JelleM
Mēris Botnet and BTest Server

Thu Sep 09, 2021 4:48 pm

It appears that Yandex has seen a new botnet executing large scale application-layer attacks from, what seems to be, RouterOS devices: https://habr.com/ru/company/yandex/blog/577040/.
A common denominator is that there is a BTest server running on port 2000 on infected devices. It also runs a TCP service on port 5678, which to the casual observer might be Neighbour Discovery (MNDP); however, MNDP runs on UDP. This is actually a SOCKS4 server running on that port. And although a large swath of the infected devices runs 6.45.9, it also appears to have infected some 6.48.4 devices. The creation of a SOCKS proxy on that port has been seen before on hacked devices: viewtopic.php?f=2&t=172091 and viewtopic.php?f=2&t=176447. But I have not seen stuff about the BTest server running on port 2000.

Is there a vulnerability in BTest server that we need to be aware of? Or is this just badly configured/unsecured routers being hacked as usual? The researchers have contacted Mikrotik but do not include a response in their post. Anyone heard anything from Mikrotik?
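As an added example (not part of the post above, and not MikroTik code), here is a small Python probe for the two indicators the post names: a TCP listener on port 2000 (BTest) and a SOCKS4 server on TCP 5678. It distinguishes a real SOCKS4 listener from something that merely accepts the connection by sending a SOCKS4 CONNECT request and checking for the 8-byte SOCKS4 reply (VN=0, CD in 0x5A..0x5D); a rejection is still a SOCKS4 answer. Because MNDP is UDP/5678, a TCP listener on 5678 is never MNDP, so any TCP answer there is already suspicious. The loopback "fake infected router" server, target host and port numbers in the `__main__` block are assumptions used so the script runs offline.

```python
"""Probe a host for the Meris indicators described in the post: a TCP listener
on 2000 (BTest) and a SOCKS4 server on TCP 5678 (MNDP is UDP/5678, so a TCP
answer on 5678 is not MNDP). Added example; the fake server is a constructed
stand-in for an infected router, not real RouterOS behaviour."""
import socket
import struct
import threading

SOCKS4_VERSION = 4
SOCKS4_CONNECT = 1
# SOCKS4 reply codes (RFC-less protocol; these are the original SOCKS4 values)
SOCKS4_REPLY_CODES = {0x5A: "granted", 0x5B: "rejected",
                      0x5C: "identd-unreachable", 0x5D: "identd-mismatch"}


def build_socks4_connect(dst_ip: str, dst_port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT (2), DSTIP (4), USERID, NUL."""
    return struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CONNECT, dst_port,
                       socket.inet_aton(dst_ip)) + userid + b"\x00"


def parse_socks4_reply(data: bytes):
    """Return the reply-code name if data is a well-formed SOCKS4 reply, else None."""
    if len(data) < 8 or data[0] != 0:  # VN is always 0 in a SOCKS4 reply
        return None
    return SOCKS4_REPLY_CODES.get(data[1])


def probe_socks4(host: str, port: int = 5678, timeout: float = 3.0) -> str:
    """Classify a TCP port as 'closed', 'open-not-socks4' or 'socks4:<code>'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with s:
        s.settimeout(timeout)
        try:
            # Ask the proxy for a harmless target; even a rejection proves SOCKS4.
            s.sendall(build_socks4_connect("127.0.0.1", 80))
            reply = s.recv(8)
        except OSError:
            return "open-not-socks4"
    code = parse_socks4_reply(reply)
    return f"socks4:{code}" if code else "open-not-socks4"


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port succeeds (BTest on 2000 in the post)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_meris_indicators(host: str, btest_port: int = 2000,
                           socks_port: int = 5678, timeout: float = 3.0) -> dict:
    """Both indicators from the post together: BTest listener plus SOCKS4 on 5678."""
    socks = probe_socks4(host, socks_port, timeout)
    btest = tcp_port_open(host, btest_port, timeout)
    return {"btest_tcp_open": btest, "tcp5678": socks,
            "matches_meris_pattern": btest and socks.startswith("socks4:")}


def start_fake_socks4_server(grant: bool = True) -> int:
    """Constructed loopback stand-in for an infected router's SOCKS4 listener.
    Answers every CONNECT with 'granted' (0x5A) or 'rejected' (0x5B); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                req = b""
                # Read the fixed 8-byte header plus the NUL-terminated USERID.
                while not (len(req) > 8 and b"\x00" in req[8:]):
                    chunk = conn.recv(64)
                    if not chunk:
                        break
                    req += chunk
                if len(req) >= 8 and req[0] == SOCKS4_VERSION:
                    code = 0x5A if grant else 0x5B
                    conn.sendall(b"\x00" + bytes([code]) + req[2:8])  # echo DSTPORT/DSTIP

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    fake_port = start_fake_socks4_server()  # assumption: stands in for TCP/5678
    print(check_meris_indicators("127.0.0.1", btest_port=fake_port, socks_port=fake_port))
```

Against a real device you would call `check_meris_indicators("<router-ip>")` with the default ports; `matches_meris_pattern` is only the pairing the post describes, not proof of infection, so treat a hit as a prompt to look at the router's socks and bandwidth-server configuration rather than as a verdict.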
