Hello

Today i noticed that my home router (RB962UiGS) was hacked. It was running OS version v6.37.1 and current firmware was 3.29.
The hacker or who ever it was have created a script that is called "7wmp0b4s.rsc" and scheduled to run at every hour.

They have established a IPsec tunnel to my gateway and from what i can see in the logs there has been plenty of diffrent login attempts from diffrent IP's.

How did this happend?
And what can i do to prevent this from ever happening again?
However, keep in mind i had a strong password.

Screenshots below


Thanks
Defraged

RouterOS 6.37.1 is from nov 2016 almost 4 years old.
The Mikrotiks were hacked worldwide several times since then: https://www.bankinfosecurity.com/crypto ... rs-a-11627
The hackers keep taking over unpatched Mikrotik routers.
Get your software up to date.

Since then, despite clear and persistent warnings from security researchers as well as MikroTik, hundreds of thousands of its routers remain unpatched and are being actively targeted by attackers, security researchers say.


A strong password will not protect you in any way against an exploit. A vulnerability let hackers bypass mostly all security mechanisms. (It's not just a brute force password attack, its bypassing all checks.)

Only netinstall of your device can save the device. Upgrade/downgrade/reset is at the RouterOS layer, the exploit probably is hidden in the unreachable Linux layer.

It was running OS version v6.37.1 and current firmware was 3.29.
...
How did this happend?
...
However, keep in mind i had a strong password.

A number of vulnerabilities, including ones allowing to break in without knowing the password, has been fixed since 6.37.1, so this is the most likely reason - along with firewall rules which did not block access to management services from the internet.

A less likely possibility is cross-platform malware, which you might have downloaded to your PC from an infected web page, which has attacked your router from the LAN side, and may even have keylogged the password as you were typing it in.

And what can i do to prevent this from ever happening again?

Now export (not backup) the current configuration into a file, download the file to your PC, and then netinstall the router with the long-term version of RouterOS. Use the default configuration of that version and only modify it with what is really necessary - your saved export will help you with that. Do not import the file with the export as a whole, just use it as an information source.

The only way how to keep the router secure against attacks from LAN is to manage it only via serial port or to dedicate an Ethernet interface for management, and disable access to management services also from the "regular LAN".

First thing you need to do is remove the MT from the internet connection.
The next thing you need to do is NET REINSTALL with the latest firmware.
So download the latest firmware from Mikrotik and then conduct the NETINSTALL process.

Once done, then start from scratch to redo your network setup.
If you have saved a config you can use that as a guide to help you reconstruct the config.

Use the default rules provided for now until we can get you sorted.

Typically add a different username from admin and for this use a different password not used before.

Then come back for more help!! to make sure you stay secure.

The CIA hacks many routers, incl. MikroTik routers.
And: the CIA tools have been stolen and now blackhat hackers worldwide use them.
Search for details of CVE-2018-14847 and CVE-2019-3943
S.a.
https://wikileaks.org/ciav7p1/
viewtopic.php?t=119308
viewtopic.php?t=119255

You should allow access to the device only from LAN, or even only from a single LAN-IP, or just a few LAN-IPs.
And keep only secure services, and disable unsecure ones like telnet.
See
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
https://help.mikrotik.com/docs/display/ ... our+router

Are you sure i need to do a clean netinstall to save the device?
According to MikroTik i should

1. Upgrade
2. Change Password
3. Make sure winbox is only accessed from my network

I just want to make my information right, thanks for all replys and i've already learned alot.

Are you sure i need to do a clean netinstall to save the device?
According to MikroTik i should

1. Upgrade
2. Change Password
3. Make sure winbox is only accessed from my network

I just want to make my information right, thanks for all replys and i've already learned alot.

See the youtube presentation as mentioned in here. (The whole Vault7 thread might also interest you)
viewtopic.php?t=119308#p721918

If you don't have time to watch:
- There was no authorisation needed for the exploit (no username/password needed)
- Netinstall is the only way to remove exploits
- Start with the default firewall, which is blocking access from interfaces in the WAN interface list.
.....as a beginning ....

[joking]
I am using Windows 95, they have been working great for the last 25 years without any updates!
I've also been using no firewall, since firewalls are for newbs.

But, today I logged in only to find out that they were hacked!

How could this have happened???
[/joking]

However, keep in mind i had a strong password.

Strong password is not enough if this was used to administrate the box from outside (internet).

Use VPN for administrate your box. If you can not use VPN, use:

1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. If possible setup the remote router to connect using VPN to an admin site.
7.++++

"Security analysis of recent RouterOS exploits" by Tomas Kirnak (Atris Spol. s r.o., Slovakia)
English presentation given on Mar 08, 2019 at the MikroTik User Meeting (MUM) in Vienna, Austria, March 07 - 08, 2019.
Video (39 minutes) on Vault7 (CIA/NSA) hacking attacks by some botnets to MikroTik routers - about 600,000 to 1 million MikroTik routers were attacked:
https://www.youtube.com/watch?v=3aEyqdz7awE

And here's another talk of the author some months later; this one is about 50 minutes long:
https://www.youtube.com/watch?v=c2JxTHgxsqg

I had that happen to me a few years ago. Thats when I learned to turn off (after I upgraded my package and firmware) pretty much everything including mac telnet, turning off admin user and firewalling port 8291 from the internet.

Since then I get the occasional DNS and port scan attacks but no access....

Somedays I think I need a hardware FW in front of my router...If MT can focus on security with every new release, I will stick with them...if not...will be time to give up on MT after 8 years and move onto something else.

Somedays I think I need a hardware FW in front of my router...If MT can focus on security with every new release, I will stick with them...if not...will be time to give up on MT after 8 years and move onto something else.

