Today I noticed that my home router (RB962UiGS) was hacked. It was running OS version v6.37.1 and the current firmware was 3.29.
The hacker, or whoever it was, has created a script called “7wmp0b4s.rsc” and scheduled it to run every hour.
They have established an IPsec tunnel to my gateway, and from what I can see in the logs there have been plenty of different login attempts from different IPs.
How did this happen?
And what can I do to prevent this from ever happening again?
However, keep in mind I had a strong password.
Since then, despite clear and persistent warnings from security researchers as well as MikroTik, hundreds of thousands of its routers remain unpatched and are being actively targeted by attackers, security researchers say.
A strong password will not protect you in any way against an exploit. A vulnerability lets hackers bypass almost all security mechanisms. (It’s not just a brute-force password attack, it’s bypassing all checks.)
Only a netinstall of your device can save it. Upgrade/downgrade/reset happens at the RouterOS layer; the exploit is probably hidden in the unreachable Linux layer.
A number of vulnerabilities, including ones allowing attackers to break in without knowing the password, have been fixed since 6.37.1, so this is the most likely reason - along with firewall rules which did not block access to management services from the internet.
A less likely possibility is cross-platform malware, which you might have downloaded to your PC from an infected web page, which has attacked your router from the LAN side, and may even have keylogged the password as you were typing it in.
Now export (not backup) the current configuration into a file, download the file to your PC, and then netinstall the router with the long-term version of RouterOS. Use the default configuration of that version and only modify it with what is really necessary - your saved export will help you with that. Do not import the file with the export as a whole, just use it as an information source.
The only way to keep the router secure against attacks from the LAN is to manage it only via the serial port, or to dedicate an Ethernet interface to management and disable access to management services from the “regular LAN” as well.
First thing you need to do is remove the MT from the internet connection.
The next thing you need to do is NET REINSTALL with the latest firmware.
So download the latest firmware from Mikrotik and then conduct the NETINSTALL process.
Once done, then start from scratch to redo your network setup.
If you have saved a config you can use that as a guide to help you reconstruct the config.
Use the default rules provided for now until we can get you sorted.
Typically, add a username other than admin, and give it a password you have not used before.
Then come back for more help to make sure you stay secure!!
[joking]
I am using Windows 95; it has been working great for the last 25 years without any updates!
I’ve also been using no firewall, since firewalls are for newbs.
But today I logged in only to find out that it was hacked!
“Security analysis of recent RouterOS exploits” by Tomas Kirnak (Atris Spol. s r.o., Slovakia)
English presentation given on Mar 08, 2019 at the MikroTik User Meeting (MUM) in Vienna, Austria, March 07 - 08, 2019.
Video (39 minutes) on Vault7 (CIA/NSA) hacking attacks by some botnets to MikroTik routers - about 600,000 to 1 million MikroTik routers were attacked: https://www.youtube.com/watch?v=3aEyqdz7awE
I had that happen to me a few years ago. That’s when I learned to turn off (after I upgraded my package and firmware) pretty much everything, including MAC telnet, turning off the admin user and firewalling port 8291 from the internet.
Since then I get the occasional DNS and port scan attacks but no access…
Some days I think I need a hardware FW in front of my router… If MT can focus on security with every new release, I will stick with them… if not… it will be time to give up on MT after 8 years and move on to something else.
There is no such thing as “a hardware firewall”. Sure, there are brands with specifically designed ASICs (chips) in them to obtain multi-gigabit full-feature performance, but that is a completely different league… and still there is software running on the hardware.
I’ve been running my RB3011 for quite some years now and never had any security incident, not even a login attempt. Sure, I have hundreds of “attempts” on a daily basis targeting all the classic ports…
Why? Because I “kinda” know what I am doing: I’ve locked down the box as much as possible in terms of remote access, keep versions up-to-date, have logging & notification, etc., etc.
I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hours on any port.
This gives me an access list with from 2000 to 15000 IPs at any time.
If for some reason it is me that has been blocked from outside, I can use port knocking to whitelist my own IP and get in to the system.
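A RouterOS firewall fragment that implements the scheme described in the post above (one probe on a closed port blacklists the source for 24 hours on every port, and a port knock whitelists your own address even while it is blacklisted). This is an added example, not the poster’s configuration; it assumes the WAN port is in the default “WAN” interface list, WinBox listens on TCP 8291, TCP 443 is the only service exposed on purpose, and the knock ports 7000/8000 and the address 203.0.113.10 are placeholders.

```routeros
# Added example, not the poster's own rules. Assumed: WAN port is in the default
# "WAN" interface list, WinBox on TCP 8291, TCP 443 is the one service exposed on
# purpose, knock ports 7000/8000 and 203.0.113.10 are placeholders.
/ip firewall address-list
add list=knock_ok address=203.0.113.10 comment="always-trusted management source (placeholder)"

/ip firewall filter
# Existing flows and garbage first, so the probe rules only ever see new packets.
add chain=input connection-state=established,related action=accept comment="known flows"
add chain=input connection-state=invalid action=drop comment="invalid"

# Port knock: TCP 7000 then TCP 8000 within 15 s whitelists the source for 10 min.
# add-src-to-address-list does not stop rule processing, so the knock packets are
# dropped explicitly right after, before the catch-all below could blacklist them.
add chain=input in-interface-list=WAN protocol=tcp dst-port=7000 action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=15s comment="knock 1"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8000 src-address-list=knock_stage1 action=add-src-to-address-list address-list=knock_ok address-list-timeout=10m comment="knock 2"
add chain=input in-interface-list=WAN protocol=tcp dst-port=7000,8000 action=drop comment="never answer knock ports"

# A successful knock gets WinBox even if the source is currently blacklisted,
# which is how you let yourself back in after locking yourself out.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 src-address-list=knock_ok action=accept comment="WinBox after knock"

# Blacklisted sources are dropped on every port, both to the router and through it.
add chain=input in-interface-list=WAN src-address-list=blacklist action=drop comment="blacklisted 24h"
add chain=forward in-interface-list=WAN src-address-list=blacklist action=drop comment="blacklisted 24h"

# Whatever is meant to be reachable from the internet.
add chain=input in-interface-list=WAN protocol=icmp action=accept comment="ping"
add chain=input in-interface-list=WAN protocol=tcp dst-port=443 action=accept comment="public HTTPS service"

# Anything else arriving on WAN is a probe of a closed port: one hit is enough.
add chain=input in-interface-list=WAN action=add-src-to-address-list address-list=blacklist address-list-timeout=24h comment="probe on closed port -> blacklist"
add chain=input in-interface-list=WAN action=drop comment="drop the probe"
```

The more relaxed variant from the next post (tolerating a few probes over several hours) is the same pattern with staged lists, e.g. a probe_stage1 entry with a multi-hour timeout that has to exist before a second probe moves the source into blacklist.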
I do it slightly more relaxed: within a time-frame of several hours, I accept “a few” probes for TCP & UDP. Once exceeded, they go on the blacklist.
My ACL normally has something like 150-200 IPs on it at any time.
Others will say this approach makes no sense, why go through all the hassle of doing this : just drop any packet that is not part of a session or targeted towards non DNAT’ed ports and get on with your life and don’t even bother logging this “noise” that exists “by default”
But I do it purely out of interest (just like yourself I guess)
Is there a different mitigation for a “metered” (E.G. 4G subscription) versus an “unmetered” connection (E.G. DSL line, cable modem, FTH, …) ?
The ISP is mostly filtering already quite a lot on mobile connections.
Nobody mentioned “tarpit” as protection: https://wiki.mikrotik.com/wiki/DoS_attack_protection. Recommended mitigation or not ?
That attack traffic is on your ISP connection anyway, and I would like to have that rather minimal. One cannot hold off a DDoS that would eat all of your bandwidth.
Exactly. If your WAN address is a public one, you likely asked for one on purpose, so you run some service which needs to be available from the internet, so the ISP (mobile or not) won’t filter what comes from the world to that address. If your WAN address is a private one, nothing can get in from outside unless you’ve asked for it (possibly indirectly, see how Teredo works; the same technique is used by peer-to-peer networks, but that’s unlikely to work on mobile ISPs’ networks anyway).
And as you say, in SOHO case, your problem may often be not the CPU of your server but the bandwidth of your uplink. The tarpit approach only helps on attackers who target some service, so by sending a SYN,ACK response, you may move them from port scanning mode to application attacking one, but it won’t work on many of them - some will continue sending SYN to other ports even when they got a SYN, ACK on one. Those which just want to load the resources will simply send SYNs no matter whether they get any response.
I don’t use “tarpit”. It will only consume more resources (cpu/mem) on your side with the idea to slow the attacker down by holding the connection, but…
For metered connections, only your upstream ISP can truly provide some useful action. If the packet hits your interface, it consumed already bandwidth & resources.
I’m using Mikrotik purely in SOHO environment with low-bandwidth Internet (100megabits) compared to some users that have multi-gigabits at their disposal.
I saw this in the best practices wiki. I don’t use it, but do you see value in adding it to the default setup…?
add action=drop chain=forward comment="Drop tries to reach non-public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1
(where the list is the usual bogon list - of course with own private subnets excluded)
The reason I ask is that we don’t otherwise really filter anything outgoing from LAN to internet (with VLANs, not so concerned about LAN to LAN traffic).
Let me rephrase my question so it fits the answer…
“What is the purpose of applying the rule above?”
Now, lets get back to the question asked…
So you are saying it is worth it, or a waste of time…??.. Yes you will be held liable in a court of law if you give an opinion LOL
I knew I should have made it simpler for the experts to keep them roped into a small circle - would you have this rule on your own router
why and why not!!