gcs
Member Candidate
Topic Author
Posts: 145
Joined: Tue May 18, 2010 10:06 pm
Location: Tyler, Texas USA

Can ROS become infected?

Fri Nov 22, 2013 7:39 pm

I have at least 1 router board that is sending out traffic even though nothing is connected to it. Most of the traffic source is port 1080 socks and many of the dest port is 25 smtp.


This is causing my network to be attacked from outside and I am getting a lot of email about abuse from outside people.

Any ideas?

Thanks

David
 
JackANSI
Frequent Visitor
Posts: 71
Joined: Wed Apr 03, 2013 6:52 pm

Re: Can ROS become infected?

Mon Nov 25, 2013 3:37 am

Netinstall a fresh copy of ROS on it and see if it still does it.
 
normis
MikroTik Support
Posts: 24361
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can ROS become infected?

Mon Nov 25, 2013 9:30 am

RouterOS can not be infected. Unless you are running some illegally modified or cracked version, then anything could be possible, I suppose.
 
timberwolf
Member Candidate
Posts: 274
Joined: Mon Apr 25, 2011 12:08 pm
Location: Germany

Re: Can ROS become infected?

Mon Nov 25, 2013 10:21 am

> RouterOS can not be infected. ...

Heard that one before. :lol: Even if you prohibit writing to disk, infected code can still be run from RAM. ;-)
 
normis
MikroTik Support
Posts: 24361
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can ROS become infected?

Mon Nov 25, 2013 10:33 am

> > RouterOS can not be infected. ...
>
> Heard that one before. :lol: Even if you prohibit writing to disk, infected code can still be run from RAM. ;-)

I would love to see some actual evidence for this.
 
timberwolf
Member Candidate
Posts: 274
Joined: Mon Apr 25, 2011 12:08 pm
Location: Germany

Re: Can ROS become infected?

Mon Nov 25, 2013 10:47 am

> > > RouterOS can not be infected. ...
> >
> > Heard that one before. :lol: Even if you prohibit writing to disk, infected code can still be run from RAM. ;-)
>
> I would love to see some actual evidence for this.

Evidence for what? That ROS can be infected or that it's possible to run code from RAM? ;-)
Seriously normis, stop arguing that way, that's highly unprofessional. Systems (regardless of the base OS) have been hijacked that way in the past, that's nothing left for speculation.

However you are probably right in saying, that ROS hasn't been hijacked yet, but that doesn't guarantee a bit.
 
normis
MikroTik Support
Posts: 24361
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can ROS become infected?

Mon Nov 25, 2013 10:57 am

A lot of stuff is possible in pure theory, however, until somebody has actually done it, there is no point in scaring people.
 
timberwolf
Member Candidate
Posts: 274
Joined: Mon Apr 25, 2011 12:08 pm
Location: Germany

Re: Can ROS become infected?

Mon Nov 25, 2013 11:01 am

> A lot of stuff is possible in pure theory, however, until somebody has actually done it, there is no point in scaring people.

That wasn't my intention but stating "RouterOS can not be infected." isn't really better. :?
Anyway, I hope the report from gcs was bogus.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Can ROS become infected?

Mon Nov 25, 2013 11:17 am

I would put this like that:

Using all means provided by RouterOS to protect itself it is impossible to execute 3rd party malicious code on it.
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: Can ROS become infected?

Mon Nov 25, 2013 1:53 pm

> I would put this like that:
>
> Using all means provided by RouterOS to protect itself it is impossible to execute 3rd party malicious code on it.

Can you tell us more about what MikroTik does to minimize the possibility that it executes malicious code?
I would also say that it's unlikely that this happens, but to say it's impossible is really unprofessional.

I have been working as a security analyst for some time and have seen some crazy of compromised systems.
There is no system in the world about which you can say it's 100% secure. OK, all systems can be 100%, but you need to unplug the power cable to secure it ;)

You can say there is no known vulnerability, the system has multiple layers to mitigate intrusions. But then tell us more about that.

What gcs is describing sounds more like some "usual" infection used for sending spam and such stuff. I've seen a lot of compromised Linux-based boxes in my life getting abused for such activity. But during forensics it usually turned out they got hacked via known and not patched vulnerabilities.
It's unlikely that those bad guys spend a lot of time to find a vulnerability to compromise systems with the (spam) bots, especially if the possible count of targets is very low. They are just interested in the count of infected hosts.

Some questions for gcs:
1. Is really everything disconnected?
2. Could it be that you configured (by accident) a SOCKS proxy which is open to the world?
3. Are you running something inside MetaROUTER that could be compromised?

At MikroTik:
Please don't just say something stupid like "RouterOS can not be infected." Even if this is unlikely, it's worth investigating, so you should help the user to find the problem. If it's just something like an open SOCKS proxy, we're all happy. If there is really the unlikely case that someone has a 0day exploit for RouterOS and uses it just to send spam, you should be really interested in finding it as soon as possible.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
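
Added example, not part of the original thread or written by any poster: a triage check for the open SOCKS proxy hypothesis raised above, matching the symptom gcs reports (source port 1080, destination port 25) against flow records exported from the router. The addresses, the LAN range, the flow tuple layout and the function name are assumptions made for this sketch.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

ROUTER = "203.0.113.10"   # assumed public address of the router
LAN = "192.168.88.0/24"   # assumed LAN behind it

# Constructed TCP flow records: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("198.51.100.7", 51514, ROUTER, 1080),   # outside host -> SOCKS port
    (ROUTER, 1080, "198.51.100.7", 51514),   # SOCKS reply ("source port 1080")
    (ROUTER, 40112, "192.0.2.25", 25),       # router -> SMTP
    (ROUTER, 40113, "192.0.2.26", 25),
    ("198.51.100.23", 60001, ROUTER, 1080),
    ("192.168.88.5", 50000, ROUTER, 8291),   # LAN management session, ignored
]

def assess_socks_relay(flows, router_ip, lan_cidr, socks_port=1080, smtp_port=25):
    """Summarise whether the flows look like a SOCKS proxy relaying mail."""
    lan = ip_network(lan_cidr)
    outside_clients = set()    # non-LAN hosts using the router's SOCKS port
    smtp_targets = Counter()   # mail servers the router itself connects to
    for src_ip, src_port, dst_ip, dst_port in flows:
        if dst_ip == router_ip and dst_port == socks_port:
            if ip_address(src_ip) not in lan:
                outside_clients.add(src_ip)
        elif src_ip == router_ip and src_port == socks_port:
            # Reply direction of the same SOCKS sessions
            if ip_address(dst_ip) not in lan:
                outside_clients.add(dst_ip)
        elif src_ip == router_ip and dst_port == smtp_port:
            smtp_targets[dst_ip] += 1
    if outside_clients and smtp_targets:
        verdict = "open SOCKS proxy relaying SMTP"
    elif outside_clients:
        verdict = "SOCKS port reachable from outside"
    elif smtp_targets:
        verdict = "router-originated SMTP, no SOCKS clients seen"
    else:
        verdict = "no relay pattern"
    return {"verdict": verdict,
            "outside_clients": sorted(outside_clients),
            "smtp_targets": dict(smtp_targets)}
```

A verdict of "open SOCKS proxy relaying SMTP" points at the misconfiguration case; on RouterOS the SOCKS service settings live under `/ip socks`. Router-originated SMTP with no SOCKS clients is the case that needs deeper investigation.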
 
normis
MikroTik Support
Posts: 24361
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Can ROS become infected?

Mon Nov 25, 2013 1:55 pm

I did not say it's impossible to make. I said that it's not likely that the OP has such problems, because nobody has done it yet.