normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Urgent security advisory

Wed Mar 28, 2018 3:44 pm

It has come to our attention that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS www server that was patched more than a year ago (in RouterOS v6.38.5, March 2017).

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so within the last year.

Your devices are safe if port 80 is firewalled, or if you have upgraded to v6.38.5 or newer. If you are using our home access point devices with the default configuration, they are firewalled from the factory, and you should also be safe, but please upgrade nevertheless.

The vulnerability in question was fixed in March 2017:

Current release chain:
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
And also Bugfix release chain:
What's new in 6.37.5 (2017-Mar-09 11:54):
!) www - fixed http server vulnerability;
Currently this botnet only spreads and scans. It doesn't do anything else, but we still suggest changing your password and upgrading your firewall, just in case. Recommendations about securing your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

FAQ:

What is affected?

- Webfig with standard port 80 and no firewall rules
- Winbox has nothing to do with the vulnerability, Winbox port is only used by the scanners to identify MikroTik brand devices. Then it proceeds to exploit WEBFIG through port 80.

Am I safe?

- If you upgraded your router in the last ~12 months, you are safe
- If you had "ip service" "www" disabled: you are safe
- If you had firewall configured for port "80": you are safe
- If you only had Hotspot in your LAN, but Webfig was not available: you are safe.
- If you only had User Manager in your LAN, but Webfig was not available: you are safe.
- If you had another Winbox port before this: you are safe from the scan, but not from the infection.
- If you had "winbox" disabled, you are safe from the scan, not from the infection.

- If you had "ip service" "allowed-from" set to specific network: you are safe if that network was not infected.
- If you had "Webfig" visible to LAN network, you could be infected by an infected device in your LAN.

How to detect and cure?

- Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
- If you upgrade the device and you still see attempts to access Telnet from your network - run Tool/Torch and find the source of the traffic. It will not be the router itself, but another device in the local network which is also affected and requires an upgrade.

P.S.: some details about the operation of the botnet can be found here
 
anav
Forum Veteran
Posts: 885
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Urgent security advisory

Wed Mar 28, 2018 4:28 pm

Thanks Normis, by the way, I suggest a small little toaster oven for your live-in red car. You can power it from the 12VDC cigarette lighter receptacle. ;-)
(if you had a permanent address I would send a care package including a beard trimming kit and eyeglass wipes)

Being a new user, I thought that WINBOX was a proprietary encrypted connection method to be used really only from behind the Mikrotik. By the way, can I add that winbox is one sweeeet concept for a person like me that easily self-destructs on access to routers due to rule changes. I just use the mac address of the interface and I can connect no matter what stupid move I made with rules.
Safe mode is for kittens LOL (well, it's a lab environment for now, so no harm no foul)
Wouldn't one want to connect via HTTPS or SSL or something to the Mikrotik from the outside and then access Winbox? (I mean a way besides the complication of setting up a VPN, which I find at the moment a bridge too far (intimidating).) I want to get to the point of a standard encrypted method to access WINBOX remotely, as eventually I want to buy and set up a Mikrotik for a family member in Spain, and I live in Canada.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Wed Mar 28, 2018 4:30 pm

Winbox has nothing to do with this. The tool only used it to identify that a device runs RouterOS.

I suggest setting up an IPsec VPN to your device for remote management and closing all other ports. Setting up IPsec is easy even for a new user, just click "VPN" in the QuickSet menu. It will enable everything that is needed. The link I posted above includes more suggestions to secure your router.
 
m2c
just joined
Posts: 10
Joined: Tue May 23, 2017 11:58 am

Re: Urgent security advisory

Wed Mar 28, 2018 5:51 pm

I've noticed some strange behavior on several of my hotspots with public IPs.
Found the following log entry:

mar/24 16:33:09 smb,info created new share: pub
mar/24 16:33:21 script,error script error: no such item (4)
mar/24 16:39:29 info fetch: file ".i" downloaded
mar/24 16:43:15 script,error script error: no such item (4)

Now the hotspots are making lots of connections to outside IPs on the telnet and winbox ports.
The question is: how do I fix them? Are an upgrade and password change enough?
Firmware is 6.38
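As an added example (not posted by anyone in this thread): a small scanner that flags RouterOS log entries like the four quoted above. The log line format and the indicator list are assumptions drawn only from the lines in this post; the sample log is constructed.

```python
"""Flag the RouterOS log entries reported in this thread as infection indicators.

Assumed line format: "<mon>/<day> <hh:mm:ss> <topic,...> <message>", as in the
lines quoted above. The indicator list is limited to what the thread shows.
"""
import re
from typing import Dict, List, Optional

_LOG_RE = re.compile(
    r"^(?P<date>[a-z]{3}/\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) (?P<message>.*)$"
)

# (indicator name, required log topic or None, message pattern, severity)
INDICATORS = [
    ("smb_share_created", "smb", re.compile(r"created new share:"), "high"),
    ("fetch_hidden_file", None, re.compile(r'fetch: file "\.[^"]*" downloaded'), "high"),
    ("script_error", "script", re.compile(r"script error: no such item"), "low"),
]


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into timestamp, topic list and message; None if unparseable."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": f"{m.group('date')} {m.group('time')}",
        "topics": m.group("topics").split(","),
        "message": m.group("message"),
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one finding per (line, matching indicator), in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, topic, pattern, severity in INDICATORS:
            if topic is not None and topic not in rec["topics"]:
                continue
            if pattern.search(rec["message"]):
                findings.append({"indicator": name, "severity": severity,
                                 "timestamp": rec["timestamp"],
                                 "message": rec["message"]})
    return findings


def verdict(findings: List[Dict]) -> str:
    """A lone script error is noise; an SMB share or hidden-file fetch is not."""
    if any(f["severity"] == "high" for f in findings):
        return "suspicious: upgrade RouterOS and change passwords"
    if findings:
        return "weak indicators only: review"
    return "no known indicator"


# Constructed sample: the four lines quoted in the post above plus benign entries
SAMPLE_LOG = [
    'mar/24 16:30:02 system,info,account user admin logged in from 192.0.2.10 via winbox',
    'mar/24 16:33:09 smb,info created new share: pub',
    'mar/24 16:33:21 script,error script error: no such item (4)',
    'mar/24 16:39:29 info fetch: file ".i" downloaded',
    'mar/24 16:43:15 script,error script error: no such item (4)',
    'mar/24 17:01:00 info fetch: file "routeros-mipsbe-6.41.3.npk" downloaded',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['timestamp']} [{h['severity']}] {h['indicator']}: {h['message']}")
    print(verdict(hits))
```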
 
mrz
MikroTik Support
Posts: 5689
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Urgent security advisory

Wed Mar 28, 2018 5:58 pm

Yes, upgrade and for security reasons change password, too.
 
changeip
Forum Guru
Posts: 3801
Joined: Fri May 28, 2004 5:22 pm

Re: Urgent security advisory

Wed Mar 28, 2018 7:05 pm

is there a known 8291 vulnerability or just 80?
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
honzam
Forum Guru
Posts: 2153
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Urgent security advisory

Wed Mar 28, 2018 7:16 pm

> Since all RouterOS devices offer free upgrades with just two clicks

Normis, thanks for the fix. But this fix is only for actual devices. There is nothing for MIPSLE. Your statement "all RouterOS devices" is not true.
LAN, FTTx, Wireless. ISP operator
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Wed Mar 28, 2018 7:23 pm

Hi,

Seems that we are having strange processes even after upgrade to version 6.41.3.

Could you please post complete instructions on what to check in the config or filesystem if we had malicious processes before the upgrade and after the upgrade to 6.41.3?

Are there any kind of startup scripts that should be checked?

What is the purpose of /ram/history.console file? I can see a lot of passwords stored in plain text.

Thanks.
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Wed Mar 28, 2018 7:26 pm

Not sure if you are aware but there is a complete instruction - https://github.com/BigNerd95/Chimay-Red
 
m2c
just joined
Posts: 10
Joined: Tue May 23, 2017 11:58 am

Re: Urgent security advisory

Wed Mar 28, 2018 7:32 pm

Upgraded and changed passwords. No more telnet spam.
 
Nando_lavras
newbie
Posts: 35
Joined: Tue Jul 11, 2006 4:38 am

Re: Urgent security advisory

Wed Mar 28, 2018 8:23 pm

Are routers with the http port disabled and the winbox port limited in the "IP Service List" using the "Available From" option protected? Or is an additional firewall necessary in this case?

Thanks.
 
msatter
Forum Veteran
Posts: 923
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Urgent security advisory

Wed Mar 28, 2018 8:39 pm

Thanks for the security advisory, it is much appreciated!
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta28 / Winbox 3.18 / MikroTik APP 1.0.6
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
agenovez
just joined
Posts: 5
Joined: Thu Jul 21, 2011 5:44 pm
Location: Cuenca - Ecuador

Re: Urgent security advisory

Wed Mar 28, 2018 9:01 pm

I confirm that this Chimay-Red exploit is effective (tested in my own security lab), even though it is not easy to make it work (you need a lot of GNU/Linux/programming skills). I am working on a security tool to update every MikroTik RouterBOARD; for now I only have this Perl script. It basically extracts the IP addresses from the CSV file, then tries to connect to FTP with the credentials and upload "activador.auto.rsc". You have to work on your own script to block or allow your administration subnet. I know it is a rough script that needs a lot of work, but it will work as a starting point (idea):



# MWIRELESS V01
# Script to enable SNMP and API for (CONFIDENTIAL)
# By: ANDRES GENOVEZ (Bitfrost) for CONFIDENTIAL
# Script for authorised use only, without liability - 03-2015
# Based on examples from: http://perlenespanol.com/tutoriales/modulos/usando_el_modulo_netftp.html and harto v220

use strict;
use warnings;
use Net::FTP;

my $username = "admin";
my $pwd      = "mypasswd";

# One router IP address per line in the CSV file
open(my $fh, '<', '27-05-2015.csv') or die "Cannot open IP list: $!";

while (my $line = <$fh>) {
    chomp $line;
    (my $ip = $line) =~ s/\s+//g;    # strip all whitespace
    next if $ip eq "";

    # Connect to the router's FTP service
    my $ftp = Net::FTP->new($ip, Timeout => 10);
    if (!$ftp) {
        print "Error: $ip\n";
        next;
    }
    if (!$ftp->login($username, $pwd)) {
        print "Login failed: $ip\n";
        $ftp->quit;
        next;
    }

    # Actions we want to run on the MikroTik: upload the .auto.rsc file,
    # which RouterOS imports automatically after the upload completes
    $ftp->put("activador.auto.rsc", "activador.auto.rsc")
        or print "Upload failed: $ip\n";
    $ftp->quit or die "Could not disconnect from the server: $!";
}

close($fh);
 
strods
MikroTik Support
Posts: 1350
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Urgent security advisory

Wed Mar 28, 2018 10:18 pm

That is correct - all RouterOS devices offer free upgrades until the RouterBOARD platform is EOL. You should Netinstall your MIPSLE devices, since Netinstall will put a fresh installation on your device and protect it by firewall right away, before putting the router on a public network.

If you upgrade the device and you still see attempts to access Telnet from your network - run Tool/Torch and find the source of the traffic. It will not be the router itself, but another device in the local network which is also affected and requires an upgrade.
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Urgent security advisory

Wed Mar 28, 2018 10:40 pm

Just to make it clear: only devices running a not up-to-date RouterOS version are affected, whose HTTP port (TCP/80) is open and provides the login facility and management GUI, right?

I never allow unencrypted connections and always disable the HTTP and HTTPS interfaces. Only SSH and Winbox are enabled. It would be really nice to state the accurate state of affairs instead of us playing a guessing game. I understand the importance of upgrading, but scripts work fast and we can't update all affected devices in an instant.
 
hknet
Frequent Visitor
Posts: 86
Joined: Sun Jul 17, 2016 6:05 pm
Location: Vienna, Austria

Re: Urgent security advisory

Wed Mar 28, 2018 11:11 pm

> Just to make it clear: only devices running a not up-to-date RouterOS version are affected, whose HTTP port (TCP/80) is open and provides the login facility and management GUI, right?
>
> I never allow unencrypted connections and always disable the HTTP and HTTPS interfaces. Only SSH and Winbox are enabled. It would be really nice to state the accurate state of affairs instead of us playing a guessing game. I understand the importance of upgrading, but scripts work fast and we can't update all affected devices in an instant.

Pardon me, but the statement was quite clear:
"to exploit a vulnerability in the RouterOS www server"
Anyway, it might be a good idea to keep up with updates at least on the "bugfix" level, but YMMV.

regards
hk
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Urgent security advisory

Wed Mar 28, 2018 11:18 pm

Pardon me, but specifying "www server" is not clear, at all. A serious security vulnerability merits more than vague statements about services. Do the scripts only scan port 80? Are we safe behind HTTPS (which still falls under the "www server" category) or not? Etc. You're obviously not very familiar with CVE notices and the like. Anyway, I hope someone will link or create one. This error must be very severe to warrant a mass email from Mikrotik (that's where I was notified of it in the first place), so some due diligence is in order.
 
warn1ng
just joined
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: Urgent security advisory

Wed Mar 28, 2018 11:30 pm

I have 2 Questions :

1 - If the HTTP port was OPEN (8880) but it was already configured with "Available From" and only allowing some range of public IPs and private IPs, can it be affected?
2 - How do we check if the Mikrotik has already been infected?

Thanks
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 12:06 am

Hi again,

We have a bunch of Mikrotiks with an OS version higher than the vulnerable one, but all of them are still infected.

Even after "update FW" -> "reboot" -> "change password".

[screenshots of the device's process and file listings, not included]


So even with the 6.41.3 all our devices are still infected.

Please respond ASAP and provide us instructions on how to remove all this shit from our Mikrotiks.

I can upload this /rw/info file if you need it, virustotal analysis shows nothing.
 
ubikrotik
Member Candidate
Posts: 126
Joined: Wed May 25, 2016 3:56 am

Re: Urgent security advisory

Thu Mar 29, 2018 2:29 am

hi all,

We are running our main router on 6.37.1 (stable). This is a CCR1009. What happens if I upgrade to the current? I know the master port will be disabled and a bridge will be created. And also P2P in the firewall will no longer work.


Anything else?
 
warn1ng
just joined
Posts: 22
Joined: Sun Jul 03, 2011 3:12 am

Re: Urgent security advisory

Thu Mar 29, 2018 2:47 am

> hi all,
>
> We are running our main router on 6.37.1 (stable). This is a CCR1009. What happens if I upgrade to the current? I know the master port will be disabled and a bridge will be created. And also P2P in the firewall will no longer work.
>
> Anything else?

I would go just to 6.37.5, which is known to be fixed, and you will have no problem with the bridge changes.
 
ccp421
just joined
Posts: 1
Joined: Sat Mar 25, 2017 6:16 am

Re: Urgent security advisory

Thu Mar 29, 2018 2:48 am

We just change our winbox port to something else besides default. We do this with everything.

So to log in to the new port in winbox ip:new port

And flush firewall connections or reboot router.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 8:38 am

Check the first post for updated info ...
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Urgent security advisory

Thu Mar 29, 2018 9:06 am

@normis

Can you answer 2 items for the FAQ:

1. Is there a simple test to know if a router is infected?
2. Upgrading to 6.37.5+ cures an infection or it only prevents infection?
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 9:12 am

> @normis
>
> Can you answer 2 items for the FAQ:
>
> 1. Is there a simple test to know if a router is infected?
> 2. Upgrading to 6.37.5+ cures an infection or it only prevents infection?

done
 
eworm
Member Candidate
Posts: 165
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Urgent security advisory

Thu Mar 29, 2018 9:19 am

And a FAQ entry about webfig from https (www-ssl) may be reasonable.
 
djmuk
newbie
Posts: 47
Joined: Mon Jan 18, 2010 8:48 pm

Re: Urgent security advisory

Thu Mar 29, 2018 11:41 am

> Hi again,
>
> We have a bunch of Mikrotiks with an OS version higher than the vulnerable one, but all of them are still infected.
>
> Even after "update FW" -> "reboot" -> "change password".
>
> I can upload this /rw/info file if you need it, virustotal analysis shows nothing.

I'm intrigued - those posts look like you're running ps on the Mikrotik - how do you get a 'proper' shell / bash connection?

Or are they grabs from something like a sysinfo file?

David
 
gocosf2
just joined
Posts: 1
Joined: Thu Mar 29, 2018 12:39 pm

Re: Urgent security advisory

Thu Mar 29, 2018 12:50 pm

We have a RouterOS v6.38.5 router that has been hacked today and reset to the default settings. Also via the winbox port ... We think there is a circulating second exploit that works in a similar way to this.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 1:02 pm

> We have a RouterOS v6.38.5 router that has been hacked today and reset to the default settings. Also via the winbox port ... We think there is a circulating second exploit that works in a similar way to this.

It is not related to this topic. You probably had an easy to guess password.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 1:04 pm

> I can upload this /rw/info file if you need it, virustotal analysis shows nothing.

These are leftover files. They don't do anything. This is not the program itself, only some remaining things it created. You can delete those if you like, but the device is no longer "infected" as you say.
 
amt
Member
Posts: 423
Joined: Fri Jan 16, 2015 2:05 pm

Re: Urgent security advisory

Thu Mar 29, 2018 1:15 pm

Maybe our problem at the following address could be related to this topic.

viewtopic.php?f=2&t=132160
 
lomayani
just joined
Posts: 16
Joined: Sat Jun 17, 2017 7:21 am

Re: Urgent security advisory

Thu Mar 29, 2018 1:35 pm

I have seen these since last Friday. I saw anything below 3.38.5 is compromised. Also I have seen 6.39.2 and below in the series is affected. I have not seen anything from 6.39.3 and above which is compromised.
I upgraded most of the routers to 6.41.3. Not seeing any problem in 6.41.3.
 
BartoszP
Forum Guru
Posts: 1622
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Urgent security advisory

Thu Mar 29, 2018 1:36 pm

@Normis
How could user "random12" show us the results of "ps", "ls" etc ... Is he cracking his own router or using some Mikrotik debug/special module?

Simple question: How?
Real admins use real keyboards.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 1:37 pm

> @Normis
> How could user "random12" show us the results of "ps", "ls" etc ... Is he cracking his own router or using some Mikrotik debug/special module?
>
> Simple question: How?

There exists a special NPK package that you can install and gain access to the shell. This is not public. This user must have gotten it from MikroTik support. Sometimes this package is installed by MikroTik support when debugging a live installation, but it is usually removed. Don't ask, we will not share it :)
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 1:39 pm

> I have seen these since last Friday. I saw anything below 3.38.5 is compromised. Also I have seen 6.39.2 and below in the series is affected. I have not seen anything from 6.39.3 and above which is compromised.
> I upgraded most of the routers to 6.41.3. Not seeing any problem in 6.41.3.

Not possible. Maybe you had another router behind that one, then you would see some traffic as if it was coming from this one.
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 1:41 pm

> These are leftover files. They don't do anything. This is not the program itself, only some remaining things it created. You can delete those if you like, but the device is no longer "infected" as you say.

Really? How can you know that? What's inside this "/rw/info" file?

What about those "/ram/.info" processes that are currently running in memory?
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 1:51 pm

[screenshot of the process list, not included]

This screen clearly shows me version 6.40.5 (which is not vulnerable, as you tell us) with "/rw/info" and "/ram/.info" processes in memory.

Are you telling me that it's all safe now?
 
BartoszP
Forum Guru
Posts: 1622
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Urgent security advisory

Thu Mar 29, 2018 1:58 pm

> ...
> There exists a special NPK package that you can install and gain access to the shell. This is not public. This user must have gotten it from MikroTik support. Sometimes this package is installed by MikroTik support when debugging a live installation, but it is usually removed. Don't ask, we will not share it :)

I know about the "special" module ... not asking "for" ... just asking "how" :-)
Real admins use real keyboards.
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Urgent security advisory

Thu Mar 29, 2018 2:28 pm

(post Removed as others have answered my question)
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 3:46 pm

> This screen clearly shows me version 6.40.5 (which is not vulnerable, as you tell us) with "/rw/info" and "/ram/.info" processes in memory.
> Are you telling me that it's all safe now?

You are right, this is some other tool. We fixed this one in v6.41 only. This is why upgrading to the LATEST version is important. Your scanner has been stopped, but the .info process was not deleted. Upgrading to the LATEST version should also fix that one.
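Added example (not MikroTik's code and not posted in this thread): a fleet check that applies the version thresholds stated here (www fix in 6.37.5 on the bugfix chain and 6.38.5 on the current chain; the SMB issue fixed in v6.41, per the reply above) together with the exposure conditions from the FAQ in the first post. The Device field names and the inventory are constructed assumptions, not RouterOS API fields.

```python
"""Apply the version and exposure rules from this thread to a device inventory.

Thresholds from the thread: www fix in 6.37.5 (bugfix chain) and 6.38.5
(current chain); SMB issue fixed in v6.41. Device fields are assumed names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

WWW_FIX_BUGFIX = (6, 37, 5)
WWW_FIX_CURRENT = (6, 38, 5)
SMB_FIX = (6, 41, 0)

# "6.38.5", "6.41", "6.44Beta28", "6.42rc1" -> numeric tuple; a pre-release
# suffix is ignored, so a beta counts as its base release.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[A-Za-z]+\d*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def www_fixed(v: Tuple[int, int, int]) -> bool:
    """www fix present: 6.37.5+ on the 6.37 bugfix chain, otherwise 6.38.5+."""
    if v[:2] == (6, 37):
        return v >= WWW_FIX_BUGFIX
    return v >= WWW_FIX_CURRENT


def smb_fixed(v: Tuple[int, int, int]) -> bool:
    return v >= SMB_FIX


@dataclass
class Device:
    name: str
    version: str
    www_enabled: bool = True                      # /ip service www not disabled
    www_allowed_from: Optional[List[str]] = None  # allowed-from networks, None = any
    www_filtered_from_wan: bool = False           # firewall drops WAN traffic to the www port


def exposure(d: Device) -> str:
    """Who can reach Webfig, following the FAQ in the first post."""
    if not d.www_enabled:
        return "none"
    if d.www_allowed_from:
        return "restricted"   # safe only while those networks are clean
    if d.www_filtered_from_wan:
        return "lan"          # still reachable by an infected LAN device
    return "internet"


def assess(d: Device) -> dict:
    v = parse_version(d.version)
    exp = exposure(d)
    www_ok = www_fixed(v)
    if www_ok:
        action = "www fix present"
    elif exp == "none":
        action = "www disabled; upgrade anyway"
    elif exp == "internet":
        action = "VULNERABLE: www reachable from the internet, upgrade now"
    else:
        action = f"at risk from the {exp} side, upgrade"
    if not smb_fixed(v):
        action += "; SMB issue fixed in 6.41, upgrade to latest"
    return {"name": d.name, "version": d.version, "exposure": exp,
            "www_fixed": www_ok, "smb_fixed": smb_fixed(v), "action": action}


def assess_fleet(devices: List[Device]) -> List[dict]:
    """Most urgent first: unpatched, internet-exposed devices at the top."""
    order = {"internet": 0, "lan": 1, "restricted": 2, "none": 3}
    reports = [assess(d) for d in devices]
    return sorted(reports, key=lambda r: (r["www_fixed"], order[r["exposure"]]))


# Constructed inventory for demonstration (not real devices)
FLEET = [
    Device("hotspot-1", "6.38"),
    Device("office-gw", "6.37.5", www_filtered_from_wan=True),
    Device("branch-ap", "6.40.5", www_enabled=False),
    Device("core", "6.41.3", www_allowed_from=["192.0.2.0/24"]),
    Device("lab", "6.44Beta28"),
]

if __name__ == "__main__":
    for r in assess_fleet(FLEET):
        print(f"{r['name']:10} {r['version']:10} {r['exposure']:10} {r['action']}")
```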
 
tkotek001
just joined
Posts: 6
Joined: Wed Aug 09, 2017 10:21 am

Re: Urgent security advisory

Thu Mar 29, 2018 3:49 pm


> This screen clearly shows me version 6.40.5 (which is not vulnerable, as you tell us) with "/rw/info" and "/ram/.info" processes in memory.
>
> Are you telling me that it's all safe now?

Not really - go for the latest 6.41, due to the SMB exploit for 6.40.x: https://github.com/BigNerd95/Chimay-Blue
The original "Chimay Red" exploit had a persistence option - check the WikiLeaks files.
 
paulojrandrade
just joined
Posts: 8
Joined: Wed Jul 15, 2009 9:51 pm

Re: Urgent security advisory

Thu Mar 29, 2018 4:34 pm

Hello, good morning. In the case of a mass update (more than 320 devices), is there any script?

Thank you
 
avantwireless
Member Candidate
Posts: 137
Joined: Mon Nov 07, 2005 3:04 am

Re: Urgent security advisory

Thu Mar 29, 2018 4:47 pm

@normis... Ok so now I am really confused... People above point out how to see infection via a simple "ls" on the /rw directory but the ability to perform the "ls" is not available. So how the heck are we supposed to check to see if a machine is infected? And please don't point at another post because I looked at all the other posts and nothing was pointed out as "Here this is what you see if you are infected" EXCEPT the results of a tool we can't have. And yes all my ports are filtered, but that is not good enough to verify not infected... And upgrading some of these machines may not work due to legacy hardware.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 4:49 pm

> @normis... Ok so now I am really confused... People above point out how to see infection via a simple "ls" on the /rw directory but the ability to perform the "ls" is not available. So how the heck are we supposed to check to see if a machine is infected? And please don't point at another post because I looked at all the other posts and nothing was pointed out as "Here this is what you see if you are infected" EXCEPT the results of a tool we can't have. And yes all my ports are filtered, but that is not good enough to verify not infected... And upgrading some of these machines may not work due to legacy hardware.

Those are not "people" but one person who has already hacked his device himself. You can ignore him, his instructions can't be done by others.
There is only one thing needed to determine if you are vulnerable = upgrade RouterOS. Read the first post, the questions are answered there.
"Here this is what you see if you are infected"
There is no such test. Upgrade is mandatory. There is no other way to clean this tool from your device.
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 4:57 pm

> You are right, this is some other tool. We fixed this one in v6.41 only. This is why upgrading to the LATEST version is important. Your scanner has been stopped, but the .info process was not deleted. Upgrading to the LATEST version should also fix that one.

I suggest you edit the very first message in the thread and write that only 6.41.X has all required fixes.


> This is why upgrading to LATEST version is important.

What is the "LATEST version"? Do you mean the LATEST released version, or maybe the LATEST RC version?
We are on the internet, as you may notice; use https links to point to the version you are talking about.


> Currently this botnet only spreads and scans

Why do you think so? The vulnerability allows loading some random code onto the Mikrotik and running it, so why are you sure that it "only spreads and scans"?

I can see completely different picture here: ESTABLISHED ssh connections to some hosts from our Mikrotik, attempts to connect over ssh to internal hosts.

Sometimes nmap utility shows Mikrotik devices on the other side, sometimes not.
 
normis
MikroTik Support
Topic Author
Posts: 23545
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Urgent security advisory

Thu Mar 29, 2018 5:06 pm

Please at least read carefully before spreading your misleading things. Even your own posts are conflicting!

carefully compare these sentences:

> Currently this botnet only spreads and scans

> Why do you think so? The vulnerability allows

You are mixing up two different topics! The botnet is discussed here. Your device shows an unrelated file, possibly injected by the SMB vulnerability that was closed in v6.41, like I said before. This has nothing to do with the botnet. Also, if you have installed command line shell access, who can know where you got this package from, what other stuff you accidentally installed and what other intrusion points you opened by installing this stuff.

My personal recommendation to you is reinstall your device with Netinstall.
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 5:19 pm

> Those are not "people" but one person who has already hacked his device himself. You can ignore him, his instructions can't be done by others.

As you may understand it was done because we could get a proper answer from support.

> There is only one thing needed to determine if you are vulnerable = upgrade RouterOS. Read the first post, the questions are answered there.

You are changing clothes on the go. Now you say that upgrade to 6.41.3 is mandatory.

> There is no such test. Upgrade is mandatory. There is no other way to clean this tool from your device.

We tried to perform an upgrade from 6.40.5 to 6.41.3 for 2 infected devices remotely.
Both upgrades were unsuccessful (one device was reset to defaults, another one is not responding and we are waiting for someone in the remote office to have a look at the device).
Last edited by random12 on Thu Mar 29, 2018 5:28 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 4845
Joined: Mon Jun 08, 2015 12:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 5:19 pm

> Hello, good morning. In the case of a mass update (more than 320 devices), is there any script?

There is this page with some info on how to do that:
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade

However, it still is something that could have further clarification.
There is the "/system package update" command which has the same functionality as in the system->packages screen,
i.e. check for upgrades on the MikroTik servers and decide to install them and reboot.

There is also the "/system upgrade" command which allows downloads from local location, but it is not clear to me if
this is a recommended mechanism for new use, as it is mentioned very little. Is it part of the Dude update mechanism?

It would be nice when a mechanism can be established and configured by default in our routers to automatically update
to minimally some pre-established version. I.e. on some central server a version could be stored for different architectures
and all routers will make sure their software version is at least that version. It would be possible to individually upgrade
routers to higher versions and they would not downgrade themselves to that centrally stored version, but when a router
has a lower version it would auto-upgrade itself, e.g. once a day.

Such a config would allow us to keep the network safe (e.g. in cases like this worm), without all routers automatically
tracking whatever MikroTik releases in current or bug-fix. So testing can be done and tested versions put on that
central server. In this case, the routers could use some predetermined password of the central service, but it should
not be obligatory that the central service knows all the admin passwords of the routers (as is the case with Dude).

Would it be advisable to build something like this using "/system upgrade" and a scheduled job? Is there an example?
 
random12
just joined
Posts: 10
Joined: Wed Mar 28, 2018 7:09 pm

Re: Urgent security advisory

Thu Mar 29, 2018 5:32 pm

> You are mixing up two different topics! The botnet is discussed here.


Keep calm and don't use exclamation signs while talking to the customer.

It's more than related: since "the botnet issue" has started we detected malicious activity on our Mikrotiks.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1622
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Urgent security advisory

Thu Mar 29, 2018 5:41 pm

@random12

Not judging anyone ... but how do you have access to the internals of the Mikrotik? Is it an official way or not?

If not, then I would agree with Normis that your device is not a representative example for the problem.
I could agree that maybe you have an example of other malicious activity, but are you sure that you are not responsible for opening any "door" to your device?
Real admins use real keyboards.
