vijaykumaryadav4u
just joined
Topic Author
Posts: 6
Joined: Tue Jan 02, 2018 3:24 pm

The security flaw for Hajime is closed by the firewall

Thu May 24, 2018 5:43 pm

Multiple CCR routers of mine have been compromised. How do I tackle this type of issue?


/ip firewall filter
add action=tarpit chain=input comment=\
"Add you ip addess to allow-ip in Address Lists." dst-port=30553 \
protocol=tcp
add action=add-src-to-address-list address-list=allow-ip \
address-list-timeout=1h chain=input comment=\
"The security flaw for Hajime is closed by the firewall." packet-size=\
1083 protocol=icmp
add action=accept chain=input comment=\
"Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=\
" Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
add action=drop chain=input comment=\
"or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=\
53,8728,8729,21,22,23,80,443,8291 protocol=tcp
/system note
set note="The security flaw for Hajime is closed by the firewall. Please updat\
e RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk\
3nUgsdqQawiMLC1bUGDZWHowix1"
 
pwuk
just joined
Posts: 24
Joined: Wed Aug 01, 2012 8:51 pm

Re: The security flaw for Hajime is closed by the firewall

Thu May 24, 2018 8:18 pm

That's rather funny!

1) Restore your config to a backup version from before you got hacked, and update the firmware to the latest version.
2) Keep your firmware up to date. Don't use an easy-to-guess password.
3) Block non-established input traffic from the internet, especially control traffic, unless you know what you're doing. Even then be careful: an accidental misconfiguration of, say, DNS or a web proxy and your router could be used for all sorts.

This doesn't look like someone who is trying to cover their tracks, just a vigilante concerned about people running unsafe configs/firmware. It looks like they've used the same exploits that the HAJIME worm [0] used.
vulnerability that affects MikroTik RouterOS firmware 6.38.4 and earlier, and which allows attackers to execute code and take over the device. This vulnerability, called "Chimay Red", was one of the flaws included in the WikiLeaks "Vault 7" leak of alleged CIA hacking tools, and has also been used to compromise MikroTik routers by changing hostnames of vulnerable devices in the past year.
6.38.5 came out in March 2017, so you really should be patched.
What's new in 6.38.5 (2017-Mar-09 11:32):

!) www - fixed http server vulnerability;

[0] https://www.corero.com/blog/882-hajime- ... uters.html
 
Wolfraider
just joined
Posts: 19
Joined: Wed Jul 15, 2015 8:06 pm

Re: The security flaw for Hajime is closed by the firewall

Thu May 24, 2018 9:23 pm

We got hit with that too on a test router. I took a backup of it before I wiped it and updated the firmware. The funny part was we had firmware 6.41.3 on ours, and that was only 2 months behind.
/ip firewall filter
add action=tarpit chain=input comment="Add you ip addess to allow-ip in Address Lists." dst-port=30553 protocol=tcp
add action=add-src-to-address-list address-list=allow-ip address-list-timeout=1h chain=input comment="The security flaw for Hajime is closed by the firewall." packet-size=1083 protocol=icmp
add action=accept chain=input comment="Please update RotherOS and change password." src-address-list=allow-ip
add action=drop chain=input comment=" Thanks are accepted on WebMoney Z399578297824" dst-port=53 protocol=udp
add action=drop chain=input comment="or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1" dst-port=53,8728,8729,21,22,23,80,443,8291 protocol=tcp
add action=passthrough chain=input
/system note
set note="The security flaw for Hajime is closed by the firewall. Please update RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawiMLC1bUGDZWHowix1"
 
dcolli
just joined
Posts: 5
Joined: Mon Mar 12, 2012 4:08 pm

Re: The security flaw for Hajime is closed by the firewall

Fri May 25, 2018 5:27 pm

I had the same invasion yesterday in version 6.40.4.
 
aebuitrago
just joined
Posts: 1
Joined: Tue Jan 16, 2018 9:49 pm

Re: The security flaw for Hajime is closed by the firewall

Thu May 31, 2018 7:34 pm

I had the same issue today.

The compromised port, where the vulnerability got into my router, was API 8728.

I caught this because I check my routers daily; the rules had been placed 3 minutes before, and I got this in the log. The router that I have is a lab router to catch this kind of issue:

This is what I got in my log before the script was uploaded. I send the MikroTik log to a syslog server; that's why I have this trace.

system, info, account user admin logged in from 37.193.69.238 via api

My admin password is 20 characters long and contains alphanumeric characters; that's why it is "impossible" to crack. This password is not saved in Winbox, and I type it every time I need to get into this router.

After that login, they disabled log notifications and put in the rules published in this post. That occurred 20 minutes before this post.

Please check whether you have the MikroTik API service activated, and deactivate the service.
 
punkaker
just joined
Posts: 6
Joined: Thu Apr 12, 2018 7:26 pm

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 01, 2018 11:37 am

+1, also found this in one of our routers. We were scared when we saw it the first time, but fortunately it seems that there were no bad intentions at all.

We learned something and will try to keep the routers updated / firewall secured.
 
jspool
Member
Posts: 372
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 01, 2018 11:16 pm

If you have anything Internet facing you must be vigilant.

Definition of vigilant
: alertly watchful especially to avoid danger

It is truly surprising that so many are:
1. Not up on the current threat landscape.
2. Fail to implement basic firewall restrictions on management services.
3. Show surprise when their poorly secured device is infiltrated.

#2 would have prevented the Winbox vulnerability, although it's still important to update to a patched version that closes this hole.
 
alasmar4924
just joined
Posts: 4
Joined: Mon May 21, 2018 1:46 am

Re: The security flaw for Hajime is closed by the firewall

Sat Jun 02, 2018 1:44 am

Hi, I need help: how can I use the firewall on MikroTik to block an application named NetShare? I use a hotspot, and people use this app to share free internet with others. You can find it on Google Play and see how it works. I see that this app uses port 8282 and gives the client a different IP, which is 192.168.49.1/24,
and I find in the NetShare settings that the proxy port is
1024-65563
So please help me to block it. I have tried different ways, but I could not stop this application.
 
fedor47271
just joined
Posts: 12
Joined: Thu Nov 02, 2017 11:52 am

Re: The security flaw for Hajime is closed by the firewall

Sat Jun 02, 2018 10:07 am

I had such an invasion too.

And now I have updated RouterOS from 6.41 to 6.42.3. I changed all users' passwords and updated my router from the backup which I had before the invasion.

But I find this string (screenshot) in the terminal window. What does it mean?
 
JohnTRIVOLTA
Member Candidate
Posts: 115
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: The security flaw for Hajime is closed by the firewall

Sat Jun 02, 2018 10:52 am

I had such an invasion too.

And now I have updated RouterOS from 6.41 to 6.42.3. I changed all users' passwords and updated my router from the backup which I had before the invasion.

But I find this string (screenshot) in the terminal window. What does it mean?
This note came from a backup made when the RouterBOARD was infected; it is just a note :). Be calm, the board is no longer infected.
/system note edit note
Delete the text and press Ctrl+O to save the changes!
 
fedor47271
just joined
Posts: 12
Joined: Thu Nov 02, 2017 11:52 am

Re: The security flaw for Hajime is closed by the firewall

Sat Jun 02, 2018 11:08 am

I had such an invasion too.

And now I have updated RouterOS from 6.41 to 6.42.3. I changed all users' passwords and updated my router from the backup which I had before the invasion.

But I find this string (screenshot) in the terminal window. What does it mean?
This note came from a backup made when the RouterBOARD was infected; it is just a note :). Be calm, the board is no longer infected.
/system note edit note
Delete the text and press Ctrl+O to save the changes!

Thanks a lot. I did it, and after rebooting this string disappeared. :wink:
 
pe1chl
Forum Guru
Posts: 4712
Joined: Mon Jun 08, 2015 12:09 pm

Re: The security flaw for Hajime is closed by the firewall

Sat Jun 02, 2018 2:03 pm

You will have to decide for yourself if you trust that such people have only good intentions, and how well you are able to check that they did not change anything else on your router than the firewall and the note. At least check the users and the scripts sections to see if there are unexpected things.
The safest for sure is to netinstall the router and reconfigure it. Not by making a backup before netinstall and restoring it afterwards. You could do a /export before, manually search that for bad things and reconfigure the router from there.

But most important: you need to improve your firewall. Services like API, Telnet, SSH, Winbox and Webfig should NOT be accessible from a random internet IP address. Preferably make them accessible only from the inside network (so block them on the internet interface), but if this is impossible because all management is to be done from the internet, at least use a list of allowed addresses, or configure a VPN and allow management only via the VPN.
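pwuk's step 3 (block non-established input from the internet) and pe1chl's advice (management only from an allowed-address list or a VPN) turned into one input chain. This is an added example written for this thread, not configuration from the thread, from MikroTik or from any poster; it assumes ether1 is the internet-facing interface, 192.168.88.0/24 is the LAN, 10.99.0.0/24 is the pool handed to OpenVPN management clients and 203.0.113.10 is a NOC host (all constructed values).

```routeros
# Added example for this thread; addresses and interface name are constructed assumptions.
/ip firewall address-list
add list=mgmt-allowed address=192.168.88.0/24 comment="LAN"
add list=mgmt-allowed address=10.99.0.0/24 comment="OpenVPN management clients"
add list=mgmt-allowed address=203.0.113.10 comment="NOC jump host (constructed)"

/ip firewall filter
# Rules are matched top to bottom; the first match decides.
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router started or already accepted"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping and PMTU; rate-limit if needed"
# The VPN endpoint itself must stay reachable from the internet, otherwise
# remote management via the VPN is impossible.
add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept \
    comment="OpenVPN server used for management"
# Management services: allowed only from the list, whatever interface they arrive on.
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 \
    src-address-list=mgmt-allowed action=accept comment="management from allowed sources"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291,8728,8729 action=drop \
    comment="management from anywhere else"
# Everything else arriving on the internet interface is dropped (that is the
# "non-established input" from pwuk's step 3). LAN clients still reach DNS/DHCP on
# the router: their packets never enter on ether1 and the chain's default action is accept.
add chain=input in-interface=ether1 action=drop comment="default deny from internet"

# The same restriction on the service daemons themselves, and the unused ones
# switched off (the compromises reported in this thread came in through API on 8728).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24,10.99.0.0/24,203.0.113.10
set winbox address=192.168.88.0/24,10.99.0.0/24,203.0.113.10
set www-ssl address=192.168.88.0/24,10.99.0.0/24,203.0.113.10
```

Apply it from a Winbox session on the LAN side, not over the internet interface, since the default-deny rule cuts off any remote session that is not already in the allowed list.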
 
pwuk
just joined
Posts: 24
Joined: Wed Aug 01, 2012 8:51 pm

Re: The security flaw for Hajime is closed by the firewall

Mon Jun 11, 2018 10:42 pm

The compromised port, where the vulnerability got into my router, was API 8728.
I caught this because I check my routers daily; the rules had been placed 3 minutes before, and I got this in the log. The router that I have is a lab router to catch this kind of issue:
This is what I got in my log before the script was uploaded. I send the MikroTik log to a syslog server; that's why I have this trace.
system, info, account user admin logged in from 37.193.69.238 via api
My admin password is 20 characters long and contains alphanumeric characters; that's why it is "impossible" to crack.
That's quite concerning -- you were hacked via the API while running a recent firmware (more recent than v6.38.5)?
 
solelunauno
Frequent Visitor
Posts: 84
Joined: Mon Jul 16, 2012 7:00 pm
Location: Roseto Capo Spulico CS Italy

Re: The security flaw for Hajime is closed by the firewall

Mon Jun 18, 2018 1:21 pm

There was also a change in the "admin" password, and there was a new user added, with the name "Admin".
SL1 Systems srl MTCNA MTCRE
 
mmuniz
Trainer
Posts: 4
Joined: Thu Sep 24, 2015 2:07 am

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 1:06 am

Several MikroTiks got hacked yesterday, so I updated to ROS 6.40.8, applied some IP services filters, and disabled the HTTP and HTTPS services. Today I got hacked again with the same messages:
set note="The security flaw for Hajime is closed by the firewall. Please update RotherOS. Gratitude is accepted on WebMoney Z399578297824 or BTC 14qiYkk3nUgsdqQawiMLC1bUGD\
What ROS version really stops this vulnerability?
 
msatter
Forum Veteran
Posts: 875
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 2:26 am

So many ports: viewtopic.php?f=21&t=134776&start=50#p665608 and have you checked which service ports are open?

Did you also change the username and password after the restore?
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
vecernik87
Member Candidate
Posts: 183
Joined: Fri Nov 10, 2017 8:19 am

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 2:48 am

I know this may sound silly, but it is quite important to ask: apart from the password change mentioned by Msatter, did you reset/review the whole configuration? If you just updated your ROS, added a few firewall rules and left the rest of the config intact, there might be anything hidden. Even this message might actually just be a leftover from the previous hack. It is hard to say, but if there is a suspicion that the vulnerability is still open, it would be good to think about every possible option.
 
mmuniz
Trainer
Posts: 4
Joined: Thu Sep 24, 2015 2:07 am

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 3:55 am

I know this may sound silly, but it is quite important to ask: apart from the password change mentioned by Msatter, did you reset/review the whole configuration? If you just updated your ROS, added a few firewall rules and left the rest of the config intact, there might be anything hidden. Even this message might actually just be a leftover from the previous hack. It is hard to say, but if there is a suspicion that the vulnerability is still open, it would be good to think about every possible option.

I did try my best to check what was in the new configuration and remove it before the update, and it didn't show immediately after the reload. Maybe it infected the backup file?
 
karlisi
Member Candidate
Posts: 180
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 12:30 pm

Maybe it infected the backup file?
Did you restore from a .backup file, not from a configuration backup (.rsc file)?
---
Karlis
 
Wolfraider
just joined
Posts: 19
Joined: Wed Jul 15, 2015 8:06 pm

Re: The security flaw for Hajime is closed by the firewall

Fri Jun 22, 2018 4:08 pm

Check to see if you have the API enabled. Firewall it if you need it. Disable it if you don't. That is how they are accessing the device.
 
maniraj4143
just joined
Posts: 8
Joined: Wed Jan 22, 2014 4:47 am
Location: INDIA

Re: The security flaw for Hajime is closed by the firewall

Sat Jul 14, 2018 10:00 am

1. Cloud services should also be disabled
/ip cloud
set ddns-enabled=no
set update-time=no

2. Disable the services which are not required; only Winbox allowed
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

3. Remove all files from the Files menu
 
shelbynetworks
just joined
Posts: 6
Joined: Mon Jan 17, 2011 11:34 pm

Re: The security flaw for Hajime is closed by the firewall

Wed Sep 12, 2018 8:49 pm

I've dissected a few of these; resetting the config is not an option when working remotely. I've found that updating the firmware does not remove the bug, though it does restore functionality. The bitcoin miner is actually running on the MikroTik; Torch reveals no LAN traffic but massive traffic and connections on the WAN interface. I've found scripts, schedulers, memory log set to 1 line, allow-remote-requests (this was a problem before bitcoin); check your DNS cache, and if you see a bunch of crypto addresses, you're infected. I've removed all the scripts, schedulers etc. and closed all the holes, but the miner is still running like it's a part of the OS. I need to be able to fix it w/o wiping; any suggestions? Blocking the offending IPs will result in different offending IPs.
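A read-only audit script that checks a router for the leftovers the posters describe: pe1chl's "check the users and the scripts sections", the API service that aebuitrago and Wolfraider point at, the system note and rule comments from the first post, and the scripts, schedulers, one-line memory log and DNS allow-remote-requests from the post above. It is an added example for this thread, not code from MikroTik or from any poster; it assumes RouterOS v6 scripting and treats a freshly configured router as having no scripts, no schedulers and only the user "admin", which you should adjust to your own baseline.

```routeros
# Added audit script for this thread (assumed baseline: no scripts/schedulers, only user "admin").
# It only reads and logs; it changes nothing. Adjust the baseline to your router.
:local findings 0

# 1. Remote-management services enabled without a source address restriction
:foreach s in=[/ip service find where disabled=no] do={
    :local n [/ip service get $s name]
    :local restricted ([:len [/ip service get $s address]] > 0)
    :if (($n="api" || $n="api-ssl" || $n="telnet" || $n="ftp" || $n="www") && ($restricted = false)) do={
        :log warning "audit: service $n is enabled and reachable from any address"
        :set findings ($findings + 1)
    }
}

# 2. Scripts, schedulers and extra users left behind by an intruder
:foreach i in=[/system script find] do={
    :log warning ("audit: script present: " . [/system script get $i name])
    :set findings ($findings + 1)
}
:foreach i in=[/system scheduler find] do={
    :log warning ("audit: scheduler present: " . [/system scheduler get $i name])
    :set findings ($findings + 1)
}
:foreach u in=[/user find where name!="admin"] do={
    :log warning ("audit: extra user account: " . [/user get $u name])
    :set findings ($findings + 1)
}

# 3. The calling card from this thread in the system note or in firewall rule comments
:if ([/system note get note] ~ "Hajime|BTC|WebMoney") do={
    :log warning "audit: system note mentions Hajime/BTC/WebMoney"
    :set findings ($findings + 1)
}
:foreach f in=[/ip firewall filter find where comment~"Hajime|BTC|WebMoney|allow-ip"] do={
    :log warning ("audit: suspicious firewall rule: " . [/ip firewall filter get $f comment])
    :set findings ($findings + 1)
}

# 4. Log suppression (memory log cut down) and open resolver
:foreach a in=[/system logging action find where name="memory" && memory-lines<100] do={
    :log warning ("audit: memory log keeps only " . [/system logging action get $a memory-lines] . " lines")
    :set findings ($findings + 1)
}
:if ([/ip dns get allow-remote-requests]) do={
    :log warning "audit: DNS allow-remote-requests=yes; drop udp/53 on the WAN or disable it"
    :set findings ($findings + 1)
}
:put "audit complete, findings: $findings"
```

Run it from a terminal session after a restore, and again a day later: a finding that reappears although you removed it points to something still running, which is the case the post above describes and where netinstall is the only clean answer.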
