing the obvious.
Any advice or suggestion would be appreciated. Thanks!

Miro

Should this router be connecting to mx.mail.ru? Sounds like you are compromised. What version of ROS are you running?

No. The version is the latest for the x86 platform, 6.42.6.

Then I would go through it and make sure that there is nothing there that shouldn’t be. Someone seems to be using you as an SMTP relay and that’s bad.

Even with all the local interfaces disabled, the emails are being sent. How is that possible?
SYN packets to TCP port 25 are visible only coming out of my public interface. I have set several mangle rules and nothing comes into the router on this port, it just goes out…

https://wiki.mikrotik.com/wiki/Manual:Tools/email

This is why I said you need to go through the config. They could have scripts/schedulers and other things running that don’t require them to make an incoming request anymore. They have compromised you; the router can now send email (and probably other requests) from itself.

Get it via Terminal and export your config to see what is in it.

Check other traffic too, e.g. if you had a SOCKS server accessible from outside, proxied connections would look like they are coming from your router.

You should really use the firewall to protect your management ports. Yes, there is a very bad bug in old routeros versions, but it’s only exploitable if you f*cked up your firewall rules.

That is the problem!
The IP SOCKS service is enabled and the default port has been changed to 4145. I am getting incoming connections to this port and the MT is acting as a relay for spam messages. I suppose the SOCKS service was enabled during the recent botnet action (when the script and scheduler rules were created), because I see this anomaly only on the router exposed directly to the Internet.

Of course I did that first. No scripts, no unusual entries in the configuration. SOCKS is functionality I have never used, that’s why I hadn’t noticed it was enabled. Actually, I didn’t know whether it is enabled or disabled by default.

The only ports accessible from the outside are the Winbox port and the custom SSH port.

Anyway, problem is solved. Thanks :wink:

But why are these accessible from outside?
It’s probably only a matter of time until the next (currently unknown) vulnerability in Winbox gets exploited, and SSH is everyone’s favorite scan target.
Do you really need to have these ports accessible from the whole internet? Can’t you use a VPN for remote management or at least require some complicated port-knocking pattern? Leaving them open without additional protection is basically asking to be hacked again.

It’s 10 times better to set up a VPN (IPsec/L2TP) so you can access your admin functions in a secure way.
If that is not possible, use port knocking (you need to hit some secret ports within a time frame to open your port).
If you need to have Winbox or SSH open, use a random high port and a long username and a long password.
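An added RouterOS (v6 CLI syntax) example, not taken from any post in this thread, covering the check that found the SOCKS relay and the port-knocking hardening suggested in the last post. The interface name ether1-public, the SSH port 2222, the knock ports 7001-7003 and the admin address 203.0.113.10 are constructed placeholders; 8291 and 4145 are the Winbox and SOCKS ports named above.

```routeros
# --- 1. Confirm whether the router itself is the SMTP source ---
# chain=output matches traffic the router originates (not forwarded LAN
# traffic), so a hit here means the box, not a host behind it, is sending.
# Review the entries with: /log print where message~"smtp-from-router"
/ip firewall filter add chain=output protocol=tcp dst-port=25 action=log log-prefix="smtp-from-router" comment="temporary: spam check"

# SOCKS enabled=yes on a router that never used SOCKS is the smoking gun
/ip socks print
/ip socks access print
# Leftovers from the earlier script/scheduler compromise
/system script print
/system scheduler print

# --- 2. Contain: turn the relay off and clear any SOCKS access entries ---
/ip socks set enabled=no
/ip socks access remove [find]

# --- 3. Harden management: port knocking in front of Winbox (8291) and
#        the custom SSH port (2222). Rules are evaluated top to bottom and
#        "add" appends, so check /ip firewall filter print afterwards and
#        move these above any existing catch-all accept on the input chain.
/ip firewall filter
add chain=input connection-state=established,related action=accept
# Knock sequence 7001 -> 7002 -> 7003, 15 s allowed per step; only a source
# that completes all three lands in mgmt-allowed, and only for one hour
add chain=input protocol=tcp dst-port=7001 action=add-src-to-address-list address-list=knock1 address-list-timeout=15s
add chain=input protocol=tcp dst-port=7002 src-address-list=knock1 action=add-src-to-address-list address-list=knock2 address-list-timeout=15s
add chain=input protocol=tcp dst-port=7003 src-address-list=knock2 action=add-src-to-address-list address-list=mgmt-allowed address-list-timeout=1h
# Management is accepted from the knock list (or a fixed VPN endpoint) only
add chain=input protocol=tcp dst-port=8291,2222 src-address-list=mgmt-allowed action=accept
add chain=input protocol=tcp dst-port=8291,2222 in-interface=ether1-public action=drop
# Belt and braces: the SOCKS port must never be reachable from the public side
add chain=input protocol=tcp dst-port=4145 in-interface=ether1-public action=drop

# Permanent entry for the admin VPN endpoint (constructed address)
/ip firewall address-list add list=mgmt-allowed address=203.0.113.10 comment="admin VPN endpoint"
```

Remove the temporary output-chain log rule once the relay is confirmed gone, since it fires for legitimate /tool e-mail use as well.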