Community discussions

 
omersiar
just joined
Topic Author
Posts: 19
Joined: Mon Apr 16, 2018 2:34 pm

[Security] Attackers changed DNS servers

Thu May 24, 2018 2:24 pm

Hello All,

I have CRS125-24G-1S routerboard with firmware 6.41.4. Last night attackers were able to change DNS settings on Mikrotik router via web interface, so the clients were directed to attacker's servers, as you can no doubt of guess SSL secured services immediately warned about certificate issue on clients' browsers. DNS was the only setting that was changed, so we did not have any other issue, changed to DNS servers and closed web service after that, just the winbox service is left for the only management protocol of the router.

192.200.110.106 > is set as DNS server by the attacker.

Router's log revealed some information:
04:20:48 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.122[32233] 
04:20:48 ipsec,error 216.218.206.122 failed to get valid proposal. 
04:20:48 ipsec,error 216.218.206.122 failed to pre-process ph1 packet (side: 1, status 1). 
04:20:48 ipsec,error 216.218.206.122 phase1 negotiation failed. 


04:51:46 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.66[1503] 
04:51:46 ipsec,error 216.218.206.66 failed to get valid proposal. 
04:51:46 ipsec,error 216.218.206.66 failed to pre-process ph1 packet (side: 1, status 1). 
04:51:46 ipsec,error 216.218.206.66 phase1 negotiation failed. 

05:54:22 system,error,critical login failure for user admin from 42.177.206.6 via web 
05:54:27 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:49 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:51 system,info dns changed by admin 
05:54:56 system,info,account user admin logged in from 42.87.96.170 via web 
05:54:59 system,info dns changed by admin 
05:55:35 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.87.96.170 via web 

05:59:26 system,error,critical login failure for user admin from 42.87.96.170 via web
I do not understand how they were able to guess password as it was a complex password.

Is there a known security issue? Can ipsec phase1 negotiation leak some information?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24217
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 2:28 pm

Was your device protected by firewall? Web/Winbox should not be left unprotected on the public interface. Please follow this guide to protect your device:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

There was a known issue where unprotected web/winbox port could be exploited, it was fixed already, please upgrade your device. You are not running a recent version.
No answer to your question? How to write posts
 
omersiar
just joined
Topic Author
Posts: 19
Joined: Mon Apr 16, 2018 2:34 pm

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:03 pm

Thank you @normis,

How to get security alerts from MikroTik? Is there a mailing list?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24217
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:09 pm

Follow updates in the forum announcement section:
viewforum.php?f=21

And changelog:
https://mikrotik.com/download/changelogs

We are also working on a blog.
No answer to your question? How to write posts
 
msatter
Forum Guru
Forum Guru
Posts: 1241
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:54 pm

.
.
We are also working on a blog.
That is excellent news and will make information easier accessible and questions/discussion can be done in the forum linked to from the blog.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
hikky
just joined
Posts: 9
Joined: Tue Jan 20, 2015 5:36 am

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 7:09 pm

Please investigate this issue!
I have the same issue on many MT in my hand. This issue just happen in last 2 days.
The attacker can login to my MT by using any users in MT. Even I change my password, the attacker can still login just a few try.
I don't understand why they can know (guess) my password.
Many Thanks!
 
R1CH
Forum Veteran
Forum Veteran
Posts: 897
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 7:41 pm

Because you run old version of RouterOS. Update and change all passwords.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: [Security] Attackers changed DNS servers

Fri May 25, 2018 6:42 pm

I have the same issue. This issue happen in last 2 days.
What firmware versions are vulnerable?
In which version is the bug fixed?
 
User avatar
k6ccc
Member
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: [Security] Attackers changed DNS servers

Fri May 25, 2018 6:57 pm

Simple answer - upgrade to the current release.

Took me about 3 seconds to find it in the Announcements section:
viewtopic.php?f=21&t=133533
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim

Who is online

Users browsing this forum: MSN [Bot] and 101 guests