
routeros hacked again

Posted: Sun Aug 19, 2018 6:56 pm
by popcorrin
The original thread was locked. viewtopic.php?f=2&t=137278

I followed the instructions and yet my routers were compromised again. Running 6.42.6.
Not sure what's going on but I would appreciate it if you guys could fix this.

Re: routeros hacked again

Posted: Sun Aug 19, 2018 7:02 pm
by szt
Have you changed your passwords? The most probable explanation of a repeated hack is repeated use of a previously leaked password.

Re: routeros hacked again

Posted: Mon Aug 20, 2018 4:41 am
by ckinoto
I have the same issue. Updated to the last bugfix release and it is still infected; changed user and passwords.

Re: routeros hacked again

Posted: Mon Aug 20, 2018 5:34 am
by popcorrin
Yes of course. New username and password. Still hacked.

Re: routeros hacked again

Posted: Mon Aug 20, 2018 7:58 am
by Jotne
What has changed in your config?

Re: routeros hacked again

Posted: Mon Aug 20, 2018 8:57 am
by normis
If your device was attacked, then it possibly left some script in your system, which means it's useless to just upgrade and change the password. You also should reconfigure the device, or at least inspect it for anomalies, unknown scripts and files. This is why we added such steps to the original information post: https://blog.mikrotik.com
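An added example, not from this thread or from MikroTik: a RouterOS terminal inspection pass over the places normis names (scripts, files) plus the symptoms reported further down the thread (web proxy rules, redirects, admin users demoted from full to read/write). The expected-user list and the user names in it are placeholders for the operator's own accounts.

```routeros
# Added inspection script (not from the thread). Paste into a RouterOS terminal
# after upgrading; review each section for entries you did not create.
# "expectedUsers" is a placeholder list of the accounts you know you created.
:local expectedUsers {"admin-ops";"monitoring"}

:put "--- scripts (an implant commonly survives here) ---"
/system script print detail

:put "--- scheduler entries (anything that re-runs a script) ---"
/system scheduler print detail

:put "--- files on the router (unknown scripts/binaries) ---"
/file print

:put "--- web proxy state and access/redirect rules ---"
/ip proxy print
/ip proxy access print

:put "--- NAT rules (look for unexpected redirect / dst-nat) ---"
/ip firewall nat print

:put "--- users: flag any not in expectedUsers, or whose group is not 'full' ---"
:foreach u in=[/user find] do={
  :local n [/user get $u name]
  :local g [/user get $u group]
  # :find on an array returns nil when the value is absent
  :if ($g != "full" || [:typeof [:find $expectedUsers $n]] = "nil") do={
    :put ("CHECK: user=$n group=$g")
  }
}
```

Run it once from a console session before changing anything, so the output can be saved as a record of what was found; a clean result in every section is the point at which changing credentials and closing the management ports actually helps.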

Re: routeros hacked again

Posted: Mon Aug 20, 2018 9:52 pm
by popcorrin
Normis, I was just following your instructions. If there was more that should have been done you should have let me know. And please quit locking threads of unresolved problems.
Also, there were no scripts or anything else that stood out on this device.

Re: routeros hacked again

Posted: Mon Aug 20, 2018 10:11 pm
by Jotne
This would have helped.

viewtopic.php?f=2&t=66427

Re: routeros hacked again

Posted: Wed Aug 22, 2018 6:43 am
by toxicfusion
I will echo these statements. Just had devices with 6.40 & 6.42 hacked. 8291 open to the interwebz, but locked with a secure password... I guess I need to use longer than 12. Sigh.

One of the hacked routers: the person set up web proxy rules and caused havoc on the network, causing machines to redirect and self-inject the browser with broken SSL or malware.

Another one: it locked out admin users, changed from 'full' to read/write.

All my routers configured have vast firewall rules and drop all input on the WAN interface that's not DST-NATed (done this for years).

Re: routeros hacked again

Posted: Wed Aug 22, 2018 6:55 am
by mducharme
I will echo these statements. Just had devices with 6.40 & 6.42 hacked. 8291 open to the interwebz, but locked with a secure password... I guess I need to use longer than 12. Sigh.
It is not safe to have winbox/ssh/telnet/https/http admin ports on the MikroTik open to the Internet. There's no reason to do so. If you need to allow remote administration, there are two avenues that are more secure:

1. Add an address list for trusted admin IPs; you can use dynamic DNS names in there (e.g. IP Cloud). Besides allowing winbox from the local network, allow it from those trusted IPs.
2. Set up some kind of VPN (e.g. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router.

There is never a good reason to open the winbox port to 0.0.0.0/0.
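An added RouterOS configuration example, not part of mducharme's post or of any MikroTik documentation, showing option 1 above: a trusted address list that covers the LAN, the VPN client pool and a dynamic DNS name, with the management ports accepted only from that list and dropped from everywhere else. The subnets, the list name and the DNS name are placeholders.

```routeros
# Added example (not from the thread). All addresses, the list name "mgmt-allowed"
# and the DNS name are placeholders to replace with your own values.

# 1. Build the trusted list. RouterOS resolves a DNS name given as an address-list
#    entry and keeps a dynamic entry up to date, so an IP Cloud or other dynamic
#    DNS name of the admin's own site can go here.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="local LAN"
add list=mgmt-allowed address=10.99.0.0/24 comment="L2TP/IPsec client pool"
add list=mgmt-allowed address=admin-site.example.net comment="dynamic DNS name of admin site (placeholder)"

# 2. Accept winbox/ssh/https only from that list, then drop the same ports from
#    everyone else. Keep both rules above any generic input-accept rule.
/ip firewall filter
add chain=input protocol=tcp dst-port=8291,22,443 src-address-list=mgmt-allowed action=accept comment="management from trusted sources"
add chain=input protocol=tcp dst-port=8291,22,443 action=drop comment="management from anywhere else"

# 3. Second layer: bind the services themselves to the same networks and disable
#    the plaintext / unused ones, so a later firewall mistake does not re-expose them.
/ip service
set winbox address=192.168.88.0/24,10.99.0.0/24
set ssh address=192.168.88.0/24,10.99.0.0/24
set www-ssl address=192.168.88.0/24,10.99.0.0/24
disable telnet,ftp,www,api,api-ssl
```

Verify with `/ip firewall filter print stats` after connecting from a trusted and an untrusted source: the accept counter should rise from the trusted side only, and the drop counter from the rest. The `/ip service` binding is deliberately repeated rather than relied on alone, because it does not cover the dynamic DNS entry; the address list does.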

Re: routeros hacked again

Posted: Wed Aug 22, 2018 7:16 am
by toxicfusion
Thank you for the reply. I know the general security rule of thumb: not to allow winbox open to the web, to lock it down to a management ISP (IP) or use RADIUS + AAA, etc. But the issue is when I'm on the road, or there is no office with a static IP to have a strict winbox allow whitelist on the WAN interface..

I'm a small consultant who does work on the side with 100+ MikroTiks in the field.

I'm thinking about configuring a VM in the cloud as a "JUMP" box for winbox / ssh to customer mikrotiks. Set an obscure admin password and then a secondary login as worst case.

Looking into GenieACS now as well...

Was considering also Splynx and integrate to all CPE Routers.

Re: routeros hacked again

Posted: Wed Aug 22, 2018 7:25 am
by mducharme
I'm thinking about configuring a VM in the cloud as a "JUMP" box for winbox / ssh to customer mikrotiks. Set an obscure admin password and then a secondary login as worst case.

Looking into GenieACS now as well...
Both are very reasonable ideas, you can VPN to your cloud VM and then connect via winbox from that IP. You can use GenieACS to push config changes to a device even if you can't log into it, for instance, adding entries to an address list to allow you to gain access is fairly easy.

Those security precautions are not only what I would take with MikroTik but with any router. Even with specialized firewalls like Fortigate and Check Point, it's a very bad idea to open those admin ports. If you have those admin ports open, you are putting your trust in two things: 1) that nobody has already compromised the device and has a way of monitoring your activity to see what your current username/password is, and 2) that the vendor has made absolutely no mistakes in coding, so that there is no possibility for a buffer overflow attack.

Even if you are sure of #1, you can't be sure of #2, even with the most trusted vendors. Everybody makes mistakes, and it pays to be a bit paranoid when it comes to security.

Re: routeros hacked again

Posted: Wed Aug 22, 2018 8:02 am
by Jotne
1. Add an address list for trusted admin IPs; you can use dynamic DNS names in there (e.g. IP Cloud). Besides allowing winbox from the local network, allow it from those trusted IPs.
2. Set up some kind of VPN (e.g. L2TP/IPsec) so that when you are elsewhere you can connect via VPN and admin the router.
3. You could also use port knocking. Try the right combination of ports and the management port will be open for 5 min to connect.
But as mducharme says, it is a big security risk having management ports open to the internet.

Re: routeros hacked again

Posted: Wed Aug 22, 2018 10:00 am
by mducharme
3. You could also use port knocking. Try the right combination of ports and the management port will be open for 5 min to connect.
Yes, port knocking is a perfectly fine alternative. It's not a big deal though in modern RouterOS to set up L2TP over IPsec on all of your clients' devices, and then you can VPN to them from anywhere.

Re: routeros hacked again

Posted: Wed Aug 22, 2018 11:05 am
by pe1chl
Of course you should always consider that by using a VPN you shift from trusting the admin service login authentication to trusting the VPN service login authentication.
It could be better because it is more likely to use widely-used and hardened software for that part of the system than for a custom-made admin service, but on the other hand the fact that it is more widely available could mean a weakness is found in some other product and then spreads to MikroTik products.
I sure would prefer using a VPN, and would be more at ease with L2TP/IPsec than e.g. with SSTP or OpenVPN, but still you need to monitor the situation and take action when needed (e.g. quickly update when something is found and an emergency update is released).

Re: routeros hacked again

Posted: Thu Aug 23, 2018 4:16 am
by vecernik87
Yes, port knocking is a perfectly fine alternative.
No, please! Port knocking is a dangerous "security-through-obscurity" practice. You should warn against that, not agree that it is a "fine alternative". It is not even "obscure", because every MITM can see the ports being knocked. It has exactly the same level of security as sending a password in plain text. And today, nobody would send his password in plain text.

VPN which you mentioned as well is the only secure possibility if access from public network is needed.

Re: routeros hacked again

Posted: Thu Aug 23, 2018 4:40 am
by Sob
@vecernik87: Not necessarily. The simple static port knocking you can easily set up using the firewall is not very good, that's true. Still, as a basic protection against automated scanners, it can be good enough. But with some intelligent port knocking daemon, you could have a unique knock sequence each time, using e.g. some time-based code. But you currently can't do that with only RouterOS (it would be possible using some external component to which you'd need to send pre-filtered packets, where the evaluation would be performed and then an exception added to RouterOS using the API, but it would not be very practical).

Re: routeros hacked again

Posted: Thu Aug 23, 2018 5:07 am
by mducharme
Yes I should have mentioned that - by port knocking I did not mean to endorse a situation where a single packet sent to port 1001 means that port 2012 is now available, because something so simple as that is easy to hack. You would need to set up a more complex port knocking scheme, where you had to access certain ports in a certain unusual order to make the desired port available (a sort of password, based on combination of port numbers in a certain sequence), where it would not occur through normal port scanning algorithms. That's why I suggested VPN again in my reply, because for me it is a lot simpler to set up L2TP/IPsec than some complex port knocking scheme. In current versions of RouterOS, it is complicated to set up an effective port knocking system, and relatively easy to set up functional L2TP/IPsec.