Community discussions

 
Kraken2k
Frequent Visitor
Posts: 51
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: Winbox vulnerability: please upgrade

Mon Oct 29, 2018 11:14 am

Automatic upgrade should be the default and is quickly becoming best practice.
This is plain stupid!
I could be fired on the spot if I don't issue a warning about downtime. Some environments depend on equipment which is up 24/7/365.
Not everyone has Mikrotik in a home or small office environment.
If you like automation, there is what Normis proposed as a script for doing it.

Happy networking,
I think that automatic upgrade could be in the "default configuration" - if you do anything beyond an average home configuration (like the example you described), the first step with a new device is "remove default configuration" and then configure the device from the very beginning, tailored to your needs.

Home users, who do not care much and leave the default config on (or those who do not understand/do not care), will get automatic updates and won't stay behind with old vulnerable versions. And these usually don't run critical applications that do not survive a two or three minute outage during the night hours.
No, if that ever sees daylight then it should be an "opt in" option with a warning sign on the first connect screen; otherwise it should be as it is now.
That's my opinion based on 30 years of experience as a system engineer/admin. I don't say it lightly.

Here, in the country where I am from, all home-based routers/CPEs belong to the providers and are directly managed by them. If you use MT it will in most cases be behind their router with port forwarding enabled.

Br,
Sasa
Just to be sure, I would like to say that by "should be in default configuration" I don't mean "it should be the default value". Yes, the default value (when you erase the configuration) should be "off"; in the "default configuration" (the factory default when you turn on the device for the first time) it imho should be "on".

The reason is simple: if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network - this is the way to partially fix this kind of behavior (as it happens, and you cannot do anything about it). It's a similar thing to the default configuration that forbids logon from the WAN port. If you reset the configuration (which is what we usually do after a RoS/firmware update), the option for autoupdate will be set to "off" and you can configure it yourself as you want.
 
CsXen
Frequent Visitor
Posts: 84
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:00 pm

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network

Well... our good old RB532As get no security updates, because MT retired the MIPSLE branch and is not backporting any security updates.
And the latest release (6.33.4) is vulnerable... so we rolled back to 6.27, which is virtually not vulnerable.
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs.
And we have no funds to change the hardware, because they run on a charity basis at some very remote site.
What to do? Should I blame MT for their ignorance? Or just pray and hope that no vulnerability will be found in the old 6.27?

Best regards: CsXen
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Mon Nov 05, 2018 11:45 pm

With my total respect to Mikrotik, let me tell you guys again that your ROS 6.43.4 is still vulnerable, and tonight I was playing with the hacker by closing every single door to access my router. He was kind enough not to directly change my password and kick me out... He was just playing with some mangle rules and using my gateway to increase the traffic through whatever he needs, keeping my WAN graph full all the time.

Regardless of all that, I locked down all IP services and changed the default ports to something far from the original. I created a syslog dedicated to this Mikrotik RB2011UiAS, where I wanted to see what was going on. Initially, the hacker was using my username to gain access again and to unbind winbox and telnet from being locked to my internet IP.

I realized that and rapidly deleted all users and created a totally new crazy user with a hard-to-guess password. All of a sudden, while I was still in the Mikrotik session, tracing the log I saw him get in again through mac-telnet; he scans what's changed and logs back in from winbox :| "Casper". (While using telnet nothing is logged; it is the first time I know this!)

After that, I dropped all the ways for him to access the routerboard... added his mac-address, which appeared in Mikrotik's log, to filter rules "input,forward,output", dropping everything possible from his way... All of a sudden, after a few minutes, and while I was still inside the Mikrotik session, the router rebooted and I got kicked out! He did it this time and changed the password; I knew that from the syslog!!!!! It was logged because he ran to change the pass prior to entering and kicking him out, and prior to changing the log location, so I had the chance to read what happened while I was kicked out.

Unfortunately, it seems I have no chance except resetting the router, but I am truly so highly disappointed in Mikrotik, whose hardware/software I have used personally for almost 14 years without a headache... With this vulnerability still active, my reliance on Mikrotik is 0 and I will be replacing all my companies' firewalls/routers with something more rigid.

Sorry guys but we no longer have trust in your stuff.

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
Last edited by caresss on Tue Nov 06, 2018 12:19 am, edited 1 time in total.
 
CsXen
Frequent Visitor
Posts: 84
Joined: Wed Sep 10, 2014 8:31 pm
Location: Budapest - Hungary

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:05 am

Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
 
honzam
Forum Guru
Posts: 2154
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:08 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have a proof? For example, screens or something?
LAN, FTTx, Wireless. ISP operator
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.
If you can, try to switch on the packet sniffer and log everything to and from your WinBox/API port, and stream it to another machine to record it.
Probably it can help to discover and resolve the problem.

Best regards: CsXen
I will do so when I reset the router in order to gain access back to it ...
 
honzam
Forum Guru
Posts: 2154
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:11 am

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use VPN for remote access. It's simple and then WAN can be easily filtered...
LAN, FTTx, Wireless. ISP operator
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:13 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have a proof? For example, screens or something?
I have a full Syslog!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:15 am

Hi.

if you just connect the device to the network and you don't care about the config at all, it becomes a ticking bomb for the rest of the network
We have no chance to filter the WAN side, because the Android WinBox app over a mobile net comes from "random" IPs
You can use VPN for remote access. It's simple and then WAN can be easily filtered...
I secured the router perfectly, closing every single door! Filtering and blocking the mac address of the attacker didn't do anything! Where is mikrotik on that!
 
honzam
Forum Guru
Posts: 2154
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:18 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have a proof? For example, screens or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
LAN, FTTx, Wireless. ISP operator
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:20 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have a proof? For example, screens or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
I will mask the users and mac address and post the log!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 12:55 am

Fix ROS6.43.3 because I am sure 10000% it is still vulnerable and I saw the proof tonight with a very long fight.
You have a proof? For example, screens or something?
I have a full Syslog!
And? Can you share it with us? Or with support@mikrotik.com
Date Time Message Text
#Password changed and I cannot access the router anymore!
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#It seems he rebooted the router and I was unable to login as you see a failure below!
11/5/18 22:38:08 system,error,critical login failure for user NewUserCreated from 192.168.my.ip via winbox
11/5/18 22:37:52 interface,info ether5 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether3 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether1 link up (speed 1G, full duplex)
11/5/18 22:37:52 interface,info ether9 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether8 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether7-WAN link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether4 link up (speed 100M, full duplex)
11/5/18 22:37:52 interface,info ether2-WAN link up (speed 100M, full duplex)
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:37:08 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
11/5/18 22:36:56 system,info user NewUserCreated changed by NewUserCreated
11/5/18 22:32:56 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:32:10 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:32:08 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:29:55 interface,info ether9up (speed 100M, full duplex)
11/5/18 22:29:53 system,info device changed by NewUserCreated
11/5/18 22:29:45 system,info filter rule changed by NewUserCreated
11/5/18 22:29:15 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:29:10 system,info filter rule added by NewUserCreated
11/5/18 22:29:09 system,info filter rule added by NewUserCreated
11/5/18 22:29:07 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:22:47 system,info,account user NewUserCreated logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:22:21 system,info device changed by NewUserCreated
#This is the interface he was attacking from. I trusted the mikrotik filter more than disabling the interface BUT he was faster this time to change the newuserpass keeping me out!
11/5/18 22:22:21 interface,info ether9 link down
11/5/18 22:18:01 system,info arp entry changed by NewUserCreated
11/5/18 22:09:11 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 22:07:22 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 22:03:30 system,info mangle rule removed by NewUserCreated
11/5/18 22:03:25 system,info mangle rule removed by NewUserCreated
11/5/18 22:00:47 system,info,account user NewUserCreated logged in from 192.168.my.ip via winbox
11/5/18 21:59:49 system,info,account user NewUserCreated logged out from 192.168.my.ip via winbox
#This tells that I lost hope with everything and I had no other chance other than adding a filter rule to block his mac-address from input,forward,output!BUT nothing worked!
11/5/18 21:59:15 system,info filter rule added by NewUserCreated
11/5/18 21:59:03 system,info filter rule added by NewUserCreated
11/5/18 21:58:49 system,info filter rule added by NewUserCreated
#I can't believe it howcome he knew rapidly the exact newly created user!
11/5/18 21:56:36 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
#After I cleaned fully my mikrotik he tried to login with the old deleted user as you can see below!
11/5/18 21:55:58 system,error,critical login failure for user OldDeletedUser from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:54:18 system,info address changed by NewUserCreated
11/5/18 21:54:14 system,info address changed by NewUserCreated
11/5/18 21:54:09 system,info address changed by NewUserCreated
11/5/18 21:54:05 system,info address changed by NewUserCreated
11/5/18 21:54:00 system,info address changed by NewUserCreated
11/5/18 21:53:44 system,info address changed by NewUserCreated
11/5/18 21:53:41 system,info address changed by NewUserCreated
11/5/18 21:53:12 system,info address added by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:53:07 system,info address changed by NewUserCreated
11/5/18 21:52:55 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:52:44 system,info address changed by NewUserCreated
11/5/18 21:51:21 system,info nat rule changed by NewUserCreated
11/5/18 21:50:20 system,info address changed by NewUserCreated
11/5/18 21:50:06 system,info route changed by NewUserCreated
11/5/18 21:50:03 system,info route changed by NewUserCreated
11/5/18 21:49:32 system,info,account user NewUserCreated logged out from 192.168.my.ip via telnet
11/5/18 21:49:14 system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
11/5/18 21:47:47 system,info address changed by NewUserCreated
11/5/18 21:46:42 system,info route changed by NewUserCreated
11/5/18 21:44:30 system,info nat rule changed by NewUserCreated
11/5/18 21:44:29 system,info nat rule changed by NewUserCreated
11/5/18 21:43:13 system,info nat rule changed by NewUserCreated

I masked his mac and some ips ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
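The log above has to be read by hand, and the same account name appears in both the admin's and the attacker's sessions. As an added example (not the poster's or MikroTik's code), the following Python script replays RouterOS syslog lines of this format oldest-first, alerts on logins over mac-telnet/mac-winbox from MACs not on an allowlist, and attributes each "changed by" entry to the sessions that were open at that moment, which is the only way to separate the two actors when they share a user. The sample lines are constructed in the same format, with a masked MAC and a private IP.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample in RouterOS syslog format, modelled on the masked log posted
# in this thread (not the poster's real log). Newest line first, as RouterOS shows it.
SAMPLE_LOG = """\
11/5/18 22:38:15 system,info,account user admin2 logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:38:08 system,error,critical login failure for user admin2 from 192.168.88.10 via winbox
11/5/18 22:37:08 system,info,account user admin2 logged out from 192.168.88.10 via winbox
11/5/18 22:36:56 system,info user admin2 changed by admin2
11/5/18 22:32:56 system,info,account user admin2 logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 22:29:45 system,info filter rule changed by admin2
11/5/18 22:22:47 system,info,account user admin2 logged out from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:59:15 system,info filter rule added by admin2
11/5/18 21:58:00 system,info,account user admin2 logged in from 192.168.88.10 via winbox
11/5/18 21:56:36 system,info,account user admin2 logged in from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:55:58 system,error,critical login failure for user oldadmin from ??:3B:??:22:??:AC via mac-telnet
11/5/18 21:55:00 interface,info ether9 link up (speed 100M, full duplex)
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")   # "<date> <time>" <topics> <message>
LOGIN_RE = re.compile(r"^user (\S+) logged (in|out) from (\S+) via (\S+)$")
FAIL_RE = re.compile(r"^login failure for user (\S+) from (\S+) via (\S+)$")
CHANGE_RE = re.compile(r"^(.+?) (added|changed|removed) by (\S+)$")
# Layer-2 management protocols: never seen by /ip firewall, so a login over them
# from a MAC that is not allowlisted is the signal worth alerting on.
MAC_METHODS = {"mac-telnet", "mac-winbox"}


@dataclass
class Session:
    user: str
    src: str
    method: str
    opened: datetime
    untrusted_mac: bool          # opened over a MAC protocol from a non-allowlisted MAC
    closed: Optional[datetime] = None


@dataclass
class Report:
    mac_logins: list = field(default_factory=list)   # (time, user, src, method)
    failures: list = field(default_factory=list)     # (time, user, src, method)
    changes: list = field(default_factory=list)      # (time, what, user, candidate sessions)


def parse_events(log_text: str):
    """Return (time, topics, message) tuples in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
                           m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])   # RouterOS prints newest first; replay oldest first
    return events


def analyze(log_text: str, trusted_macs: frozenset = frozenset()) -> Report:
    """Replay the log, tracking open sessions so each config change can be
    attributed to the session(s) that could have made it."""
    report, sessions = Report(), []
    for when, _topics, msg in parse_events(log_text):
        if m := LOGIN_RE.match(msg):
            user, direction, src, method = m.groups()
            if direction == "in":
                untrusted = method in MAC_METHODS and src.upper() not in trusted_macs
                sessions.append(Session(user, src, method, when, untrusted))
                if untrusted:
                    report.mac_logins.append((when, user, src, method))
            else:
                for s in sessions:   # close the oldest matching open session
                    if s.closed is None and (s.user, s.src, s.method) == (user, src, method):
                        s.closed = when
                        break
        elif m := FAIL_RE.match(msg):
            user, src, method = m.groups()
            report.failures.append((when, user, src, method))
        elif m := CHANGE_RE.match(msg):
            what, verb, user = m.groups()
            # The account name alone cannot say who acted: list every open session of that user.
            candidates = [s for s in sessions if s.user == user and s.closed is None]
            report.changes.append((when, f"{what} {verb}", user, candidates))
    return report


def summarize(report: Report) -> dict:
    """Counts a defender wants at a glance; 'ambiguous' changes had more than one open session."""
    return {
        "mac_logins": len(report.mac_logins),
        "failures": len(report.failures),
        "changes": len(report.changes),
        "ambiguous_changes": sum(1 for c in report.changes if len(c[3]) > 1),
        "changes_possibly_over_mac": sum(1 for c in report.changes
                                         if any(s.untrusted_mac for s in c[3])),
    }


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for when, what, user, cands in rep.changes:
        who = ", ".join(f"{s.method}@{s.src}" for s in cands) or "no open session"
        print(f"{when:%H:%M:%S} {what} by {user}: {who}")
    print(summarize(rep))
```

Pass the MACs of your own management hosts in `trusted_macs` to silence alerts for them; with the sample, the password change at 22:36:56 is correctly reported as possibly made over mac-telnet.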
 
vecernik87
Member
Posts: 311
Joined: Fri Nov 10, 2017 8:19 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 2:07 am

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP), I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore, if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following rule won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in running state even if you disconnect the cable from your ethernet port.
The other way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up if the attacker was accessing your device from WAN and if you had enabled/disabled MAC access on the WAN interface?
 
Karas
just joined
Posts: 6
Joined: Sat Apr 21, 2012 2:53 am
Location: Port Elizabeth, South Africa

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 9:09 am

I masked his mac and some ips ... after his last mac-telnet and login, logging stopped and I was no longer able to login again.
Um, quick question.
Isn't this hacker on your local network?
All the IPs I'm seeing are local (unless I skipped over something), and logging in via mac-telnet...
 
Jotne
Long time Member
Posts: 592
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:02 am

With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?
 
td32
Frequent Visitor
Posts: 69
Joined: Fri Nov 18, 2016 5:55 am

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:41 am

You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger as well.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
 
nescafe2002
Member
Posts: 448
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 10:59 am

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access, to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?
 
Deantwo
Member Candidate
Posts: 245
Joined: Tue Sep 30, 2014 4:07 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 11:21 am

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface lists to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way, if it is your ISP that has been hacked, you might want to let them know, because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I wish my FTP was FTL.
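vecernik87's and Deantwo's point above is that the fix lives in the interface lists, not in /ip firewall. As an added example (not MikroTik's or either poster's code), this Python script audits a RouterOS `/export` text for MAC-telnet, MAC-WinBox and neighbor discovery answered on interfaces that belong to the WAN list, and flags src-mac-address drop rules that give false assurance. It assumes 6.41+ export syntax, a WAN interface list named "WAN" (the name is a parameter), and two constructed sample exports: the weak configuration beside its hardened form.

```python
import shlex

# Constructed sample /export (not a real device) reproducing the weak settings discussed
# in the thread: MAC-telnet open everywhere, MAC-WinBox on a list that also holds an
# ISP-facing port, discovery on all ports, and a src-mac drop rule in /ip firewall raw.
WEAK_EXPORT = """\
/interface list
add name=WAN
add name=MGMT
/interface list member
add interface=ether2-WAN list=WAN
add interface=ether9 list=WAN
add interface=ether9 list=MGMT
add interface=bridge-lan list=MGMT
/ip firewall raw
add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=all
"""

# The same device after restricting all three settings to a LAN-only list.
HARDENED_EXPORT = """\
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether2-WAN list=WAN
add interface=ether9 list=WAN
add interface=bridge-lan list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
"""

# (section, parameter, label) of the settings that decide where layer-2 management answers.
LIST_CHECKS = (
    ("/tool mac-server", "allowed-interface-list", "MAC-telnet server"),
    ("/tool mac-server mac-winbox", "allowed-interface-list", "MAC-WinBox server"),
    ("/ip neighbor discovery-settings", "discover-interface-list", "neighbor discovery"),
)


def parse_export(text: str) -> dict:
    """Map each '/section' header to its add/set entries as {param: value} dicts."""
    sections, current = {}, None
    for raw in text.replace("\\\n", " ").splitlines():   # join RouterOS line continuations
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        words = shlex.split(line)
        if current is None or words[0] not in ("add", "set"):
            continue
        entry = {"_cmd": words[0]}
        entry.update(w.split("=", 1) for w in words[1:] if "=" in w)
        sections[current].append(entry)
    return sections


def list_members(sections: dict) -> dict:
    """Interface-list name -> set of member interfaces."""
    members = {}
    for e in sections.get("/interface list member", []):
        if "list" in e and "interface" in e:
            members.setdefault(e["list"], set()).add(e["interface"])
    return members


def exposure(list_name: str, members: dict, wan_ifaces: set):
    """Explain why an interface-list setting reaches the WAN, or None if it does not."""
    if list_name == "all":
        return "set to 'all' (answered on every port, WAN included)"
    if list_name == "none":
        return None
    exposed = members.get(list_name, set()) & wan_ifaces
    return f"list '{list_name}' contains WAN interface(s) {sorted(exposed)}" if exposed else None


def audit(export_text: str, wan_list: str = "WAN") -> list:
    """Return human-readable findings; an empty list means nothing reaches the WAN."""
    sections = parse_export(export_text)
    members = list_members(sections)
    wan_ifaces = members.get(wan_list, set())
    findings = []
    # Only explicit values are judged: plain /export omits defaults, so audit '/export verbose'.
    for section, key, label in LIST_CHECKS:
        for e in sections.get(section, []):
            if e["_cmd"] == "set" and key in e and (why := exposure(e[key], members, wan_ifaces)):
                findings.append(f"{label}: {why}")
    # MAC-telnet/MAC-WinBox are not IP traffic; a src-mac-address drop in /ip firewall cannot stop them.
    for section in ("/ip firewall filter", "/ip firewall raw"):
        for e in sections.get(section, []):
            if e.get("action") == "drop" and "src-mac-address" in e:
                findings.append(f"{section}: drop on src-mac-address={e['src-mac-address']} "
                                "does not block MAC-telnet/MAC-WinBox; fix the interface lists instead")
    return findings
```

On the weak sample the MAC-WinBox finding names ether9, the ISP-side port the thread's log shows the mac-telnet logins arriving on; the hardened sample produces no findings.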
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:42 pm

Thanks for sharing! This does not look good and support staff should be notified. However, unless we give them some better info (ideally a packet capture from a TAP), I do not believe they will be able to help. I can personally confirm that the known attack vector was closed. (I still have a few devices on purpose with older ROS. I can hack them (i.e. steal passwords from any user) but the same approach does not work on new ROS.) There might be another unknown attack vector. In addition, as far as I know, the file with readable passwords is still available in current ROS versions:
What's new in 6.43 (2018-Sep-06 12:44):
....
*) user - all passwords are now hashed and encrypted, plaintext passwords are kept for downgrade (will be removed in later upgrades);
Therefore, if there is still some other way to access the file, it means it is still possible to get the password of any user.

I will not speculate about possible reasons in your situation. There are many possibilities, including an unknown vulnerability or an incorrect way of resetting the device (maybe you didn't wipe it completely, or you had it unprotected and connected for a few minutes while the attacker had enough time to implant some backdoor). Such speculation is wild guessing without knowing what really happened.

Anyway, you mentioned that your firewall rule for the MAC address did not work. I can confirm such behavior - MAC winbox/telnet cannot be filtered using /ip firewall rules. For example, the following rule won't do anything:
/ip firewall raw add action=drop chain=prerouting src-mac-address=3C:97:0E:D7:XX:XX
I believe that is happening because MAC winbox/telnet communication is not IP communication, therefore it does not go through the "routing" block shown in the packet flow and therefore it does not go through any chain available in /ip firewall. (However, the packet count of such a rule still increases, which is weird...)
The only way I found to filter incoming non-IP communication is by creating a bridge over a single interface and using /interface bridge filter. This unfortunately breaks other behavior, because the bridge will be in running state even if you disconnect the cable from your ethernet port.
The other way to block access to your MAC winbox/telnet is to use the correct interface-list in /tool mac-server and /tool mac-server mac-winbox. Simply said - there should be no MAC access to your device from the WAN port. Can you please clear up if the attacker was accessing your device from WAN and if you had enabled/disabled MAC access on the WAN interface?
Thanks for your time replying with all the above! Yes, I was missing the mac access, and when I wanted to take over and set them to none he trapped me and kicked me out. Anyway, ether9 is the LAN to the ISP for the microwave link with inter-branching! When he realized that I was aware of the situation he started resetting every single router on the ISP side, almost 30 Mikrotik APs with ROS versions below 6.40...

The story ended up with netinstalling the main backbone which he attacked and restoring all the Mikrotik APs after he reset them all, and locking everything down, even the mac side, with the latest OS. He wasn't that smart, but it was the OS's fault. Anyway, thank God all is back to normal now after dealing with almost 80 routers and switches. Absolutely a pain in the neck, and applause for Mikrotik over that :))

We were born to learn so every day is a new school day in this new techie era!
Have a calm eve...
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:54 pm

With my total respect to Mikrotik let me tell you guys again that your ROS 6.43.4 is still vulnerable ....
Is this the first time this router has been hacked?
Have you done netinstall and added config from scratch?
Unfortunately, it wasn't the 1st time. I was cleaning up after him every time, but he kept getting back in through that mac-telnet and again mac-winbox. Absolutely Casper! Until yesterday, when I decided for the 1st time to install a remote syslog. From that syslog I was able to trace his prints, and started to fight back and clean up all that he did... The funny thing is that with mac-telnet, whatever you do, the log will not catch it!!! I was expecting to see some commands but nothing! I never knew this :)

A piece of advice: don't take things carelessly and absolutely install syslog, because it is very essential for everything and especially for security, which comes 1st.
But I confirm 10000% that I updated the ROS to 6.34.4 and it was absolutely clean, with a totally new user and a very long and complicated pass... It took him seconds to guess the user and log on with it! I was so sure he was out: no scripts, no packet sniffing config, no php file in files, nothing, absolutely nothing he could use to guess the user. In seconds he guessed it!!! That truly frightened me and I somehow gave up, knowing that whatever I do he will keep coming back. What happened, happened, and the lesson was learned.

I believe he sniffed the packets between the latest winbox session from my side and the routerboard. There's still somehow a hidden vulnerability!
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:58 pm

Can you identify the MAC address (mac vendor)?

Have you tried looking it up via ip/arp, bridge/hosts or switch/hosts after regaining access, to check which interface it is connected to?

Have you cross-checked with your own machines and ensured it isn't a local device?
Didn't bother to look! This mac was another routerboard switch connected to the inter-branching. Probably he NATed the port from a PC or a winbox-enabled OS to the machine with this mac, to get a different mac than the real one! Mysterious :)
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 6:59 pm

You can change the password all day long, but if someone has remote access to your PC they most probably have installed a keylogger as well.
11/5/18 22:38:15 system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from ??:3B:??:22:??:AC via mac-telnet
system,info,account user NewUserCreated logged in from 192.168.my.ip via telnet
No way :) I am a specialist, I use MacOS and it is very clean. 0 chance for a keylogger.
 
caresss
just joined
Posts: 11
Joined: Mon Nov 05, 2018 11:09 pm

Re: Winbox vulnerability: please upgrade

Tue Nov 06, 2018 7:01 pm

Hey caresss

As mentioned by vecernik87, MAC-Telnet and MAC-WinBox are not IP protocols, so an IP firewall will do nothing to block them. You need to configure your interface lists to prevent access from any untrusted networks.

The fact that the attacker is using MAC-Telnet or MAC-WinBox means that they have direct access to your router. This can mean that they are INSIDE your network, or maybe they have hacked your ISP's router and are attacking you from there. Assuming that it isn't from inside your own network, simply exclude your WAN interface from the mactel and mac-winbox interface lists.
For example:
/interface list member print
/interface list member remove [find list~"^mac" interface="WAN"]
/interface list member print

I don't know why you were even fighting the hacker, just unplug the ethernet cables. Then you can reset the router and fix the issues. If you need time to get to the router, you can use the shutdown command so the router goes offline until you manually reboot it by power cycling.
For example:
/system shutdown
y

I suggest netinstalling the router, to be sure that nothing nasty has happened.
See: https://wiki.mikrotik.com/wiki/Manual:Netinstall

You can e-mail support@mikrotik.com and they might have more/better suggestions.

By the way, if it is your ISP that has been hacked, you might want to let them know, because if your ISP is compromised, then EVERYTHING you send over the internet is vulnerable to man-in-the-middle attacks.
I was so far from that location, and when I wanted to act badly he was faster :) Anyway, thank God things went OK this morning and I rescued everything, having a very difficult and stressful time.

I'll keep you posted guys if anything new will come up regarding this mysterious issue :)
 
msatter
Forum Veteran
Posts: 928
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 12:49 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners who are angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a grey hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.44Beta28 / Winbox 3.18 / MikroTik APP 1.0.6
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
mozerd
Member Candidate
Posts: 119
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 1:35 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
https://www.zdnet.com/google-amp/articl ... k-routers/

Owners who are angry at him should think about the fact that someone from the outside could just walk into their router, which is not the intention. As a grey hat hacker you are on the wrong side of the law, but with good intentions and helping us all, it should not lead to consequences.
Based on my experience with MikroTik and MOAB, where I have been asked to remotely install the service, many of the router firewalls are misconfigured.
The value proposition that is MikroTik is such that it is very popular because MikroTik is POWERFUL, extensible and inexpensive. Very unfortunately, a lot of these configurations are managed by people who have NO idea what they are doing, applying the worst possible firewall disciplines one can imagine --- so it's not at all surprising that a LOT get hacked.

IMO, MikroTik have provided the basic guidelines to effectively secure the router -- but when the undisciplined admin wants to expand on that capability they break the effective security model and get into trouble, enabling the bad guys to invade their territory.
 
Jotne
Long time Member
Posts: 592
Joined: Sat Dec 24, 2016 11:17 am

Re: Winbox vulnerability: please upgrade

Wed Nov 07, 2018 2:22 pm

The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.
Can anyone confirm this, or is it just bragging?
Has anyone seen an MT that has gotten an access list added to prevent external access?
