unfortunately, i am seeing this too. ----- Original Message ----- From: Adam Moffett To: [email protected] Sent: Tuesday, July 17, 2018 12:11 AM Subject: Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
Ex employee? Password compromised by phishing? I'd hope there isn't another vulnerability. On 7/16/2018 10:57 PM, Nate Burke wrote: > I just happened to be looking through the Logs of a couple Mikrotiks > that I didn't have Winbox Firewalled off From the outside world. > Someone from the outside world logged into winbox today. I had what I > 'thought' were strong passwords on them. The only active service on > the router is the Winbox Service. > > The only changes that were made was they enabled the 'socks' server, > and added input firewall rule for the socks port. They were in and > out of the router in a matter of seconds, so it looks like it was > scripted somehow. > > I'm going through now and changing passwords and verifying all routers > are locked from the outside. On the routers that I've found this on, > all the logins were sourced from this same IP Address. So far the > affected routers I've found were running versions 6.39-6.41.3 > > Might be a good time to check your logs and access controls. > > > jul/15 02:29:14 system,info,account user admin logged in from > 194.40.240.254 via winbox > jul/15 02:29:17 system,info,account user admin logged in from > 194.40.240.254 via telnet > jul/15 02:29:18 system,info socks config changed by admin > jul/15 02:29:18 system,info filter rule added by admin > jul/15 02:29:19 system,info,account user admin logged out from > 194.40.240.254 via winbox > jul/15 02:29:19 system,info,account user admin logged out from > 194.40.240.254 via telnet > > > > -- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
