Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Tik compromised after upgrade, security concern

Sat Jun 03, 2023 8:25 am

So I upgraded my Tik to 6.49.8 from 6.48.* about 48 hours ago. Within 24 hours after the upgrade my router was compromised.

Only found out when I was trying to connect to my VPN as I normally do daily.. Had been working fine with no security issues for at least a year..

A list of things that I found changed by the attack when I logged in..
  • About 6 new firewall rules had been added to the top of the chain
  • SSH service port was now open and had an active user account called "MikroTikSystem"
  • Two new address lists had been added with many entries and used for the new firewall rules named "LOCAL" and "WL"
  • And of course my backup was deleted that I had just created before upgrading
I must have caught it fairly early because that is all the changes I have found so far.. and SSH showed the user "MikroTikSystem" still active with about 10 active sessions when I was in panic mode

At the very least thought I should log this.. but wonder how this happened after I upgraded.. is SSH service port enabled after an upgrade? and how did the attacker gain access so easily without any account setup.. where did this account come from --> "MikroTikSystem"
After I was able to secure router the attacker gave up.. added a screen capture for some kind of reference..
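The indicators listed above (an unknown user, SSH turned on, new address lists and rules referencing them) can be checked mechanically against an exported configuration. The following is an added example, not code from this thread or from MikroTik: it parses RouterOS-style `/export` text and flags those indicators. The sample export is constructed, and the "expected" user, list and service sets are assumptions an operator would replace with their own inventory.

```python
import shlex

# Constructed sample in RouterOS "/export" style (not the poster's real config).
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=203.0.113.0/24 list=WL
add address=198.51.100.7 list=LOCAL
/ip firewall filter
add action=accept chain=input src-address-list=WL comment="MikroTikSystem"
add action=drop chain=input in-interface=ether1 comment="drop wan input"
/ip service
set ssh disabled=no port=22
/user
add group=full name=MikroTikSystem
add group=full name=admin
"""
# Assumed baseline of what the operator intended; adjust for the real device.
EXPECTED_USERS = {"admin"}
EXPECTED_LISTS = {"mgmt"}
EXPECTED_SERVICES = {"winbox"}

def parse_export(text):
    """Yield (section, verb, positional args, {key: value}) for each add/set line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as "/ip firewall filter"
            section = line
            continue
        verb, *tokens = shlex.split(line)  # keeps quoted values like comment="a b" whole
        args = [t for t in tokens if "=" not in t]
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        yield section, verb, args, kv

def audit(text):
    """Return findings for the indicators described in the thread."""
    findings = []
    for section, verb, args, kv in parse_export(text):
        if section == "/user" and kv.get("name") not in EXPECTED_USERS:
            findings.append(f"unexpected user {kv.get('name')!r} in group {kv.get('group')}")
        elif section == "/ip service" and verb == "set" and args \
                and kv.get("disabled") == "no" and args[0] not in EXPECTED_SERVICES:
            findings.append(f"{args[0]} service enabled on port {kv.get('port', '?')}")
        elif section == "/ip firewall address-list" and kv.get("list") not in EXPECTED_LISTS:
            findings.append(f"unexpected address list {kv.get('list')!r} ({kv.get('address')})")
        elif section == "/ip firewall filter":
            for key in ("src-address-list", "dst-address-list"):
                if key in kv and kv[key] not in EXPECTED_LISTS:
                    findings.append(f"rule in chain {kv.get('chain')} uses unexpected list {kv[key]!r}")
    return findings
```

Run `audit()` over the text of a real `/export` taken from the device; every finding is a line to compare against what the operator actually configured.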
 
Maggiore81
Trainer
Posts: 558
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Tik compromised after upgrade, security concern

Sat Jun 03, 2023 8:26 am

please export the full conf.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Tik compromised after upgrade, security concern

Sat Jun 03, 2023 9:40 am

The fact that you still have the ADMIN account active says a lot about why your router has been compromised,
and you don't even know when because often they are compromised in the past, then they are used after some time to not give in 'eye.

From the lack of evidence, but the only sure thing from the screenshot, that you have the admin account active,
I'm assuming it's because of your misconfiguration that they hacked it for you.

The first level of security is how the device is configured.
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: Tik compromised after upgrade, security concern

Sat Jun 03, 2023 11:25 am

Can't argue that until I get around to exporting the config..

Perhaps it was already compromised and I did not know.. then by upgrading to the latest stable opened something by default giving unauth access..

I am on my tik regular/daily/weekly with winbox and I typically have a peek at my fw rules when logged in..
sometimes I just leave it open on my second monitor checking performance and usage..

All I can really say is I upgraded to latest stable, and not too long after that the VPN stopped responding, so I logged in and saw this
MikroTikSystemUser destroying everything.. was hoping maybe someone else came across something similar more specific to this
'MikroTikSystemUser' attack
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Tik compromised after upgrade, security concern

Sat Jun 03, 2023 3:24 pm

Remove it from the network, post the config here,
Use netinstall to install a clean version......