I had an unpatched Mikrotik that was an unintentional honeypot (no customer traffic; just sitting on an 18-month-old release with a public IP), and saw:

* DNS changed
* Local logging disabled
* Remote logging enabled with all logs shipped offsite
* SOCKS enabled
* Additional users created
* Scheduled tasks created
* Scripts added
* Files added
* Firewall rules added/modified

tim

On Mon, Oct 15, 2018 at 1:21 PM Ken Hohhof <[email protected]> wrote:

> We’ve had a handful of customer routers leased from us that we somehow
> weren’t billing for, and therefore were off our radar and not getting
> updated. Until recently, we would be able to log into the hacked router
> remotely, remove the SOCKS proxy and a few other items, update the
> firmware, and all was good. There might have been a second admin account
> added, but we could just delete it.
>
> More recently, we’ve found a few that we’ve been locked out of; our login
> credentials don’t work. We still have SNMP read access, and can see that
> the firmware has been updated. Maybe it’s the guy in the article. If so,
> I don’t think he’s doing us any favors. Basically we end up shipping the
> customer a whole new router, because it’s simpler than picking up the old
> one, bringing it back and doing a netinstall (once it’s been hacked this
> bad I don’t trust any other method), then configuring it and getting it
> back to the customer. So all this guy is doing is costing us a bunch of
> money replacing routers. I don’t like the vigilante’s assumption that the
> fix is to firewall the router so only the customer can manage it; that’s
> not helpful if the customer expects the ISP to be able to access the
> router. The article says he is installing firewall rules, but what I’m
> seeing is credentials changed, so maybe there’s more than one vigilante?
>
> I also think the description of what the hacked routers are being used for
> is not correct, at least that’s not what I’ve seen on our customer routers
> that have been hacked. I haven’t seen any evidence of cryptocurrency
> mining or DNS redirection. I think they are being used as proxy servers to
> stream video from the US to other countries. That would explain the SOCKS
> proxy and the upstream traffic around what a Netflix or Hulu stream would
> use.
>
> From: AF <[email protected]> On Behalf Of Eric Muehleisen
> Sent: Monday, October 15, 2018 9:48 AM
> To: [email protected]
> Subject: [AFMUG] A mysterious grey-hat is patching people's outdated MikroTik routers
>
> https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/
>
> Alright! Which one of you guys is this?
>
> --
> AF mailing list
> [email protected]
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com

--
Tim Cailloux
Southern Internet -- Locally Owned and Operated
[email protected]
(404) 406-9911

--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
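One way to check a router for the indicators in the list at the top of this message, as added example code rather than anything posted to the thread or shipped by MikroTik: it parses the text of a RouterOS /export and reports each indicator it finds, run here against a constructed sample. EXPECTED_DNS and EXPECTED_USERS are assumed allowlists for the ISP's own resolvers and accounts (not values from the thread), and files are left to /file print since they are not part of an export.

```python
import shlex

EXPECTED_DNS = {"192.0.2.10", "192.0.2.11"}    # assumption: the ISP's own resolvers
EXPECTED_USERS = {"admin", "isp-noc"}          # assumption: the ISP's own admin accounts
def parse_export(text):
    """Yield (menu path, verb, {key: value}) for each command line of a RouterOS /export."""
    path, buf = "", ""
    for raw in text.splitlines():
        line, buf = buf + raw.strip(), ""
        if not line or line.startswith("#"):   # export header lines are comments
            continue
        if line.endswith("\\"):                # long commands wrap with a trailing backslash
            buf = line[:-1] + " "
            continue
        if line.startswith("/"):               # a bare menu path applies to the lines below it
            path = line
            continue
        verb, *args = shlex.split(line)        # shlex handles quoted values such as source="..."
        yield path, verb, dict(a.split("=", 1) for a in args if "=" in a)

def audit(text):
    """Return one string per indicator hit. Files are not in an export; check /file print separately."""
    out = []
    for path, verb, kv in parse_export(text):
        if path == "/ip dns" and (bad := set(kv.get("servers", "").split(",")) - EXPECTED_DNS - {""}):
            out.append(f"DNS changed: {sorted(bad)}")
        elif path == "/ip socks" and kv.get("enabled") == "yes":
            out.append(f"SOCKS enabled on port {kv.get('port', '1080')}")
        elif path == "/system logging" and (kv.get("disabled") == "yes" or kv.get("action") == "remote"):
            out.append(f"logging changed: {verb} {kv}")   # local rule disabled or logs shipped offsite
        elif path == "/user" and verb == "add" and kv.get("name") not in EXPECTED_USERS:
            out.append(f"unexpected user {kv.get('name')}")
        elif path in ("/system scheduler", "/system script") and verb == "add":
            out.append(f"{path} entry {kv.get('name')}")
    return out
SAMPLE_EXPORT = """\
# constructed sample export, not a capture from a real router
/ip dns
set servers=203.0.113.53,192.0.2.10
/ip socks
set enabled=yes port=4153
/system logging
set 0 disabled=yes
add action=remote topics=info
/system script
add name=svc source=":log info svc"
/user
add group=full name=service password=placeholder
"""
```

Pull the export with /export on the router (or over SSH) and call audit() on it; an empty list means none of the listed indicators matched, but a firewall change still needs a diff against a known-good export.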
