tim427
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 10:10 am

Suspicious behaviour in SMB config

Mon Mar 28, 2022 12:17 pm

Hi all,

I monitor all my Mikrotik devices and have automated config versioning by using Oxidized (https://github.com/ytti/oxidized).

Those configs are pushed to a git server, where I get notifications when something has changed. Surprisingly I received one of these notifications, while there wasn't any change last week (no updates, no config changes).
+ /ip smb shares
+ add comment="default share" directory=/pub name=pub
+ /ip smb users
+ add name=guest
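Review bot: the four `+` lines reproduce the stock default share (comment "default share", directory=/pub, name=pub) and the guest user rather than a custom directory or a newly named account, so the hunk by itself only shows the defaults appearing in the export; it says nothing about whether the SMB service is running, so the `enabled:` value from `/ip smb print` is the thing to check alongside this diff.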
Quickly followed by:
  /ip smb shares
  add comment="default share" directory=/pub name=pub
+ add comment="default share" directory=/pub name=pub
  /ip smb users
  add name=guest
+ add name=guest
And;
  /ip smb shares
  add comment="default share" directory=/pub name=pub
  add comment="default share" directory=/pub name=pub
+ add comment="default share" directory=/pub name=pub
  /ip smb users
  add name=guest
  add name=guest
+ add name=guest
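Review bot: the `+` line in each section is identical to the two context lines above it, so what changes between snapshots is the count of identical entries, not any path, name or user; tracking that count per snapshot (three here against two in the previous hunk) is a simpler signal to alert on than the line content.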
Which is, in my opinion, strange/suspicious, due to the following:
  • I have not changed the config myself
  • I have not updated the Mikrotik prior to this behaviour
  • Removing this part of the config results in it "coming back" later
  • Updating to the latest RouterOS and firmware does not resolve this behaviour (currently 7.1.5)
  • I do not use the IP->SMB service at all
  • I do not see any login attempts, nor successful logins prior to these changes (remote syslog, etc.)
  • Rebooting does not help
Resulting:
[screenshot]

I'm unable to remove these "default looking" SMB-shares and SMB-users via the WebGUI, but it's possible to remove them by using WinBox or SSH.

These events started around the same time when some national newspapers were reporting about botnets (used for/against the conflict in RU/UA). With this in mind, this could be a hint of (failed?) attempts, an abused vulnerability or just simply a bug in RouterOS.

Personally, I highly doubt this is a bug, as the software is running longer without showing this behaviour.

I'm wondering: are there other Mikrotik users with spontaneous extra "default looking" SMB shares and/or SMB users? (Please check/verify by hand)

With "no config":
[screenshot]
- /ip smb shares
- add comment="default share" directory=/pub name=pub
- add comment="default share" directory=/pub name=pub
- add comment="default share" directory=/pub name=pub
- /ip smb users
- add name=guest
- add name=guest
- add name=guest
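As an added example (not code from the thread or from Oxidized), a small Python check that can run over a RouterOS export and flag the kind of repeated entries the diffs above show, and separately report whether the SMB service is actually switched on; the export text is constructed for the example.

```python
"""Flag repeated entries in a RouterOS export, the pattern the Oxidized diffs
above show under /ip smb.  Added example, not from the thread or Oxidized."""
from collections import Counter

# Constructed sample export: the duplicated SMB entries plus one clean section.
SAMPLE_EXPORT = """\
/ip smb
set enabled=no
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip firewall filter
add action=accept chain=input connection-state=established
"""

def parse_export(text):
    """Group command lines under the '/menu path' header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or export-date comment
            continue
        if line.startswith("/"):               # section header, e.g. /ip smb shares
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def find_duplicates(text, prefix="/ip smb"):
    """{section: {command: count}} for lines seen more than once under `prefix`."""
    dupes = {}
    for section, lines in parse_export(text).items():
        if not section.startswith(prefix):
            continue
        repeated = {cmd: n for cmd, n in Counter(lines).items() if n > 1}
        if repeated:
            dupes[section] = repeated
    return dupes

def smb_enabled(text):
    """True only if the export explicitly turns the SMB service on."""
    return any("enabled=yes" in line.split()
               for line in parse_export(text).get("/ip smb", []))
```

Run it against each snapshot Oxidized commits; a growing count under `/ip smb shares` or `/ip smb users` while `smb_enabled` stays false matches what the post describes.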
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Suspicious behaviour in SMB config

Mon Mar 28, 2022 12:37 pm

My RBD52G (hAP ac2) running 6.49.3 acting as WAN router has only one of the default shares:
[user@router] > /ip smb print
       enabled: no
        domain: MSHOME
       comment: MikrotikSMB
  allow-guests: yes
    interfaces: all
[user@router] > /ip smb shares print
Flags: X - disabled, I - inactive, * - default
 #    NAME                                          DIRECTORY                                          MAX-SESSIONS
 0  * ;;; default share
      pub                                           /flash/pub                                                   10

Similarly RBD25G (audience) running 7.2rc5 acting as WiFi AP:
[user@ap] > /ip/smb/print
       enabled: no
        domain: MSHOME
       comment: MikrotikSMB
  allow-guests: yes
    interfaces: all
[user@ap] > /ip/smb/shares/print
Flags: * - DEFAULT
Columns: NAME, DIRECTORY, MAX-SESSIONS
#   NAME  DIRECTORY  MAX-SESSIONS
;;; default share
0 * pub   /pub                 10

I've never configured any SMB (because I detest the thought of running something so stupid on my router or AP) and it looks pretty default to me.

It is weird that your device suddenly started to multiply the config though.
 
tim427
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 10:10 am

Re: Suspicious behaviour in SMB config

Mon Mar 28, 2022 12:50 pm

> ...
>
> I've never configured any SMB (because I detest the thought of running something so stupid on my router or AP) and it looks pretty default to me.
>
> It is weird that your device suddenly started to multiply the config though.

Same! I've never configured this part, and "default" means -> nothing set in the config (read: empty part).
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: Suspicious behaviour in SMB config

Mon Mar 28, 2022 9:04 pm

Simply looking at the SMB menu creates this share, it's one of those RouterOS quirks.
 
tim427
just joined
Topic Author
Posts: 5
Joined: Sat Aug 15, 2020 10:10 am

Re: Suspicious behaviour in SMB config

Tue Mar 29, 2022 4:18 pm

> Simply looking at the SMB menu creates this share, it's one of those RouterOS quirks.

I'm literally not touching the system... So this is a known bug?
 
Tummler
just joined
Posts: 15
Joined: Sun Feb 06, 2022 4:49 pm

Re: Suspicious behaviour in SMB config

Sat Jul 02, 2022 9:55 pm

Same issue here with an rb5009. In my case, this is happening within 10 minutes of netinstall (following its suspected compromise). Until today, I have never noticed a “default” SMB share.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Suspicious behaviour in SMB config

Mon Jul 04, 2022 1:08 am

The default SMB share exists every time, you can not "not have it";
you simply do not notice it.

And about the duplicate lines of the OP: on 4000+ devices and from RouterOS 2.x to 7.x on all possible old and new architectures, it never happened anywhere.
