unknown admin with unknown IP address loges in my mikrotik router via API

kosvision · June 25, 2018, 1:56pm

Hi guys,

Recently i have been facing problems with pptp.
So one day pptp stopped working and there were no way to fix it but only by resetting the router and restoring the backup.
Same thing happens everyday.
When it happened today i went into mikrotik logs and i see "user admin logged in from “static ip address” via api.
Than a lot of config changes happens and that user logs out automatically.
See pic attached.

How is this possible i have strong password.
How can i block any attempt to log via api.

Thank you,

Sob · June 25, 2018, 2:07pm

Do you have up to date RouterOS? Because if not, and you’d also happen to have WinBox port accessible from outside, then strong password is not enough:

http://forum.mikrotik.com/t/advisory-vulnerability-exploiting-the-winbox-port-solved/118771/1

And about blocking API, do you use it yourself? If not, simply disable the whole thing in IP->Services. If you need it, then limit access to selected IP addresses or networks, either in IP->Services or using firewall.

R1CH · June 25, 2018, 5:14pm

You should also change all passwords after updating, since all user accounts are exposed.

Revelation · June 25, 2018, 10:45pm

I would also change the “username” of the admin account. Make them have to guess what your account username is in addition to the password.

kosvision · June 26, 2018, 12:30pm

Thank you.
Your answer helped me.
I vent into IP->Services and i disabled everything except winbox because i connect to it only with it.
Also at winbox “available form” i let only my LAN static IP addresses.

Regards,

hgonzale · June 27, 2018, 1:18am

IS not secure the winbox conection.

Please, activate VPN (l2tp + ipsec), connect to the VPN and after, to the winbox (not opened in the wan)

Sob · June 27, 2018, 1:35am

It should be secure with current fixed version. But how much is everyone going to trust it, it’s up to them.