 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

6.43.8 vulnerability or hack?

Tue Jan 22, 2019 1:58 pm

I have an RB that has been attacked twice in two months.
I don't have an export, but:
1. The RB is dst-natted with port 8292 to 8291.
2. There's a simple firewall that drops invalid connections, then accepts connections from a src-address list, accepts ICMP, established and related, and drops input.
3. Only the winbox, telnet, ssh and api services are enabled (but only 8291 is reachable from the Internet).
4. ROS 6.43.8

The RB has been attacked by someone who:
1. Added a user called "admin" with group full
2. Redirected port 80 requests to port 8080
3. Set up a web proxy
4. Sniffed all interfaces, sending the file to 185.21.109.18

What can I do to block him?
Last edited by Redmor on Tue Jan 22, 2019 3:44 pm, edited 1 time in total.
 
eddieb
Member
Posts: 327
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 2:08 pm

Perhaps you should not use the word "vulnerability" until it is confirmed ...
Until now you can only call it "hacked" ...
And the reason for that is not clear.

PS:
Send an email to support@mikrotik.com for help; this is a user forum, not a support forum.
 
Arcee
Member Candidate
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 2:15 pm

You should really rename this thread to "I have been hacked" and try to figure out what you did wrong in the configuration.

Why have Winbox open to the world?

Sent from my Pixel 2 using Tapatalk


 
pegasus123
Frequent Visitor
Posts: 58
Joined: Tue Jul 24, 2018 7:02 am

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 2:32 pm

Well, we know for a fact that Winbox in the previous version has a vulnerability. Opening this to the world is like waiting for this to happen. What you said may or may not be true.

You should set up a VPN instead, like PPTP, OVPN, etc. Much safer.
Last edited by pegasus123 on Tue Jan 22, 2019 2:36 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 2:34 pm

I agree, until you know more that title is speculation and unnecessary.
It could be just as accurate to state, IM AN INSECURE ADMIN HELP.

Why would you leave Winbox open to the internet?
Did you at least use port knocking techniques?
Why was access not via VPN?

Was the router hacked previously and not reconfigured via netinstall??
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 3:31 pm

Guys, please.

1. If the reason is unknown, it's not a hack until you spot what's wrong in the config.
2. I have the same config everywhere.
3. Winbox is not open to the world; I have an accept rule with a src-address list of the public IPs (exactly 4) that I use to connect.
4. Everything in input is dropped except ICMP, port 2000 for bandwidth test, established, related and broadcast connections, and DNS only on LAN interfaces.
5. The only port exposed to the Internet is 8291; the RB hasn't got a public IP, plus it has a firewall that should drop everything and accept only 8291 connections from the address list.

How can I be hacked? For God's sake, one port open, with a firewall; it's obviously a vulnerability.
The router has been hacked using a vulnerability before 6.43.8; should I NetInstall it?
Edited the title, by the way.
Last edited by Redmor on Tue Jan 22, 2019 3:45 pm, edited 2 times in total.
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 3:37 pm

> I agree, until you know more that title is speculation and unnecessary.
> It could be just as accurate to state, IM AN INSECURE ADMIN HELP.
>
> Why would you leave Winbox open to the internet?
> Did you at least use port knocking techniques?
> Why was access not via VPN?
>
> Was the router hacked previously and not reconfigured via netinstall??

1. Winbox isn't open to the Internet; I have a firewall that accepts only connections from my address list.
2. I don't use port knocking.
3. I don't need VPN access for this; I'm the ISP of the customer.
4. Yes, but I don't know if it's the same vulnerability that was spotted in April. I already found alexey attacks that block that vulnerability with the firewall, but this isn't the case.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 4:03 pm

Currently there are no new known winbox port vulnerabilities.
If you are sure that after the first hack you reinstalled the router and changed the login credentials, then contact support.
There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 5:00 pm

> Currently there are no new known winbox port vulnerabilities.
> If you are sure that after the first hack you reinstalled the router and changed the login credentials, then contact support.
> There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.

mrz, are you sure you are MT support LOL. From all my simple readings, a re-install does not cure a properly hacked unit (from the hacker's perspective); one needs to do a NET INSTALL (which I gather erases memory that a normal reinstall doesn't touch??)
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 5:04 pm

> > I agree, until you know more that title is speculation and unnecessary.
> > It could be just as accurate to state, IM AN INSECURE ADMIN HELP.
> >
> > Why would you leave Winbox open to the internet?
> > Did you at least use port knocking techniques?
> > Why was access not via VPN?
> >
> > Was the router hacked previously and not reconfigured via netinstall??
>
> 1. Winbox isn't open to the Internet; I have a firewall that accepts only connections from my address list.
> 2. I don't use port knocking.
> 3. I don't need VPN access for this; I'm the ISP of the customer.
> 4. Yes, but I don't know if it's the same vulnerability that was spotted in April. I already found alexey attacks that block that vulnerability with the firewall, but this isn't the case.

Sorry to hear about your issue, Redmor. However, for router access, I wouldn't count on source-list protection as being a good security practice. Perhaps for a server of some sort that is isolated from one's LAN that may be sufficient, assuming that the server has a credentials login, BUT for the router NO EFFING WAY. :-)

I just wanted to comment that you seemed to indicate you made an accept rule for your address list??
You should do that all on the NAT rule.....
ex.
add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \
in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_Panel \
to-addresses=192.168.z.zz
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 5:06 pm

Anav ... should mrz explain again and again, step by step, what to do when you are hacked, or could we expect that the author is aware of https://blog.mikrotik.com/
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 5:25 pm

> > Currently there are no new known winbox port vulnerabilities.
> > If you are sure that after the first hack you reinstalled the router and changed the login credentials, then contact support.
> > There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.
>
> mrz, are you sure you are MT support LOL. From all my simple readings, a re-install does not cure a properly hacked unit (from the hacker's perspective); one needs to do a NET INSTALL (which I gather erases memory that a normal reinstall doesn't touch??)

If you are talking about malware, then:
"Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability"

If you are talking about a configuration change, then of course those need to be corrected, or the router should be netinstalled and configured from scratch.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 5:26 pm

Concur BartoszP, of course the OP should have his ....... ......... whacked for not using netinstall after being hacked in the past. This has been documented on almost every thread on the subject and in the blog and and and and and............................ Furthermore, relying on source address list protection for the router is cwazee!! At least for {insert your deity of choice} sake use the minimum of port-knock lol. But for the supposed MT support person to be 'loose' with lingo,,,,,,,,, hmmm perhaps he needs remedial training as re-install is not = net install.
No hard feelings mrz, nothing that cannot be solved by a few shots of schnapps (probably two for me and I would be under the table).
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability

Tue Jan 22, 2019 9:41 pm

> > > I agree, until you know more that title is speculation and unnecessary.
> > > It could be just as accurate to state, IM AN INSECURE ADMIN HELP.
> > >
> > > Why would you leave Winbox open to the internet?
> > > Did you at least use port knocking techniques?
> > > Why was access not via VPN?
> > >
> > > Was the router hacked previously and not reconfigured via netinstall??
> >
> > 1. Winbox isn't open to the Internet; I have a firewall that accepts only connections from my address list.
> > 2. I don't use port knocking.
> > 3. I don't need VPN access for this; I'm the ISP of the customer.
> > 4. Yes, but I don't know if it's the same vulnerability that was spotted in April. I already found alexey attacks that block that vulnerability with the firewall, but this isn't the case.
>
> Sorry to hear about your issue, Redmor. However, for router access, I wouldn't count on source-list protection as being a good security practice. Perhaps for a server of some sort that is isolated from one's LAN that may be sufficient, assuming that the server has a credentials login, BUT for the router NO EFFING WAY. :-)
>
> I just wanted to comment that you seemed to indicate you made an accept rule for your address list??
> You should do that all on the NAT rule.....
> ex.
> add action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \
> in-interface-list=WAN log=yes protocol=udp src-address-list=Solar_Panel \
> to-addresses=192.168.z.zz

In this particular case I have a dst-nat with dst-port 8292 and to-ports 8291 (for example to-addresses 192.168.88.2) and no other ports forwarded.
Then on 192.168.88.2 I have an address list with my public IP, an accept rule in chain input with src-address-list set to the one with my IP and action accept (everything that comes from my public IP), then rules like the defconf firewall, plus ICMP accept on input and TCP 2000 accept for bandwidth tests.
If I set an address list on the dst-nat I should avoid the hack, unless the hacker tries to hack the RB that is NATting; in that case I have the same problem.
I don't know if adding allowed addresses to local users would solve the problem; I don't know if the hacker got my password or used a vulnerability that bypasses login (no log because of the hacker's scripts).

I obviously can't NetInstall every RB that I have around, and updating RBs that are more than 100 km away is always a risk, so I can't do that for 3000+ RBs at the same time and then run to replace them in case of a bootloop or something else.

I need to be sure which vulnerability has been used (as I said, it was attacked before 6.43.8; I didn't know until today) and then modify my firewall to prevent it.

So I'm asking if someone has experienced a hack like this, and for all information about it.
I've also found schedulers that, on startup and every day, fetch the hacker's files again, and there was also a packet sniffer.
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 9:43 pm

> > Currently there are no new known winbox port vulnerabilities.
> > If you are sure that after the first hack you reinstalled the router and changed the login credentials, then contact support.
> > There are cases where routers get "hacked" even after an upgrade, because already stolen credentials were not changed.
>
> mrz, are you sure you are MT support LOL. From all my simple readings, a re-install does not cure a properly hacked unit (from the hacker's perspective); one needs to do a NET INSTALL (which I gather erases memory that a normal reinstall doesn't touch??)

The best thing to do is to take the RB, burn it and use another one, updated.
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability or hack?

Tue Jan 22, 2019 9:48 pm

> Anav ... should mrz explain again and again, step by step, what to do when you are hacked, or could we expect that the author is aware of https://blog.mikrotik.com/

"Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable"

I want to know what makes the defconf firewall secure and not mine. If someone from support said that the defconf firewall is secure, and this one has everything that makes it as secure as the defconf one, then there are two possibilities:

1. The defconf firewall isn't secure
2. There's a new vulnerability

I have been attacked twice on this RB, and on some others by another hacker (alexey); every RB has got this firewall:
/ip firewall filter
add action=drop chain=input comment=INVALID connection-state=invalid disabled=no
add action=accept chain=input comment="ADMIN" disabled=no src-address-list=admin
add action=accept chain=input comment="Bandwidth Test" disabled=no dst-port=2000 protocol=tcp
add action=accept chain=input comment=ICMP disabled=no protocol=icmp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=accept chain=input comment=ESTABLISHED connection-state=established disabled=no
add action=accept chain=input comment=RELATED connection-state=related disabled=no
add action=accept chain=input comment=BROADCAST disabled=no dst-address=255.255.255.255
add action=drop chain=input disabled=no
In the config above, ether1 is the LAN interface.
The admin address list has some public and private IPs that are used for the API, my Winbox connection and Dude monitoring.
If you have any suggestions, please post them as config.
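One way to apply the suggestions made earlier in this thread (anav's point that the source restriction belongs on the dst-nat rule itself, and Redmor's question about per-user allowed addresses) as an added configuration example. This is not a post from the thread nor MikroTik's own documentation: it assumes an interface list named WAN, the address list "admin" and the inner router at 192.168.88.2 mentioned above; the 203.0.113.x addresses, the user name "myadmin" and the comments are placeholders to replace with your own.

```routeros
# Added example, not the thread's own configuration.
# Goal: the Winbox forward (8292 -> 8291) and the inner router's login path
# are each restricted to the admin addresses, so a probe from anywhere else
# never reaches Winbox on either box, and a stolen password is useless
# unless it is used from an admin address.

# ---------- On the NATting router (the one with the public IP) ----------
/ip firewall address-list
add list=admin address=203.0.113.10 comment="admin workstation 1 (placeholder)"
add list=admin address=203.0.113.11 comment="admin workstation 2 (placeholder)"

/ip firewall nat
# src-address-list on the dst-nat rule: only admin sources are translated;
# every other source falls through and is handled by the input chain below.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=8292 \
    src-address-list=admin to-addresses=192.168.88.2 to-ports=8291 \
    comment="Winbox to inner RB, admin sources only"

/ip firewall filter
# Place this above any generic accept in chain input: it logs probes on the
# forwarded port from non-admin sources (the negated list match) and drops them.
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=8292 \
    src-address-list=!admin log=yes log-prefix="WINBOX-PROBE" \
    comment="drop and log non-admin Winbox attempts"

# ---------- On the inner router (192.168.88.2) ----------
# dst-nat keeps the original source address, so the inner router still sees
# the admin workstation IPs and can enforce them independently.
/ip service
set winbox address=203.0.113.10/32,203.0.113.11/32,192.168.88.0/24
set api address=203.0.113.10/32,203.0.113.11/32
# Telnet is cleartext and, per the thread, not used from outside: disable it.
set telnet disabled=yes

/user
# Per-user allowed-address: the account cannot log in from any other source
# even if its password has been stolen.
set [find name=myadmin] allowed-address=203.0.113.10/32
```

The two layers are deliberately redundant: if the NATting router is itself replaced or misconfigured, the inner router's service address restriction and the per-user allowed-address still hold, which is the case Redmor raises above ("unless the hacker tries to hack the RB that is NATting").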
 
trace323
Frequent Visitor
Posts: 53
Joined: Thu May 07, 2015 5:52 pm

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 1:57 am

You might want to change your username and password. That's the only way they are infecting the MikroTik again.

I have over 5000 MikroTiks on 6.43.8, no issues at all with getting infected.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 8:27 am

1) Defconf protects only the public interface.
2) Defconf doesn't protect device from within. If you were hacked a year ago, cleared the config but left one script in the device, it could have reconfigured itself even after you installed a better firewall and upgraded.
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 3:39 pm

normis,

https://blog.mikrotik.com/security/new- ... ility.html there's a point that says: "Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable"

Is my firewall as secure as defconf? Please tell me what you think.

Replies:

1) I set the firewall on the public interface.
2) The device has got the firewall I've posted, even if it's behind NAT.
3) I've found other RBs hacked; after removing all unusual config and updating, they have been hacked again.

In all cases I have this firewall; it's very similar to the defconf one, so if what is written on blog.mikrotik.com is true, there's another problem.
Just tell me if this firewall is as secure as the defconf one, remembering that the src-address-list admin contains only 3 public IPs that I use.
/ip firewall filter
add action=drop chain=input comment=INVALID connection-state=invalid disabled=no
add action=accept chain=input comment="ADMIN" disabled=no src-address-list=admin
add action=accept chain=input comment="Bandwidth Test" disabled=no dst-port=2000 protocol=tcp
add action=accept chain=input comment=ICMP disabled=no protocol=icmp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=udp
add action=accept chain=input comment=ESTABLISHED connection-state=established disabled=no
add action=accept chain=input comment=RELATED connection-state=related disabled=no
add action=accept chain=input comment=BROADCAST disabled=no dst-address=255.255.255.255
add action=drop chain=input disabled=no
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 4:52 pm

Are you hard of hearing........?

Normis has made it quite clear that a router out of the box is good to go regarding security from the public interface.
In other words, it can be used without concern of hacking from external sources.

If the admin then changes the rules and, for example, ADDS external access in an unsafe manner, then the router could be hackable. From my readings this was one of the major problems with many of the MT reported hacks.
If the admin does not secure access to the router internally, and a device behind the router is hacked due to phishing, going to unsafe sites etc., then the router could be vulnerable from the inside, but I am not sure how that happens. There are easy ways to mitigate this.........
Most people only allow specific LAN IPs to Winbox. They use a different username and password from the default etc........

Finally, and this is the point you keep missing, if the router has been hacked in the past, changing the config, resetting to defaults, updating to the latest firmware WILL PROBABLY NOT WORK to remove the hack.

You need to use NET INSTALL, which wipes internal memory not touched by all the other methods.

In summary, your FW can be the most elegant setup in the world, the safest and most secure setup ever, but it's completely useless if NET INSTALL was not used, as the bad guy has a backdoor into your router sitting there waiting for you to turn the unit on and connect to the net.
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 5:15 pm

Side remark/question here:

1.)
Instead of netinstall (need to press that button, set IP on the computer), is a downgrade and then an upgrade of ROS equivalent to netinstall, and does it erase all internal memory safely?

2.)
I assume once you have a clean router, if you use a "backup" taken on an infected router, could hidden SW/memory be installed again? (I am not talking about the normal settings a hacker could have injected like additional users, scripts etc.)
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 5:27 pm

1) I ALWAYS said that this hacked RB, even if behind dst-nat, has got the firewall that I've posted, so it isn't open to the internet; access is restricted.
2) I don't use the default username admin.
3) I don't use backup files or exports to reconfigure; I have exports, but I rewrite the whole configuration by hand.

I only want to know, now, why my firewall isn't secure against the April 18 vulnerability while someone from support wrote on blog.mikrotik.com that the defconf firewall prevents attacks regardless of ROS version.
I know that using Net Install is the best thing in this case, but I want to know if my firewall is secure enough or I have to update 3K+ RBs.
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 5:38 pm

> Side remark/question here:
>
> 1.)
> Instead of netinstall (need to press that button, set IP on the computer), is a downgrade and then an upgrade of ROS equivalent to netinstall, and does it erase all internal memory safely?
>
> 2.)
> I assume once you have a clean router, if you use a "backup" taken on an infected router, could hidden SW/memory be installed again? (I am not talking about the normal settings a hacker could have injected like additional users, scripts etc.)

#1: I don't think so. Netinstall does a low-level format, whereas downgrade/upgrade is only an extra step to a ROS version change. I'd go with Netinstall.
#2: I'm willing to bet on "no". If netinstall is required to flush hidden stuff, I'd think that backup/restore, aside from what you've mentioned, would not bring the hidden hacks back. But I'd like to have MT's opinion on this.

Cheers,
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 6:35 pm

> #2: I'm willing to bet on "no". If netinstall is required to flush hidden stuff, I'd think that backup/restore, aside from what you've mentioned, would not bring the hidden hacks back.

While you might be right about hidden backdoors not being stored in the backup file, the problem is that backup files are binary and it's hard to be sure there aren't some scripts in them that would reinstate the hidden backdoor. Who knows, a deeply hidden backdoor might change the behaviour of /system backup ...

So when one goes to the level of precaution of netinstalling the device, it would be paranoia of the same level not to use a configuration backup which one cannot verify for malicious contents.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 8:32 pm

> > #2: I'm willing to bet on "no". If netinstall is required to flush hidden stuff, I'd think that backup/restore, aside from what you've mentioned, would not bring the hidden hacks back.
>
> While you might be right about hidden backdoors not being stored in the backup file, the problem is that backup files are binary and it's hard to be sure there aren't some scripts in them that would reinstate the hidden backdoor. Who knows, a deeply hidden backdoor might change the behaviour of /system backup ...
>
> So when one goes to the level of precaution of netinstalling the device, it would be prudent to also not use a configuration backup which one cannot verify for malicious contents.

Thank you Sir!
A breath of fresh air in a stale room! (fixed one word for you though)
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 8:42 pm

> ... fixed one word for you though

Easy for you to fix language slips ... even for a Canadian one can assume with a high level of confidence that he is a native English speaker, whereas for a resident of continental Europe one can hardly do the same.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: 6.43.8 vulnerability or hack?

Wed Jan 23, 2019 9:52 pm

> > ... fixed one word for you though
>
> Easy for you to fix language slips ... even for a Canadian one can assume with a high level of confidence that he is a native English speaker, whereas for a resident of continental Europe one can hardly do the same.

I am sure your spoken and written English is far superior to my basic French writing and speaking and my basic Spanish speaking. "Mein namma ist Anav" is all the German I know besides the usual, Milch and German football clubs LOL. As for the rest, I'm only interested when those of the opposite gender speak English with a native accent...... So sizzling hot!!!
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: 6.43.8 vulnerability or hack?

Thu Jan 24, 2019 12:34 pm

RouterOS can't know which config was added by you and which was added by a rogue user, so either you check the config by hand or clear all of it. RouterOS can remove tools and scripts and such.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: 6.43.8 vulnerability

Thu Jan 24, 2019 7:00 pm

> You should set up a VPN instead, like PPTP, OVPN, etc. Much safer.

This is just as unsafe (if not worse) as opening Winbox. PPTP, OpenVPN, IPsec etc. are all custom MikroTik implementations of protocols, just like Winbox, except with much more complexity. I have no doubt serious security flaws exist in them; just no one has taken the time to look for them yet.
 
Redmor
Member Candidate
Topic Author
Posts: 256
Joined: Wed May 31, 2017 7:40 pm
Location: Italy

Re: 6.43.8 vulnerability or hack?

Thu Jan 24, 2019 9:45 pm

> RouterOS can't know which config was added by you and which was added by a rogue user, so either you check the config by hand or clear all of it. RouterOS can remove tools and scripts and such.

But in /export it's easy to see what a rogue user did.
 
mkx
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: 6.43.8 vulnerability or hack?

Thu Jan 24, 2019 11:08 pm

> > RouterOS can't know which config was added by you and which was added by a rogue user, so either you check the config by hand or clear all of it. RouterOS can remove tools and scripts and such.
>
> But in /export it's easy to see what a rogue user did.

It is. And it's up to the router's legitimate administrator to decide which part of the configuration is legitimate and which part is not. That's not something to be done by an upgrade procedure prepared by MT for an unknown device with an unknown purpose.
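The by-hand check normis and mkx describe can be narrowed down with a script run on the router itself, since the thread already lists what the attacker-added configuration looked like: a full-group user, schedulers that re-fetch files, a dst-nat redirect of port 80, a web proxy, and a packet sniffer streaming to an outside address. The following is an added example, not code from the thread or from MikroTik. It only prints and logs; it assumes that `$knownUsers` is filled with your own administrative accounts, and that the sniffer properties are named `streaming-enabled` and `streaming-server` as shown by `/tool sniffer print`.

```routeros
# Added example (not from the thread): read-only audit of the objects this
# thread reports as attacker-added. Paste into a terminal or save under
# /system script and run it; compare each line with what you configured.

# Placeholder: your own administrative accounts (assumption, edit to match)
:local knownUsers {"netadmin";"monitoring"}

# 1. Users in the "full" group that are not on the known list
#    (:find returns nil when the name is not in the array)
:foreach u in=[/user find where group="full"] do={
    :local n [/user get $u name]
    :if ([:typeof [:find $knownUsers $n]] = "nil") do={
        :put ("UNEXPECTED FULL-GROUP USER: " . $n)
        :log warning ("audit: unexpected full-group user " . $n)
    }
}

# 2. Every scheduler and script: the thread saw schedulers that re-fetch
#    the attacker's files at startup and daily, so review each on-event body
:foreach s in=[/system scheduler find] do={
    :put ("SCHEDULER: " . [/system scheduler get $s name] . " interval=" . [/system scheduler get $s interval])
    :put ("    on-event: " . [/system scheduler get $s on-event])
}
:foreach s in=[/system script find] do={
    :put ("SCRIPT: " . [/system script get $s name])
}

# 3. dst-nat rules touching port 80 (the thread saw 80 redirected to 8080)
:put "DSTNAT RULES ON PORT 80:"
/ip firewall nat print detail where chain=dstnat dst-port=80

# 4. Web proxy and packet sniffer state
:if ([/ip proxy get enabled]) do={
    :put ("WEB PROXY ENABLED on port " . [/ip proxy get port])
}
:if ([/tool sniffer get streaming-enabled]) do={
    :put ("SNIFFER STREAMING TO " . [/tool sniffer get streaming-server])
    :log warning ("audit: sniffer streaming to " . [/tool sniffer get streaming-server])
}

# 5. Files on flash: anything you did not upload yourself deserves a look
:foreach f in=[/file find] do={
    :put ("FILE: " . [/file get $f name] . " (" . [/file get $f type] . ", " . [/file get $f size] . " bytes)")
}
```

This complements, rather than replaces, the netinstall advice given above: the script can only show configuration that RouterOS itself reports, so a device whose system files are suspect still needs a fresh install, after which the same script gives a baseline to compare against later.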
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: 6.43.8 vulnerability or hack?

Fri Jan 25, 2019 1:06 am

> If you are talking about malware, then:
> "Simply upgrading RouterOS software deletes the malware, any other 3rd party files and closes the vulnerability"

With old versions having root exploits, it's entirely possible for the malware to protect itself and persist after an upgrade. Any compromised device should be netinstalled for security (until we end up with malware that persists in the bootloader...)
