Techsystem (Member, Topic Author)

attacking my mikrotik device

Thu Nov 10, 2022 8:51 pm

Hello my friends.. so I get this repeated message in my MikroTik RB951Ui log, as you see below:
TCP connection established from 104.152.52.57
So can anyone explain to me what happened here? I made a search for this IP: 104.152.52.54 and found that this public IP is from America.
What can I do in this case?
By the way, I don't have any PPTP tunnel on my MikroTik.
 
gabacho4 (Member)

Re: attacking my mikrotik device

Thu Nov 10, 2022 8:58 pm

Your router has likely been hacked. That IP belongs to a hosting service so odds are it has been made part of some sort of botnet. You need to perform a net install on the router, recreate your configuration, and ensure that you don't change any firewall rules without understanding 100% what they do.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Thu Nov 10, 2022 9:57 pm

I don't know why MikroTik enables this default OSPF and PPTP interface in routers. It's not the first time that an attacker uses this vulnerability to access MikroTik routers.
Last edited by Techsystem on Fri Nov 11, 2022 9:48 am, edited 1 time in total.
 
gabacho4 (Member)

Re: attacking my mikrotik device

Thu Nov 10, 2022 10:00 pm

Your firewall rules are what play the biggest role there. Which ROS version are you using? Can you provide a sanitized copy of your config?
 
anav (Forum Guru)

Re: attacking my mikrotik device

Thu Nov 10, 2022 10:21 pm

Yes, if the router is hacked there was an unsafe config, most likely.
First step disconnect from net.
Second step netinstall a fresh version of stable software.
Third step manually add back in the config for required traffic.
 
Jotne (Forum Guru)

Re: attacking my mikrotik device

Thu Nov 10, 2022 11:23 pm

Default config is not perfect, but it will make it hard to hack your router.
If you do change things, you need to know what you are doing.
If you open the router to be administrated from a public IP you will be at risk.
If you do not upgrade your router you also may be at risk.
> i don't know why mikrotik enable this bullshit default ospf and pptp
No need to use bad language.
OSPF and PPTP are not enabled by default; they are part of functions that RouterOS can be configured to handle.

Post your config and we can help figure out what is wrong. Bad config/hacked etc.
 
sindy (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 12:08 am

The fact that you haven't configured any PPTP tunnel on your Mikrotik doesn't mean that PPTP service does not listen for incoming connections.

The log only shows that the unknown address has successfully initiated a TCP session to establish a PPTP control connection, but since it repeats multiple times, it is likely it did not succeed in username&password authentication, which is no surprise given that you haven't configured any user account for PPTP.

The question is why your firewall permits incoming PPTP connections via WAN - a 951 is a SOHO grade router whose default firewall configuration doesn't allow any incoming connections via WAN, unless the default configuration comes from a very old version of RouterOS.

So as others have suggested, post the export of the configuration (see my automatic signature below regarding anonymisation - you don't want to reveal an IP address of a router along with an export of its weak or non-existent firewall). Also remove the serial number before posting - it can be used to find out the address if you use the "cloud" DDNS service.

As said before, it will probably be the safest way to netinstall your router with an up-to-date RouterOS version, but some comments on the current configuration may be helpful for you before you start modifying the default one created by netinstall.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Fri Nov 11, 2022 6:38 am

> Your firewall rules are what play the biggest role there. Which ROS version are you using? Can you provide a sanitized copy of your config?
Yes.. sure, you can look at it in the last comment.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Fri Nov 11, 2022 6:41 am

> Default config is not perfect, but it will make it hard to hack your router.
> If you do change things, you need to know what you are doing.
> If you open the router to be administrated from a public IP you will be at risk.
> If you do not upgrade your router you also may be at risk.
> > i don't know why mikrotik enable this bullshit default ospf and pptp
> No need to use bad language.
> OSPF and PPTP are not enabled by default; they are part of functions that RouterOS can be configured to handle.
>
> Post your config and we can help figure out what is wrong. Bad config/hacked etc.
Sorry if my language seems to be inappropriate; you can find my router config in the last comment.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Fri Nov 11, 2022 6:45 am

> The fact that you haven't configured any PPTP tunnel on your Mikrotik doesn't mean that PPTP service does not listen for incoming connections.
>
> The log only shows that the unknown address has successfully initiated a TCP session to establish a PPTP control connection, but since it repeats multiple times, it is likely it did not succeed in username&password authentication, which is no surprise given that you haven't configured any user account for PPTP.
>
> The question is why your firewall permits incoming PPTP connections via WAN - a 951 is a SOHO grade router whose default firewall configuration doesn't allow any incoming connections via WAN, unless the default configuration comes from a very old version of RouterOS.
>
> So as others have suggested, post the export of the configuration (see my automatic signature below regarding anonymisation - you don't want to reveal an IP address of a router along with an export of its weak or non-existent firewall). Also remove the serial number before posting - it can be used to find out the address if you use the "cloud" DDNS service.
>
> As said before, it will probably be the safest way to netinstall your router with an up-to-date RouterOS version, but some comments on the current configuration may be helpful for you before you start modifying the default one created by netinstall.
So this is my router config.
I didn't change any firewall rule, yet I disabled some other functions like IPv6, default OSPF and ...etc.
Question to ask:
When I initiate a scan for open ports on my LAN I always get this 2000 callback port, and I couldn't close it, so do you know what this port is..?
 
Jotne (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 8:16 am

I am trying to understand your firewall (after a quick look).
add action=drop chain=input protocol=tcp src-address=0.0.0.0/0 src-port=2000
add action=drop chain=input protocol=udp src-address=0.0.0.0/0 src-port=2000
This only blocks port 2000 udp/tcp on your router.
Normally you should block all ports and only open the needed ones.

See anav's post here:
viewtopic.php?t=180838

The last rules should be something like this:
add action=drop chain=input
add action=drop chain=forward
 
karlisi (Member)

Re: attacking my mikrotik device

Fri Nov 11, 2022 8:19 am

Your router is completely unprotected. I suggest applying the default firewall rules first, then adding your customizations.
Edit: OK, Jotne already wrote about it.
 
gabacho4 (Member)

Re: attacking my mikrotik device

Fri Nov 11, 2022 8:23 am

Wouldn’t you also want to specify 2000 as the destination port in that rule? Source port can be whatever but OP is specifically trying to block connections to his router on port 2000.

Also, add action=accept chain=input dst-address=127.0.0.1 log=yes makes me uneasy as well.

The better course, as recommended, is to specify what is allowed and then deny all else.
 
Znevna (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 8:47 am

> i don't know why mikrotik enable this bullshit default ospf and pptp enterface in Routers . its not the first time that attacker uses this vulnerability to access to mikrotik routers.
Dear Techsystem, after this comment and after seeing your "configured" firewall, I must agree with @anav here:
> First step disconnect from net.
With one addition: stay disconnected.
 
normis (MikroTik Support)

Re: attacking my mikrotik device

Fri Nov 11, 2022 8:54 am

Like others said, if you configure your own firewall, you can't blame the manufacturer for this. You have removed the firewall and there is no protection in place, as can be seen in your config.

Complete reinstall and then reset to default is the best way. Default config does have firewall. Do not remove it this time.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Fri Nov 11, 2022 10:02 am

> Like others said, if you configure your own firewall, you can't blame the manufacturer for this. You have removed the firewall and there is no protection in place, as can be seen in your config.
>
> Complete reinstall and then reset to default is the best way. Default config does have firewall. Do not remove it this time.
I agree with you Normis. And well.. please, I don't hate MikroTik, I know that there are professional people out there, but I really want to know if there is a specific firewall rule that prohibits this kind of attack in my current situation. Or is it mandatory to apply all default rules in their order to avoid this..?
 
gabacho4 (Member)

Re: attacking my mikrotik device

Fri Nov 11, 2022 10:11 am

In a nutshell, the input chain is dangerous if you misconfigure it. Input is access to the router itself. So don't create allow rules in the input chain unless you absolutely understand what you're doing and if doing so is necessary. Most importantly, never create an input rule that allows access from any source to any port/service. That gives complete access to the router from WAN and will result in your router being compromised.

Edit: leave the default rules in place and add your own rules as necessary. Don’t blow away the default firewall.
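The firewall points raised above by Jotne (the port-2000 rules and the missing catch-all drop) and by gabacho4 (src-port versus dst-port, and input rules that accept from any source) can be checked mechanically against an export. The following is an added example, not code from this thread or from MikroTik: a small Python audit of the input chain, run over constructed export lines in RouterOS "/ip firewall filter" syntax (the two quoted port-2000 rules plus the loopback accept as the weak set, and a default-firewall-style chain assumed as the hardened comparison).

```python
import shlex

# Constructed RouterOS "/ip firewall filter" export lines (not the OP's full
# export): the two port-2000 rules quoted in the thread plus the loopback accept.
WEAK_EXPORT = """
add action=drop chain=input protocol=tcp src-address=0.0.0.0/0 src-port=2000
add action=drop chain=input protocol=udp src-address=0.0.0.0/0 src-port=2000
add action=accept chain=input dst-address=127.0.0.1 log=yes
"""

# Constructed input chain in the shape of the RouterOS default firewall:
# accept only what is needed, then drop everything not arriving from the LAN.
HARDENED_EXPORT = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN
"""

# Keys that narrow a rule to some traffic; a 0.0.0.0/0 address narrows nothing.
SELECTORS = {"protocol", "dst-port", "src-address", "dst-address", "src-address-list",
             "in-interface", "in-interface-list", "connection-state", "ipsec-policy"}

def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts; other lines are ignored."""
    rules = []
    for line in export.splitlines():
        parts = shlex.split(line)
        if parts[:1] == ["add"]:
            rules.append(dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return rules

def narrowing(rule):
    """Match keys that actually restrict which packets the rule applies to."""
    return {k for k in rule if k in SELECTORS and rule[k] != "0.0.0.0/0"}

def audit_input_chain(export):
    """Return a list of findings for the input chain; [] means nothing found."""
    findings = []
    chain = [r for r in parse_rules(export) if r.get("chain") == "input"]
    for r in chain:
        if r.get("action") == "drop" and "src-port" in r and "dst-port" not in r:
            findings.append(f"src-port={r['src-port']} matches the peer's port, not the service; use dst-port")
        if r.get("action") == "accept" and not narrowing(r):
            findings.append("accept rule with no match condition lets any source reach any service")
    # The chain must end in a catch-all drop; limiting it to an interface (!LAN) is fine.
    last = chain[-1] if chain else {}
    if last.get("action") != "drop" or narrowing(last) - {"in-interface", "in-interface-list"}:
        findings.append("input chain does not end in a catch-all drop; unmatched traffic is accepted")
    return findings
```

On the weak set the audit reports both src-port rules and the missing terminal drop; on the hardened set it reports nothing.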
 
anav (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 2:29 pm

There is no one rule techsystem, except perhaps don't let you configure routers. ;-))

Now that you know that the router has been exposed on the internet in such a manner you need to do the following steps:
1. disconnect it from the internet
2. netinstall the latest stable firmware
3. keep the default rules in place
4. modify them so that they block all and only allow the required traffic for users and admin.
 
Techsystem (Member, Topic Author)

Re: attacking my mikrotik device

Fri Nov 11, 2022 3:20 pm

> There is no one rule techsystem, except perhaps don't let you configure routers. ;-))
>
> Now that you know that the router has been exposed on the internet in such a manner you need to do the following steps:
> 1. disconnect it from the internet
> 2. netinstall the latest stable firmware
> 3. keep the default rules in place
> 4. modify them so that they block all and only allow the required traffic for users and admin.
Hello Anav..! Maybe..! :D So is it mandatory to netinstall the router..? I replaced all my old rules with the default rules that came with the router; does that make sense..? So why did all of you recommend netinstalling the router..?
 
rextended (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 3:37 pm

For two reasons:
1) you have 4beta and the latest is 7.6, and it is better to remove all the old mess and restore the default firewall and the other rules that work with the firewall
2) if your device is hacked, you clean the hack

> i don't know why mikrotik enable this default ospf and pptp enterface in Routers . its not the first time that attacker uses this vulnerability to access to mikrotik routers.
don't write bullshit
they are off by default and if you open them, it's your fault
MikroTik cannot prevent the mistakes of those who use the router
 
anav (Forum Guru)

Re: attacking my mikrotik device

Fri Nov 11, 2022 4:50 pm

You come here asking for help and advice, you are provided that guidance and not just by one person, and then you question it.
I can only repeat it so many times. One can lead a horse to water but cannot make it drink.

I am starting to think it's not even a horse but a donkey ;-)

Good luck, I'm off to help others that listen.
