millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

New hack/bug? User accounts wiped

Fri Apr 16, 2021 1:23 am

This is a strange one.
Approx. midnight last night one of our routers became unreachable by monitoring software.
I discovered I could log into it with admin/*blank* and there were no user accounts other than this admin one saying default.
In addition, AAA/RADIUS was turned off (though the entry in RADIUS was still there) and the custom user groups were missing.
All of the other config was still there and in place, literally just the user related section was seemingly wiped out.

The router's uptime was several days, hence it had not rebooted, and we had successful access to it yesterday, meaning all user related config was there.
What the hell? I've never seen anything like this.
I have seen it when a router is wiped and config is restored because it doesn't contain user account related information. However, if that was the case:
1) the router would have rebooted if it had some kind of wipe happen to it
2) we wouldn't have anything logging into it successfully in the time the router has been up. There were both local and RADIUS accounts successfully logging into it yesterday.

RouterOS version is 6.44.6, device is a CCR1036-8G-2S+
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: New hack/bug? User accounts wiped

Fri Apr 16, 2021 1:26 am

RouterOS version is 6.44.6, device is a CCR1036-8G-2S+

I think 6.44.x was vulnerable, so I don't think this is a new'ish hack. Here is a post about it. I updated to 6.47.x a while back to play it safe.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New hack/bug? User accounts wiped

Fri Apr 16, 2021 1:42 am

What is strange is a professional IT person not keeping their exposed-to-the-net equipment up to date on firmware.
I do get the fact that IT folks have become extremely lazy compared to olden days now that most apps like virus programs auto update files, but even still there are major upgrades that require some intervention, but these pop up and let you know it's available and needs to be done, or they can be pushed onto devices; not so for router firmware...
One has to ACTIVELY manage them.

NETINSTALL with a fresh download of latest firmware (which means at minimum the latest long term version - my personal recommendation) or the latest cough cough stable version.
 
millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: New hack/bug? User accounts wiped

Fri Apr 16, 2021 2:45 am

What is strange is a professional IT person not keeping their exposed-to-the-net equipment up to date on firmware.
I do get the fact that IT folks have become extremely lazy compared to olden days now that most apps like virus programs auto update files, but even still there are major upgrades that require some intervention, but these pop up and let you know it's available and needs to be done, or they can be pushed onto devices; not so for router firmware...
One has to ACTIVELY manage them.
Hang on a second. Firstly, it isn't exposed to the internet; you jumped to that conclusion on your own.
Secondly, just blindly updating all your routers is a really good way to screw up your network with bugs that get introduced. Automatic updates are a huge no-no in most companies and for good reason, as updates can and do introduce bugs and other security vulnerabilities from time to time. Especially true in the world of MikroTik.
6.44.6 is a known stable firmware for us and 6.45/46 introduced instability.
I'm aware of known access vulnerabilities up to 6.43 to reverse the passwords, but 6.44 patched it. Is there anything since?
 
millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: New hack/bug? User accounts wiped

Fri Apr 16, 2021 4:28 am

RouterOS version is 6.44.6, device is a CCR1036-8G-2S+

I think 6.44.x was vulnerable, so I don't think this is a new'ish hack. Here is a post about it. I updated to 6.47.x a while back to play it safe.
Just checked, SMB was not enabled (and shouldn't be enabled anywhere in our network; regular compliance checks ensure it isn't).
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: New hack/bug? User accounts wiped

Fri Apr 16, 2021 5:14 am

To understand what could have happened, you have to give us possible vectors. Nobody sees your configuration, so tell us what WAS enabled and exposed, and to which scopes? Did the instance have a public IP? Which services were enabled in IP -> Services? Which of these services were exposed through the firewall? What did the Log say about the period?
 
millenium7
Long time Member
Topic Author
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: New hack/bug? User accounts wiped

Mon Apr 19, 2021 7:37 am

Router has a pretty standard config. It's denied access unless from a trusted address list.
Enabled services are api/api-ssl/ssh/winbox.

If this is a hack then it's at a level lower than RouterOS. It's either that, or the flash memory is corrupt.

Noticed now that the router is failing on backups; it can't create a backup file on the flash memory.
If I try and do this via CLI or by GUI manually, I immediately get an error message:
Couldn't make backup - action failed (6)
I've checked and the active user is in the 'full' group, which has all possible permissions.

Is there a way to check the flash memory?
 
Jotne
Forum Guru
Posts: 3292
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: New hack/bug? User accounts wiped

Mon Apr 19, 2021 8:09 am

Post your original config.
/export hide-sensitive
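One way to check an `/export hide-sensitive` dump for the symptoms the thread describes (only the default admin left, RADIUS turned off, custom groups gone, a management service with no address restriction), as an added example that is not from any poster here; the sample export is constructed and laid out like RouterOS output, and the service/user/aaa keys are taken from the thread and RouterOS's own export format.

```python
import shlex

# Constructed sample laid out like a RouterOS "/export hide-sensitive" (not a real
# router's config); it mirrors the state reported above.
SAMPLE_EXPORT = """\
# apr/19/2021 07:37:00 by RouterOS 6.44.6
/ip service
set www disabled=yes
set ssh address=192.0.2.0/24
set api address=192.0.2.0/24
set winbox
/user
add comment="system default user" group=full name=admin
/user aaa
set use-radius=no
"""

def parse_export(text):
    """Map each '/section' header to the list of set/add entries below it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        verb, *args = shlex.split(line)  # shlex keeps quoted comments intact
        entry = {"_verb": verb}
        for arg in args:
            key, sep, val = arg.partition("=")
            entry[key if sep else "_name"] = val if sep else key  # bare arg = item name
        current.append(entry)
    return sections

def audit(sections):
    """Flag the symptoms reported in the thread; returns a list of findings."""
    findings = []
    users = sections.get("/user", [])
    if len(users) == 1 and users[0].get("name") == "admin" and \
            "default" in users[0].get("comment", ""):
        findings.append("only the default admin account exists")
    if any(e.get("use-radius") == "no" for e in sections.get("/user aaa", [])):
        findings.append("RADIUS authentication (/user aaa) is disabled")
    if not sections.get("/user group"):  # built-in read/write/full are not exported
        findings.append("no custom user groups defined")
    for svc in sections.get("/ip service", []):
        if svc.get("disabled") != "yes" and not svc.get("address"):
            findings.append(f"service {svc.get('_name')} has no address restriction")
    return findings
```

Run `audit(parse_export(open("export.rsc").read()))` against a saved export from a known-good router to keep a baseline, and diff the findings against the affected one.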
