Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

potential vulnerability: error unknown msg on OVPN server

Tue Aug 04, 2020 8:06 am

11:12:25 ovpn,info TCP connection established from 192.35.169.80
11:12:25 ovpn,debug,error,63032,14304,12812,12240,31696,40220,14232,12808,l2tp,info,12812,debug,79,65535,critical,64600,15944,21392,79,40
1928,40220,37872,40220,error unknown msg!
11:12:26 ovpn,info TCP connection established from 192.35.169.80
11:12:30 ovpn,info TCP connection established from 192.35.169.80
https://www.abuseipdb.com/check/192.35.169.80

The IP has been blacklisted, but based on the error message and the source IP it could be that they are probing for a vulnerability to some or other exploit.

I have provided a supout to Mikrotik.
 
naskoblg
just joined
Posts: 6
Joined: Sun Apr 03, 2011 11:57 pm

Re: potential vulnerability: error unknown msg on OVPN server

Sun Aug 09, 2020 11:45 am

I have noticed the same messages in the logs for my routers. RouterOS is 6.47.
09:18:01 ovpn,info TCP connection established from 192.35.168.249
09:18:01 ovpn,debug,error,64828,40456,40460,39584,22512,25020,39248,40456,l2tp,info,40460,debug,79,65535,critical,64968,3500,912,79,25096,3480,3648,4043,24420,25020,17424,25020,warning unknown msg!
09:18:01 ovpn,info TCP connection established from 192.35.168.249
09:18:01 ovpn,info TCP connection established from 192.35.168.249
 
Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: potential vulnerability: error unknown msg on OVPN server

Mon Aug 10, 2020 4:44 am

The IP is nearly identical too. Would be good if you could submit a supout as well to them. My ticket number is SUP-23883.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: potential vulnerability: error unknown msg on OVPN server

Tue Aug 11, 2020 8:15 pm

The IP space is allocated to censys.io (https://censys.io/). Censys is a well-known network security organization. They run many scans across the internet like Shodan.

Good catch that you're seeing this. My guess is that Censys has found or is aware of a potential vulnerability. If so, they would be attempting responsible disclosure with Mikrotik and scanning the internet for potentially vulnerable hosts at the same time.
 
Krizoovie
just joined
Posts: 3
Joined: Thu Jul 22, 2021 3:01 pm

Re: potential vulnerability: error unknown msg on OVPN server

Thu Sep 23, 2021 1:21 pm

I've got similar log messages.

sep/15 23:55:51 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning unknown msg!
sep/15 23:55:52 ovpn,info TCP connection established from 162.142.125.194 
sep/15 23:55:52 ovpn,info TCP connection established from 162.142.125.194 
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:04 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:06 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:08 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:10 ovpn,info TCP connection established from 68.183.40.229 
sep/16 06:40:12 ovpn,info TCP connection established from 68.183.40.22
sep/22 06:26:15 ovpn,info TCP connection established from 154.89.5.38 
sep/22 06:26:15 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning msg too short 
sep/22 06:26:31 ovpn,info TCP connection established from 154.89.5.21 
sep/22 06:26:32 ovpn,info TCP connection established from 154.89.5.21 
sep/22 06:26:32 ovpn,debug,error,63032,13296,13300,12024,31696,31260,12088,13296,l2tp,info,13300,debug,79,65535,critical,32952,15944,37776,79,31336,40328,19200,4043,30660,31260,54256,31260,warning msg too short
 
lleysan
newbie
Posts: 25
Joined: Tue Jun 30, 2015 5:44 pm

Re: potential vulnerability: error unknown msg on OVPN server

Wed Oct 20, 2021 9:59 am

I have the same errors. It was the Censys.io scanner. I'd recommend creating drop rules that block all their IPs.
 
Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: potential vulnerability: error unknown msg on OVPN server

Wed Oct 20, 2021 10:19 am

"I have the same errors. It was the Censys.io scanner. I'd recommend creating drop rules that block all their IPs."
Yeah, already done.

I contacted them and asked why they were scanning my IPs, which they did not respond to, so I reported it to my government as a malicious actor.
 
Jusufs
just joined
Posts: 10
Joined: Thu Sep 12, 2019 1:13 pm

Re: potential vulnerability: error unknown msg on OVPN server

Wed Nov 10, 2021 7:24 am

Can you please publish this blocking rule?
 
Wyz4k
Member Candidate
Topic Author
Posts: 240
Joined: Fri Jul 10, 2009 10:23 am

Re: potential vulnerability: error unknown msg on OVPN server

Wed Nov 10, 2021 7:31 am

https://www.whois.com/whois/192.35.169.80

Their IP range is 192.35.168.0/23.

Add this to an IP list called badguys: ip -> firewall -> address list
then add a new rule: chain=input src-address-list=badguys action=drop and chain=forward src-address-list=badguys action=drop. Make sure those two rules are high up in your firewall so that they get blocked early.
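
An added example, not part of the original posts: the ovpn error lines quoted in this thread carry no source address, so this Python sketch attributes each "unknown msg!" / "msg too short" line to the most recent connecting IP and prints address-list entries for the badguys list. The sample log is constructed from lines in the thread (topic lists shortened to "..."); the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, abbreviated from log lines quoted in this thread.
SAMPLE_LOG = """\
11:12:25 ovpn,info TCP connection established from 192.35.169.80
11:12:25 ovpn,debug,error,...,error unknown msg!
11:12:26 ovpn,info TCP connection established from 192.35.169.80
sep/22 06:26:15 ovpn,info TCP connection established from 154.89.5.38
sep/22 06:26:15 ovpn,debug,error,...,warning msg too short
sep/16 06:40:02 ovpn,info TCP connection established from 68.183.40.229
"""

CONNECT = re.compile(r"ovpn,info TCP connection established from (\d+\.\d+\.\d+\.\d+)\s*$")
MALFORMED = re.compile(r"ovpn,.*(unknown msg!|msg too short)\s*$")
KNOWN_SCANNER_NETS = [ipaddress.ip_network("192.35.168.0/23")]  # range given in the thread


def correlate(log_text):
    """Heuristic: charge each malformed-message line to the last IP that connected.
    The router can log the error before the connection line, so review the output."""
    stats = defaultdict(lambda: {"connections": 0, "malformed": 0})
    last_ip = None
    for line in log_text.splitlines():
        match = CONNECT.search(line)
        if match:
            last_ip = match.group(1)
            stats[last_ip]["connections"] += 1
        elif MALFORMED.search(line) and last_ip is not None:
            stats[last_ip]["malformed"] += 1
    return dict(stats)


def address_list_commands(stats, list_name="badguys"):
    """One entry per known scanner range, plus any other IP that sent malformed data."""
    targets = []
    for ip, counts in stats.items():
        if counts["malformed"] == 0:
            continue  # connected only; nothing malformed attributed to it
        addr = ipaddress.ip_address(ip)
        net = next((n for n in KNOWN_SCANNER_NETS if addr in n), None)
        target = str(net) if net else ip
        if target not in targets:
            targets.append(target)
    return [f"/ip firewall address-list add list={list_name} address={t}" for t in targets]


if __name__ == "__main__":
    print("\n".join(address_list_commands(correlate(SAMPLE_LOG))))
```

The printed lines are candidates to review before pasting into the router; the drop rules themselves are the ones described in the post above.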
 
Jusufs
just joined
Posts: 10
Joined: Thu Sep 12, 2019 1:13 pm

Re: potential vulnerability: error unknown msg on OVPN server

Wed Nov 10, 2021 10:00 am

Thanks
