popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 2:17 am

I don't know if my router was hacked or what, but I have a dstnat accept rule that keeps showing up in my filter rules. The port number seems random. 16291 was the latest. The first time I saw it I deleted it, but it returns. It looks the same, but every time it returns it has a different port number. I've changed my username and password. All services except winbox and web are disabled. The default port for web access has been changed. The router is an RB493G running very new software. Not the latest but close (I don't like to be the one finding bugs in the latest software).

Not sure what is going on. I don't see any funny connections to the router when I run torch. Not sure what else I should be looking for.
 
andyrosen
just joined
Posts: 2
Joined: Tue Apr 26, 2016 9:29 pm

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 5:04 am

It sounds like your router has been compromised. :-(

I suggest you limit access to Winbox and the web interface to only your management IP and see if the rule recreation stops.

You can limit access by going to IP to Services, opening each service and adding your management IP(s) to the “Available From” field.
 
vecernik87
Long time Member
Posts: 649
Joined: Fri Nov 10, 2017 8:19 am

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 5:43 am

1) What version of RouterOS are you running? (You need at least 6.40.8 in the Bugfix tree or 6.42.1 in the Current tree. You also need to change your password if you were compromised in the past.)
2) Can you export the rule and show us?
3) Any weird files or log entries?

The first thing on my mind was enabled UPnP with a "dummy rule", but that creates a clear comment with every rule...
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 8:35 am

We were running 6.39.2. Are you saying there is an exploit?
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 8:39 am

I'm checking more of our routers and they are compromised as well. Gosh dang it!
Is there a thread I should reference on the best practice on how to deal with this issue?
 
vecernik87
Long time Member
Posts: 649
Joined: Fri Nov 10, 2017 8:19 am

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 8:50 am

Exploits are everywhere in IT, including Cisco. So yes, there is/was a big vulnerability, misused massively. It has already been fixed for several months and you can read more on the forum or shortly summarized on the blog: https://blog.mikrotik.com/
There are many topics all around. I am really surprised you were able to miss them :D I really can't point to one specific topic because there are bits and pieces in many and I already lost track of them. Main topic is viewtopic.php?f=21&t=133533
Make sure to disconnect your device from any non-trusted network before you start proceeding. The safest method will always be Netinstall, as it completely wipes the storage and config so nothing can survive; however, I strongly recommend you read more about the different ways to clean your device.
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 6:20 pm

It's kind of a damned if you do, damned if you don't with MikroTik. We try to keep our software current but the last few upgrades have bricked a number of our 493G, so forgive me if I am hesitant to slap the latest software on there so I can drive 50 miles in the middle of the night to replace a junk router.
Don't really care that Cisco has exploits, I don't use them. I use MikroTik. The fact that Cisco has exploits doesn't make it OK that MikroTik screwed up here big time.

Nothing we can do now but fix the issues. I'd like to see something more specific on how we fix things when issues like this happen. Support is kind of lacking with MikroTik.
 
msatter
Forum Guru
Posts: 1354
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 9:06 pm

The blog has been active for two days and is one brick in the steps that are being taken to improve security. If security problems are known with MikroTik, they will also inform us through that channel and the earlier used channels.

Of course owners can be faster and please inform MikroTik and post in the forum.

You could make a schedule for updating routers in a way that works with your normal maintenance schedule for the routers, so that when an update goes bad you are not that far away and have one or more replacements on hand.

Try to keep a good sensible mix of routers of different revisions on hand so you will know in advance if a revision is not happy with the new firmware.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46.1 / Winbox 3.20 / MikroTik APP 1.3.9
Android device owners, use https://github.com/M66B/NetGuard/releases (no root required)
 
CZFan
Forum Guru
Posts: 1553
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg
Contact:

Re: Filter rule mysteriously created and keeps showing up after I delete

Thu Jul 26, 2018 10:24 pm

Security will always be a "Reactive" process
MTCNA, MTCTCE, MTCRE & MTCINE
 
normis
MikroTik Support
Posts: 24383
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Filter rule mysteriously created and keeps showing up after I delete

Fri Jul 27, 2018 9:23 am

1. Use Input Firewall on all interfaces: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
2. Upgrade RouterOS, with button "Check for updates"
3. Change your password after upgrading
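
The hardening steps suggested in this thread (restricting Winbox and the web interface through "Available From", an input firewall, and the checks asked for earlier), written out as RouterOS CLI commands. This is an added example, not part of any post; the address 192.0.2.10 and the list name `mgmt` are placeholders.

```routeros
# Added example. 192.0.2.10 and the address list "mgmt" are placeholders
# (assumptions); substitute your own management IP or subnet.
# Enable Safe Mode first so a mistake does not lock you out.

# 1. See which services are enabled and from where they are reachable
/ip service print

# 2. Restrict Winbox and the web interface to the management address.
#    "Available From" in Winbox is the address= property on the CLI.
/ip service set winbox address=192.0.2.10/32
/ip service set www address=192.0.2.10/32

# 3. Input firewall: accept replies and management hosts, drop the rest.
#    Rules are evaluated top to bottom; add accept rules for anything else
#    the router itself must serve (for example DNS for LAN clients)
#    before the final drop.
/ip firewall address-list add list=mgmt address=192.0.2.10
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to the router's own traffic"
add chain=input action=accept src-address-list=mgmt comment="management hosts"
add chain=input action=accept protocol=icmp comment="ping"
add chain=input action=drop comment="everything else addressed to the router"

# 4. The checks asked for earlier in the thread: export the rules,
#    then look for unexpected files and log entries.
/ip firewall filter export
/file print
/log print
```

On a router that was already compromised, apply this only after the cleanup and upgrade described above, since restricting access does not remove anything that was left on the device.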