Hi everyone,
This morning I started experiencing problems with the https certificates of various websites such as google, msn etc. In the beginning i thought there is a temporary problem maybe with google but after surfing some more I realised it wasn't just google but other sites as well. After upgrading my routers to 6.42.3 from 6.40.4 (main ones are a 1036 and a 1100 used as a load balancer) I started looking into the devices and I found out that there were two entries in the DNS settings 128.14.6.12 and 13 as DNS servers on the 1100 (load balancing). I removed the entries and all is back to normal. I obviously was hacked. I had all services disabled except www and winbox on which I changed the default ports (www was changed from day one but decided to change it again). My bad that I used the default admin account with an 8 digit password (although letters+symbols+numbers), so I've changed the username and the password as well and disabled the admin account. So my question is
1. What else should I do to further secure my devices and if there is anything else I should look for in them
2. Is there anything I can do about reporting these IPs to someone? From what I found the 128.14.0.0/17 subnet belongs to zenlayer.com (some chinese-usa ISP?)
Thanks everyone!
Re: Hacked-Rogue DNS?
It seems that one can not be 100% sure about the extent of damage done by hackers.
It also seems that the cure is as follows:
It also seems that the cure is as follows:
- take device off-line
- create full configuration export and copy file off device
- thoroughly examine the exported configuration script to find any signs of hacked configuration and remove or repair the compromised configuration part
- do netinstall of device
- load configuration from sanitized configuration file
- make sure you rigorously filter any connectivity possibilities to your router from internet. If your really need webfig/winbox/any_other_admin access, limit it to a few known remote IP addresses that you (kind of) have under control
- put device back on-line
Re: Hacked-Rogue DNS?
I confirm this issue for
- Netcore Routers
- Next Routers
I recommend to blackhole all traffic to 128.14.6.0/24 or the whole /17 block from zenlayer Inc
- Netcore Routers
- Next Routers
I recommend to blackhole all traffic to 128.14.6.0/24 or the whole /17 block from zenlayer Inc
-
-
stamatis123
just joined
- Posts: 14
- Joined:
Re: Hacked-Rogue DNS?
Thanks for the tips!
Checked the script, all is clear, changed default username and hardened my password. Hopefully this will keep them out
Checked the script, all is clear, changed default username and hardened my password. Hopefully this will keep them out
Re: Hacked-Rogue DNS?
You need to:
- keep your RouterOS uptodate
- improve your firewall settings. the default firewall will be OK
- keep your RouterOS uptodate
- improve your firewall settings. the default firewall will be OK
Re: Hacked-Rogue DNS?
More options:
- Use Port Knocking for administrative ports
- Use L2TP/IPSec and not expose administrative ports
- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
For the last one, it seems hackers are using distributed port scans. For my routers, about 1000 unique IPs are slowly checking my ports. I ban these IPs. My rule to block banned IPs says about 10,000 TCP/SYN packets are dropped daily. The rule is near the top, so the banned IPs don't get to connect to ports that are actually open.
- Use Port Knocking for administrative ports
- Use L2TP/IPSec and not expose administrative ports
- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
For the last one, it seems hackers are using distributed port scans. For my routers, about 1000 unique IPs are slowly checking my ports. I ban these IPs. My rule to block banned IPs says about 10,000 TCP/SYN packets are dropped daily. The rule is near the top, so the banned IPs don't get to connect to ports that are actually open.
Re: Hacked-Rogue DNS?
How do you do this? Do you have a script?- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
Will this add much CPU load?
I can see from my log that hacker are hammering on many ports, but mainly on 23 (telnet)
Re: Hacked-Rogue DNS?
I use this as "first line barrier".
Proper WAN ports should be added to WAN_LIST and port 65432 in the first rule should be set to port which Winbox access is set to
Proper WAN ports should be added to WAN_LIST and port 65432 in the first rule should be set to port which Winbox access is set to
Code: Select all
/interface list
add name=WAN_LIST
/ip firewall raw
add action=accept chain=prerouting dst-port=65432 protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK2 address-list-timeout=27m chain=prerouting comment=RAW2ADD in-interface-list=WAN_LIST log-prefix="RAW2ADD: " src-address-list=RAWATTACK
add action=drop chain=prerouting comment=RAW2 in-interface-list=WAN_LIST log-prefix="RAW2: " src-address-list=RAWATTACK2
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=tcp
add action=add-src-to-address-list address-list=RAWATTACK address-list-timeout=17m chain=prerouting comment=RAW1ADD dst-port=8291,22,23,2000,7547,11211,135,137-139,548,80,8080,81,37215 in-interface-list=WAN_LIST log=yes log-prefix="RAW1: " protocol=udp
add action=drop chain=prerouting comment=RAW1 in-interface-list=WAN_LIST log-prefix="RAW1: " src-address-list=RAWATTACKRe: Hacked-Rogue DNS?
