Community discussions

MikroTik App
 
thecableguy
Trainer
Trainer
Topic Author
Posts: 11
Joined: Sun Oct 06, 2013 3:35 pm

Security breached devices - Port TCP 4145

Thu Aug 09, 2018 10:52 am

Hello community.
After the announcement of the security hole in our devices we immediately updated the majority of our clients routers.
Unfortunately some devices were not updated as they are managed by the customers themselves.
So last night i decided to do a global check for any compromised devices. i've found 7 devices and informed the customers to
take actions.
I created some rules in forward chain to spot the traffic designated to port 4145 TCP .. which was the SOCKS modified port.. to find the hacked devices..
and i also created rules to find out the SRC IPs the traffic was originated from.
Next thing to do was to create a drop rule to stop traffic FROM "attackers" TO "hacked" devices.

Here comes the funny part.
Google Ips (8.8.8.8, 8.8.4.4) appeared in my list therefore any inbound traffic was dropped causing some problems to DNS resolve requests etc.

Port 4145 TCP is used for a vvr-control service or something.
My questions to the community are these.

1) My best guess is that traffic from google ips have had to be forged to bypass firewalls.
What is your opinion on this?

2) Even though the devices were patched .. and any visible modifications were undone .. I still track traffic on port 4145 (40b packets, Ack.Rst) and it got me thinking..
Could it be that the "hack" created further modifications that are invisible to user and the only way to be sure is to use NetInstall and start over? This traffic has to somehow
be triggered and it seems i cant find a legit reason. I also used packet sniffer to analyze traffic on wireshark but didnt find anything major there.

What do you think about that?

This post is more of exchanging opinions rather than solving a problem.
Did anyone else had a similar situation and what actions you have taken?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 930
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 12:49 pm

Traffic above the reserved ports (0-1024) can be attributed to ephemeral port use. While most OSes generally use the higher end of available ports, there's nothing stopping them from using 1025-65535 as ephemeral port numbers.
 
mkx
Forum Guru
Forum Guru
Posts: 4613
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 12:50 pm

In which direction do ACK packets flow (assuming RSTs go in the other direction)? If they originate from internet and target sanitized devices, then they can be explained as connection resumption attempts that are rejected (not dropped). As if the other end still considered connection established.
BR,
Metod
 
mkx
Forum Guru
Forum Guru
Posts: 4613
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 1:00 pm

@RC1H: it used to be this way. However, "service" ports below 1024 should be assigned to particular protocol (if my memory serves me right by IANA but I may well be wrong) and many of app developers tend to skip this procedure especially if their app doesn't use "open" protocol for communication. Many modern apps use well known ports above 1023 as service ports. Examples are TCP ports 1433 by MS SQL and 5432 by PostgreSQL just to name a couple.

Indeed many OSes require non-trivial app permissions when app tries to use "low" port while high ports can be used by any app without restrictions. I believe most of hackers have full control over their "tools" and this limitation should not present any problem whatsoever.
BR,
Metod
 
R1CH
Forum Veteran
Forum Veteran
Posts: 930
Joined: Sun Oct 01, 2006 11:44 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 1:39 pm

I think you misunderstand, this isn't about services listening on high ports.

Say for example client on the network want to connect to Google DNS, 8.8.8.8 port 53. Their OS has to pick a port on the system to send the query, and to which replies are sent, for example maybe it picks 192.168.88.10 port 4145 as the source port for the query. Then it sends the query to 8.8.8.8 port 53, Google DNS replies to 192.168.88.10 (ignoring NAT for now) port 4145... and now you've accidentally blacklisted Google.

Blacklisting on UDP traffic should not be included in any firewall rules ever, because UDP is connectionless and easily spoofed.

