heiko_s
newbie
Topic Author
Posts: 40
Joined: Tue Jul 10, 2007 10:02 am
Location: germany

RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 10:18 am

Good morning everybody,
for two days, one of our customers has had a problem: all outgoing http traffic is redirected to a Chinese website, hao.360.cn. At first we thought that there was a trojan on the PC, but we found out that the RoS device, which is the router to the internet, is the problem. I tested with a clean live Linux from a stick directly on the eth port of the RoS device (SXT) and had the same problems.

After that, I did a port scan from the outside to this device:
Ports 3389, 8291 and 443 were open before - the rest was closed.

We will exchange this device with a freshly installed and afterwards have a close look on it.

Does anybody have any hint on how to get access to this device? The former password was changed.
Any help - as PM to me - will be appreciated.
If we can get access, I'll post the result of the research here - if wanted.

Best regards from Germany
Heiko
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 2:34 pm

Did you have ports 21, 22, 23 and 80 disabled from "/ip service", or just from the outside using an "/ip firewall filter" rule? In fact, are you sure you had them disabled (as they are enabled by default)?

If you only disabled them from the outside, it's possible that there WAS a Trojan on a PC (not necessarily the customer that complained; any one of your customers, or maybe even one of your PCs) which upon being activated on the PC looked for FTP/Telnet/SSH/HTTP servers on the local network, and lo and behold, it found your router. If you access your router via FTP or HTTP, said Trojan doesn't even need to brute force your password - it can just listen for it.


If the Trojan was smart enough to be able to change your password, and now you can't enter the router by any protocol... I don't know how you can enter. You could always reset the device, and then make sure to configure it in a more secure fashion next time, but that's not going to tell you much about who did what from where.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
andriys
Forum Guru
Posts: 1193
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 4:42 pm

> Ports 3389, 8291 and 443 were open before - the rest was closed.
I guess port 3389 might be the key. I assume this port is redirected to either shared Windows Terminal Services server or to an admin's Windows computer. In either case the guys making the attack may have broken into your windows box and then a) collected various passwords and b) accessed your Mikrotik device from the inside.

In any case, I always consider exposing RDP directly to the wild Internet to be a very bad idea. If you absolutely need to provide this service to your users, you'd better set up some kind of road-warrior VPN.
 
heiko_s
newbie
Topic Author
Posts: 40
Joined: Tue Jul 10, 2007 10:02 am
Location: germany

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 8:00 pm

Thanks for the replies. To make it clear:

The ports were disabled in the service ports - not reachable from inside nor from outside.
We have around ~500 CPEs and an automated setup script which makes any changes for us.

The RDP port was not open to the internet - just to our management network 172.16.x.x - all other access is blocked by the firewall.
The customer does not have the password for accessing the RoS device, so it was not possible to "listen" to this password. But my colleague told me that it might be possible that the initial configuration was without a password...
So maybe the attacker had an open door to the router.

So nobody knows a good brute force program to attack the device to see what was done to it?

BR
Heiko
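Added here as an example, not posted by anyone in the thread: the RouterOS CLI commands a defender would use on a device that can still be administered, first to find where an HTTP redirect of this kind is configured, then to close the gap discussed above (disabling services in /ip service rather than only filtering them, and restricting what remains to the management network). The /16 mask on 172.16.0.0, the "mgmt:" rule comments and the placeholder password are assumptions.

```routeros
# Added example, not from any post in the thread. RouterOS CLI.
# Assumptions: the management network is 172.16.0.0/16 (the thread
# only says 172.16.x.x) and the router's own config is reachable.

# 1. Find where an HTTP redirect can be configured. Anything your setup
#    script did not create is suspect; compare with a known-good export.
/ip firewall nat print detail where chain=dstnat
/ip dns static print
/ip dns print
/ip proxy print
/ip socks print
/system scheduler print
/system script print
/user print
/log print where message~"logged in"
/export

# 2. Take the foothold away: new credentials, no proxy/SOCKS,
#    no open DNS recursion.
/user set admin password="REPLACE-WITH-LONG-RANDOM-PASSWORD"
/ip proxy set enabled=no
/ip socks set enabled=no
/ip dns set allow-remote-requests=no

# 3. Disable services on the device itself (this is what /ip service
#    does; a firewall rule alone still leaves the daemon listening).
/ip service disable telnet,ftp,www,api,api-ssl
# Keep ssh and winbox (8291) but answer only the management network.
/ip service set ssh address=172.16.0.0/16
/ip service set winbox address=172.16.0.0/16

# 4. Input-chain filter as the second layer. "add" appends, so place
#    these before any existing drop rule; if the CPE serves DNS or DHCP
#    to the customer LAN, accept those before the final drop.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="mgmt: replies"
/ip firewall filter add chain=input src-address=172.16.0.0/16 action=accept comment="mgmt: management network"
/ip firewall filter add chain=input protocol=icmp action=accept comment="mgmt: icmp"
/ip firewall filter add chain=input action=drop comment="mgmt: drop everything else"

# 5. Verify on the box: only ssh and winbox should remain enabled.
/ip service print
/ip firewall filter print where chain=input
```

Run the section 1 commands before anything else, since changing the password and disabling services overwrites part of the evidence of what was changed.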
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 8:17 pm

> The customer does not have the password for accessing the RoS device
Of course they don't... You know I'm not talking about "listen" in the sense of human ears, right?
> , so it was not possible to "listen" to this password.
When I say "listen", I mean "listen for packets on the network". FTP and HTTP are not encrypted, so an application can be made to take all incoming packets, despite the fact the PC is not the destination for the packet. As long as there's L2 connectivity between the router and a client's PC, an application can intercept it. Most applications don't, but Trojans (and legitimate programs like Wireshark) do.

Or are you saying there's no L2 connectivity?
> But my colleague told me that it might be possible that the initial configuration was without a password...
The initial configuration, yes. It's with username "admin" and no password, which is the first thing any attacker (even a human one, not just bots) would try. But if you've changed that (as I'm sure you did... didn't you?!?), then surely that's not the problem.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
heiko_s
newbie
Topic Author
Posts: 40
Joined: Tue Jul 10, 2007 10:02 am
Location: germany

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 8:48 pm

I meant "listen" for network packets - as the customer does not have the password, no one from the customer's net has connected to the device.
If the Windows PC had been compromised, it could have listened only to inside packets.

Normally the password is changed by the script, but sometimes the script does not work properly on new RoS releases. So he mentioned that he could have forgotten to change it manually.

If it was this, an attacker had it very easy to get access - truly - that is not the point. I'd like to get into this device and want to see what has been done to it, to know if the customer was compromised in another way also.
So any help on how to brute force into the device would be VERY helpful!!!!

BR
Heiko
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: RoS hacked, device compromised, http redirected, ports open

Sun Sep 28, 2014 9:01 pm

If this was x86, you could've dismounted the HDD, and run it as a secondary HDD on another system, where you can try to inspect the file system for settings and the like. I remember reading some time ago in the forum a link to an article that tried to recover settings like that, though I haven't personally tried it.

For SXT though, I don't think you can dismount the HDD, and as such, that's not really possible anyway.

As far as brute forcing goes, you could use something like this, but if the device was accessed by a bot, chances are it generated a long and random password, thus making it next to impossible to crack in any reasonable amount of time. After all, the same mechanisms that once could've protected you are now protecting the attacker. If it was that easy, you would've been hacked long ago.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
ayufan
Member
Posts: 331
Joined: Sun Jun 03, 2007 9:35 pm

Re: RoS hacked, device compromised, http redirected, ports open

Mon Sep 29, 2014 2:10 pm

> For SXT though, I don't think you can dismount the HDD, and as such, that's not really possible anyway.
It is possible as long as you have physical access to the device and you can "netinstall" the device.
hAP AC, TP-Link Archer C7 v2, RB951G, RB450G, RPI2, RPI zero
