Community discussions

MikroTik App
  4. RouterOS
  5. General

[Security] Attackers changed DNS servers

Post Reply
 
omersiar
just joined
Topic Author
Posts: 21
Joined: Mon Apr 16, 2018 2:34 pm

[Security] Attackers changed DNS servers

Thu May 24, 2018 2:24 pm

Hello All,

I have CRS125-24G-1S routerboard with firmware 6.41.4. Last night attackers were able to change DNS settings on Mikrotik router via web interface, so the clients were directed to attacker's servers, as you can no doubt of guess SSL secured services immediately warned about certificate issue on clients' browsers. DNS was the only setting that was changed, so we did not have any other issue, changed to DNS servers and closed web service after that, just the winbox service is left for the only management protocol of the router.

192.200.110.106 > is set as DNS server by the attacker.

Router's log revealed some information:
Code: Select all
04:20:48 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.122[32233] 
04:20:48 ipsec,error 216.218.206.122 failed to get valid proposal. 
04:20:48 ipsec,error 216.218.206.122 failed to pre-process ph1 packet (side: 1, status 1). 
04:20:48 ipsec,error 216.218.206.122 phase1 negotiation failed. 


04:51:46 ipsec,info respond new phase 1 (Identity Protection): XX.XX.XX.XX[500]<=>216.218.206.66[1503] 
04:51:46 ipsec,error 216.218.206.66 failed to get valid proposal. 
04:51:46 ipsec,error 216.218.206.66 failed to pre-process ph1 packet (side: 1, status 1). 
04:51:46 ipsec,error 216.218.206.66 phase1 negotiation failed. 

05:54:22 system,error,critical login failure for user admin from 42.177.206.6 via web 
05:54:27 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:49 system,info,account user admin logged in from 42.177.206.6 via web 
05:54:51 system,info dns changed by admin 
05:54:56 system,info,account user admin logged in from 42.87.96.170 via web 
05:54:59 system,info dns changed by admin 
05:55:35 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.177.206.6 via web 
05:56:05 system,info,account user admin logged out from 42.87.96.170 via web 

05:59:26 system,error,critical login failure for user admin from 42.87.96.170 via web
I do not understand how they were able to guess password as it was a complex password.

Is there a known security issue? Can ipsec phase1 negotiation leak some information?
Top
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26611
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:
Contact normis

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 2:28 pm

Was your device protected by firewall? Web/Winbox should not be left unprotected on the public interface. Please follow this guide to protect your device:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

There was a known issue where unprotected web/winbox port could be exploited, it was fixed already, please upgrade your device. You are not running a recent version.
Top
 
omersiar
just joined
Topic Author
Posts: 21
Joined: Mon Apr 16, 2018 2:34 pm

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:03 pm

Thank you @normis,

How to get security alerts from MikroTik? Is there a mailing list?
Top
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26611
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:
Contact normis

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:09 pm

Follow updates in the forum announcement section:
viewforum.php?f=21

And changelog:
https://mikrotik.com/download/changelogs

We are also working on a blog.
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2929
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 3:54 pm

.
.
We are also working on a blog.
That is excellent news and will make information easier accessible and questions/discussion can be done in the forum linked to from the blog.
Top
 
hikky
just joined
Posts: 9
Joined: Tue Jan 20, 2015 5:36 am

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 7:09 pm

Please investigate this issue!
I have the same issue on many MT in my hand. This issue just happen in last 2 days.
The attacker can login to my MT by using any users in MT. Even I change my password, the attacker can still login just a few try.
I don't understand why they can know (guess) my password.
Many Thanks!
Top
 
R1CH
Forum Guru
Forum Guru
Posts: 1107
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Security] Attackers changed DNS servers

Thu May 24, 2018 7:41 pm

Because you run old version of RouterOS. Update and change all passwords.
Top
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: [Security] Attackers changed DNS servers

Fri May 25, 2018 6:42 pm

I have the same issue. This issue happen in last 2 days.
What firmware versions are vulnerable?
In which version is the bug fixed?
Top
 
User avatar
k6ccc
Forum Guru
Forum Guru
Posts: 1546
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)
Contact:
Contact k6ccc

Re: [Security] Attackers changed DNS servers

Fri May 25, 2018 6:57 pm

Simple answer - upgrade to the current release.

Took me about 3 seconds to find it in the Announcements section:
viewtopic.php?f=21&t=133533
Top
Post Reply

Who is online

Users browsing this forum: amcrs, Bing [Bot] and 33 guests
  4. RouterOS
  5. General