Am I correct to assume that input firewall rules limiting access to the router 
(Network Admin static IP) minimizes/eliminates the exposure or does this hack 
somehow bypass filter rules?

Steve B.

From: AF [mailto:[email protected]] On Behalf Of Dave
Sent: Tuesday, July 17, 2018 4:07 PM
To: [email protected]
Subject: Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes


My power router v4 is still on 6.27 because of some hardware driver issue for 
support of sfp modules.
Last time I made the move to upgrade to 6.40 all of my sfp ports started 
flapping and would not stabilize no matter what I tried.
I've been watching the change logs and it seems there were some driver upgrades 
between 6.39-6.42.

I have ordered all new sfp modules in hopes of correcting this on the next 
upgrade.



On 07/17/2018 08:43 AM, Dennis Burgess wrote:

Correct, need to get those updated. 


Dennis Burgess, Mikrotik Certified Trainer 

Author of "Learn RouterOS - Second Edition" 

Link Technologies, Inc -- Mikrotik & WISP Support Services 

Office: 314-735-0270  Website: http://www.linktechs.net 

Create Wireless Coverages with www.towercoverage.com 


From: AF [mailto:[email protected]] On Behalf Of Nick W
Sent: Tuesday, July 17, 2018 5:45 AM
To: [email protected]
Subject: Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes


Based on those versions you listed, it sounds like the Winbox vulnerability 
described here: https://forum.mikrotik.com/viewtopic.php?t=133533


Password complexity isn't really the issue since they could connect and 
download the unencrypted user database file. Firewall off Winbox and/or 
upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.


On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <[email protected]> wrote:

I just happened to be looking through the Logs of a couple Mikrotiks 
that I didn't have Winbox Firewalled off From the outside world. Someone 
from the outside world logged into winbox today.  I had what I 'thought' 
were strong passwords on them.  The only active service on the router is 
the Winbox Service.

The only changes that were made were that they enabled the 'socks' server and 
added an input firewall rule for the socks port.  They were in and out of 
the router in a matter of seconds, so it looks like it was scripted 
somehow.

I'm going through now and changing passwords and verifying all routers 
are locked from the outside.  On the routers that I've found this on, 
all the logins were sourced from this same IP Address.  So far the 
affected routers I've found were running versions 6.39-6.41.3

Might be a good time to check your logs and access controls.


jul/15 02:29:14 system,info,account user admin logged in from 
194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 
194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 
194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 
194.40.240.254 via telnet




-- 
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
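A small log audit in the spirit of Nate's "check your logs" advice, added here as an example and not posted by anyone in the thread. It parses RouterOS account/config log lines in the format shown above (the sample is a constructed copy of those lines), flags logins from source IPs that are not on a management allow-list, and ties any config changes made during such a session to that login; the allow-list address 203.0.113.10 is an assumed placeholder.

```python
import re

# Constructed copy of the log lines from the thread ("mon/dd HH:MM:SS topics message").
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<topics>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<ip>\S+) via (?P<svc>\S+)")
CHANGE_RE = re.compile(r"^(?P<what>.+?) (?:changed|added|removed) by (?P<user>\S+)$")


def audit(log_text, allowed_sources):
    """Return (timestamp, kind, detail) findings: every login from an IP outside
    allowed_sources, plus each config change made by a user who still has such a
    session open (tracked per user and service, since winbox and telnet overlap)."""
    findings = []
    open_sessions = set()  # (user, service) pairs logged in from a non-allowed IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, topics, msg = m.group("ts", "topics", "msg")
        if "account" in topics.split(","):
            lm = LOGIN_RE.search(msg)
            if not lm or lm.group("ip") in allowed_sources:
                continue
            user, direction, ip, svc = lm.group("user", "dir", "ip", "svc")
            if direction == "in":
                open_sessions.add((user, svc))
                findings.append((ts, "login", f"{user} from {ip} via {svc}"))
            else:
                open_sessions.discard((user, svc))
            continue
        cm = CHANGE_RE.match(msg)
        if cm and any(u == cm.group("user") for u, _ in open_sessions):
            findings.append((ts, "change", cm.group("what")))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in audit(SAMPLE_LOG, {"203.0.113.10"}):  # assumed admin IP
        print(ts, kind, detail)
```

Feed it `/log print` output (or the syslog copy the router sends) and an allow-list matching the input-chain rule Steve describes; a login that appears here but never hits the firewall drop counter is exactly the case worth investigating.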