Mikrotik : Potential Zero day

PPLdude

PPLdude

Expert Member
Joined
Oct 3, 2011
Messages
1,716
Reaction score
663
Location
South
Information can be found here:

Blog — Mēris botnet, climbing to the record

End of June 2021, Qrator Labs started to see signs of a new assaulting force on the Internet – a botnet of a new kind. That is a joint research we conducted together with Yandex to elaborate on the specifics of the DDoS attacks enabler emerging in almost real-time.
blog.qrator.net blog.qrator.net

Port in question:

tcp 5678


I'd close this port for now. Looks like all versions are in question.
 
If you port scan and see tcp 5678 is open on your mikrotik, it might be a sign that you've been compromised
 
Are people specifically opening up their input rules to allow this? default config only allows established connections
 
Leno said:
Are people specifically opening up their input rules to allow this? default config only allows established connections
Click to expand...

If it's open, then the device was probably compromised years ago. See here for more information about IOC:

forum.mikrotik.com

Mēris botnet information

Many of you have asked, what is this Mēris botnet that some news outlets are discussing right now, and if there is any new vulnerability in RouterOS. As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability, that was...
forum.mikrotik.com forum.mikrotik.com
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X