 
prozak
just joined
Topic Author
Posts: 24
Joined: Sat Jan 16, 2010 4:01 am

new vulnerability?

Mon Jul 23, 2018 12:55 am

Hello all.

I've noticed on several routers I have that there's a new vulnerability affecting versions 6.41.3 mostly, I'm not sure before 6.42.6 though.

The attack involves the creation of a schedule and a script fetching a /mikrotik.php every 30 secs under this IP: 95.154.216.160
Has anyone noticed the same?
Is Mikrotik aware of this?
 
msatter
Forum Guru
Posts: 1239
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: new vulnerability?

Mon Jul 23, 2018 1:12 am

Also the same in this topic.

viewtopic.php?f=2&t=137126
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: new vulnerability?

Mon Jul 23, 2018 1:26 am

Yes, this is the Winbox vulnerability from April. You must patch to current as it was fixed in 6.42.1.

About 26 hours ago I had a router exploited and it left the same traces (socks enabled, filter rule position 0 allowing winbox, script fetching that PHP file on schedule). It seems very much like someone preparing a botnet.
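
An added example, not part of the original posts and not MikroTik code: a Python check that scans a text `/export` of a router's configuration for the traces listed in the post above (SOCKS enabled, a first filter rule accepting Winbox, a short-interval scheduler, a script calling `/tool fetch`). The sample export is constructed; the Winbox port 8291 and the 60-second threshold are assumptions.

```python
import re

# Constructed RouterOS "/export" text (not from a real device); 192.0.2.10 is a documentation address.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
/ip socks
set enabled=yes
/system scheduler
add interval=30s name=sched1 on-event=script1
/system script
add name=script1 source="/tool fetch address=192.0.2.10 \
    src-path=/mikrotik.php mode=http"
'''
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def seconds(interval):
    """Convert a RouterOS interval such as '30s' or '1m30s' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", interval))

def sections(export_text):
    """Group config lines under their menu path, e.g. '/ip socks'."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join '\' continuation lines
    out, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line and not line.startswith("#") and current:
            out.setdefault(current, []).append(line)
    return out

def find_traces(export_text):
    """Return the sorted names of the traces from the post found in the export."""
    sec, hits = sections(export_text), set()
    if any(re.search(r"\benabled=yes\b", ln) for ln in sec.get("/ip socks", [])):
        hits.add("socks-enabled")
    rules = [ln for ln in sec.get("/ip firewall filter", []) if ln.startswith("add ")]
    first = rules[0] if rules else ""  # export order is rule order, so this is position 0
    # Assumption: Winbox listens on its default TCP port 8291.
    if all(t in first for t in ("action=accept", "chain=input")) and re.search(r"dst-port=\S*\b8291\b", first):
        hits.add("winbox-accept-at-position-0")
    for ln in sec.get("/system scheduler", []):
        m = re.search(r"\binterval=(\S+)", ln)
        if m and 0 < seconds(m.group(1)) <= 60:  # 60 s threshold is an assumption
            hits.add("short-interval-scheduler")
    for ln in sec.get("/system script", []) + sec.get("/system scheduler", []):
        if "/tool fetch" in ln:
            hits.add("script-fetch")
    return sorted(hits)
```

A hit is a prompt to inspect the device, not proof of compromise: legitimate configurations can also run frequent schedulers or fetch scripts.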
 
msatter
Forum Guru
Posts: 1239
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: new vulnerability?

Mon Jul 23, 2018 1:46 am

If it is that vulnerability then it is also fixed since RouterOS version: 6.40.8 and 6.43rc4
 
vecernik87
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: new vulnerability?  [SOLVED]

Mon Jul 23, 2018 2:36 am

The April vulnerability (or more like the person/group/entity mass-misusing it) was typical with downloading the "update.aspx" page. If this one uses mikrotik.php, it is likely to be a different attacker, who is most probably (but not certainly) using the same vulnerability.

Thanks for sharing.
 
chechito
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: new vulnerability?

Mon Jul 23, 2018 2:59 am

Hello all.

I've noticed on several routers I have that there's a new vulnerability affecting versions 6.41.3 mostly, I'm not sure before 6.42.6 though.

The attack involves the creation of a schedule and a script fetching a /mikrotik.php every 30 secs under this IP: 95.154.216.160
Has anyone noticed the same?
Is Mikrotik aware of this?

Please don't misinform people with these topics.
