danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Tips to understand if router hacked

Fri Jan 08, 2021 12:01 am

Hi Friends!
By pure chance, I verified that my public IP address was present in "The Spamhaus",
so how could I verify whether the router is hacked?
Note that I bought the router a couple of years ago and immediately disabled the web interface; now I log in via SSH.

Here is the resource information:
               build-time: Nov/14/2018 15:04:25
         factory-software: 6.41.3
              free-memory: 42.2MiB
             total-memory: 64.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 650MHz
                 cpu-load: 2%
           free-hdd-space: 4708.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 78
         write-sect-total: 67742
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RBSXTR
                 platform: MikroTik

Thanks!

Davide
cosmogoniA
n o p r o v a r e n o f a r e o n o n f a r e n o n c e p r o v a r e
 
anav
Forum Guru
Posts: 6133
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Tips to understand if router hacked

Fri Jan 08, 2021 4:21 pm

Don't bother wondering............ Netinstall with the latest long term firmware and get on with life.
If in doubt netinstall!!
Thanks not necessary just send me some coffee!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Fri Jan 08, 2021 11:02 pm

Thanks @anav for the useful tips!
But is it possible to understand if the router is hacked?
I rebooted the device and on the second day scanned the new public IP with Spamhaus again, which put it in PBL1722199 - https://www.spamhaus.org/pbl/query/PBL1722199
So, should I think that I have an unknown SMTP server on my MikroTik?


Thanks again!


Davide
 
BartoszP
Forum Guru
Posts: 1906
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Tips to understand if router hacked

Fri Jan 08, 2021 11:15 pm

37.160.0.0/12 means circa 10^6 addresses so there is a chance that it is not your router infected :-)
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Fri Jan 08, 2021 11:48 pm

Thanks @BartoszP,
but Spamhaus shows me my exact IP address, not a class of 10^6 IPs.... :-(
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tips to understand if router hacked

Sat Jan 09, 2021 12:14 am

If it's spam, it's far more likely that it's some infected device behind the router than the router itself. If you're not running a mail server, you can block access from LAN to the SMTP port (tcp 25), because nothing should need it (clients should use other ports to access mail servers). You can also log connections and see which device does it.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Sun Jan 10, 2021 3:56 pm

If it's spam, it's far more likely that it's some infected device behind the router than the router itself.
I'm using only Linux OS behind the router.
If you're not running mailserver, you can block access from LAN to SMTP port (tcp 25), because nothing should need it (clients should use other ports to access mailservers).
Yes, I've blocked port 25:
ip firewall filter
add chain=input protocol=tcp dst-port=25 action=drop
You can also log connections and see what device does it.
Please, could you give me a very specific example for this situation that is not the common "/log> print "?

Thanks!
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tips to understand if router hacked  [SOLVED]

Sun Jan 10, 2021 5:51 pm

Your rule will stop connections to router itself, but that's useless, because there's no smtp server on router. What I meant is:
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 action=reject reject-with=tcp-reset log=yes log-prefix=smtp
It will stop smtp connections through router and log all attempts.
 
anav
Forum Guru
Posts: 6133
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Tips to understand if router hacked

Sun Jan 10, 2021 6:32 pm

Nice so you will get to see which machine is causing the issues.........
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Sun Jan 10, 2021 11:37 pm

...because there's no smtp server on router
One of the hypotheses was that the router was compromised and that there was software installed that could send mail.
But your guess is just as worth considering too.
Thanks for your tips, I will try...
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tips to understand if router hacked

Mon Jan 11, 2021 12:17 am

Send and receive are two different things; you don't need anything listening on the SMTP port to send mail. Of course, if anyone were able to hack the router enough to install their own software, they could install an SMTP server if they wanted to. I just don't see any reasonable explanation of what it would be good for. It would be better to stay hidden and not advertise one's own presence so obviously.
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Mon Jan 11, 2021 7:30 pm

[..]
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 action=reject reject-with=tcp-reset log=yes log-prefix=smtp
[..]
Done!
To see the "smtp" logs now, all I need to do is launch the "/log print" command?

Anyway, I think the problem is upstream and depends on the provider, who has dirty addresses. I rebooted and immediately afterwards checked whether the new address was in Spamhaus, and to my surprise it was present!

Thanks again!
 
Sob
Forum Guru
Posts: 6517
Joined: Mon Apr 20, 2009 9:11 pm

Re: Tips to understand if router hacked

Mon Jan 11, 2021 10:09 pm

Yes, "/log print" is one way, or use WinBox or WebFig to view log, whatever you like most.

If you are getting already blacklisted addresses, there's not much you can do about it, other than convincing the ISP to give you a new static address that's not blacklisted.
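As an added example (not code from any of the posters), the following Python reads `/log print` output, keeps only the `smtp`-prefixed entries that the forward/reject rule above produces, and counts attempts per LAN source so the noisy host can be identified. The log line layout and the sample lines are constructed assumptions for this example, not captured from the poster's router.

```python
import re
from collections import Counter

# Constructed sample of /log print output (an assumption of this example):
# three blocked outbound-SMTP attempts from two LAN hosts plus one unrelated line.
SAMPLE_LOG = """\
jan/11 19:40:01 firewall,info smtp forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51234->203.0.113.25:25, len 60
jan/11 19:40:03 firewall,info smtp forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51235->198.51.100.7:25, len 60
jan/11 19:41:10 system,info,account user admin logged in from 192.168.88.2 via ssh
jan/11 19:42:15 firewall,info smtp forward: in:bridge out:ether1, src-mac 00:aa:bb:cc:dd:ee, proto TCP (SYN), 192.168.88.42:33001->203.0.113.25:25, len 60
"""

# Matches only lines written by the rule with log-prefix=smtp in the forward chain.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info smtp forward: .*?"
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto TCP \(SYN\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):25,"
)


def parse_smtp_log(text):
    """Return one dict (ts, mac, src, dst) per logged SMTP attempt; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def attempts_per_host(events):
    """Count blocked SMTP attempts per LAN source, keyed by (IP, MAC)."""
    return Counter((e["src"], e["mac"]) for e in events)


def targets_per_host(events):
    """Map each LAN source IP to the sorted external SMTP servers it tried to reach."""
    out = {}
    for e in events:
        out.setdefault(e["src"], set()).add(e["dst"])
    return {src: sorted(dsts) for src, dsts in out.items()}


if __name__ == "__main__":
    evts = parse_smtp_log(SAMPLE_LOG)
    for (src, mac), n in attempts_per_host(evts).most_common():
        print(f"{src} ({mac}): {n} attempts -> {targets_per_host(evts)[src]}")
```

A host that keeps hitting many different external SMTP servers is the one to inspect first; a single attempt to one server is usually a misconfigured mail client.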
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Mon Jan 11, 2021 10:20 pm

Yes, "/log print" is one way, [....]

[...] other than convincing ISP to give you new static address that's not blacklisted.
Many thanks!
 
twixt3and20
just joined
Posts: 5
Joined: Wed Jan 20, 2021 9:50 pm

Re: Tips to understand if router hacked

Sat Jan 30, 2021 8:23 am

Spamhaus tends to reckon many home ISPs' IP addresses as spammy because the vast majority of email from them is indeed spam from hacked devices. So it lists the ISP's entire range, excluding the addresses used by the ISP's own mail servers.

As I have my own email server hosted on a VPS elsewhere, and it does 'is this IP address spammy' checks when receiving email, I have to tell it that my home IP address is OK so that I can send outgoing email via it! Fortunately, that only changes when I change router.

If I look at the mail server logs, a great deal of spam would be coming from home ISP address ranges, so I can fully understand why Spamhaus does it.
 
danjde
newbie
Topic Author
Posts: 25
Joined: Thu Jun 06, 2019 10:36 am
Location: Italy

Re: Tips to understand if router hacked

Sat Jan 30, 2021 11:59 am

Spamhaus tends to reckon many home ISP's IP addresses as spammy because the vast majority of email from them is indeed spam from hacked devices. [...]
If I look at the mail server logs, a great deal of spam would be coming from home ISP address ranges, so I can fully understand why Spamhaus does it.

Yes, this is a great truth!

Most of the problems on the internet come from (home user) Microsoft systems, always insecure, also due to the inexperience of the users and not only due to the inability of Microsoft technicians (even if in this they have made great contributions..).
Microsoft systems should be declared simply illegal, or at least not usable in "home user" conditions, but Microsoft's enormous economic and financial power (now also in the pharmaceutical field) will prevent this because it can afford to buy politicians at will.
Apple from this point of view, thanks to the theft of the GNU-Hurd code, is certainly in an advantageous position, even if it creates problems of another kind ...
Then there is the question of proprietary software that cannot be inspected, but here we really go further.
That said, I don't think we'll get out of this...