My power router v4 is still on 6.27 because of some hardware driver
issue for support of sfp modules.
Last time I made the move to upgrade to 6.40 all of my sfp ports started
flapping and would not stabilize no matter what I tried.
I've been watching the change logs and it seems there were some driver
upgrades between 6.39-6.42.
I have ordered all new sfp modules in hopes of correcting this on the
next upgrade.
On 07/17/2018 08:43 AM, Dennis Burgess wrote:
Correct, need to get those updated.
*Dennis Burgess, Mikrotik Certified Trainer *
Author of "Learn RouterOS- Second Edition"
*Link Technologies, Inc*-- Mikrotik & WISP Support Services
*Office*: 314-735-0270 Website: http://www.linktechs.net
Create Wireless Coverage’s with www.towercoverage.com
*From:*AF <[email protected]> *On Behalf Of *Nick W
*Sent:* Tuesday, July 17, 2018 5:45 AM
*To:* [email protected]
*Subject:* Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
Based on those versions you listed, it sounds like the Winbox
vulnerability described here:
https://forum.mikrotik.com/viewtopic.php?t=133533
Password complexity isn't really the issue since they could connect
and download the unencrypted user database file. Firewall off Winbox
and/or upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.
On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <[email protected]> wrote:
I just happened to be looking through the logs of a couple Mikrotiks
that I didn't have Winbox firewalled off from the outside world.
Someone from the outside world logged into winbox today. I had what I
'thought' were strong passwords on them. The only active service on
the router is the Winbox service.
The only changes that were made were that they enabled the 'socks'
server and added an input firewall rule for the socks port. They were
in and out of the router in a matter of seconds, so it looks like it
was scripted somehow.
I'm going through now and changing passwords and verifying all routers
are locked from the outside. On the routers that I've found this on,
all the logins were sourced from this same IP address. So far the
affected routers I've found were running versions 6.39-6.41.3.
Might be a good time to check your logs and access controls.
jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
--
AF mailing list
[email protected] <mailto:[email protected]>
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
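Added example, not part of any message in the thread: one way to run the log check suggested above over exported RouterOS logs, flagging configuration changes made within seconds of a login from outside your management networks. The function name, the 192.168.88.0/24 management network, the 60-second window and the year (the log format carries none) are assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# First five lines are entries quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/16 09:00:00 system,info,account user admin logged in from 192.168.88.10 via winbox
jul/16 09:20:00 system,info filter rule added by admin
"""

STAMP = r"(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) \S+ "
LOGIN = re.compile(STAMP + r"user (\S+) logged in from (\S+) via (\S+)$")
CHANGE = re.compile(STAMP + r"(.+ (?:changed|added|removed)) by (\S+)$")

def _trusted(src, nets):
    try:
        return any(ip_address(src) in n for n in nets)
    except ValueError:  # source is not an IP address, e.g. a MAC address
        return False

def find_remote_changes(log_text, mgmt_nets=("192.168.88.0/24",), window=60, year=2018):
    """Return (timestamp, user, sources, services, change) for every config change
    made within `window` seconds after a login from outside `mgmt_nets`."""
    nets = [ip_network(n) for n in mgmt_nets]
    when = lambda s: datetime.strptime(f"{year}/{s}", "%Y/%b/%d %H:%M:%S")
    logins = {}    # user -> [(time, source, service)] for untrusted logins
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        if m := LOGIN.match(line):
            if not _trusted(m[3], nets):
                logins.setdefault(m[2], []).append((when(m[1]), m[3], m[4]))
        elif m := CHANGE.match(line):
            t = when(m[1])
            recent = [l for l in logins.get(m[3], [])
                      if timedelta(0) <= t - l[0] <= timedelta(seconds=window)]
            if recent:
                findings.append((m[1], m[3], sorted({l[1] for l in recent}),
                                 sorted({l[2] for l in recent}), m[2]))
    return findings

if __name__ == "__main__":
    for finding in find_remote_changes(SAMPLE_LOG):
        print(finding)
```

The later change on jul/16 is not reported because the only login near it came from the management network.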