pe1chl
Forum Guru
Topic Author
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

A new scan has started

Thu May 03, 2018 7:53 pm

I notice in my webserver logs that a scan has started that does "GET /webfig/roteros.info HTTP/1.1" always from the IP address 188.92.74.189
Note the "typo". However, when this is done on a MikroTik with RouterOS, it does return a JSON file with some info about the router, most notably the version of RouterOS installed!
The first scan I have seen used "Wget(linux)" as the user-agent (May 1st), but later scans (today, May 3rd) use "python-requests/2.18.4".
Maybe the first was a shellscript as proof-of-concept and they now switched to a python program.

Is this the indication of the next vulnerability? Or maybe just a project to investigate all the MikroTik installations to later launch the existing or new exploits?
Interestingly enough, the 188.92.74.189 IP address is registered in Latvia:
inetnum:        188.92.74.0 - 188.92.74.255
org:            ORG-SNI2-RIPE
netname:        NANO-ADTECH-DC-NET
descr:          NANO ADTECH DC
country:        LV
admin-c:        RST1
tech-c:         RST1
status:         ASSIGNED PA
mnt-by:         NANO-MNT
created:        2015-04-22T07:37:25Z
last-modified:  2015-04-22T07:37:25Z
source:         RIPE

organisation:   ORG-SNI2-RIPE
org-name:       Sia Nano IT
org-type:       LIR
address:        Maskavas iela 240 - 510
address:        LV-1063
address:        Riga
address:        LATVIA
phone:          +37166100107
fax-no:         +37167876478
Is it just MikroTik doing some investigation? Or maybe people who know more than average?
For now, it is a mystery. Of course I don't allow access to the router from outside and have now put that address on a general blocklist to stop such idiocy.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: A new scan has started

Thu May 03, 2018 8:12 pm

At least it doesn't return passwords. ;)

If you have the http server enabled on the router, the version is also shown on the title page (I don't know if there's a way to hide it), so this doesn't reveal anything new. And the returned info seems to be for http://<router>/webfig/roteros.jg, which is a text file with definitions used by WebFig and WinBox (instead of the previous dll files).
 
eddieb
Member
Posts: 327
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: A new scan has started

Thu May 03, 2018 8:19 pm

It should not be THAT easy to get a ROS version ... without authentication

I notice the same IP sending syn packets to me too for the past 7 days at least ...
 
pe1chl
Forum Guru
Topic Author
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: A new scan has started

Thu May 03, 2018 8:37 pm

Looking a bit closer, I now see that the "wget" was done from a different IP address: 187.181.91.23. This is registered in Brazil.
As I do not see other references to this URL path in my earlier logs, we can only assume that something has been found and this is the starting point.
Let's try to make this file available on a webserver and see how they proceed when it can be downloaded... (for now they just got 404)
 
pe1chl
Forum Guru
Topic Author
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: A new scan has started

Sat May 05, 2018 1:29 am

Returning a valid info file with a low version number does not seem to make the scanner try something. Yet.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: A new scan has started

Sat May 05, 2018 2:33 am

Give them some honey. ;-)
 
dada
Member Candidate
Posts: 245
Joined: Tue Feb 21, 2006 1:44 pm

Re: A new scan has started

Sat May 05, 2018 9:25 am

Hi,

The known exploit for Chimay-Red needs to know some info about the device architecture and ROS version to prepare an attack against the web server code (where to place code on the stack which will run the shell). If the attacker knows the version of ROS, it can download the proper ROS package, extract the web server code from it and scan it for the required information. Then it knows how to attack the device.
 
pe1chl
Forum Guru
Topic Author
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: A new scan has started

Sat May 05, 2018 11:24 am

Of course that is clear; however, it does not appear to be an attack ready to go, they are just investigating what is around.
I serve them a valid roteros.info, but they are not immediately proceeding to the next step of downloading something else or POSTing something.
 
si458
Frequent Visitor
Posts: 65
Joined: Fri Jun 22, 2012 7:51 pm

Re: A new scan has started

Tue May 29, 2018 4:15 pm

Hi
I noticed over the past week scans for this file coming from loads of different IP addresses, should we be worried?
179.209.16.53 - - [28/May/2018:09:58:05 +0000] "GET /webfig/roteros.info HTTP/1.1" 404 476 "-" "Wget(linux)"
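A small detection helper for the probes discussed in this thread, added here as an example and not code from any poster: it parses combined-format access-log lines (the format si458 quoted), counts requests for /webfig/roteros.info (and the real roteros.jg that Sob mentions) by source IP and user-agent, and flags any that the server answered with 200, since those are the cases where a scanner actually obtained the RouterOS version. The first sample line is si458's; the rest are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the thread reports being probed: the misspelled .info and the
# real WebFig definitions file that Sob mentions.
PROBE_PATHS = {"/webfig/roteros.info", "/webfig/roteros.jg"}

# Constructed sample log: line 1 is the one si458 posted, the others are made up
# (203.0.113.7 is a documentation address standing in for a normal visitor).
SAMPLE_LOG = """\
179.209.16.53 - - [28/May/2018:09:58:05 +0000] "GET /webfig/roteros.info HTTP/1.1" 404 476 "-" "Wget(linux)"
188.92.74.189 - - [03/May/2018:17:40:12 +0000] "GET /webfig/roteros.info HTTP/1.1" 404 476 "-" "python-requests/2.18.4"
203.0.113.7 - - [03/May/2018:17:41:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
188.92.74.189 - - [04/May/2018:02:10:44 +0000] "GET /webfig/roteros.info HTTP/1.1" 200 812 "-" "python-requests/2.18.4"
"""


def parse_line(line):
    """Return a dict of fields, or None if the line is not combined-format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return (per_ip, per_ua, served) for roteros.info/.jg probes.

    `served` lists (ip, timestamp) of probes answered with 200, i.e. cases
    where the file really existed and the scanner got the version info."""
    per_ip, per_ua, served = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in PROBE_PATHS:
            continue
        per_ip[rec["ip"]] += 1
        per_ua[rec["ua"]] += 1
        if rec["status"] == "200":
            served.append((rec["ip"], rec["ts"]))
    return per_ip, per_ua, served


if __name__ == "__main__":
    ips, uas, served = find_probes(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip:16} {n} probe(s)")
    print("user-agents:", dict(uas))
    print("answered with 200:", served)
```

Feed it your real access log instead of SAMPLE_LOG and any entry in `served` is a router (or honeypot) that handed out its version to the scanner.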
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: A new scan has started

Tue May 29, 2018 4:17 pm

It should not be THAT easy to get a ROS version ... without authentication
Hope you aren't running any wireless networks then, since Mikrotik products broadcast the board name, radio name and RouterOS version number in every beacon!
 
pe1chl
Forum Guru
Topic Author
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: A new scan has started

Tue May 29, 2018 4:29 pm

Hi
I noticed over the past week scans for this file coming from loads of different IP addresses, should we be worried?
179.209.16.53 - - [28/May/2018:09:58:05 +0000] "GET /webfig/roteros.info HTTP/1.1" 404 476 "-" "Wget(linux)"
That is from Brazil as well, just like the wget I saw.
As long as you don't allow web access (and the other admin methods: API, telnet, ssh, webfig) to the router from the internet, you yourself do not need to be worried. Of course, in general MikroTik would have to be worried, because such scanning and the resulting hacking of badly configured devices invariably leads to bad publicity.
