Winbox vulnerability: please upgrade

May I ask, how is it possible for an attacker to load up the known scripts and modify the firewall, SOCKS proxy, etc.,
if in IP/Services only Winbox and SSH are allowed, but they are limited to connecting from known prefixes?

It has even happened in 6.42.1 or 6.42.3.

I have understood that even if you limit the connections in IP/Services to specific addresses, it still lets the attacker get close enough to execute the exploit. I have created firewall rules for the default 8291 and also for the port that I changed my Winbox access to. This is the only sure way in my mind that they won’t be able to even reach IP/Services.

Anyone please correct me if I am wrong on these points.

https://www.rdw.nl/particulier/nieuws/2018/controle-op-echtheid-van-een-rijbewijs

The internet is full of news items about Rutte rijbewijs

Without knowing exactly what you had configured on it, it is hard to know what was and wasn’t possible.
Also, if you didn’t change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com; they will be able to look through your configuration and see if it is a configuration issue or a software bug.

Even if he knows the password BUT the service is LIMITED to my IP prefixes, how the hell can he control my device?!
The only way this is possible is if MikroTik made the service check the connecting IP address AFTER authentication.

If the service does NOT allow connections from anyone but the listed IPs, packets from unlisted sources should not reach the application. I think.
Please fix me, or accept that there is another piece of sh!t found in the pancake…

Did you always have the IP SERVICES limitation? The hack could have happened last year. Is it correctly set up, and was it always?

Yes! 95% of those routers have had the IP/Services limitation since installation! (The other 5% are customer radios turned from bridge to router due to a customer router issue.)

90% of those 95% of devices have remote syslog as well, but at the moment I have had no time to look them up. Probably I will find something, because the hacker set the logging limit to 1 line :)

How about the possibility of a staff member who used the attack script from the allowed IP range?
IP services work well; there is zero evidence that this limit can be overcome in some way.

Check your logs to see where the attacker accessed from; it could be a compromised machine from a trusted IP address range. We can’t really help you here without more information.

Maybe better if you make a new thread and post your configuration (passwords and IPs obscured of course) so we can see what might be wrong and help you there, instead of polluting this thread with baseless accusations and misinformation.

I would however suggest to email support@****mikrotik.com, since if it is a real issue then they can escalate it to the right department. This would however not satisfy my curiosity.

In some cases it was reported that a device got infected from another infected device on the same (trusted) network.

CHR was hacked. I got the new password from the disk image and password recovery tools.
Now I have changed the hacker’s configuration, removed SOCKS and changed the password again, but didn’t clear the disk image and license.

See screenshot of winbox interface : http://prntscr.com/kt6f9y

1. What is this “job” in the image? Is it the hacker’s job, or the system’s (like OSPF)?
There is no such task in my usual configuration.

Here is the full export (slightly obfuscated):
/export

# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155

Can hackers also put backdoors into Linux?

  1. How can I reinstall the CHR license on a new disk image?

Yeah, that configuration is not secure. Wide open to the internet and attackers.
It is at least missing a couple of block rules in the firewall filter. For example:

/ip firewall filter
add action=accept chain=forward in-interface=ether1 connection-state=established,related
add action=accept chain=input in-interface=ether1 connection-state=established,related
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1

But I suggest you read the manual page about securing your router: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
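To put the two mechanisms argued about in this thread side by side (the IP/Services address limit versus the firewall input chain), here is an added example of a complete management-plane lockdown for RouterOS 6.x. It is not code from the thread, from any poster or from MikroTik, and it goes beyond the four rules quoted above by adding an address list, a services limit, an SNMP restriction and the layer-2 settings the wiki page covers. It assumes ether1 is the WAN side, ether2 is the LAN (192.168.123.0/24 from the export above), SSH is on port 2001 as in that export, the GRE peers are the two remote addresses from the export, and 203.0.113.0/24 is a constructed placeholder for the trusted admin prefix.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN, ether2 = LAN
# (192.168.123.0/24), SSH on 2001 as in the posted export, 203.0.113.0/24 is a
# constructed placeholder for the trusted admin prefix.

# 1. Name the trusted sources once; every rule below refers to the lists.
/ip firewall address-list
add list=mgmt address=203.0.113.0/24 comment="admin prefix (placeholder)"
add list=mgmt address=192.168.123.0/24 comment="LAN"
add list=gre-peers address=46.0.1.1 comment="GRE peer from the export"
add list=gre-peers address=178.215.1.1 comment="GRE peer from the export"

# 2. Input chain: this decides whether a packet reaches a service at all.
#    The final drop covers Winbox, SSH, SNMP, DNS and anything else arriving on the WAN side.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping / path MTU"
add chain=input action=accept protocol=gre in-interface=ether1 src-address-list=gre-peers comment="GRE tunnel endpoints"
add chain=input action=accept src-address-list=mgmt protocol=tcp dst-port=8291,2001 comment="Winbox + SSH from mgmt only"
add chain=input action=accept in-interface=ether2 comment="LAN may use DNS etc."
add chain=input action=drop in-interface=ether1 comment="everything else from WAN"

# 3. Forward chain: keep the published HTTPS service reachable (it is dst-natted in the
#    export) and drop every other unsolicited inbound connection.
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=ether1 connection-nat-state=dstnat comment="published services only"
add chain=forward action=drop in-interface=ether1 comment="unsolicited inbound"

# 4. Second layer: the service itself also refuses unlisted sources, so a firewall
#    mistake (rule moved, interface renamed) does not silently expose it.
/ip service
set winbox address=203.0.113.0/24,192.168.123.0/24
set ssh address=203.0.113.0/24,192.168.123.0/24 port=2001
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 5. The SNMP community in the export answered 0.0.0.0/0; restrict it to the LAN.
/snmp community
set [ find default=yes ] addresses=192.168.123.0/24

# 6. Layer-2 paths that bypass the IP filter entirely: MAC-Telnet, MAC-Winbox, neighbor discovery.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
```

Apply the address lists and the accept rules before the final drop rules, and do it from an address that is already in the mgmt list, otherwise the drop rule locks the admin out as well. Rule order inside each chain is what the firewall evaluates, so the accept rules for mgmt and gre-peers must stay above the WAN drop.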

No, they cannot access the Linux operating system of the router unless you have rooted the router yourself already, which you really should not do.
Unless you were running a version of RouterOS that is older than v6.38.5, see: http://forum.mikrotik.com/t/urgent-security-advisory/117944/1

I suggest you email support@mikrotik.com with your license issue.

Yeah, that configuration is not secure. Wide open to the internet and attackers.

Yes. And this is fine. Everyone has his own vision of comfort and safety.
What about my question? Who starts this job?

  1. How I can I reinstall CHR license on new disk image?

I suggest you email support@mikrotik.com with your license issue.

I don’t have access to the email or account. Only the disk image with a self-updated license.
Any other suggestion?

Email support@mikrotik.com, they can help you with all your questions.

Hello everybody,

If somebody needs it, I just created a Windows app for showing passwords for impacted MK versions, based on the original Python script (https://github.com/BasuCert/WinboxPoC):
https://github.com/msterusky/WinboxExploit/releases

It’s a one-time application, and I don’t plan any extensions or next versions.
The app doesn’t contain an implementation with mac-winbox, and works only on the IP layer.

Please, feel free to reuse it or adjust as you need.


Thanks,
Martin

You got hacked and started asking questions. Then when someone gives you a sensible answer and tells you where you went wrong, you disagree with them and stick your head in the sand.
You ARE a fool.

If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.

Just answer me, what kind of job is running on this configuration?

Let me understand this.

  1. You have an open router with no firewall
  2. You ask why somebody connected to it

Correct?

Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly.
The manual page I linked you to has examples on how to do all of that. I urge you to give it a read if you haven’t already, but even so reading it again is a good idea. I might need to read it all again myself.

From the picture and config you supplied us, we can’t tell you.
That is why I told you to email support@mikrotik.com instead. Maybe they can see what it is doing if you make a supout?

I guess that it could be an infinitely looped mischievous script that wakes up every specific interval and changes the configuration somehow or sends out mischievous traffic. The log could give some hints as to what it is doing, or maybe the System->History.
But if you are running RouterOS v6.43, I don’t even see how this is related to this topic at all. Change your password so people that may have hacked your router before can’t access it again, and clean up any possible mischievous configuration or scripts. Then implement a more secure firewall and more secure remote access.

Either way, us sitting here and guessing doesn’t help anyone. Best not to go too off-topic in this thread with assumptions and speculations. Email support@mikrotik.com and they will be able to help you more closely, or make a new thread so we can all discuss your issue better.
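For the "who starts this job" question and the advice just above to look at the log and System->History, here is an added RouterOS 6.x script (not from the thread or from MikroTik) that writes every object capable of starting or persisting a job to the log, so the output can be diffed against a known-good device or collected by the remote syslog mentioned earlier. It assumes the script is saved under the placeholder name audit-persistence and run with /system script run audit-persistence; the property names used are the ones shown by the corresponding print commands in RouterOS 6.

```routeros
# Added example, not from the thread: paste as the source of a script named
# "audit-persistence" (placeholder name) and run it with
#   /system script run audit-persistence
# Every finding is logged with the prefix "audit:" so it can be filtered
# locally or on the remote syslog server.

# Scheduler entries are the usual way a "job" keeps re-applying changes.
:foreach i in=[/system scheduler find] do={
  :log warning ("audit: scheduler " . [/system scheduler get $i name] . " interval=" . [/system scheduler get $i interval] . " on-event=" . [/system scheduler get $i on-event])
}

# Stored scripts, with their owner and the policy they run under.
:foreach i in=[/system script find] do={
  :log warning ("audit: script " . [/system script get $i name] . " owner=" . [/system script get $i owner] . " policy=" . [/system script get $i policy])
}

# Netwatch up/down scripts are another trigger point for stored scripts.
:foreach i in=[/tool netwatch find] do={
  :log warning ("audit: netwatch " . [/tool netwatch get $i host] . " up-script=" . [/tool netwatch get $i up-script] . " down-script=" . [/tool netwatch get $i down-script])
}

# SOCKS and web proxy are what the posters found switched on.
:if ([/ip socks get enabled]) do={
  :log warning ("audit: SOCKS proxy enabled on port " . [/ip socks get port])
}
:if ([/ip proxy get enabled]) do={
  :log warning ("audit: web proxy enabled on port " . [/ip proxy get port])
}

# Local users, their group and the source addresses they may log in from.
:foreach i in=[/user find] do={
  :log warning ("audit: user " . [/user get $i name] . " group=" . [/user get $i group] . " address=" . [/user get $i address])
}

# Enabled IP services and the source addresses they accept.
:foreach i in=[/ip service find disabled=no] do={
  :log warning ("audit: service " . [/ip service get $i name] . " port=" . [/ip service get $i port] . " address=" . [/ip service get $i address])
}

# DNS and logging targets: one poster found the logging limit reduced to one line.
:log warning ("audit: dns servers=" . [/ip dns get servers] . " allow-remote-requests=" . [/ip dns get allow-remote-requests])
:foreach i in=[/system logging action find] do={
  :log warning ("audit: logging action " . [/system logging action get $i name] . " target=" . [/system logging action get $i target])
}

# Recent configuration changes, the same data as System > History in Winbox.
:foreach i in=[/system history find] do={
  :log warning ("audit: history " . [/system history get $i action] . " by=" . [/system history get $i by])
}
```

Run it once after cleaning a device and keep that log as the baseline; any scheduler entry, script, netwatch hook, proxy setting or user that appears later without a matching change in System > History is the place to look for the job.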

No. Read everything from the beginning.
I ask what kind of job is running without any config in the scheduler or watchdog.