popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

routeros hacked again

Sun Aug 19, 2018 6:56 pm

The original thread was locked. viewtopic.php?f=2&t=137278

I followed the instructions and yet my routers were compromised again. Running 6.42.6
Not sure what's going on but I would appreciate it if you guys could fix this.
 
szt
just joined
Posts: 19
Joined: Mon Aug 06, 2018 9:43 pm
Location: Olomouc, Czech Republic
Contact:

Re: routeros hacked again

Sun Aug 19, 2018 7:02 pm

Have you changed your passwords? The most probable explanation of a repeated hack is repeated use of a previously leaked password.
 
ckinoto
just joined
Posts: 12
Joined: Sat Aug 31, 2013 3:34 pm

Re: routeros hacked again

Mon Aug 20, 2018 4:41 am

I have the same issue. Updated to the last bug-fix release and it is still infected. Changed user and passwords.
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: routeros hacked again

Mon Aug 20, 2018 5:34 am

Yes of course. New username and password. Still hacked.
 
Jotne
Forum Guru
Posts: 1314
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: routeros hacked again

Mon Aug 20, 2018 7:58 am

What has changed in your config?
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
normis
MikroTik Support
Posts: 24375
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: routeros hacked again

Mon Aug 20, 2018 8:57 am

If your device was attacked, then it possibly left some script in your system, which means it's useless to just upgrade and change the password. You should also reconfigure the device, or at least inspect it for anomalies, unknown scripts and files. This is why we added such steps to the original information post: https://blog.mikrotik.com
 
popcorrin
Member Candidate
Topic Author
Posts: 189
Joined: Wed Mar 11, 2009 12:55 am

Re: routeros hacked again

Mon Aug 20, 2018 9:52 pm

Normis, I was just following your instructions. If there was more that should have been done you should have let me know. And please quit locking threads of unresolved problems.
Also, there were no scripts or anything else that stood out on this device.
 
Jotne
Forum Guru
Posts: 1314
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: routeros hacked again

Mon Aug 20, 2018 10:11 pm

This would have helped.

viewtopic.php?f=2&t=66427
 
toxicfusion
Member Candidate
Posts: 138
Joined: Mon Jan 14, 2013 6:02 pm

Re: routeros hacked again

Wed Aug 22, 2018 6:43 am

I will echo these statements. Just had devices with 6.40 & 6.42 hacked. 8291 open to the interwebz, but locked with a secure password... I guess I need to use longer than 12. Sigh.

On one of the hacked routers, the person set up web proxy rules and caused havoc on the network, causing machines to redirect and self-inject the browser with broken SSL or malware.

On another one, it locked out admin users... changed from 'full' to read/write.

All my routers are configured with vast firewall rules and drop all input on the WAN interface that's not DST-NATed (I've done this for years).
 
mducharme
Trainer
Posts: 889
Joined: Tue Jul 19, 2016 6:45 pm

Re: routeros hacked again

Wed Aug 22, 2018 6:55 am

> I will echo these statements. Just had devices with 6.40' & 6.42 hacked. 8291 open to interwebz, but locked with secure password... i guess I need to use longer than 12. sigh
It is not safe to have winbox/ssh/telnet/https/http admin ports on the MikroTik open to the Internet. There's no reason to do so. If you need to allow remote administration, there are two avenues that are more secure:

1. Add an address list for trusted admin IPs (you can use dynamic DNS names in there, e.g. IP Cloud); besides allowing winbox from the local network, allow it from those trusted IPs.
2. Set up some kind of VPN (e.g. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router.

There is never a good reason to open the winbox port to 0.0.0.0/0.
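As an added example (not taken from any post in this thread), this is what point 1 looks like in RouterOS CLI: management ports reachable from the LAN and from a trusted address list only, with unused services switched off. The list name, the interface-list names WAN/LAN, and the addresses and DNS name are assumptions and placeholders.

```routeros
# Added example, not from the thread. Assumes interface lists WAN and LAN exist;
# all addresses and names below are placeholders. Rule order is top to bottom.
/ip firewall address-list
add list=mgmt-allow address=203.0.113.10 comment="office static IP (placeholder)"
# An FQDN entry is resolved by the router and refreshed as its TTL expires, so a
# dynamic-DNS name (e.g. an IP Cloud name) can stand in for a changing road/home IP.
add list=mgmt-allow address=admin-ddns.example.net comment="dynamic DNS name (placeholder)"

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="management from the local network"
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=mgmt-allow comment="winbox and ssh only from trusted admin IPs"
add chain=input action=drop in-interface-list=WAN comment="everything else arriving from the Internet"

# Bind the services themselves as well, so a firewall mistake alone cannot expose them,
# and disable the ones that are not used.
/ip service
set winbox address=192.168.88.0/24,203.0.113.10
set ssh address=192.168.88.0/24,203.0.113.10
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
```

Check the result from the outside with a connection attempt to 8291 from an address that is not on the list; it should time out rather than get a winbox banner, and `/ip firewall address-list print` shows the resolved address next to the DNS entry.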
 
toxicfusion
Member Candidate
Posts: 138
Joined: Mon Jan 14, 2013 6:02 pm

Re: routeros hacked again

Wed Aug 22, 2018 7:16 am

Thank you for the reply. I know the general security rule of thumb: do not leave winbox open to the web. Lock it down to a management ISP (IP) or use RADIUS + AAA, etc. But the issue is when I'm on the road, or there is no office with a static IP to build a strict winbox allow whitelist on the WAN interface.

I'm a small consultant who does work on the side with 100+ MikroTiks in the field.

I'm thinking about configuring a VM in the cloud as a "JUMP" box for winbox / ssh to customer mikrotiks. Set an obscure admin password and then a secondary login as worst case.

Looking into GenieACS now as well...

Was considering also Splynx and integrate to all CPE Routers.
 
mducharme
Trainer
Posts: 889
Joined: Tue Jul 19, 2016 6:45 pm

Re: routeros hacked again

Wed Aug 22, 2018 7:25 am

> I'm thinking about configuring a VM in the cloud as a "JUMP" box for winbox / ssh to customer mikrotiks. Set an obscure admin password and then a secondary login as worst case.
>
> Looking into GenieACS now as well...
Both are very reasonable ideas, you can VPN to your cloud VM and then connect via winbox from that IP. You can use GenieACS to push config changes to a device even if you can't log into it, for instance, adding entries to an address list to allow you to gain access is fairly easy.

Those security precautions are not only what I would take with MikroTik but with any router. Even with specialized firewalls like Fortigate and Check Point, it's a very bad idea to open those admin ports. If you have those admin ports open, you are putting your trust in two things: 1) that nobody has already compromised the device and has a way of monitoring your activity to see what your current username/password is, and 2) that the vendor has made absolutely no mistakes in coding, so that there is no possibility of a buffer overflow attack.

Even if you are sure of #1, you can't be sure of #2, even with the most trusted vendors. Everybody makes mistakes, and it pays to be a bit paranoid when it comes to security.
 
Jotne
Forum Guru
Posts: 1314
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: routeros hacked again

Wed Aug 22, 2018 8:02 am

> 1. Add an address list for trusted admin IPs, you can use dynamic DNS names in there (ex. IP cloud), besides allowing winbox from the local network, allow it from those trusted IPs.
> 2. Set up some kind of VPN (ex. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router
3. You could also use port knocking. Try the right combination of ports and the management port will be open for 5 min to connect.
But as mducharme says, it is a big security risk having management ports open to the internet.
 
mducharme
Trainer
Posts: 889
Joined: Tue Jul 19, 2016 6:45 pm

Re: routeros hacked again

Wed Aug 22, 2018 10:00 am

> 3. You could also use Port knocking. Give the try of right combination of the port and management port will be open for 5 min to connect.
Yes, port knocking is a perfectly fine alternative. It's not a big deal though in modern RouterOS to set up L2TP over IPsec on all of your clients' devices, and then you can VPN to them from anywhere.
 
pe1chl
Forum Guru
Posts: 6143
Joined: Mon Jun 08, 2015 12:09 pm

Re: routeros hacked again

Wed Aug 22, 2018 11:05 am

Of course you should always consider that by using a VPN you shift from trusting the admin service login authentication to trusting the VPN service login authentication.
It could be better because it is more likely to use widely-used and hardened software for that part of the system than for a custom-made admin service, but on the other hand the fact that it is more widely available could mean a weakness is found in some other product and then spreads to MikroTik products.
I sure would prefer using a VPN, and would be more at ease with L2TP/IPsec than e.g. with SSTP or OpenVPN, but still you need to monitor the situation and take action when needed (e.g. quickly update when something is found and an emergency update is released).
 
vecernik87
Long time Member
Posts: 648
Joined: Fri Nov 10, 2017 8:19 am

Re: routeros hacked again

Thu Aug 23, 2018 4:16 am

> Yes, port knocking is a perfectly fine alternative.
No, please! Port knocking is dangerous "security-through-obscurity" practice. You should warn against that, not agree that it is "fine alternative". It is not even "obscure" because every MITM can see the ports being knocked. It has exactly same level of security as sending password in plain-text. And today, nobody would send his password in plain-text.

VPN which you mentioned as well is the only secure possibility if access from public network is needed.
 
Sob
Forum Guru
Posts: 4998
Joined: Mon Apr 20, 2009 9:11 pm

Re: routeros hacked again

Thu Aug 23, 2018 4:40 am

@vecernik87: Not necessarily. The simple static port knocking you can easily set up using the firewall is not very good, that's true. Still, as a basic protection against automated scanners, it can be good enough. But with some intelligent port knocking daemon, you could have a unique knock sequence each time, using e.g. some time-based code. But you currently can't do that with only RouterOS (it would be possible using some external component to which you'd need to send pre-filtered packets and where the evaluation would be performed and then an exception added to RouterOS using the API, but it would not be very practical).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
mducharme
Trainer
Posts: 889
Joined: Tue Jul 19, 2016 6:45 pm

Re: routeros hacked again

Thu Aug 23, 2018 5:07 am

Yes I should have mentioned that - by port knocking I did not mean to endorse a situation where a single packet sent to port 1001 means that port 2012 is now available, because something so simple as that is easy to hack. You would need to set up a more complex port knocking scheme, where you had to access certain ports in a certain unusual order to make the desired port available (a sort of password, based on combination of port numbers in a certain sequence), where it would not occur through normal port scanning algorithms. That's why I suggested VPN again in my reply, because for me it is a lot simpler to set up L2TP/IPsec than some complex port knocking scheme. In current versions of RouterOS, it is complicated to set up an effective port knocking system, and relatively easy to set up functional L2TP/IPsec.
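As an added example (not code from any poster here), this is the ordered multi-port knock that mducharme describes, built from nothing but firewall rules and timed address lists: each knock is only counted while the previous stage's entry is still alive, and the completed sequence opens winbox/ssh for the knocking source for the 5-minute window Jotne mentioned. The knock ports, timeouts and list names are assumed values; the sequence is a fixed shared secret, so it keeps out sequential scanners but not someone who can watch the traffic, which is the weakness vecernik87 and Sob discuss.

```routeros
# Added example, not from the thread. Assumes interface lists WAN and LAN exist.
# Knock ports are deliberately NOT ascending, so a sequential port sweep does not
# walk through the sequence by accident. Rule order is top to bottom.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="local management"

# stage 1: a SYN to the first knock port is remembered for 10 seconds
add chain=input action=add-src-to-address-list address-list=knock-1 address-list-timeout=10s protocol=tcp dst-port=19873 in-interface-list=WAN comment="knock stage 1"
# stage 2: counts only while this source still has a live stage-1 entry
add chain=input action=add-src-to-address-list address-list=knock-2 address-list-timeout=10s protocol=tcp dst-port=48211 src-address-list=knock-1 in-interface-list=WAN comment="knock stage 2"
# stage 3: the full sequence grants management access for 5 minutes
add chain=input action=add-src-to-address-list address-list=mgmt-knocked address-list-timeout=5m protocol=tcp dst-port=7310 src-address-list=knock-2 in-interface-list=WAN comment="knock stage 3"

# Only a source that completed the sequence reaches winbox/ssh; a session opened within
# the 5 minutes survives afterwards because of the established,related rule above.
add chain=input action=accept protocol=tcp dst-port=8291,22 src-address-list=mgmt-knocked in-interface-list=WAN comment="management after a complete knock"
# The knock packets themselves are never accepted: add-src-to-address-list does not
# terminate rule processing, so they fall through to this drop along with everything else.
add chain=input action=drop in-interface-list=WAN comment="everything else arriving from the Internet"
```

To verify, watch `/ip firewall address-list print where list~"knock"` while sending the three SYNs in order from outside; sending them in any other order, or more than 10 seconds apart, should leave mgmt-knocked empty.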
