Definitely need 6.42+; there are two major exploits you're open to.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 17, 2018 at 6:44 AM, Nick W <[email protected]> wrote:

> Based on those versions you listed, it sounds like the Winbox
> vulnerability described here:
> https://forum.mikrotik.com/viewtopic.php?t=133533
>
> Password complexity isn't really the issue since they could connect and
> download the unencrypted user database file. Firewall off Winbox and/or
> upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.
>
> On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <[email protected]> wrote:
>
>> I just happened to be looking through the Logs of a couple Mikrotiks
>> that I didn't have Winbox Firewalled off From the outside world. Someone
>> from the outside world logged into winbox today. I had what I 'thought'
>> were strong passwords on them. The only active service on the router is
>> the Winbox Service.
>>
>> The only changes that were made was they enabled the 'socks' server, and
>> added input firewall rule for the socks port. They were in and out of
>> the router in a matter of seconds, so it looks like it was scripted
>> somehow.
>>
>> I'm going through now and changing passwords and verifying all routers
>> are locked from the outside. On the routers that I've found this on,
>> all the logins were sourced from this same IP Address. So far the
>> affected routers I've found were running versions 6.39-6.41.3
>>
>> Might be a good time to check your logs and access controls.
>>
>> jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
>> jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
>> jul/15 02:29:18 system,info socks config changed by admin
>> jul/15 02:29:18 system,info filter rule added by admin
>> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
>> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
>>
>> --
>> AF mailing list
>> [email protected]
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
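
Added example (not part of the original thread or anyone's posted code): one way to check exported RouterOS logs for the pattern described above, a login followed by configuration changes and a logout within seconds. The log text is constructed in the same format as the quoted excerpt, the addresses are documentation ranges, and the function name and 30-second threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same format as the log excerpt quoted in the thread;
# 192.0.2.10 and 203.0.113.5 are documentation addresses, not real indicators.
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 192.0.2.10 via winbox
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 192.0.2.10 via winbox
jul/16 09:00:00 system,info,account user admin logged in from 203.0.113.5 via winbox
jul/16 09:41:07 system,info filter rule added by admin
jul/16 10:02:30 system,info,account user admin logged out from 203.0.113.5 via winbox
"""

LINE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
LOGIN = re.compile(r"^user (\S+) logged (in|out) from (\S+) via (\S+)$")
CHANGE = re.compile(r"^(.+) (changed|added|removed) by (\S+)$")

def find_scripted_sessions(text, max_seconds=30):
    """Return sessions that logged in, changed config and logged out within max_seconds."""
    open_sessions, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # These log lines carry no year; a fixed leap year keeps feb/29 parseable.
        ts = datetime.strptime("2000/" + m.group(1), "%Y/%b/%d %H:%M:%S")
        msg = m.group(3)
        if (lg := LOGIN.match(msg)):
            user, direction, src, svc = lg.groups()
            key = (user, src, svc)
            if direction == "in":
                open_sessions[key] = {"start": ts, "changes": []}
            elif key in open_sessions:
                s = open_sessions.pop(key)
                secs = int((ts - s["start"]).total_seconds())
                if s["changes"] and timedelta(seconds=secs) <= timedelta(seconds=max_seconds):
                    findings.append({"user": user, "src": src, "via": svc,
                                     "seconds": secs, "changes": s["changes"]})
        elif (ch := CHANGE.match(msg)):
            # Change lines name only the user, so credit every open session of that user.
            for (user, _, _), s in open_sessions.items():
                if user == ch.group(3):
                    s["changes"].append(f"{ch.group(1)} {ch.group(2)}")
    return findings

if __name__ == "__main__":
    for finding in find_scripted_sessions(SAMPLE_LOG):
        print(finding)
```

A long interactive session that happens to include a rule change, like the second one in the sample, is not flagged at the default threshold.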
