stamatis123
just joined
Topic Author
Posts: 14
Joined: Thu Jan 10, 2013 8:44 pm

Hacked-Rogue DNS?

Fri Jul 20, 2018 3:04 pm

Hi everyone,

This morning I started experiencing problems with the HTTPS certificates of various websites such as Google, MSN etc. In the beginning I thought there was a temporary problem, maybe with Google, but after surfing some more I realised it wasn't just Google but other sites as well. After upgrading my routers to 6.42.3 from 6.40.4 (main ones are a 1036 and a 1100 used as a load balancer) I started looking into the devices and I found out that there were two entries in the DNS settings, 128.14.6.12 and 13, as DNS servers on the 1100 (load balancing). I removed the entries and all is back to normal. I obviously was hacked. I had all services disabled except www and winbox, on which I changed the default ports (www was changed from day one but I decided to change it again). My bad that I used the default admin account with an 8-digit password (although letters+symbols+numbers), so I've changed the username and the password as well and disabled the admin account. So my questions are:

1. What else should I do to further secure my devices, and is there anything else I should look for in them?
2. Is there anything I can do about reporting these IPs to someone? From what I found, the 128.14.0.0/17 subnet belongs to zenlayer.com (some Chinese-USA ISP?)

Thanks everyone!
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Hacked-Rogue DNS?

Fri Jul 20, 2018 3:11 pm

It seems that one can not be 100% sure about the extent of damage done by hackers.

It also seems that the cure is as follows:
  • take device off-line
  • create full configuration export and copy file off device
  • thoroughly examine the exported configuration script to find any signs of hacked configuration and remove or repair the compromised configuration part
  • do netinstall of device
  • load configuration from sanitized configuration file
  • make sure you rigorously filter any connectivity possibilities to your router from internet. If you really need webfig/winbox/any_other_admin access, limit it to a few known remote IP addresses that you (kind of) have under control
  • put device back on-line
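
One way to make the "examine the exported configuration" step repeatable, as an added Python sketch that is not part of mkx's post: it parses an export and flags DNS servers outside an allow-list and management services that carry no address= restriction. The sample export, the trusted resolver 192.0.2.53 and the function names are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample in the style of a RouterOS "/export" file (not from the thread).
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes servers=\
    128.14.6.12,128.14.6.13
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8081
set winbox address=192.0.2.10/32 port=8292
"""


def parse_export(text):
    """Yield (menu, command, positional args, key=value params) per statement."""
    joined = re.sub(r"\\\r?\n\s*", "", text)      # exports wrap long lines with "\"
    menu = None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        words = shlex.split(line)
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        positional = [w for w in words[1:] if "=" not in w]
        yield menu, words[0], positional, params


def audit(text, trusted_dns):
    """Return findings for DNS servers and management services in an export."""
    trusted = {ipaddress.ip_address(a) for a in trusted_dns}
    findings = []
    for menu, cmd, positional, params in parse_export(text):
        if menu == "/ip dns" and cmd == "set":
            for server in filter(None, params.get("servers", "").split(",")):
                if ipaddress.ip_address(server) not in trusted:
                    findings.append(f"unexpected DNS server {server}")
        elif menu == "/ip service" and cmd == "set" and positional:
            # Only non-default settings are exported; a service missing from
            # the file is still at its default and needs checking on the device.
            if params.get("disabled") != "yes" and "address" not in params:
                findings.append(f"service {positional[0]} reachable from any address")
    return findings
```

Calling `audit(SAMPLE_EXPORT, ["192.0.2.53"])` reports both rogue resolvers and the unrestricted www service.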
 
easyswiss
just joined
Posts: 13
Joined: Tue Mar 08, 2016 9:49 pm

Re: Hacked-Rogue DNS?

Sat Jul 21, 2018 1:44 pm

I confirm this issue for
- Netcore Routers
- Next Routers

I recommend blackholing all traffic to 128.14.6.0/24 or the whole /17 block from Zenlayer Inc.
 
stamatis123
just joined
Topic Author
Posts: 14
Joined: Thu Jan 10, 2013 8:44 pm

Re: Hacked-Rogue DNS?

Tue Jul 24, 2018 3:10 pm

Thanks for the tips!

Checked the script, all is clear, changed default username and hardened my password. Hopefully this will keep them out.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hacked-Rogue DNS?

Tue Jul 24, 2018 5:06 pm

You need to:
- keep your RouterOS up to date
- improve your firewall settings. The default firewall will be OK
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Hacked-Rogue DNS?

Tue Jul 24, 2018 10:22 pm

More options:
- Use Port Knocking for administrative ports
- Use L2TP/IPSec and not expose administrative ports
- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.

For the last one, it seems hackers are using distributed port scans. For my routers, about 1000 unique IPs are slowly checking my ports. I ban these IPs. My rule to block banned IPs says about 10,000 TCP/SYN packets are dropped daily. The rule is near the top, so the banned IPs don't get to connect to ports that are actually open.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Hacked-Rogue DNS?

Tue Jul 24, 2018 10:41 pm

> - Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
How do you do this? Do you have a script?
Will this add much CPU load?

I can see from my log that hackers are hammering on many ports, but mainly on 23 (telnet).
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Hacked-Rogue DNS?

Tue Jul 24, 2018 11:10 pm

I use this as a "first line barrier".
Proper WAN ports should be added to WAN_LIST, and port 65432 in the first rule should be set to the port that Winbox access is set to.
/interface list
add name=WAN_LIST

/ip firewall raw
add action=accept chain=prerouting dst-port=65432 protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACK
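
A small Python model of the raw-table rule order posted above, added here as an illustration and not part of BartoszP's post: it replays a constructed packet trace to show the two-stage ban and what happens to a legitimate client behind the same NAT address as a scanner. It assumes every packet arrives on a WAN_LIST interface and that re-adding a listed address refreshes its timeout; class and function names are hypothetical.

```python
WINBOX_PORT = 65432                      # placeholder port from the post's first rule
TRAP_PORTS = {8291, 22, 23, 2000, 7547, 11211, 135, 137, 138, 139,
              548, 80, 8080, 81, 37215}  # dst-port list of the RAW1ADD rules
T1, T2 = 17 * 60, 27 * 60                # address-list timeouts, in seconds


class RawPrerouting:
    """Toy model of the six raw prerouting rules, evaluated top to bottom."""

    def __init__(self):
        self.lists = {"RAWATTACK": {}, "RAWATTACK2": {}}  # src -> expiry time

    def _listed(self, name, src, now):
        return self.lists[name].get(src, 0) > now

    def packet(self, now, src, proto, dport):
        if proto == "tcp" and dport == WINBOX_PORT:
            return "accept"                              # rule 1: Winbox always passes
        if self._listed("RAWATTACK", src, now):          # rule 2 (RAW2ADD): escalate
            # Assumption: re-adding an existing entry refreshes its timeout.
            self.lists["RAWATTACK2"][src] = now + T2
        if self._listed("RAWATTACK2", src, now):
            return "drop"                                # rule 3 (RAW2)
        if proto in ("tcp", "udp") and dport in TRAP_PORTS:
            self.lists["RAWATTACK"][src] = now + T1      # rules 4-5 (RAW1ADD)
        if self._listed("RAWATTACK", src, now):
            return "drop"                                # rule 6 (RAW1)
        return "pass"                                    # continues to the filter table


# Constructed trace: (seconds, source, protocol, dst port). 203.0.113.7 is a NAT
# address shared by a scanner and a legitimate user; 198.51.100.9 never probes.
TRACE = [
    (0,    "203.0.113.7",  "tcp", 23),     # scanner hits a trap port
    (60,   "203.0.113.7",  "tcp", 443),    # legitimate user behind the same NAT
    (120,  "203.0.113.7",  "tcp", 65432),  # Winbox from the same address
    (130,  "198.51.100.9", "tcp", 443),    # unrelated client
    (1681, "203.0.113.7",  "tcp", 443),    # after both timeouts have expired
]


def replay(trace):
    fw = RawPrerouting()
    return [fw.packet(*event) for event in trace]
```

Because raw prerouting sees forwarded traffic as well as traffic to the router itself, any trap port that is also port-forwarded to an internal host (80 or 8080, for example) would ban its own visitors.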
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Hacked-Rogue DNS?

Wed Jul 25, 2018 2:07 am

> - Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
> How do you do this? Do you have a script?
> Will this add much CPU load?

Rule 1: Chain=Input, in-interface=ether1, src-add-list=BANNED, action=drop
Rule 2: Chain=Input, in-interface=ether1, proto=tcp, dst-ports=1-79,81-442,444-65535, connection-type=New, action=add-src-ip-to-list, list=BANNED
Rule 3: Chain=input, in-interface=ether1, proto=udp, dst-ports=1-65535, action=add-src-ip-to-list, list=BANNED

Rule 1 is straightforward: drop packets that are in the banned list. I put this under my L2TP/IPSec input rule so that in case I ban myself, I can VPN in and remove myself.
Rule 2 applies to TCP connections with the SYN flag set and applies to all ports except my services.
Rule 3 is the same but for UDP; in my example above I'm expecting no inbound UDP packets.

I thought that since I was using the INPUT filter, inbound NAT forwarded packets would be excluded from this rule, but it seems they're not. So I explicitly define the ports that this rule applies to.

With default config, a rule to allow established and related already exists. I move this up between Rule 1 and 2. Not sure if this is required.

CPU doesn't get impacted much; my clients aren't load demanding. If you host a busy website you may want to do your own tests.

My banned address list sits at 15,000 entries on a HEX router. If you're concerned about memory, set the entries to use dynamic timeouts. If your device becomes unstable, just reboot it and the address list is cleared.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Hacked-Rogue DNS?

Wed Jul 25, 2018 10:20 am

Thanks for the reply.

To me these look like three static rules.
What I do not understand is where the IP and the BANNED list came from.
Or is there some I do understand with this?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hacked-Rogue DNS?

Wed Jul 25, 2018 10:32 am

> Ban all IPs that try to connect to ports with no services listening.

That is a nice exercise to see what is possible with the firewall, but for actual protection of the router it is of course completely useless.
As it also increases the risk (memory overflowing, or locking yourself out because you are behind the same NAT as some kiddie doing a portscan), I would advise against that. The other options mentioned are good.
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Hacked-Rogue DNS?

Wed Jul 25, 2018 2:00 pm

> - Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
> How do you do this? Do you have a script?
> Will this add much CPU load?
> Rule 1: Chain=Input, in-interface=ether1, src-add-list=BANNED, action=drop
> Rule 2: Chain=Input, in-interface=ether1, proto=tcp, dst-ports=1-79,81-442,444-65535, connection-type=New, action=add-src-ip-to-list, list=BANNED
> Rule 3: Chain=input, in-interface=ether1, proto=udp, dst-ports=1-65535, action=add-src-ip-to-list, list=BANNED
>
> Rule 1 is straightforward: drop packets that are in the banned list. I put this under my L2TP/IPSec input rule so that in case I ban myself, I can VPN in and remove myself.
> Rule 2 applies to TCP connections with the SYN flag set and applies to all ports except my services.
> Rule 3 is the same but for UDP; in my example above I'm expecting no inbound UDP packets.
>
> I thought that since I was using the INPUT filter, inbound NAT forwarded packets would be excluded from this rule, but it seems they're not. So I explicitly define the ports that this rule applies to.
>
> With default config, a rule to allow established and related already exists. I move this up between Rule 1 and 2. Not sure if this is required.
>
> CPU doesn't get impacted much; my clients aren't load demanding. If you host a busy website you may want to do your own tests.
>
> My banned address list sits at 15,000 entries on a HEX router. If you're concerned about memory, set the entries to use dynamic timeouts. If your device becomes unstable, just reboot it and the address list is cleared.

Hi,
Do these rules block only port scanners, or do they block the 1-79,81-442,444-65535 port range?
Thanks
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Hacked-Rogue DNS?

Wed Jul 25, 2018 2:12 pm

A port scanner is a device/person/entity which checks ports in a router, so these rules block ports from being discovered and services identified.