Rule 1: Chain=Input, in-interface=ether1, src-add-list=BANNED, action=dropHow do you do this? Do you have a script?- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
Will this add much CPU load?
Rule 2: Chain=Input, in-interface=ether1, proto=tcp, dst-ports=1-79,81-442,444-65535, connection-type=New, action=add-src-ip-to-list, list=BANNED
Rule 3: Chain=input, in-interface=ether1, proto=udp, dst-ports=1-65535, action=add-src-ip-to-list, list=BANNED
Rule 1 is straight forward, drop packets that are in banned list. I put this under my L2TP/IPSec input rule in case I ban myself, I can VPN in and remove myself.
Rule 2 applies to TCP connections with the SYN flag set and applies to all ports except my services.
Rule 3 is the same but for UDP, in my example above I'm expecting no inbound UDP packets.
I thought if since i was using the INPUT filter, that inbound NAT forwarded packets would be excluded from this rule but it seems they're not. So I explicitly define the ports that this rule applies.
With default config, a rule to allow established and related already exists. I move this up between Rule 1 and 2. Not sure if this is required.
CPU doesn't get impacted much my clients aren't load demanding. If you host a busy website you may want to do your own tests.
My banned address list sits at 15,000 entries on a HEX router. If you're concerned about memory, set the entries to use dynamic timeouts. If your device becomes unstable, just reboot it and the address list is cleared.
Re: Hacked-Rogue DNS?
Thanks for the reply.
For me these looks like three static Rules.
What I do not understand is where the IP and the BANNED list came from.
Or is there some I do understand with this?
For me these looks like three static Rules.
What I do not understand is where the IP and the BANNED list came from.
Or is there some I do understand with this?
Re: Hacked-Rogue DNS?
That is a nice exercise to see what is possible with the firewall, but for actual protection of the router it is of course completely useless.Ban all IPs that try to connect to ports with no services listening.
As it also increases the risk (memory overflowing, or locking yourself out because you are behind the same NAT as some kiddie doing a portscan)
I would advise against that. The other options mentioned are good.
Re: Hacked-Rogue DNS?
Hi,Rule 1: Chain=Input, in-interface=ether1, src-add-list=BANNED, action=dropHow do you do this? Do you have a script?- Use aggressive firewall. Ban all IPs that try to connect to ports with no services listening.
Will this add much CPU load?
Rule 2: Chain=Input, in-interface=ether1, proto=tcp, dst-ports=1-79,81-442,444-65535, connection-type=New, action=add-src-ip-to-list, list=BANNED
Rule 3: Chain=input, in-interface=ether1, proto=udp, dst-ports=1-65535, action=add-src-ip-to-list, list=BANNED
Rule 1 is straight forward, drop packets that are in banned list. I put this under my L2TP/IPSec input rule in case I ban myself, I can VPN in and remove myself.
Rule 2 applies to TCP connections with the SYN flag set and applies to all ports except my services.
Rule 3 is the same but for UDP, in my example above I'm expecting no inbound UDP packets.
I thought if since i was using the INPUT filter, that inbound NAT forwarded packets would be excluded from this rule but it seems they're not. So I explicitly define the ports that this rule applies.
With default config, a rule to allow established and related already exists. I move this up between Rule 1 and 2. Not sure if this is required.
CPU doesn't get impacted much my clients aren't load demanding. If you host a busy website you may want to do your own tests.
My banned address list sits at 15,000 entries on a HEX router. If you're concerned about memory, set the entries to use dynamic timeouts. If your device becomes unstable, just reboot it and the address list is cleared.
is this rules block only port scanners ? or blocking 1-79,81-442,444-65535 port range _?
thanks
Re: Hacked-Rogue DNS?
Port scanner is a device/person/entity which checks ports in a router so these rules block ports from being discovered and services identified.