creatin
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Nov 23, 2019 2:59 am

Hacked MTiks, any examples?

Sat Jun 27, 2020 3:23 am

Found a lot of topics related to hacking of Mikrotiks.

How do you know or suspect your Mikrotik has been hacked or tampered with?
Any examples of MTIKs which were hacked or tampered with by someone other than local admin?

New scripts were added?
New users created or existing ones modified?
New firewall rules added, existing ones changed?
 
erlinden
Member
Posts: 341
Joined: Wed Jun 12, 2013 1:59 pm

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 11:29 am

CPU usage?
And of course you can check the ROS version manually, and probably you know if there is any service available on the WAN side.
First the problem, then the solution
 
msatter
Forum Guru
Posts: 1703
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 11:59 am

Sorry, removed.
Last edited by msatter on Sat Jun 27, 2020 1:40 pm, edited 2 times in total.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.14
 
creatin
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 12:27 pm

I was thinking of creating a script which would check number of users, their names, number of scripts, when were they created/modified (if possible).
Script would run every 30-60 seconds and if there's a change it would send an email notification.
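One way to build the watchdog described in the post above, as an added RouterOS script that is not creatin's own code: it fingerprints the user list (name/group) and the script list (name/source length), keeps the previous fingerprint in global variables, and e-mails on any difference. It assumes /tool e-mail is already configured, that admin@example.com is a placeholder recipient, and that the script is saved under the name cfgwatch and started by a scheduler.

```routeros
# cfgwatch: compare the current user/script inventory with the last run and alert on change.
# Globals survive between scheduler runs, so they hold the previous fingerprint.
:global cfgUsers
:global cfgScripts

# Fingerprint users as "name/group;" and scripts as "name/<source length>;".
# A renamed user, a changed group or an edited script body all change the string.
:local curUsers ""
:foreach u in=[/user find] do={
    :set curUsers ($curUsers . [/user get $u name] . "/" . [/user get $u group] . ";")
}
:local curScripts ""
:foreach s in=[/system script find] do={
    :set curScripts ($curScripts . [/system script get $s name] . "/" . [:len [/system script get $s source]] . ";")
}

:if ([:typeof $cfgUsers] = "nothing") do={
    # First run after boot or after the script was (re)created: store a baseline only.
    :set cfgUsers $curUsers
    :set cfgScripts $curScripts
    :log info "cfgwatch: baseline stored"
} else={
    :if ($curUsers != $cfgUsers || $curScripts != $cfgScripts) do={
        :log warning "cfgwatch: user or script inventory changed"
        # admin@example.com is a placeholder; the identity is included so alerts from several routers can be told apart.
        /tool e-mail send to="admin@example.com" \
            subject="[$[/system identity get name]] user/script inventory changed" \
            body=("users before: $cfgUsers\nusers now:    $curUsers\nscripts before: $cfgScripts\nscripts now:    $curScripts")
        :set cfgUsers $curUsers
        :set cfgScripts $curScripts
    }
}

# Run it every minute (assumed scheduler entry, add once from the CLI):
# /system scheduler add name=cfgwatch interval=1m on-event=cfgwatch policy=read,test
```

Because the fingerprint is rebuilt from scratch on every run, the one-minute interval costs only a few reads; as sindy notes in the reply below this post, it only sees changes that are visible in the configuration layer.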
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 1:28 pm

I was thinking of creating a script which would check number of users, their names, number of scripts, when were they created/modified (if possible).
Script would run every 30-60 seconds and if there's a change it would send an email notification.
If you are creating a honeypot to study malware, the above may make sense, but to sniff the Mikrotik's WAN traffic using an external sniffer and analyse it makes more sense.

If you want to detect any intrusion by just a script running on the Mikrotik itself, what will not make you happy is that the fact of the intrusion may not be noticeable in the configuration at all. The configuration is just a front-end to the linux running below, and some vulnerabilities in the past allowed the attackers to retrieve plaintext passwords from the device, so there was no need to create a new user.

Running own scripts, changing the DNS settings etc. are things which are easy to accomplish on machines which are not protected enough (many people keeping the default username admin with no password open for management access from WAN exist in the real world, so it is worth letting a herd of bots crawl the internet and try); more sophisticated attacks are possible too, and people exist who take this more complex way.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
creatin
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 6:28 pm


If you want to detect any intrusion by just a script running on the Mikrotik itself, what will not make you happy is that the fact of the intrusion may not be noticeable in the configuration at all. The configuration is just a front-end to the linux running below, and some vulnerabilities in the past allowed the attackers to retrieve plaintext passwords from the device, so there was no need to create a new user.
Basically, making such script is useless in that case, thanks
 
anav
Forum Guru
Posts: 4606
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hacked MTiks, any examples?

Sat Jun 27, 2020 6:57 pm

You won't get hacked if you use common sense and stick to the default firewall rules until one knows what one is doing.
The obvious is change password and winbox port and limit access to the router admin on the LAN side.
On the WAN side only access through VPN tunnel.
That's about it, then can stop worrying and enjoy the internet.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
creatin
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:01 am

Agree with you :)

How big a risk is it if a user "test" is created on the Mikrotik with read rights only and no password?
Login to this user will be available only from a specific IP (which can be configured in user properties) through ssh from another Mikrotik
 
sindy
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:11 am

Login to this user will be available only from a specific IP (which can be configured in user properties) through ssh from another Mikrotik
Firewall rules are somewhat less prone to vulnerabilities than the per-user address restrictions as the latter work at application level while the former work at the network stack level. So permitting access to the SSH port only for items on a src-address-list in chain=input of the firewall should be safer than setting the same list of addresses under /ip service ssh or under /user.
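The network-layer restriction sindy recommends, written out as an added RouterOS example (not sindy's configuration): SSH is accepted in chain=input only from a src-address-list and dropped from everywhere else, with the application-layer restrictions kept as a second layer. 192.0.2.10 is a constructed placeholder for the other MikroTik that opens the SSH session, and "test" is the read-only user from the question.

```routeros
# Allow-list of management hosts. Using an address list rather than a literal src-address
# keeps the rule unchanged when hosts are added or removed later.
/ip firewall address-list
add list=mgmt-ssh address=192.0.2.10 comment="other MikroTik (SSH client)"

# Input chain is evaluated top to bottom: the accept must come before the drop.
# dst-port must match the port configured under /ip service ssh (22 by default).
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=22 src-address-list=mgmt-ssh \
    comment="SSH only from the management list"
add chain=input action=drop protocol=tcp dst-port=22 \
    comment="SSH from anywhere else, including the WAN"

# Second layer, as discussed in the thread: the same address under the service and the user.
# These work inside the SSH/user code rather than in the network stack, so they are kept
# in addition to the filter rules, not instead of them.
/ip service set ssh address=192.0.2.10/32
/user set test address=192.0.2.10/32 group=read
```

On a device with existing filter rules, place both rules above any general accept in chain=input (place-before=) so that they are actually reached.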
 
creatin
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Nov 23, 2019 2:59 am

Re: Hacked MTiks, any examples?

Tue Jun 30, 2020 12:52 am

Thanks for the tip. The Mikrotik on which user test is set, and to which I'll be connecting by ssh, doesn't have any firewall enabled;
it's running as AP only.
