jrecabeitia
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jun 05, 2007 2:26 pm
Location: Villa Dolores - Cordoba - Argentina

ROS Attack

Thu Jun 03, 2021 1:54 pm

Yesterday I detected that I did not have access to my central router (tile). In the end I accessed it with the admin user without a password, which was not registered in the router. I tried to back up again and it was impossible. I created the admin user again. I gave it a password. I deleted admin.
When I wanted to re-enter I could only use admin, which I had already deleted. I checked whether there were any hidden scripts and removed them. It operated normally yesterday, although without being able to back up or delete anything.
Today I tried to access it and again the only way is with admin. I tried changing the firmware and it obviously doesn't take it.
Finally I restarted the router. The result is that there is no longer access in any way.
In addition, I have another, unrelated installation several hundred kilometers away, and today I find that there is no way to access its central router. Same situation. In one case the firmware is the latest, 6.48.3; in the other it is an older one that unfortunately I do not have in mind.
In both routers, only the winbox service and ssh with port 22000 are active.
Any idea what is happening?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ROS Attack

Thu Jun 03, 2021 2:03 pm

Any idea what is happening?
Yes, you put the just-released 6.48.3 in production, instead of waiting for all the MikroTik users used as beta-testers.
Oops, you are also a beta-tester...

I'm still on 6.46.8 and on 6.47.9 on 8P, 16P and 24P Switch PoE


The problem described happens with corrupted RAM (overclocked something?) or damaged/malformed NAND/flash.
Once someone enters your unprotected device, they can reach the whole network, read backup files with usernames and passwords, etc.
 
jrecabeitia
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jun 05, 2007 2:26 pm
Location: Villa Dolores - Cordoba - Argentina

Re: ROS Attack

Thu Jun 03, 2021 2:10 pm

After half an hour, it allowed the access with the user admin without password in the TILE
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: ROS Attack

Thu Jun 03, 2021 2:12 pm

After half an hour, it allowed the access with the user admin without password in the TILE
Yes, it is the mentioned problem.
It has also happened on some of my devices if for some reason I do not properly synchronize the memory speed with the memory installed on some boards.

After that, the same devices have still been running for years...

It also happens on the CCR1016-12G second revision (/r2).

The first series works perfectly, the r2 is a .....
NAND continuously corrupted until someone fixed the software in 6.46.8
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: ROS Attack

Thu Jun 03, 2021 2:28 pm

Where is the attack that you specified in the topic title? Any proof of an attack? Logs? How did they get it? Is it a hardware failure? Or is it a user misconfiguration?
 
jrecabeitia
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jun 05, 2007 2:26 pm
Location: Villa Dolores - Cordoba - Argentina

Re: ROS Attack

Thu Jun 03, 2021 2:58 pm

Dear rextended, if it were a firmware problem ... why does the same thing happen with a router that has another, older version? If it were a flash memory problem, why does the admin user appear out of nowhere? A mystery.
 
jrecabeitia
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jun 05, 2007 2:26 pm
Location: Villa Dolores - Cordoba - Argentina

Re: ROS Attack

Thu Jun 03, 2021 3:59 pm

What do you think if I activate the other partition, which contains very old firmware (6.45.1)? If it was a firmware problem or an attack (malicious software entered), the problem should disappear. If it's a hardware problem, it will continue.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: ROS Attack

Thu Jun 03, 2021 4:59 pm

What do you think if I activate the other partition, which contains very old firmware (6.45.1)? If it was a firmware problem or an attack (malicious software entered), the problem should disappear. If it's a hardware problem, it will continue.
Weren't there some serious vulnerabilities discovered in the 6.45.x series? I don't think that would be an improvement to your situation.

I have had good luck with the later 6.47.8 with both Tile and ARM. If you were going to change firmware for a test, I would go there.
 
jrecabeitia
Frequent Visitor
Topic Author
Posts: 91
Joined: Tue Jun 05, 2007 2:26 pm
Location: Villa Dolores - Cordoba - Argentina

Re: ROS Attack

Thu Jun 03, 2021 6:05 pm

I have changed the partition and installed version 6.47.10; so far so good.
I don't know which baton he sent me, but now I don't see the original partition. Only the current one remains. And I would like to refloat that partition to have a backup in the event of a failure.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: ROS Attack

Thu Jun 03, 2021 9:19 pm

I have changed the partition and installed version 6.47.10; so far so good.
I don't know which baton he sent me, but now I don't see the original partition. Only the current one remains. And I would like to refloat that partition to have a backup in the event of a failure.
If possible I would suggest the later 6.47.7 or 6.47.8; they were more stable. Most of the fixes were geared towards ARM and SNMP issues, but the later versions were much more stable. I have not tried 6.47.9, but I believe it had some issues.
