Should I have specific concerns with the routers coming back online after a firmware upgrade?
Coordinating access to one of my locations takes some effort, and particularly for after-hours work. I don't want to have an unnecessary daytime outage to upgrade while on-site. I've upgraded on the bench without a second thought, but want to plan accordingly. I'd rather upgrade while on-site if there is any real concern about equipment not coming back. I regularly upgrade other equipment without a second thought.

tim

On Wed, Jul 18, 2018 at 10:42 AM Wireless Administrator <[email protected]> wrote:

> Am I correct to assume that input firewall rules limiting access to the
> router (Network Admin static IP) minimizes/eliminates the exposure or does
> this hack somehow bypass filter rules?
>
> Steve B.
>
> *From:* AF [mailto:[email protected]] *On Behalf Of *Dave
> *Sent:* Tuesday, July 17, 2018 4:07 PM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
>
> My power router v4 is still on 6.27 because of some hardware driver issue
> for support of sfp modules.
> Last time I made the move to upgrade to 6.40 all of my sfp ports started
> flapping and would not stabilize no matter what I tried.
> I've been watching the change logs and it seems there were some driver
> upgrades between 6.39 -6.42
>
> I have ordered all new sfp modules in hopes of correcting this on the next
> upgrade.
>
> On 07/17/2018 08:43 AM, Dennis Burgess wrote:
>
> Correct, need to get those updated.
>
> *Dennis Burgess, Mikrotik Certified Trainer *
> Author of "Learn RouterOS- Second Edition"
> *Link Technologies, Inc* -- Mikrotik & WISP Support Services
> *Office*: 314-735-0270 Website: http://www.linktechs.net
> Create Wireless Coverage’s with www.towercoverage.com
>
> *From:* AF <[email protected]> <[email protected]> *On Behalf Of *Nick W
> *Sent:* Tuesday, July 17, 2018 5:45 AM
> *To:* [email protected]
> *Subject:* Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
>
> Based on those versions you listed, it sounds like the Winbox
> vulnerability described here:
> https://forum.mikrotik.com/viewtopic.php?t=133533
>
> Password complexity isn't really the issue since they could connect and
> download the unencrypted user database file. Firewall off Winbox and/or
> upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.
>
> On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <[email protected]> wrote:
>
> I just happened to be looking through the Logs of a couple Mikrotiks
> that I didn't have Winbox Firewalled off From the outside world. Someone
> from the outside world logged into winbox today. I had what I 'thought'
> were strong passwords on them. The only active service on the router is
> the Winbox Service.
>
> The only changes that were made was they enabled the 'socks' server, and
> added input firewall rule for the socks port. They were in and out of
> the router in a matter of seconds, so it looks like it was scripted
> somehow.
>
> I'm going through now and changing passwords and verifying all routers
> are locked from the outside. On the routers that I've found this on,
> all the logins were sourced from this same IP Address. So far the
> affected routers I've found were running versions 6.39-6.41.3
>
> Might be a good time to check your logs and access controls.
>
> jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
> jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
> jul/15 02:29:18 system,info socks config changed by admin
> jul/15 02:29:18 system,info filter rule added by admin
> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
>
> --
> AF mailing list
> [email protected]
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com

--
Tim Cailloux
Southern Internet -- Locally Owned and Operated
[email protected]
(404) 406-9911
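The log excerpt quoted in this thread shows a pattern that can be checked for automatically: a login from an outside address followed within seconds by configuration changes made by the same user. The Python script below is an added example, not part of the original thread; it flags that pattern in exported RouterOS log text. The trusted network 192.0.2.0/24, the 60-second window, the year and the function names are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed input: the log lines quoted in the thread, with wrapped lines rejoined.
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
"""

LOGIN = re.compile(r"user (\S+) logged in from (\S+) via (\S+)")
# Only the two change messages that appear in the thread are matched.
CHANGE = re.compile(r"^(.+ (?:changed|added)) by (\S+)$")

def is_trusted(src, nets):
    try:
        return any(ipaddress.ip_address(src) in n for n in nets)
    except ValueError:              # source is not an IP literal: treat as untrusted
        return False

def flag_untrusted_changes(log_text, trusted_nets, window_s=60, year=2018):
    """Report config changes made within window_s of a login from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    last_login = {}                 # user -> (time, source) of latest untrusted login
    findings = []
    for line in log_text.splitlines():
        parts = line.strip().split(" ", 3)
        if len(parts) < 4:
            continue
        stamp, clock, _topics, msg = parts
        try:                        # the log carries no year, so one is assumed
            when = datetime.strptime(f"{year}/{stamp} {clock}", "%Y/%b/%d %H:%M:%S")
        except ValueError:
            continue                # skip lines that do not start with a timestamp
        if (m := LOGIN.search(msg)):
            user, src, _service = m.groups()
            if not is_trusted(src, nets):
                last_login[user] = (when, src)
        elif (m := CHANGE.search(msg)) and m.group(2) in last_login:
            t0, src = last_login[m.group(2)]
            delta = int((when - t0).total_seconds())
            if 0 <= delta <= window_s:
                findings.append({"user": m.group(2), "source": src,
                                 "change": m.group(1), "seconds_after_login": delta})
    return findings

if __name__ == "__main__":
    for f in flag_untrusted_changes(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(f)
```

RouterOS attributes a change to a user name rather than to a session, so a finding means the change coincided with an untrusted login for that user, not that the session is proven to have made it.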
