Suspicious behaviour in SMB config

Hi all,

I monitor all my Mikrotik devices and have automated config versioning by using Oxidized (https://github.com/ytti/oxidized).

Those configs are pushed to a git server, where I get notifications when something has changed. Surprisingly, I received one of these notifications while there hadn't been any change last week (no updates, no config changes).

+ /ip smb shares
+ add comment="default share" directory=/pub name=pub
+ /ip smb users
+ add name=guest

Quickly followed by:

  /ip smb shares
  add comment="default share" directory=/pub name=pub
+ add comment="default share" directory=/pub name=pub
  /ip smb users
  add name=guest
+ add name=guest

And;

  /ip smb shares
  add comment="default share" directory=/pub name=pub
  add comment="default share" directory=/pub name=pub
+ add comment="default share" directory=/pub name=pub
  /ip smb users
  add name=guest
  add name=guest
+ add name=guest

Which is, in my opinion, strange/suspicious, due to the following facts:

  • I have not changed the config myself
  • I have not updated the Mikrotik prior to this behaviour
  • Removing this part of the config results in it “coming back” later
  • Updating to the latest RouterOS and firmware does not resolve this behaviour (currently 7.1.5)
  • I do not use the IP->SMB service at all
  • I do not see any login attempts, nor successful logins, prior to these changes (remote syslog, etc.)
  • Rebooting does not help

As a result:

I’m unable to remove these “default-looking” SMB shares and SMB users via the WebGUI, but it’s possible to remove them using WinBox or SSH.

These events started around the same time that some national newspapers were reporting about botnets (used for/against the conflict in RU/UA). With this in mind, this could be a hint of (failed?) attempts, an abused vulnerability, or just simply a bug in RouterOS.

Personally, I highly doubt this is a bug, as the software has been running for a long time without showing this behaviour.

I’m wondering: are there other Mikrotik users with spontaneous extra “default-looking” SMB shares and/or SMB users? (Please check/verify by hand.)

With “no config”:

- /ip smb shares
- add comment="default share" directory=/pub name=pub
- add comment="default share" directory=/pub name=pub
- add comment="default share" directory=/pub name=pub
- /ip smb users
- add name=guest
- add name=guest
- add name=guest
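An added example (my own Python, not code from Oxidized, RouterOS or the original poster): a small check of the kind that could sit behind the git notification described above. It parses two RouterOS exports, reports which entries appeared in the watched SMB sections since a baseline, and flags any command line that is repeated verbatim within a section, which is the pattern in the diffs above. The two exports are constructed to mirror those diffs; the section paths are real RouterOS paths, the function names and the constructed comment line are my own.

```python
"""Detect verbatim-duplicated or newly added entries in a RouterOS export.

Added example for this thread; not part of Oxidized or RouterOS.
"""
from collections import Counter

# Constructed sample: the shape of the export the original poster's diffs
# converge on after the third notification (comment line is made up).
CURRENT_EXPORT = """\
# mar/01/2022 12:00:00 by RouterOS 7.1.5
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
add name=guest
/ip service
set www disabled=yes
"""

# Constructed baseline: the same device with a single default share entry.
BASELINE_EXPORT = """\
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip service
set www disabled=yes
"""


def parse_export(text):
    """Parse a RouterOS export into {section_path: [command, ...]}.

    A line beginning with '/' opens a section (e.g. '/ip smb shares');
    every following non-comment line is a command in that section.
    A trailing backslash continues a command on the next line, which is
    how RouterOS wraps long commands in an export.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_duplicates(sections):
    """Return {section: {command: count}} for commands repeated verbatim.

    A second, byte-identical 'add ... name=...' line in one section is not
    what a single interactive change produces, so it deserves a look
    whatever its cause.
    """
    dupes = {}
    for section, commands in sections.items():
        repeated = {c: n for c, n in Counter(commands).items() if n > 1}
        if repeated:
            dupes[section] = repeated
    return dupes


def added_since(baseline, current):
    """Return {section: [command, ...]} for commands that occur more often
    in `current` than in `baseline`, extra copies included: the '+' lines
    a git diff of the two exports would show."""
    base = parse_export(baseline)
    added = {}
    for section, commands in parse_export(current).items():
        extra = list((Counter(commands) - Counter(base.get(section, []))).elements())
        if extra:
            added[section] = extra
    return added


def report(current, baseline, watched=("/ip smb shares", "/ip smb users")):
    """Summarise changes in the watched sections; an empty list means clean."""
    findings = []
    for section, cmds in added_since(baseline, current).items():
        if section in watched:
            findings.extend(f"{section}: new entry: {cmd}" for cmd in cmds)
    for section, repeated in find_duplicates(parse_export(current)).items():
        findings.extend(f"{section}: {n}x verbatim: {cmd}" for cmd, n in repeated.items())
    return findings


if __name__ == "__main__":
    for line in report(CURRENT_EXPORT, BASELINE_EXPORT):
        print(line)
```

Run against the two constructed exports it lists the two extra share lines and two extra user lines as new entries, plus one "3x verbatim" finding per section; the untouched `/ip service` section produces nothing. Feeding it the export Oxidized stores in git, with the previous commit as the baseline, would give a notification that names the repeated entries instead of only saying that something changed.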

My RBD52G (hAP ac2) running 6.49.3 acting as WAN router has only one of the default shares:

[user@router] > /ip smb print
       enabled: no
        domain: MSHOME
       comment: MikrotikSMB
  allow-guests: yes
    interfaces: all
[user@router] > /ip smb shares print
Flags: X - disabled, I - inactive, * - default
 #    NAME                                          DIRECTORY                                          MAX-SESSIONS
 0  * ;;; default share
      pub                                           /flash/pub                                                   10

Similarly RBD25G (audience) running 7.2rc5 acting as WiFi AP:

[user@ap] > /ip/smb/print
       enabled: no
        domain: MSHOME
       comment: MikrotikSMB
  allow-guests: yes
    interfaces: all
[user@ap] > /ip/smb/shares/print
Flags: * - DEFAULT
Columns: NAME, DIRECTORY, MAX-SESSIONS
#   NAME  DIRECTORY  MAX-SESSIONS
;;; default share
0 * pub   /pub                 10

I’ve never configured any SMB (because I detest the thought of running something so stupid on my router or AP) and it looks pretty default to me.

It is weird that your device suddenly started to multiply the config though.

Same! I’ve never configured this part, and “default” means → nothing set in the config (read: empty section).

Simply looking at the SMB menu creates this share, it’s one of those RouterOS quirks.

I’m literally not touching the system… So this is a known bug?

Same issue here with an rb5009. In my case, this is happening within 10 minutes of netinstall (following its suspected compromise). Until today, I have never noticed a “default” SMB share.

The default SMB share exists every time; you cannot “not have it”.
You simply do not notice it.

And about the OP’s duplicate lines: on 4000+ devices, from RouterOS 2.x to 7.x, on all possible old and new architectures, it has never happened anywhere.