Community discussions

MikroTik App
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 1:54 pm

I have two CCR routers that have been upgraded fully to 6.43.4 and have the routerboard firmware upgraded also. Both units are still exploited. The are no config changes to the router, this is all transparent and going on the background. The way to spot this particular one is to look for people targeting your router port 64312. If your router is hacked with this, port 64312 will be OPEN. It is used as a proxy from the traffic I can see, SMTP and HTTP(S) and other stuff. I can watch with torch and see all the activity.

Is it true that I'm stuck with doing a local in place NETINSTALL to get the router clean?
One unit is 500 Miles away 8(.

Thanks,

- Dan
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26293
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 2:03 pm

Most likely the password was retrieved before you did the upgrade, or some file was planted before, that was still there after upgrade. This is why it's recommended to change password and inspect files + configuration, even if you have upgraded.
 
allstarcomps
newbie
Posts: 36
Joined: Sat Jul 08, 2017 10:36 pm
Location: San Diego, CA, USA
Contact:

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 6:23 pm

Check system-scheduler and system-scripts.

Change the user credentials.

Also change the default winbox port under ip-services. Example 8292

Connect to winbox (IP address):8292
 
uldis
MikroTik Support
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 6:39 pm

check the "IP Socks" configuration if it is enabled on that port.
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 11:03 pm

As I said there is not configuration changes to the router at all. Nothing is visible in the config what so ever with this. The passwords were change and the config has been checked. This completely exploits the router and make not changes to the configuration at all, that is the point. There is no FILE being left behind or an addition to the config, nor any script. The traffic was immediately present after upgrading the firmware. The exploit survives the firmware upgrade just fine of both the OS and the routerboard firmware. No config changes to the router at all, everything that is happening is transparent to winbox and can only witnessed going out of the router with Torch. It looks like the OS has been rooted so to speak.


Running the most current firmware and completely exploited. Has anyone seen this?
 
eddieb
Member
Member
Posts: 305
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Wed Nov 14, 2018 11:15 pm

Yes,

it must have been exploited before the upgrades.
upgrading does not remove the exploits, it just fixes the holes.
IF your device is exploited, the only thing you can do is netinstall
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Thu Nov 15, 2018 12:43 am

If you're correct, this would be new exploit code that I haven't yet seen. It isn't a surprise to me that firmware and RouterOS updates don't remove it. I personally find it a little hard to believe that you have what you think you have because you haven't provided anything concrete except a belief that your router is listening on a port that you don't expect it to. However, I'll be the first to admit it isn't outside the realm of possibility either.

If your router is listening on port 64312, when you connect to it do you get anything? A header, text, or some other data? That might help in identifying what is going on. It would be awesome to get a packet capture of that traffic.
 
tippenring
Member
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Thu Nov 15, 2018 12:53 am

I just checked Shodan. Shodan only lists 7 devices on the internet listening on port 64312. 6 of them are Torrent DHT nodes.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Thu Nov 15, 2018 1:23 am

You should always netinstall after a compromise. Mikrotik have stated that there are ways to get OS root access once you have winbox access, so processes at that point aren't visible to RouterOS - even after upgrading there may be a persistent backdoor. Formatting / netinstall is the only safe way (until hackers also start compromising the Routerboot firmware...)
 
hammer185
just joined
Posts: 19
Joined: Wed Sep 13, 2006 8:28 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Thu Nov 15, 2018 3:23 am

Consider not helping destroy evidence in evaluating suggestions.
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 8:10 am

I have already submitted supout files for both routers and the response I got back from them says they didn't read my message in the first place. "Check the proxy, config, etc". The only way I know it's active is the output traffic from it's preferred IP address, and the fact that port 64312 is open. I can telnet to it and connect but it doesn't say anything and disconnects when you send a line. I have two IP addresses on the router, the exploit only talks on the preferred IP. I have that blocked via the output chain in the firewall but can still reach the device and verify the port via the second IP address. If I remove the blocks connections pour in over 64312 and the router initiates a bunch of HTTP, HTTPS, IMAPS, and SMTP connections. The routers does not NAT any user traffic except for DNS port 53. So it shouldn't have any of this traffic. It's blocked via the output chain when it shouldn't be there at all.

Both routers run a satellite connection for a rural ISP, that critter has got to go.

I tried using reset to force a netinstall on one of the yesterday. When reset is held in the unit will not BOOT, it had to be power cycled for it to become active again. This did erase the config. Once setup again the unwanted traffic was still active.

torch.gif
torch2.gif
You do not have the required permissions to view the files attached to this post.
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 10:11 am

I am in a dialog with support and they are not reading what I typed in regard to the router and it's symptoms. They are simply not reading or interpreting English correctly in this case. It's frustrating then I tell him there are no configuration changes and he tells me to look on my network for the device making the traffic. This is after telling them that the traffic able to be blocked in the output chain of the router. I can talk till I'm blue in the face he is either ignoring what I'm typing or language is the problem.

I'm going to NETINSTALL and wipe them both out in the next couple of days, I can't communicate with them ( MIKROTIK SUPPORT Ticket#2018111422008078) well enough to their attention in spite of giving them everything and more.

I would like to have more confidence that they can handle issue like this more aptly, I mean they did get hacked repeatedly just recently right? You would think they would pay better attention to issues like this when reported and support files are provided..
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 10:17 am

Yes,

it must have been exploited before the upgrades.
upgrading does not remove the exploits, it just fixes the holes.
IF your device is exploited, the only thing you can do is netinstall
Last edited by danno99503 on Fri Nov 16, 2018 11:51 am, edited 1 time in total.
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1616
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 11:16 am

We have received your complaint and replied to your message.

Your router is not hacked. Your router does not have firewall protection. Not only 64312 port is open but also many others.

Seems that you have tried to protect your router, however, firewall rule that you added is configured on forward chain, not for incoming traffic.

I will not post your firewall rules or list other ports that are opened for anyone to access here. Please follow the steps that my colleague has provided to you as an answer to your support ticket.

NOTE: Traffic showed on Torch is traffic "before" firewall. Torch shows all the traffic received on this interface. If someone tries to send traffic to a closed port, then it will still show up in Torch.
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 12:04 pm

THIS:
NOTE: Traffic showed on Torch is traffic "before" firewall. Torch shows all the traffic received on this interface. If someone tries to send traffic to a closed port, then it will still show up in Torch.
is probably most valuable statement I have heard since all those vulnerabilities outrage. Please, could you put that on wiki?Or maybe even better - update the packet flow image so it is clear, where the torch and packet sniffer are applied.
 
danno99503
just joined
Topic Author
Posts: 11
Joined: Thu Aug 30, 2018 9:45 am

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)  [SOLVED]

Fri Nov 16, 2018 12:19 pm

Mikrotik support is correct. If I had followed their instructions fully I would caught the configuration change that I overlooked. They were spot on, it was my mistake.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26293
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: TWO CCRs FULLY UPGRADED AND STILL EXPLOITED (ROOTED)

Fri Nov 16, 2018 1:32 pm

Thank you for the update. Yes, the info about Torch will be added to the manual

Who is online

Users browsing this forum: baragoon, FranMercedesG, GoogleOther [Bot], Soleous75 and 86 guests