What firmware are (were) they on? Also are you on standard Winbox ports etc.? I've heard from another user with this who was firewalling their external access for Winbox and was wondering if some internal malware was doing it.
Thank you so much for posting this. Yes, same thing here. Have had 300 customers down all day. Found the NAT entry and all is good now. I also need to know if this is a new exploit.
oct/15 23:48:58 system,info,account user admin logged in from 109.251.192.80 via ssh
oct/15 23:49:01 system,info filter rule added by admin
oct/15 23:49:01 system,info nat rule added by admin
oct/15 23:49:01 system,info nat rule added by admin
oct/15 23:49:01 system,info,account user admin logged out from 109.251.192.80 via ssh
/ip firewall filter
add action=accept chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=185.117.88.13 to-ports=53
add action=masquerade chain=srcnat
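Added example (mine, not from any poster in this thread): a small Python check that parses a RouterOS export fragment and the log lines quoted above, flags dstnat rules that redirect DNS (udp/53) to an address you do not trust, and counts how many rules each SSH session added. The sample export and log lines are constructed from the post above; the trusted DNS list is an assumption you fill in for your own network.

```python
import re

# Constructed sample: the three rules the post above shows being added.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=185.117.88.13 to-ports=53
add action=masquerade chain=srcnat
"""

# Constructed sample: the log excerpt from the post above.
SAMPLE_LOG = """\
oct/15 23:48:58 system,info,account user admin logged in from 109.251.192.80 via ssh
oct/15 23:49:01 system,info filter rule added by admin
oct/15 23:49:01 system,info nat rule added by admin
oct/15 23:49:01 system,info nat rule added by admin
oct/15 23:49:01 system,info,account user admin logged out from 109.251.192.80 via ssh
"""

def parse_export(text):
    """Turn a RouterOS '/export' fragment into a list of (section, {key: value}) rules."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                       # e.g. "/ip firewall nat"
        elif line.startswith("add ") and section:
            rules.append((section, dict(re.findall(r"(\S+?)=(\S+)", line))))
    return rules

def find_dns_hijack(text, trusted_dns=()):
    """Return to-addresses of dstnat rules that redirect port 53 to an untrusted host."""
    hits = []
    for section, a in parse_export(text):
        if (section == "/ip firewall nat" and a.get("chain") == "dstnat"
                and a.get("action") == "dst-nat" and a.get("dst-port") == "53"
                and a.get("to-addresses") not in trusted_dns):
            hits.append(a["to-addresses"])
    return hits

def rule_changes_per_session(log):
    """Map each SSH session (user, source IP) to the number of rules it added."""
    sessions, current = {}, None
    for line in log.splitlines():
        m = re.search(r"user (\S+) logged in from (\S+) via", line)
        if m:
            current = (m.group(1), m.group(2))
            sessions.setdefault(current, 0)
        elif "logged out" in line:
            current = None
        elif current and "rule added by" in line:
            sessions[current] += 1
    return sessions
```

A short session from an unfamiliar address that adds several rules, combined with a dstnat hit on port 53, is the pattern described in this thread; compare the flagged address against your own resolvers before acting on it.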
In general, management ports like SSH and Winbox should not be open to the internet by default.
- are you seriously using "admin" ?
Oh yes - that's the other thing I do by default. The admin username is deleted / renamed.
Many versions above include vulnerable versions. Also, mostly nobody is saying what firewall you have and what services are open to public. Please all share more details.
- running version
- did you perhaps upgrade from an older/vulnerable version to this one?
- have you deleted the old user and made a new one with new pass?
- are you seriously using "admin" ?
- what services open
- firewall rules
- logs
- send supout.rif to support
Normis
If you read the facebook topic I created you can see it's not a firewall issue, because one of the people I talk to on facebook said he had a secured firewall and they were able to get past it, so we need to figure out if this is some kind of exploit for MikroTik and other linux based firmware. Even the latest version of the OS got nailed also.
- Do not use "admin" user, ever
That is just "security by obscurity". When it is vulnerable for admin, it is probably vulnerable for any user.
I'd like to add that it has become difficult to update our customers' routers. Most are hAPs and do not have enough free space to upgrade.
Well, maybe you should have thought about it a little more before giving most of your customers a $19.95 router!
Was there anyone here using SSH keys to log in instead of passwords? For anyone exploited, did the bot add any keys for any users?
@NathanA, was SSH the only exposed service? No winbox or API etc?
Upgraded to 6.45.5 from 6.45.4 (or .3)
This topic so far: "I heard somebody got hacked"; "Me too"; "I have no firewall and use admin user".
So please:
- Use latest version (at least "long-term")
- If you upgraded from a vulnerable older version, make a new user and new password, delete the old user
- Do not use "admin" user, ever
- Send support your supout.rif file if you are running latest RouterOS release with firewall and non-admin
So from what has been posted above
it seems like some kind of ssh authentication bypass.
It seems also that at least the user name must be known.
You should have the supout I sent to support, see call ref Ticket#2019090122001404
No, but people write those exploit kits that a script kiddie can use to quickly distribute his desired attack code to many different types of router.
RouterOS doesn't use web interfaces on top of busybox, it has a custom proprietary protocol. Exploits affecting other devices like the DLINK or Netgear are not going to work on RouterOS.
No, but people write those exploit kits that a script kiddie can use to quickly distribute his desired attack code to many different types of router.
Of course it will use a different method for different routers.
I'm not entirely convinced your (CZFan) problem has anything to do with what is being discussed here. The config changes that were made by this bot to compromised routers were VERY small and VERY simple...3 "/ip firewall [filter/nat] add" commands and that's it.
-- Nathan
To test some of the theories in this thread, I netinstalled 6.45.6 on a spare board, with default config and then exposed SSH to the internet after setting a strong admin password. So far while there are plenty of brute force attempts, there is no sign of an exploit that can bypass authentication. I'll rotate the exposed ports if nothing interesting happens after a while.
Seeing what video is shown in the redirect, it probably was a single-shot attack by some activist, that you will not see continuing all the time.
How on Earth could this be possible?
Are you REALLY asking that? Did you read the topic and other topics about MikroTik hacks first?
- Laszlo
Thank you for that, I will do.
For now, netinstall your router to the current stable release and RESET it to factory default config.
I have done it, just waiting to know whether they can penetrate through the changed password, or not.
Seeing what video is shown in the redirect, it probably was a single-shot attack by some activist, that you will not see continuing all the time.
(maybe there will be a couple more shots, depending on how much money they want to spend at their "exploit as a service" provider)
But of course, when there really is a vulnerability, it could also come back with other payloads.
More interesting would be to find an unimportant router that was attacked, remove the added rules and change the password (but not the username), and see if it is attacked again.
I am just wondering about the attack vector, to understand how they penetrated it?
You fouled up the firewall. And now we can only hope you won't do it again after reinstalling and resetting to defaults.