There is no such thing as "a hardware firewall" . Sure there are brands with specifically designed ASIC's (chips) in them to obtain multi-gigabit full feature performance but that is a completely other league... but still there is software that is running on the hardware.

I've been running my RB3011 for quite some years now and never had any security incident, not even a login attempt. Sure I have hundreds "attempts" on a daily basis targeting all classic ports...
Why ? Because I "kinda" know what I am doing, I've locked down the box as much as possible in terms of remote access, keep versions up-to-date, have logging & notification etc,etc.

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port.
This gives me an access list with from 2000 to 15000 IPs at any time.

If this for some reason is me that has been blocked from outside, I can use port knock to whitelist my own IP and get inn to the system.

I have an access rule that if anyone tries one port that is not open on the outside, he will be blocked for 24 hour on any port.
This gives me an access list with from 2000 to 15000 IPs at any time.

If this for some reason is me that has been blocked from outside, I can use port knock to whitelist my own IP and get inn to the system.

I do it slightly more relaxed Within a time-frame of several hours, I accept "a few" probes for TCP & UDP. Once exceeded they go on the blacklist
My ACL normally has something like 150-200 IP's on it at any time.
Others will say this approach makes no sense, why go through all the hassle of doing this : just drop any packet that is not part of a session or targeted towards non DNAT'ed ports and get on with your life and don't even bother logging this "noise" that exists "by default"

But I do it purely out of interest (just like yourself I guess)

But I do it purely out of interest (just like yourself I guess)

Is there a different mitigation for a "metered" (E.G. 4G subscription) versus an "unmetered" connection (E.G. DSL line, cable modem, FTH, ...) ?
The ISP is mostly filtering already quite a lot on mobile connections.
Nobody mentioned "tarpit" as protection: https://wiki.mikrotik.com/wiki/DoS_attack_protection. Recommended mitigation or not ?
That attack traffic is on your ISP connection anyway, and I would like to have that rather minimal. One cannot hold off a DDoS that would eat all of your bandwidth.

Is there a different mitigation for a "metered" (E.G. 4G subscription) versus an "unmetered" connection (E.G. DSL line, cable modem, FTH, ...) ?
The ISP is mostly filtering already quite a lot on mobile connections.
Nobody mentioned "tarpit" as protection: https://wiki.mikrotik.com/wiki/DoS_attack_protection. Recommended mitigation or not ?
That attack traffic is on your ISP connection anyway, and I would like to have that rather minimal. One cannot hold off a DDoS that would eat all of your bandwidth.

Exactly. If your WAN address is a public one, you likely asked for one on purpose, so you run some service which needs to be available from the internet, so the ISP (mobile or not) won't filter what comes from the world to that address. If your WAN address is a private one, nothing can get in from outside unless you've asked for it (possibly indirectly, see how teredo works, same techniques is used by peer to peer networks, but that's unlikely to work on mobile ISPs' networks anyway).

And as you say, in SOHO case, your problem may often be not the CPU of your server but the bandwidth of your uplink. The tarpit approach only helps on attackers who target some service, so by sending a SYN,ACK response, you may move them from port scanning mode to application attacking one, but it won't work on many of them - some will continue sending SYN to other ports even when they got a SYN, ACK on one. Those which just want to load the resources will simply send SYNs no matter whether they get any response.

I don't use "tarpit". It will only consume more resources (cpu/mem) on your side with the idea to slow the attacker down by holding the connection, but...
For metered connections, only your upstream ISP can truly provide some useful action. If the packet hits your interface, it consumed already bandwidth & resources.
I'm using Mikrotik purely in SOHO environment with low-bandwidth Internet (100megabits) compared to some users that have multi-gigabits at their disposal.

I saw this in best practices wiki, dont use it but do you see value in adding to the default setup..........?

add action=drop chain=forward comment="Drop tries to reach non-public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1
(where the list is the usual bogon list - of course with own private subnets excluded)

Reason I ask is that we dont otherwise really filter anything outgoing from lan to internet (with vlans not so concerned about lan to lan traffic)

I saw this in best practices wiki, dont use it but do you see value in adding to the default setup..........?

This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.

I saw this in best practices wiki, dont use it but do you see value in adding to the default setup..........?

This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.

Let me rephrase my question so it fits the answer...
" What is the purpose of applying the rule above"

Now, lets get back to the question asked........ ;-P
So you are saying it is worth it, or a waste of time......??.... Yes you will be held liable in a court of law if you give an opinion LOL

I knew I should have made it simpler for the experts to keep them roped into a small circle - would you have this rule on your own router
why and why not!!

This is too much fun, I think I need coffee

Others will say this approach makes no sense, why go through all the hassle of doing this : just drop any packet that is not part of a session or targeted towards non DNAT'ed ports and get on with your life and don't even bother logging this "noise" that exists "by default"

99.999% of these attacks are machine scan, so if they test one port, the possibility are large for that they tries more ports later and since I do have some port open, its better to block them so my open port will not be attacked.

Now, lets get back to the question asked........ ;-P
So you are saying it is worth it, or a waste of time......??....

OK, if you put it this way, then no, I don't see much value in using it. Most malware will attack public addresses anyway. Out of curiosity, you may add it an let it log, to see whether some stupid malware is running in your LAN.

Ahh okay, i see a log, to know if........... that makes sense.
Then the follow is also valid,
Detect, then block lanip.
Then find out who is pissed off that their internet doesnt work anymore.
I like it!!!

Or you can keep the IPSec open but add QoS and give then a very slow connection, like 1kbps.
Also logg all their traffic and see where they go.
You can also redirect port 80/443 to a specific web server, so same web page opens all the time.