We are working on it.

> unless they have a time machine (and you guys don't, right?).
@Deantwo: you largely misinterpreted what I wrote in my post.

> 6 year old default firewall rules aren't secure enough? What do you expect MikroTik to do about that now?
> MikroTik already updated the default firewall rules more than a year ago.
> They can't change how they made stuff 6 years ago unless they have a time machine (and you guys don't, right?).
> If you want the newer default firewall rules, you just take a spare router, upgrade it to the latest RouterOS version, reset the configuration to default, and then you just copy the firewall rules from it onto your older routers.
> You can also reset your router to the newer default configuration and then build a new configuration up around that.
> Or even better, read the manual about how to secure your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
That is not correct. Since the beginning of the default firewall, it has protected the default WAN port. The issue is that some people want to make a VPN on their home router, so they turn off the firewall.

> ROS is that old default settings
Yeah, but when will it be released?

> We are working on it.
>> unless they have a time machine (and you guys don't, right?).
Yeah, if a guide starts by saying "remove the default configuration", you likely need to rethink your choice of configuration guide.

> Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
> Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure.
Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody change something and complain that router is not secure.
Jul/28/2018 08:12:46 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Jul/28/2018 08:12:46 system,info socks config changed by macgaiver
Jul/28/2018 08:12:47 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
Aug/05/2018 11:31:15 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info socks acl entry added by macgaiver
Aug/05/2018 11:31:16 system,info socks config changed by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/19/2018 23:22:47 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info socks acl entry added by macgaiver
Aug/19/2018 23:22:47 system,info socks config changed by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver
Sep/03/2018 23:03:03 system,info,account user macgaiver logged in from 109.172.76.49 via winbox
Sep/03/2018 23:03:07 system,info,account user macgaiver logged in from 109.172.76.49 via telnet
Sep/03/2018 23:03:11 system,info ip service changed by macgaiver
Sep/03/2018 23:03:13 system,info ip service changed by macgaiver
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via winbox
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via telnet
Sep/03/2018 23:03:16 system,info,account user macgaiver logged in from 159.224.52.96 via api
Sep/03/2018 23:03:20 system,info socks config changed by macgaiver
Sep/03/2018 23:03:21 system,info dns changed by macgaiver
Sep/03/2018 23:03:21 system,info item changed by macgaiver
Sep/03/2018 23:03:23 system,info script removed by macgaiver
Sep/03/2018 23:03:24 system,info script removed from scheduler by macgaiver
Sep/03/2018 23:03:25 system,info socks config changed by macgaiver
Sep/03/2018 23:03:26 system,info http proxy settings changed by macgaiver
Sep/03/2018 23:03:37 wireless,info 60:A4:D0:05:67:CB@wlan1: disconnected, disabling
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:43 system,info verified routeros-mipsbe-6.42.7.npk
Sep/03/2018 23:03:43 system,info installed routeros-mipsbe-6.42.7
Sep/03/2018 23:03:44 system,info router rebooted
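The log above shows the pattern the thread keeps coming back to: a winbox login from an address outside the owner's networks, the SOCKS proxy reconfigured and three scripts added and scheduled within two seconds, a logout, and then the scheduled scripts (which run as their owner) changing filter rules and removing themselves half a minute later. As an added example, not code from the thread or from MikroTik, the following Python script parses lines in this log format, attaches every "changed by <user>" event to the login session that produced it, and reports sessions that came from outside a list of trusted prefixes. The trusted prefix 192.168.123.0/24, the 60-second after-logout window, and the embedded excerpt (the first block of the log above) are constructed for illustration.

```python
"""Flag RouterOS admin sessions from untrusted addresses and the changes they made.
Added example, not code from the thread or from MikroTik; trusted prefixes and the
after-logout window (scheduled scripts run as their owner) are assumptions."""
import ipaddress
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<src>[\d.]+) via (?P<via>\w+)")
BY_RE = re.compile(r" by (?P<user>\S+)$")

# Message prefixes worth attributing to a session (the longest matching prefix wins).
INDICATORS = {
    "socks config changed": "SOCKS proxy configuration changed",
    "socks acl entry added": "SOCKS ACL entry added",
    "new script added": "script added",
    "new script scheduled": "script scheduled",
    "script removed": "script removed",
    "script removed from scheduler": "script removed from scheduler",
    "filter rule changed": "firewall filter rule changed",
    "ip service changed": "IP service changed",
}

def parse_line(line):
    """Return {'ts', 'topics', 'msg'} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
            "topics": m["topics"].split(","), "msg": m["msg"]}

def analyze(lines, trusted_nets, after_logout_window_s=60):
    """Return one record per login session whose source is outside trusted_nets.
    Changes logged 'by <user>' go to that user's open sessions; changes arriving within
    after_logout_window_s after logout go to the session that just closed, tagged 'after logout'."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    open_sessions = {}   # (user, src, via) -> session record
    last_closed = {}     # user -> most recently closed session record
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        login = LOGIN_RE.search(ev["msg"])
        if login:
            key = (login["user"], login["src"], login["via"])
            if login["dir"] == "in":
                trusted = any(ipaddress.ip_address(login["src"]) in n for n in nets)
                open_sessions[key] = {"user": login["user"], "src": login["src"], "via": login["via"],
                                      "login": ev["ts"], "logout": None, "trusted": trusted,
                                      "indicators": []}
            else:
                s = open_sessions.pop(key, None)   # a duplicated logout line is ignored
                if s is not None:
                    s["logout"] = ev["ts"]
                    last_closed[s["user"]] = s
                    if not s["trusted"]:
                        findings.append(s)
            continue
        by = BY_RE.search(ev["msg"])
        prefix = max((p for p in INDICATORS if ev["msg"].startswith(p)), key=len, default=None)
        if not by or prefix is None:
            continue
        label = INDICATORS[prefix]
        targets = [s for (u, _, _), s in open_sessions.items() if u == by["user"]]
        closed = last_closed.get(by["user"])
        if not targets and closed and (ev["ts"] - closed["logout"]).total_seconds() <= after_logout_window_s:
            targets, label = [closed], "after logout: " + label
        for s in targets:
            s["indicators"].append(label)
    return findings

def session_seconds(s):
    """Length of a closed session in seconds."""
    return (s["logout"] - s["login"]).total_seconds()

# Constructed excerpt: the first block of the log posted above.
SAMPLE_LOG = """\
Jul/28/2018 08:12:46 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Jul/28/2018 08:12:46 system,info socks config changed by macgaiver
Jul/28/2018 08:12:47 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines(), ["192.168.123.0/24"]):   # trusted prefix: assumption
        print(f"{f['user']} from {f['src']} via {f['via']}: {session_seconds(f):.0f}s, {len(f['indicators'])} changes")
        for label in f["indicators"]:
            print("  -", label)
```

On the excerpt this reports one session: two seconds long, seven changes while logged in and seven more tagged "after logout", which is the scheduled scripts firing 29 seconds later. A session from a listed prefix that makes the same changes is not reported, so the trusted list must really be the addresses administrators use; the point of the thread is that a trusted address can itself be a compromised machine, which is why the firewall, not only the service address list, should limit who reaches the management ports.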
I have understood that even if you limit the connections in the IP/Services to specific addresses, it still allows the attacker close enough to execute the exploit. I have created firewall rules for the default 8291 and also for the port that I changed my Winbox access to. This is the only sure way in my mind that they won't be able to even reach IP/Services.

> May I ask, how is it possible for the attacker to load up the known scripts and modify firewall, sock proxy, etc.
> if in IP/Services only winbox and ssh is allowed, but they are limited to connect from known prefixes?
> It's even happened in 6.42.1 or 6.42.3
https://www.rdw.nl/particulier/nieuws/2 ... -rijbewijs

> @msatter: Is it joke or not?
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.

> May I ask, how is it possible for the attacker to load up the known scripts and modify firewall, sock proxy, etc.
> if in IP/Services only winbox and ssh is allowed, but they are limited to connect from known prefixes?
> It's even happened in 6.42.1 or 6.42.3

Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.
I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.

Even if he knows the password BUT the service is LIMITED to my ip prefixes, how the hell can he control my device?!

> Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
>> May I ask, how is it possible for the attacker to load up the known scripts and modify firewall, sock proxy, etc.
>> if in IP/Services only winbox and ssh is allowed, but they are limited to connect from known prefixes?
>> It's even happened in 6.42.1 or 6.42.3
Check your logs to see where the attacker accessed from, it could be a compromised machine from a trusted IP-address range. We can't really help you here without more information.

> Even if he knows the password BUT the service is LIMITED to my ip prefixes, how the hell can he control my device?!
>> Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
>>> May I ask, how is it possible for the attacker to load up the known scripts and modify firewall, sock proxy, etc.
>>> if in IP/Services only winbox and ssh is allowed, but they are limited to connect from known prefixes?
>>> It's even happened in 6.42.1 or 6.42.3
>> Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.
>> I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
The only way this is possible is if MikroTik made the service check the connecting IP address AFTER authentication.
If the service does NOT allow connections from anybody but the listed IPs, packets from unlisted sources should not reach the application. I think.
Please fix me, or accept that there is another piece of sh!t found in the pancake...
# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155
Yeah, that configuration is not secure. Wide open to the internet and attackers.

> here is full export command (little obfuscated)
> /export
/ip firewall filter
add action=accept chain=forward in-interface=ether1 connection-state=established,related
add action=accept chain=input in-interface=ether1 connection-state=established,related
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1
No they can not access the linux operating system of the router, unless you have rooted the router yourself already. Which you really should not do.

> Can hackers also put backdoors to linux?
I suggest you email support@mikrotik.com with your license issue.

> 2. How I can I reinstall CHR license on new disk image?
Yes. And this is fine. Everyone has his own vision of comfort and safety.

> Yeah, that configuration is not secure. Wide open to the internet and attackers.
I haven't access to email or account. Only disk image with self-updated license.

> 2. How I can I reinstall CHR license on new disk image?
I suggest you email support@mikrotik.com with your license issue.
Email support@mikrotik.com, they can help you with all your questions.

> I haven't access to email or account. Only disk image with self-updated license.
>> I suggest you email support@mikrotik.com with your license issue.
>>> 2. How I can I reinstall CHR license on new disk image?
> Any other suggestion?
You got hacked and started asking questions. Then when someone gives you a sensible answer and tells you where you went wrong, you disagree with them and stick your head in the sand.

> Yes. And this is fine. Everyone has his own vision of comfort and safety.
>> Yeah, that configuration is not secure. Wide open to the internet and attackers.
If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.
You ARE a fool.
Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly.

> If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.
From the picture and config you supplied us, we can't tell you.

> Just answer me, what kind of job is running on this configuration?
No. Read everything from the beginning

> Let me understand this.
> 1. You have an open router with no firewall
> 2. You ask why somebody connected to it
> Correct?
He is talking about what he said in viewtopic.php?p=685673#p685509, a job is shown to be running, yet the configuration doesn't appear to have any scripts in it.

> Sorry I don't understand that question. Try to re-phrase it.
I have another similar configuration of CHR (not previously hacked). Before asking, I checked there and didn't see any jobs.

> This is normal, if you open a Terminal. There is no hacker here.
ok. confirm this!

> This is normal, if you open a Terminal. There is no hacker here.
I feel stupid for forgetting this detail... knew I was forgetting something.

> This is normal, if you open a Terminal. There is no hacker here.
I'm not advocating for Mikrotik but please stop this. It's very annoying and I'm really not sure if you're just trolling, speaking on behalf of a competitor or you have a genuine case of hacking. Tell us all details, like how you've checked there were no default empty or easy to guess passwords, proxy service or firewall rules enabled that make it easy to use the router as a starting point for hackers, etc. If you're not 100% positive the break-in is a result of a new security hole then you should consider removing your post and rethink what you post here. We're all here to share info on all the existing exploits and how to deal with them. If you happen to find a genuine one, make a support request with a supout file and file a support request instead.

> One of a client's main routers with ros 6.42.7 has been compromised and a lot of traffic was being generated before I replaced it with a new one.
>> What do you want to say? Have you an example of hacked 6.42.7 or are you just guessing and making noise?
> Ros 6.42.7 with only winbox port open to web, and the other network routers and access points including swos switches are all compromised except the ones with ros 6.18.
> This crazy security holes....
The issue with doing that is that users won't know what is happening.

> is there maybe a plan to add auto update option and set that as default option?
There are many routers which will never be updated or until something real bad happens.
Ah very nice, thanks.

> Example is already in the manual:
> https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
> /system package update
> set channel=bugfix
> check-for-updates once
> :delay 1s;
> :if ( [get status] = "New version is available" ) do={ install }
Sorry to disagree but you're wrong. It is MIKROTIK's job to update our router's software when a critical vulnerability is on the way.

> It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.

> Sorry to disagree but you're wrong. It is MIKROTIK's job to update our router's software
>> It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Oh... Am I wrong? ROS has bugs, but it's not Windows 10, it's much better, and don't forget that MikroTik is sold all around the world to end customers.

> No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.
>> Sorry to disagree but you're wrong. It is MIKROTIK's job to update our router's software
>>> It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Normis,

> I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.
> The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.

So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.

> Securely? I only have winbox access opened to WAN and with a different port than the default one.
How happy would you be if Tesla would suddenly reboot and try to upgrade in a middle of slippery mountain road with a lot of dangerous turns?
Router is supposed to work 24/7 and it is not possible to guess what would be convenient time for each customer to upgrade and have network downtime.
That is why network administrators exist to administer network, upgrade routers or set up upgrade scripts scheduled for most convenient time.
That's why I have chosen MikroTik since 2001, to use it without worries. I am not a sysadmin, I just show clients and friends the best affordable equipment on the market with the best software to manage it, and I'm happy to have MikroTik.

> So it means you can keep using it without worry, and there is no urgent need for the manufacturer to force upgrade your device.
>> Securely? I only have winbox access opened to WAN and with a different port than the default one.
Also, how could we upgrade it, if you have a firewall.
/system package update
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available") do={ install }
I think that I wouldn't want my 160.000€ car to stop whenever it feels like it should update itself, while I am in a rush to get my pregnant wife or my hurt child to the hospital.

> Tesla Car should go to a safe place/shop in auto mode, stop, do the critical update, notify the client and contact Tesla support to check with the client, as we are talking about a 160.000€ car .... what do you think?
No, it should not.

> Automatic upgrade should be the default

Only if you're using the Micro$oft definition of 'best', which really means worst.

> and is quickly becoming best practice.
I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades.

> No, it should not.
>> Automatic upgrade should be the default
> Only if you're using the Micro$oft definition of 'best', which really means worst.
>> and is quickly becoming best practice.
> Upgrading in a controlled manner is best practice, not when some bone-head elsewhere in the world dictates.
I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.

> I think its unfair to call Mikrotik bone-heads in this case, as they are also saying no to the automatic upgrades.
It is indeed Micro$oft I meant.

> I don't think he meant Mikrotik but the likes of Microsoft and their stupid forced updates.
In Windows 10 it does, actually.

> Even your "beloved" Microsoft does not force reboots.
It's getting a bit off-topic, but still. The default behavior of Windows 10 is to always install updates automatically as soon as they become available, and then force automatic reboot somewhen outside of a (somewhat) configurable "activity period". You can configure this activity period (with limitations), but that's it. Nothing else can be changed/configured unless you are using Pro or Enterprise edition, and even then you need to know how to use policy editor and what policy to tweak in order to prevent automatic updates to happen without user consent.

> No it does not, unless you scheduled automatic restarts.
What is considered unsafe entry? And how would you determine that particular entry is unsafe in specific firewall?

> would check firewall rules for unsafe entries on every upgrade
Everything outside default protection rules. It should be only warning, nothing else.

> What is considered unsafe entry? And how would you determine that particular entry is unsafe in specific firewall?
>> would check firewall rules for unsafe entries on every upgrade
So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?

> Everything outside default protection rules. It should be only warning, nothing else.
No, not everybody. Only those who care enough to check their router from time to time. Those that don't care even to upgrade ancient unsafe ROS versions won't be bothered about it.

> So, everyone else that does not use the default firewall will get annoying warnings about a supposedly insecure firewall configuration?
>> Everything outside default protection rules. It should be only warning, nothing else.
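The export posted earlier in the thread and the proposal being argued here (warn, on every upgrade, about firewall entries that fall outside the default protection) come down to the same question: does the configuration leave the router's own services reachable from the WAN? As an added example, not MikroTik's code and not a feature RouterOS offers, this Python script parses "/export" output and reports the exposures the thread discusses: no catch-all drop in the input chain for the WAN interface, management services enabled without an address= restriction, an open DNS resolver, and a SOCKS or HTTP proxy switched on (the SOCKS change is what the log earlier in the thread shows). The WAN interface name is passed in; the embedded export is the relevant part of the one posted above, and the hardened variant adds the two drop rules suggested after it plus address= limits, both constructed for the example.

```python
"""Audit RouterOS '/export' text for the exposures discussed in this thread.
Added example, not MikroTik's code: a small export parser plus heuristic checks.
'wan' is the WAN interface name; the checks do not model full RouterOS semantics."""
import shlex

# Services left at their defaults (enabled, any source address) unless the export lists them.
MANAGED_SERVICES = ("telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl")
# Keys a catch-all drop rule may carry; any other key narrows the rule.
CATCHALL_KEYS = {"_pos", "action", "chain", "in-interface", "in-interface-list", "comment"}

def parse_export(text):
    """Return [(path, verb, args)]; '!flag' becomes flag=no, positional words go to args['_pos']."""
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)
        args, depth = {"_pos": []}, 0
        for tok in tokens[1:]:
            if tok == "[":                 # skip '[ find default=yes ]' selectors
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth:
                continue
            elif "=" in tok:
                key, value = tok.split("=", 1)
                args[key] = value
            elif tok.startswith("!"):
                args[tok[1:]] = "no"
            else:
                args["_pos"].append(tok)
        entries.append((path, tokens[0], args))
    return entries

def from_wan(args, wan):
    return args.get("in-interface") == wan or args.get("in-interface-list") == "WAN"

def audit(text, wan="ether1"):
    """Return human-readable findings for the export text."""
    entries = parse_export(text)
    findings = []
    inp = [a for p, v, a in entries if p == "/ip firewall filter" and v == "add"
           and a.get("chain") == "input" and a.get("disabled") != "yes"]
    catchall = any(a.get("action") == "drop" and from_wan(a, wan) and set(a) <= CATCHALL_KEYS for a in inp)
    if not catchall:
        findings.append(f"input chain has no catch-all drop for traffic arriving on {wan}")
    services = {name: {} for name in MANAGED_SERVICES}
    for p, v, a in entries:
        if p == "/ip service" and v == "set" and a["_pos"] and a["_pos"][0] in services:
            services[a["_pos"][0]].update(a)
    for name, a in services.items():
        if a.get("disabled") != "yes" and "address" not in a:
            findings.append(f"service {name} (port {a.get('port', 'default')}) enabled without address= restriction")
    dns_open = any(p == "/ip dns" and a.get("allow-remote-requests") == "yes" for p, v, a in entries)
    dns_dropped = any(a.get("action") == "drop" and from_wan(a, wan) and a.get("dst-port") == "53" for a in inp)
    if dns_open and not (dns_dropped or catchall):
        findings.append("allow-remote-requests=yes with no drop of port 53 from the WAN (open resolver)")
    for p, v, a in entries:
        if p in ("/ip socks", "/ip proxy") and a.get("enabled") == "yes":
            findings.append(f"{p} enabled=yes: the router relays traffic for anyone who can reach it")
    return findings

# Constructed from the relevant sections of the export posted in the thread.
EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
"""

# The same export plus the WAN drop rules suggested in the thread and address= limits (constructed).
HARDENED = EXPORT + """\
/ip firewall filter
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1
/ip service
set ssh address=192.168.123.0/24
set winbox address=192.168.123.0/24
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", EXPORT), ("hardened", HARDENED)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

On the posted export the script reports three things: no catch-all drop on ether1, and ssh (moved to port 2001) and winbox reachable from any address; the DNS resolver is not reported because the two port-53 drop rules already cover it. The hardened variant reports nothing. Note what this does not do: a rule written against the newer default firewall's interface lists (in-interface-list=!LAN) is not recognised as a catch-all, and an export only lists settings that differ from the defaults, which is why services the export never mentions are treated as enabled.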
See how your own position is skewing your point of view?

> So, us, professional users of ROS, ...
Hi, I have several clients that still have 6.38.5 and were compromised this weekend.
A new firmware file has been uploaded, but it is ignored when it reboots. It remains in the file list and the log just shows 'router rebooted'.
I have tried several firmware versions including 6.42.3.
I have also reset the configuration then tried new firmware. It still fails to take the new firmware.
Any suggestions?
This is plain stupid!

> Automatic upgrade should be the default and is quickly becoming best practice.

I could be fired on the spot if I don't issue warning about down time. Some environments depend on equipment which is 24/7/365 up.

But then you don't understand what "default" means?

> This is plain stupid!
>> Automatic upgrade should be the default and is quickly becoming best practice.
we could add this into our iOS/Android application wizard mode.

> /system package update
> check-for-updates once
> :delay 1s;
> :if ( [get status] = "New version is available") do={ install }
I think this already exists:

> Maybe MikroTik or one of the expert scripting users could post a script that changes the firewall filter rules of a router to the new default firewall.
> The script that adds that is of course already available in the router but it does a lot of other things.
> Some users might not be prepared to reset their entire config but their firewall is not so complicated and it could easily be replaced with the new one.
> (especially as there are now some rules that make it unnecessary to add specific rules to the filter after having configured dst-nat and IPsec)
> The script would create the new WAN and LAN interface lists, populate them, remove all current firewall filter rules and install the default rules.
> The user would then have to customize it in special cases, but for the average "NAT router with some forwardings and VPNs" it would just work.
Thanks for the link.

> This vulnerability is from 6.28. I try it:
> https://github.com/BigNerd95/WinboxExploit
> https://github.com/BasuCert/WinboxPoC
Normis and others in the forum, I upgraded my RouterOS from v6.41 to v6.43.2 and Winbox to v3.18. I have been hacked by an attacker.

> From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these things are fixed.
>> Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one.
Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.

> Have you netinstalled?
You should not allow remote connection to the router admin interface from the entire internet. That is just asking for trouble. The default firewall does not allow that, please do not remove that rule.

> Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
>> Have you netinstalled?
Just to confirm the (hopefully) obvious, you did use a different password afterwards, right?

> Yes, I netinstalled on Friday. Today, Monday, I connected remotely to the office twice; after those 2 connections I can not connect back again. It tells me wrong username/password. I am sure the attacker sniffed the login details again to lock me out again.
>> Have you netinstalled?
+1 for dedicated release channel for security fixes and auto upgrade option menu to enable/disable.

> Normis:
> 1. about auto upgrade: yes, but it should be installed by default in new routers and it should use a dedicated release channel only for security fixes like those that fixed the winbox and webserver vulnerabilities.
> 2. about firewall: what I suggest fixes only the firewall filters without overwriting all other configuration, which may be easier to convince the users to do.
What is your take here!
I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), first step with a new device is "remove default configuration" and then config the device from the very beginning, tailored to your needs.

> This is plain stupid!
>> Automatic upgrade should be the default and is quickly becoming best practice.
> I could be fired on the spot if I don't issue warning about down time. Some environments depend on equipment which is 24/7/365 up.

Not everyone has MikroTik in a home or small office environment.
If you like automation there is what Normis proposed as a script for doing it.
Happy networking,
No, if that ever sees day light then it should be an "opt in" option with warning sign on first connect screen otherwise it should be as it is now.

> I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), first step with a new device is "remove default configuration" and then config the device from the very beginning, tailored to your needs.
>> This is plain stupid!
>>> Automatic upgrade should be the default and is quickly becoming best practice.
>> I could be fired on the spot if I don't issue warning about down time. Some environments depend on equipment which is 24/7/365 up.
> Not everyone has MikroTik in a home or small office environment.
> If you like automation there is what Normis proposed as a script for doing it.
> Happy networking,
> Home users, who do not care much and leave the default config on (or those who do not understand/do not care) will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run the critical applications that do not survive two or three minutes outage during the night hours.
No, for it to be useful it HAS TO BE enabled by default!

> No, if that ever sees day light then it should be an "opt in" option with warning sign on first connect screen otherwise it should be as it is now.
> That's my opinion based on 30 years of experience as system engineer/admin. I don't say it lightly.
Just to be sure, I would like to say, that by " should be in default configuration" I don't mean "it should be default value". Yes, default value (when you erase configuration) should be "off", in "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".No, if that ever sees day light then it should be an "opt in" option with warning sign on first connect screen otherwise it should be as it is now.I think that automatic upgrade could be in "default configuration" - if you do anything beyond average home configuration (like the example you described), first step with a new device is "remove default configuration" and then config the device from the very beginning, tailored to your needs.This is plain stupid!Automatic upgrade should be the default and is quickly becoming best practice.
Here, in the country where I am from, all home-based routers (CPEs) belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.
Br,
Sasa
If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
> Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have proof? For example, screens or something?
> Hi.
> If you can, try to switch on the packet sniffer, log everything to and from your WinBox/API port, and stream it to another machine to record it.
> Probably it can help to discover and resolve the problem.
> Best regards: CsXen
I will do so when I reset the router in order to gain access back to it ...
> > If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
> Hi.
> We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
You can use VPN for remote access. It's simple and then WAN can be easily filtered...
> > Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
> You have proof? For example, screens or something?
I have a full Syslog!
> > > If you just connect the device to the network and you don't care about config at all, it becomes a ticking bomb for the rest of the network.
> > Hi.
> > We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
> You can use VPN for remote access. It's simple and then WAN can be easily filtered...
I secured the router perfectly, closing every single entry door! Filtering and blocking the MAC address of the attacker didn't do anything! Where is MikroTik from that!
> > > Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
> > You have proof? For example, screens or something?
> I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
> > > > Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
> > > You have proof? For example, screens or something?
> > I have a full Syslog!
> And? Can you share it with us? Or with support@mikrotik.com
I will mask the users and MAC address and post the log!
> > > > Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
> > > You have proof? For example, screens or something?
> > I have a full Syslog!
> And? Can you share it with us? Or with support@mikrotik.com
Date Time Message Text
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
> I masked his MAC and some IPs ... after his last mac-telnet and login, logging stopped and I was no longer able to log in again.
Um, quick question.
> With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
> Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP) I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS). There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
> > What's new in 6.43 (2018-Sep-06 12:44):
> > ....
> > *) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
> Therefore if there is still some other way to access the file, it means it is still possible to get the password of any user.
> I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.
> Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following rule won't do anything:
>     /ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
> I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
> The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in running state even if you disconnect the cable from your ethernet port.
> The other way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up if the attacker was accessing your device from WAN and if you had enabled/disabled MAC access on the WAN interface?
Thanks for your time replying with all the above! Yes, I was missing the MAC access, and when I wanted to take over and set them to none he trapped me and kicked me out. Anyway, the ether9 is the LAN to the ISP for the microwave link with interbranching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 MikroTik APs with ROS versions below 6.40 ...
> > With my total respect to MikroTik, let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
> Is this the first time this router has been hacked?
Unfortunately, it wasn't the 1st time. I was cleaning up after him every time but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog! From that syslog I was able to trace his prints, and started to fight back and clean up all that he did ... The funny thing is that while in mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this
Have you done a netinstall and added the config from scratch?
> Can you identify the MAC address (MAC vendor)?
> Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access, to check which interface it is connected to?
> Have you cross-checked with your own machines and ensured it isn't a local device?
Didn't bother to look! This MAC was another RouterBOARD switch connected to the interbranching. Probably he NATed the port from a PC or a WinBox-enabled OS to the machine with this MAC, to get a different MAC than the real one! Mysterious
> > 11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
> > system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
> > system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
> You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger also.
No way, I am a specialist, I use MacOS and it is very clean. 0 chance for a keylogger.
> Hey caresss
> As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface list to prevent access from any untrusted networks.
> The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
> For example:
>     /interface list member print
>     /interface list member remove [find list~"^mac" interface="WAN"]
>     /interface list member print
> I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
> For example:
>     /system shutdown
>     y
> I suggest netinstalling the router, to be sure that nothing nasty has happened.
> See: https://wiki.mikrotik.com/wiki/Manual:Netinstall
> You can e-mail support@mikrotik.com and they might have more/better suggestions.
> By the way, if it is your ISP that has been hacked, you might want to let them know. Because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I was so far from that location, and when I wanted to act badly he was faster. Anyway, thank God things went OK this morning and I rescued everything, having a very difficult and stressful time.
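Putting the two pieces of advice from this post and vecernik87's together (a trusted interface list for the MAC servers, plus an address restriction on the IP-level WinBox service), as an added example rather than configuration taken from any post in this thread; the names bridge, ether1, LAN and WAN and the prefix 192.168.88.0/24 are assumptions for a typical default setup.

```routeros
# Added example: confine MAC-Telnet / MAC-WinBox to a trusted interface list.
# Assumes the LAN bridge is called "bridge" and the uplink is "ether1".

# 1. Interface lists: LAN = trusted (management allowed), WAN = untrusted.
/interface list
add name=LAN comment="trusted, management allowed"
add name=WAN comment="untrusted, no MAC-level management"
/interface list member
add list=LAN interface=bridge
add list=WAN interface=ether1

# 2. MAC-level management only from LAN. These services are not IP, so
#    /ip firewall never sees them; the interface list is the only control.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# 3. Do not advertise the router on the untrusted side either.
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. IP-level WinBox: reachable only from the LAN prefix (assumed 192.168.88.0/24).
/ip service set winbox address=192.168.88.0/24

# 5. Verify. Routers upgraded from older releases may carry auto-created lists
#    named mactel / mac-winbox; WAN must not be a member of any of them, and
#    both MAC servers must point at LAN.
/interface list member print where list~"^mac"
/tool mac-server print
/tool mac-server mac-winbox print
```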
> The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
> https://www.zdnet.com/google-amp/articl ... k-routers/
> Owners being angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a Gray Hat Hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the routers' firewalls are misconfigured.
> The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Can anyone confirm this, or is it just brag?
> It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.
> Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.
> Steps to be taken:
> - Upgrade RouterOS to the latest release
> - Change your password after upgrading
> - Restore your configuration and inspect it for unknown settings. Delete SOCKS configurations, and any unknown scripts
> - Implement a good firewall according to the article here: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
> [UPDATED with specific versions]: Full details on what to do and what is affected: https://blog.mikrotik.com/security/winb ... ility.html
> Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow the generic advice in the above links.
Thanks for this information; some of my devices (set up on 18 Dec) with firmware version 6.42.10 had this "attack".
> @pe1chl You are right. But let's look at the problem with wireless in the new update 6.43.8. If I had set up auto-upgrade, at the time of the upgrade the entire network would have stopped?! (In 6.43.7: Frequency 5920, Frequency Mode superchannel, Country romania. After upgrade to 6.43.8: Frequency auto, Frequency Mode regulatory-domain, Country romania. And the link is down.)
> I know, superchannel with country is a wrong conf.. but auto-upgrade can be dangerous in this example.
So why would your link be down? Clients connect to whatever frequency the SSID has set. And if you indeed have some very special purpose here, why did you set a regulatory country?
> So why would your link be down?
I can't speak for his situation, but it is not really uncommon that a link goes down when one side changes frequency, e.g. because
> I upgraded my router and it stopped working...
Check if the update changed your master-slave settings to bridge. That's the #1 thing I saw taking out routers which upgraded from below 6.40.8 to above it. Fixing the bridges and moving IP/DHCP-Server/Filter-Rules to use the new bridge interface got things going again.
> I'm having issues upgrading. It doesn't do it.. check for updates, then select download and install.. it auto reboots but it stays at the old version, not the new one... I'm using hAP ac....
Check the architecture of the router, make sure you are using the correct file.
> > I'm having issues upgrading. It doesn't do it.. check for updates, then select download and install.. it auto reboots but it stays at the old version, not the new one... I'm using hAP ac....
> Check the architecture of the router, make sure you are using the correct file.
I have a hAP ac lite with software version 6.42rc24; tried different steps updating it to 6.44beta50
Need more information to be able to help you. What and how are you updating? From what version to what version? Again, how are you doing it?
> Anything in the log just after reboot?
> Did it upgrade to current (6.43.8) in step 2?
> Can you post the list of installed packages?
Screenshot of the logs after reboot. Nope, it did not upgrade to 6.43.8 or the 6.44beta.
> The problem is that you somehow ended up with two instances of the hotspot package installed. You can try to uninstall the stand-alone one (the top one on the screenshot, which is not indented in the list). If you succeed, then you'll be able to upgrade. If you don't succeed (quite probable), then the only way out is netinstall (make a fresh backup, save the backup file off the device, netinstall it to 6.42.x to ensure the highest probability of a successful backup restore) and upgrade to the desired version after that.
THANKS a LOT! It worked and it's updated.
> @Darman: if your device got infected you should reset it to factory defaults to ensure all the nasty stuff is removed.
Thanks, I know, but it would be cool if we could do that Socks access entry move with the update when the routers are miles away...
> Darman, how do you think an update will know which socks entries are legitimate and which are not?
If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
> > Darman, how do you think an update will know which socks entries are legitimate and which are not?
> If CPU is at 100% for the last 5 seconds - remove all IP Socks Access entries xD
Better idea: if the router is set up incorrectly/insecurely, brick it.
Hi, has anyone read this?
https://medium.com/tenable-techblog/mik ... d46398bf24
https://medium.com/tenable-techblog/mak ... 0705459bc6
> I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
Would you be able to share that system?
> > I was lucky that my predecessor had a system in place to easily roll out changes to all customer routers at once. So upgrading all customer routers was done within 24 hours of me learning about this vulnerability. We now have an IP whitelist on the winbox service to prevent anything bad in the future.
> Would you be able to share that system? :)
Basically my routers have a script version number; they then have a scheduled script that makes them contact a web server at a regular interval to check if a file with the next script version number exists. If a file with the next script version number exists, it downloads it and executes it.
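One way to render the mechanism just described, as an added example and not the poster's actual system: a scheduler runs a script that looks for update-<n+1>.rsc on an HTTPS server you control and imports it; the hostname updates.example.invalid, the /ros/ path and the file naming are placeholders.

```routeros
# Added example of the polling scheme described above (not the poster's own
# system). Placeholder server: updates.example.invalid, path /ros/.
# The last applied version is persisted in the scheduler's comment so it
# survives reboots; a :global would reset and re-apply every update again.

/system script add name=poll-update policy=ftp,read,write,policy,test source={
    :local sched [/system scheduler find name=poll-update]
    :local stored [/system scheduler get $sched comment]
    :local current 0
    :if ([:len $stored] > 0) do={ :set current [:tonum $stored] }
    :local next ($current + 1)
    :local file ("update-" . $next . ".rsc")
    :do {
        # fetch fails (and we stay on $current) when the next file does not exist.
        # check-certificate=yes needs the server CA imported under /certificate;
        # without it anyone on the path could hand the whole fleet a config.
        /tool fetch url=("https://updates.example.invalid/ros/" . $file) check-certificate=yes dst-path=$file
        /import file-name=$file
        /system scheduler set $sched comment=[:tostr $next]
        /file remove [find name=$file]
        :log info ("poll-update: applied " . $file)
    } on-error={
        :log debug ("poll-update: no " . $file . " on server, staying at version " . $current)
    }
}

# Poll every 6 hours; the comment holds the current script version (0 = none applied).
/system scheduler add name=poll-update interval=6h on-event=poll-update comment="0" policy=ftp,read,write,policy,test
```

Each update-N.rsc must be numbered consecutively, because the router only ever asks for current+1 and stops at the first missing file.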
> Essentially the most general, most important dilemma about the most common (well, over the ultra-modern two years or anything to that effect) vulnerabilities in ROS is that the main default settings did not sincerely shut all WAN access to the RB.
That is not correct! On every router except the CCR the default has been (at least for a very long time) to block all input from the internet by default.
> It has come to our attention that a rogue botnet is currently using the same vulnerability in the RouterOS Winbox service that was patched in RouterOS v6.42.1 on April 23, 2018.
Is it enough to only upgrade the OS to a safe version, or MUST a netinstall be done?
> Is it enough to only upgrade the OS to a safe version, or MUST a netinstall be done?
As stated multiple times in this thread, and in other places on the forum: if you want to be 100% sure that your router is not infested with some Lovecraftian horror, netinstall it.
> Automatic upgrade should be the default and is quickly becoming best practice.
Automatic upgrade with reboot will never become best practice in non-HA clusters.
> Well, why not, as long as I can turn it off and I'm not left out with setting "active hours".
That's not what I call "best practice"
> > Automatic upgrade should be the default and is quickly becoming best practice.
> Automatic upgrade with reboot will never become best practice in non-HA clusters.
You are not going to tell us that those 200.000 - 400.000 compromised MikroTik routers form an HA cluster, are you?
> I think the point was that, unlike with HA solutions, where you can take out some part and everything else will still work, unexpected reboots of lone routers would be annoying to users. Plus MikroTik would need extremely good quality control, because a small mistake could result in thousands of inoperable routers, which would not amuse users either.
I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
> It should only be updated when security vulnerabilities have been found and fixed, ...
What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years. They would have to minimize the number of preinstalled versions somehow (to make testing easier), but with new hardware coming out all the time, I don't know how.
> I have explained several times that they should create a separate release channel and configure by default in every shipped router that whenever a release appears on that channel that is newer than the release installed on the router, it would automatically be installed (this channel would be polled e.g. once a day or once a week, during night local time).
Better idea: prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
> > It should only be updated when security vulnerabilities have been found and fixed, ...
> What if they don't find any for a while? Imagine that there's no vulnerability for a few years and then something happens. They would have to make an update that would apply to several RouterOS versions released over all those years.
I have not clearly stated (and I am not really sure) if they should make a minor release to fix security issues for every major release out in the field.
> Better idea: prevent changing/removal of the default firewall. That is what all other "home router" brands seem to do. Simply prevent idiots from doing stupid things.
There could be a default firewall where the user can add things, and an "expert" mode where they can redesign the whole firewall when desired.
> Hello, we have found that our CCR is not accessible, has been compromised, user and password have changed. V 6.38.7 (bugfix) is the version that appears from winbox; we have passed ExploitWinbox and Macserverexploit but it does not work, what else can we do? We do not have a backup ..... Thanks!
Bugfix version 6.38.7 should be vulnerable to the exploit, assuming the firewall or service doesn't block IP access and MAC-WinBox-Server is running for MAC access.
> Is it possible to show the column Version in the Tabsheet Managed?
No, because this is just a list of bookmarked connection parameters, and WinBox does not have an actual connection to these devices until you select and open one.