grumpazoid
Frequent Visitor
Topic Author
Posts: 77
Joined: Tue Nov 19, 2019 1:32 pm

Firewall Input rules appearing port 5678 tcp. Hacked.

Tue Jun 29, 2021 12:28 pm

I have a CCR1016 and it has been running 6.48.1 - now updated to 6.48.3

I have noticed two identical entries appearing on the input chain at the top: add action=accept chain=input disabled=no dst-port=5678 protocol=tcp

I also have two mikrotik CRS switches on the network. Any reason for this? Should I be concerned?
Last edited by grumpazoid on Tue Jun 29, 2021 5:18 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Tue Jun 29, 2021 12:38 pm

If the second is not udp, someone did incomplete work.
 
grumpazoid

Tue Jun 29, 2021 12:45 pm

"If the second is not udp, someone did incomplete work."
Please could you elaborate?
 
rextended

Tue Jun 29, 2021 1:00 pm

Please do not use "Reply with quote" without any reason, use "Post Reply" instead.

It accepts incoming Neighbor Discovery protocol, but the protocol uses UDP, not TCP.

You can delete the rules without problems.
 
grumpazoid

Tue Jun 29, 2021 4:16 pm

I had been hacked - same as here viewtopic.php?f=2&t=172091&p=841272&hil ... tp#p841272

Although my router OS was more up to date. Big concern - Reset Time
Last edited by grumpazoid on Tue Jun 29, 2021 5:13 pm, edited 1 time in total.
 
rextended

Tue Jun 29, 2021 4:30 pm

Using the same port as the Neighbor Discovery protocol, a perfectly legit service used between RouterBOARDs, to mask the traffic...

Probably your router was "compromised" some time ago...
 
grumpazoid

Tue Jun 29, 2021 5:18 pm

Thanks. I am aware 5678 UDP is legit.
Someone was adding 5678 TCP at the top of my input chain and had set up an L2TP client as documented in the aforementioned post.
Router OS has been kept up to date. I run an L2TP server so maybe compromised that way?
 
rextended

Tue Jun 29, 2021 6:32 pm

Probably, but it is hard to say.

Better make a backup: NOT a backup, an EXPORT.
Netinstall the device, and import back the export, section by section, to search for other strange things, if any....
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Tue Jun 29, 2021 7:10 pm

As rextended stated, the only safe course of action is to do a netinstall and put the old exported config back in bits, without the offending bits and especially any scripts (even if you made them they may have been modified!).
Do not use the same userID (edit: and password, thanks rextended) and use a different winbox port too if using winbox.
Last edited by anav on Tue Jun 29, 2021 10:18 pm, edited 1 time in total.
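
Added example (not posted by anyone in this thread): a small Python check that can be run over a saved RouterOS export before re-importing it section by section. It flags the TCP 5678 input accept rule described in the first post and lists every entry in the sections the thread says to inspect (L2TP client, scripts, scheduler). The sample export, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample of a RouterOS "/export"; all values are illustrative only.
SAMPLE_EXPORT = r"""
/interface l2tp-client
add connect-to=vpn.example.invalid disabled=no name=l2tp-out1 user=user1
/ip firewall filter
add action=accept chain=input disabled=no dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=udp
add action=accept chain=input comment="allow established" \
    connection-state=established,related
add action=drop chain=input
/system scheduler
add interval=10m name=sched1 on-event="/system script run script1"
"""

# Sections whose entries should be read by hand before importing them back.
REVIEW_SECTIONS = ("/interface l2tp-client", "/system script", "/system scheduler")

def parse_export(text):
    """Yield (section, properties) for every 'add' line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)', line)
            yield section, {k: v.strip('"') for k, v in pairs}

def audit(text):
    """Return findings as (section, reason, properties) tuples."""
    findings = []
    for section, props in parse_export(text):
        if section in REVIEW_SECTIONS:
            findings.append((section, "review before re-importing", props))
        elif (section == "/ip firewall filter"
              and props.get("chain") == "input"
              and props.get("action") == "accept"
              and props.get("protocol") == "tcp"
              and "5678" in props.get("dst-port", "").split(",")):
            findings.append((section, "TCP 5678 accepted on input", props))
    return findings

if __name__ == "__main__":
    for section, reason, props in audit(SAMPLE_EXPORT):
        print(f"{section}: {reason}: {props}")
```

The check matches the port only when it is listed literally; a rule that covers 5678 through a port range still needs to be read by eye.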
 
rextended

Tue Jun 29, 2021 9:04 pm

P.S.: Do not use the same password and change ALL your passwords used till now!!!!!!...
 
grumpazoid

Wed Jun 30, 2021 11:54 am

Thanks all. Netinstall completed with new credentials.
 
anav

Wed Jun 30, 2021 5:22 pm

Well done, most people take a few times to get the hang of netinstall, seems like it worked well for you first go!
 
grumpazoid

Mon Jul 05, 2021 3:39 pm

The first time nothing happened and the reboot button did not appear. Second attempt all worked as per the instructions on the wiki.
