
Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Tue Jun 29, 2021 12:28 pm
by grumpazoid
I have a CCR1016 and it has been running 6.48.1 - now updated to 6.48.3

I have noticed two identical entries appearing on the input chain at the top: add action=accept chain=input disabled=no dst-port=5678 protocol=tcp

I also have two MikroTik CRS switches on the network. Any reason for this? Should I be concerned?

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 12:38 pm
by rextended
If the second is not UDP, someone did incomplete work.

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 12:45 pm
by grumpazoid
rextended wrote: "If the second is not UDP, someone did incomplete work."
Please could you elaborate?

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 1:00 pm
by rextended
Please do not use "Reply with quote" without any reason, use "Post Reply" instead.

Accept incoming Neighbor Discovery protocol, but the protocol uses UDP, not TCP.

You can delete the rules without problems.

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 4:16 pm
by grumpazoid
I had been hacked - same as here viewtopic.php?f=2&t=172091&p=841272&hil ... tp#p841272

Although my router OS was more up to date. Big concern - reset time.

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 4:30 pm
by rextended
It uses the same port as the Neighbor Discovery protocol, a perfectly legit service used between RouterBOARDs, to mask the traffic...

Probably your router was "compromised" some time ago...

Re: Firewall Input rules appearing port 5678 tcp

Posted: Tue Jun 29, 2021 5:18 pm
by grumpazoid
Thanks. I am aware 5678 UDP is legit.
Someone was adding 5678 TCP at the top of my input chain and had set up an L2TP client as documented in the aforementioned post.
Router OS has been kept up to date. I run an L2TP server, so maybe compromised that way?

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Tue Jun 29, 2021 6:32 pm
by rextended
Probably, but it is hard to say.

Better to make a backup: NOT a backup, an EXPORT.
Netinstall the device and import the export back, section by section, to search for other strange things, if any....

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Tue Jun 29, 2021 7:10 pm
by anav
As rextended stated, the only safe course of action is to do a netinstall and put the old exported config back in bits, without the offending bits and especially any scripts (even if you made them, they may have been modified!).
Do not use the same userID (edit: and password, thanks rextended) and use a different winbox port too if using winbox.
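
An added example, not part of the thread and not MikroTik tooling: a Python script that reads a text `/export` before the section-by-section re-import and lists the items this thread names for manual review (input-chain accept rules covering tcp/5678, L2TP client entries, and scripts). The sample export is constructed, the function names are hypothetical, and it assumes the usual export layout of a `/section` line followed by `add` lines with `\` continuations.

```python
import shlex

# Constructed sample of a RouterOS text export (not the poster's router).
SAMPLE_EXPORT = r'''/interface l2tp-client
add connect-to=vpn.example.invalid disabled=no name=l2tp-out1 user=user1
/ip firewall filter
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input dst-port=5678 protocol=tcp
add action=accept chain=input comment="neighbor discovery" dst-port=5678 \
    protocol=udp
add action=drop chain=input in-interface=ether1
/system script
add name=script1 source="/log info test"
'''
# Sections the thread says to re-check by hand before importing them again.
REVIEW = {"/interface l2tp-client": "L2TP client: confirm you created it",
          "/system script": "script: read the source before re-importing"}

def port_matches(spec, port=5678):
    """True if a dst-port value such as '80,5000-6000' covers the port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def parse_export(text):
    """Yield (section, params) per 'add' line, joining '\\' continuations."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]          # wrapped line: keep accumulating
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])   # honours quoted values
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return (section, reason, params) tuples that need manual review."""
    findings = []
    for section, p in parse_export(text):
        if (section == "/ip firewall filter" and p.get("chain") == "input"
                and p.get("action") == "accept" and p.get("protocol") == "tcp"
                and port_matches(p.get("dst-port", ""))):
            findings.append((section, "input accept covering tcp/5678", p))
        elif section in REVIEW:
            findings.append((section, REVIEW[section], p))
    return findings
```

Calling `audit()` on the sample returns the two TCP rules, the L2TP client and the script, and leaves the UDP neighbor-discovery rule alone.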

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Tue Jun 29, 2021 9:04 pm
by rextended
P.S.: Do not use the same password, and change ALL your passwords used till now!!!!!!...

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Wed Jun 30, 2021 11:54 am
by grumpazoid
Thanks all. Netinstall completed with new credentials

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Wed Jun 30, 2021 5:22 pm
by anav
Well done, most people take a few times to get the hang of netinstall, seems like it worked well for you first go!

Re: Firewall Input rules appearing port 5678 tcp. Hacked.

Posted: Mon Jul 05, 2021 3:39 pm
by grumpazoid
The first time nothing happened and the reboot button did not appear. Second attempt all worked as per the instructions on the wiki.