What's new in 6.43rc44 (2018-Jul-11 07:45): MAJOR CHANGES IN v6.43: ---------------------- !) api - changed authentication process (https://wiki.mikrotik.com/wiki/Manual:API#Initial_login);
Justin Wilson [email protected] www.mtin.net www.midwest-ix.com > On Jul 16, 2018, at 10:57 PM, Nate Burke <[email protected]> wrote: > > I just happened to be looking through the Logs of a couple Mikrotiks that I > didn't have Winbox Firewalled off From the outside world. Someone from the > outside world logged into winbox today. I had what I 'thought' were strong > passwords on them. The only active service on the router is the Winbox > Service. > > The only changes that were made was they enabled the 'socks' server, and > added input firewall rule for the socks port. They were in and out of the > router in a matter of seconds, so it looks like it was scripted somehow. > > I'm going through now and changing passwords and verifying all routers are > locked from the outside. On the routers that I've found this on, all the > logins were sourced from this same IP Address. So far the affected routers > I've found were running versions 6.39-6.41.3 > > Might be a good time to check your logs and access controls. > > > jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 > via winbox > jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 > via telnet > jul/15 02:29:18 system,info socks config changed by admin > jul/15 02:29:18 system,info filter rule added by admin > jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 > via winbox > jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 > via telnet > > > > > -- > AF mailing list > [email protected] > http://af.afmug.com/mailman/listinfo/af_af.afmug.com > -- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
