I believe that this is specific to Winbox, if Winbox is accessible to
the internet and it's running versions between 6.29 and 6.42.1 then you
are vulnerable.
On 7/17/2018 11:27 AM, Mathew Howard wrote:
So does the problem actually come from having the API service exposed
to the internet, not winbox (i.e. if you have winbox exposed to the
internet, but API is disabled, you should be fine)?
I think I have API disabled on all of our Mikrotiks that are exposed
to the internet, and all the other services are blocked, so we should
be safe on anything that's still running old firmware anyway.
On Tue, Jul 17, 2018 at 10:52 AM, Dennis Burgess
<[email protected] <mailto:[email protected]>> wrote:
DO NOT USE API without a SSL. :) !!!!
Now client sends username and password in first message.
Password is sent in plain text.
in case of error, reply contains =message=error message.
In case of successful login client can start to issue commands.
Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
Create Wireless Coverage's with www.towercoverage.com
<http://www.towercoverage.com>
-----Original Message-----
From: AF <[email protected]
<mailto:[email protected]>> On Behalf Of Justin Wilson
Sent: Tuesday, July 17, 2018 10:47 AM
To: AnimalFarm Microwave Users Group <[email protected]
<mailto:[email protected]>>
Subject: Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
What's new in 6.43rc44 (2018-Jul-11 07:45):
MAJOR CHANGES IN v6.43:
----------------------
!) api - changed authentication process
(https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
<https://wiki.mikrotik.com/wiki/Manual:API#Initial_login>);
Justin Wilson
[email protected] <mailto:[email protected]>
www.mtin.net <http://www.mtin.net>
www.midwest-ix.com <http://www.midwest-ix.com>
> On Jul 16, 2018, at 10:57 PM, Nate Burke <[email protected]
<mailto:[email protected]>> wrote:
>
> I just happened to be looking through the Logs of a couple
Mikrotiks that I didn't have Winbox Firewalled off From the
outside world. Someone from the outside world logged into winbox
today. I had what I 'thought' were strong passwords on them. The
only active service on the router is the Winbox Service.
>
> The only changes that were made was they enabled the 'socks'
server, and added input firewall rule for the socks port. They
were in and out of the router in a matter of seconds, so it looks
like it was scripted somehow.
>
> I'm going through now and changing passwords and verifying all
routers are locked from the outside. On the routers that I've
found this on, all the logins were sourced from this same IP
Address. So far the affected routers I've found were running
versions 6.39-6.41.3
>
> Might be a good time to check your logs and access controls.
>
>
> jul/15 02:29:14 system,info,account user admin logged in from
194.40.240.254 via winbox
> jul/15 02:29:17 system,info,account user admin logged in from
194.40.240.254 via telnet
> jul/15 02:29:18 system,info socks config changed by admin
> jul/15 02:29:18 system,info filter rule added by admin
> jul/15 02:29:19 system,info,account user admin logged out from
194.40.240.254 via winbox
> jul/15 02:29:19 system,info,account user admin logged out from
194.40.240.254 via telnet
>
>
>
>
> --
> AF mailing list
> [email protected] <mailto:[email protected]>
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
<http://af.afmug.com/mailman/listinfo/af_af.afmug.com>
>
--
AF mailing list
[email protected] <mailto:[email protected]>
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
<http://af.afmug.com/mailman/listinfo/af_af.afmug.com>
--
AF mailing list
[email protected] <mailto:[email protected]>
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
<http://af.afmug.com/mailman/listinfo/af_af.afmug.com>
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