Blacklisting on TCP traffic should only occur for SYN attempts (connection state new) to specific ports, otherwise you risk blacklisting randomly when the OS picks a port that happens to coincide with a blacklisted one.
 
mkx
Forum Guru
Forum Guru
Posts: 4613
Joined: Thu Mar 03, 2016 10:23 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 1:43 pm

I mostly agree with you. I was just emphasizing that ports above 1023 need not be for temporary usage. It is not clear to me what kind of traffic has OP observed and hence my questions. He did explicitly mention TCP though.
BR,
Metod
 
pe1chl
Forum Guru
Forum Guru
Posts: 6907
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security breached devices - Port TCP 4145

Thu Aug 09, 2018 2:48 pm

Of course when you try to capture traffic "to port 4145" and identify the counterpart as a hacker, you need to make sure that you only
identify traffic initiated by the other party and not replies to traffic you make yourself.
So when you setup a TCP connection from port 4145 to Google DNS port 53, and Google reply to you with traffic from their port 53 to your port 4145,
you should not identify that as a hacker.
There are some ways to do that, for TCP it is easy to filter on "TCP flags = SYN", but in general you could consider using the connection
state "new".
 
thecableguy
Trainer
Trainer
Topic Author
Posts: 11
Joined: Sun Oct 06, 2013 3:35 pm

Re: Security breached devices - Port TCP 4145

Sat Aug 11, 2018 4:53 am

Then it sends the query to 8.8.8.8 port 53, Google DNS replies to 192.168.88.10 (ignoring NAT for now) port 4145... and now you've accidentally blacklisted Google.

Blacklisting on UDP traffic should not be included in any firewall rules ever, because UDP is connectionless and easily spoofed.

Blacklisting on TCP traffic should only occur for SYN attempts (connection state new) to specific ports, otherwise you risk blacklisting randomly when the OS picks a port that happens to coincide with a blacklisted one.
Good point my friend..BUT ... i'm not using google for DNS resolving...neither my clients on the network.. What i mean is that there is no possible way to send dns requests to google ips .. with connection originating from this specific router or any other router in the internal network.
So .. that was a good hypothesis but unfortunately thats not the case.

I also strongly agree that inbound and forward traffic should be "firewalled" on syn packets. That was a good point.
 
pe1chl
Forum Guru
Forum Guru
Posts: 6907
Joined: Mon Jun 08, 2015 12:09 pm

Re: Security breached devices - Port TCP 4145

Sat Aug 11, 2018 10:15 am

i'm not using google for DNS resolving...neither my clients on the network.. What i mean is that there is no possible way to send dns requests to google ips .. with connection originating from this specific router or any other router in the internal network.
Have you explicitly redirected or blocked that?
You need to know that Google stuff sends DNS requests to Google DNS no matter how it is configured via DHCP.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 5103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Security breached devices - Port TCP 4145

Sat Aug 11, 2018 3:30 pm

Hi Cableguy, you lost me when you said you didnt have control of individually managed routers. So how did you manage to change their FW rules and see their traffic??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
User avatar
nabilx
just joined
Posts: 18
Joined: Thu Jul 06, 2017 11:19 pm
Location: Syria, Hama
Contact:

Re: Security breached devices - Port TCP 4145

Wed Sep 12, 2018 4:58 am


2) Even though the devices were patched .. and any visible modifications were undone .. I still track traffic on port 4145 (40b packets, Ack.Rst) and it got me thinking..
Could it be that the "hack" created further modifications that are invisible to user and the only way to be sure is to use NetInstall and start over? This traffic has to somehow
be triggered and it seems i cant find a legit reason. I also used packet sniffer to analyze traffic on wireshark but didnt find anything major there.
I know it's old thread but anyway:
My router was hacked and found this
/ip socks print           
                  enabled: yes
                     port: 4145
  connection-idle-timeout: 2m
          max-connections: 200
Disable ip socks:
 /ip socks set enabled=no
Not English , Ignore bad grammar :)
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24709
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Security breached devices - Port TCP 4145

Wed Sep 12, 2018 8:44 am

nabilx, this has been discussed many times already. Yes, disable socks, fix the firewall (it also could be modified) and make sure you change your passwords. And run the latest 6.43
No answer to your question? How to write posts
 
Atanas
just joined
Posts: 2
Joined: Fri Jan 25, 2019 8:53 am

Re: Security breached devices - Port TCP 4145

Fri Jan 25, 2019 9:06 am

Normis, what about 'long-term' version, the last one is 6.42.11, does it provide the same security, performance and stability features like 6.43.8 (Stable)? Is it safe against port 4145 breach?

Who is online

Users browsing this forum: seriosha and 33 guests