When I log in via winbox, there are multiple logins for the same user visible in logs and immediately the same number of jobs running is created where the owner is the account which was used to access the device (IMG1). What I find disturbing is that the telnet service is disabled and the additional logs seem to use telnet nonetheless. There are no existing scripts visible in the scripts section, neither is there a script name next to the job. When I delete the jobs, the additional logins are logged out at the same time according to logs (IMG2). The job detail is visible on IMG3. Is this usual behavior or is the device infected? I did a netinstall with format but the additional logins are persisting.



Hi dzendo,
I’ve noticed the same thing when I log into one of several RouterOS devices with Winbox. Have you found an explanation for this?
Sincerely,
Hi Eggersd,
Unfortunately not, I have no explanation yet.
Thanks for the reply Dzendo.
I wonder if we can get this post noticed by someone who knows. One thought is that I’m running CAPSMAN and wonder if a telnet session is used to pass info by to CAPS. Another thought that concerns me is if one, or more of my RouterOS have an old leftover security breach with scripts running in the background. I think I remember reading about a security issue where a hidden script was placed on the system.
When running the latest version of winbox (3.29) each telnet session shows up on the lower left panel as a window so it’s easier to notice the issue.
Sincerely,
Do you happen to have command line windows (Terminal) open in the winbox sessions in question?
I don’t use Capsman, but recall reading here on the forum that what you are seeing is normal for a Capsman installation.
Hi Sindy,
Actually, yes. …and I think you solved the issue. I noticed the issue before using WinBox 3.29, but now that I’m running 3.29 the Terminal appears to be associated with the additional admin user login and script job. I thought I had closed the Terminal Windows, exited, then re-launched WinBox to find that the user was logged in and script job running again. After your post I saved the session after closing Terminal Windows, exited, and now the additional log-ins, script Jobs and Terminal Windows do not appear. Seems simple now, but was driving me nuts. Thanks for your help.
Sincerely,
Great, I can confirm too that the script appears only when the terminal is open.
THANK YOU
I saw this in another router and changed passwords and and and closed all windows and power cycled… THEN saw it happen today on another router and did the same things and had two at once pop up, found this and sure enough had two terminals opened and as I closed them, closed the open jobs in my scripts.
Very odd behavior, Thanks again for posting this everyone, saved me more headache.