New Mikrotik exploit being reported

r00igev@@r


Have asked to join the facebook group mentioned but I don't have any mikrotiks direct on the Internet.
 
Hmmm,

I've disabled both admin and SSH access. Getting really worried about Mikrotik vulnerabilities.

Both my 2 routers haven't been affected.
 
We had a handful of client devices (all MT) get hit by this same thing last night, and I thought to come here to see if anyone else did and sure enough!

The attacker/bot/whatever is getting in via SSH. The source IP of the SSH login in every case so far seems to be 109.251.192.80, but the DNS redirect was to the same IP mentioned in Tim's original post.

The attacker logged in as 'admin'. The crazy part is that many of these routers had different admin passwords. And some were running 6.45+. So at this time I am thinking this might be a zero-day of some kind.

It's possible that the exploit isn't accomplished through SSH but something else, and the SSH login is achieved as a result somehow. So far, on most of these routers, it appears that 'www' service was enabled and not restricted or firewalled off.

I have to believe this is a bot because most of the ones that got hit also got hit multiple times (the same NAT rules were added more than once).
Seems black-holing 109.251.192.80 will work?
 
Yes, Freenet in Kiev:

More Information

  • Internet Service Provider: Freenet Ltd.
  • Domain: freenet.com.ua
  • Connection Speed: DSL (Broadband/Cable/Fibre)
  • IDD Prefix: 380
  • Area Code: 044
  • Country Phone Number: -
  • Mobile Network Code: -
  • Mobile Brand: -
  • Usage Type: ISP (Fixed Line ISP)
  • More: 109.251.192.80 Details, 109.251.192.80 Whois
 
I have an explicit filter rule to drop port 1022 (ssh) and 8291 (winbox) packets coming from the Internet. It has blocked 18,000 packets in the last couple of months.
 
And if we disabled SSH and winbox from net? Consensus that this stops it for now?

Starting to get gatvol of these mikrotik vulnerabilities. Considering using pfSense as my gateway router now.

Don't have/use facebook so can't see what people are saying. Anything from mikrotik themselves?
 
And if we disabled SSH and winbox from net? Consensus that this stops it for now?

Starting to get gatvol of these mikrotik vulnerabilities. Considering using pfSense as my gateway router now.

Don't have/use facebook so can't see what people are saying. Anything from mikrotik themselves?
I have all my network devices only accessible from a vps (debian) using a whitelist. All other traffic is dropped.
I use softether and log onto the vps using certs. The vps has a blocklist of all abuse and attacking IPs. About 75000 to 80000 unique ones per day. Only use winbox with no ssh.
Haven't seen any MT response yet.
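A RouterOS configuration along the lines several posters describe (management reachable only from one whitelisted address, everything else dropped on the WAN side), added here as an example and not taken from any post. The 203.0.113.10 management address and the WAN interface list name are placeholders; adjust them before use.

```routeros
# Placeholder management host (e.g. the VPS you jump from); replace with your own.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="management jump host (placeholder)"

# Turn off services that are not needed and bind the rest to the management host only.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=203.0.113.10/32
set winbox address=203.0.113.10/32

# Input chain: accept established traffic, accept management from the whitelist,
# then drop management ports arriving on any interface in the WAN list.
# Assumes an interface list named WAN already exists (/interface list).
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="allow replies"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed \
    comment="management from whitelisted host only"
add chain=input action=drop in-interface-list=WAN protocol=tcp \
    dst-port=22,23,80,443,8291,8728,8729 comment="drop management ports from WAN"
```

The drop counters on the last rule (/ip firewall filter print stats) give the same kind of "packets blocked" figure mentioned earlier in the thread, which is a cheap way to confirm the rule is actually matching.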
 
Hmmm, 1 of my remote routers got its FW rules deleted. Disabled and locked down everything. Created what I thought were strong firewall rules.

Removing MT as my WAN edge devices.
 
Saw this reported last week on Reddit - checked router and nothing seemed amiss but will recheck today. Generally have all 'from-net' traffic disabled but obvs need to add more security
 
Connected a blank router to the FTTH connection at home... within minutes it was under attack... they kept trying to SSH/Telnet into the thing.
I've disabled all inbound listening ports on the device and that seems to solve it
 
Connected a blank router to the FTTH connection at home... within minutes it was under attack... they kept trying to SSH/Telnet into the thing.
I've disabled all inbound listening ports on the device and that seems to solve it
I'm not sure what you were expecting. Mikrotik logs this stuff, other brands probably don't show logs for it, or have it blocked by default. Either way, according to Mikrotik themselves, you should never have your management tools exposed to the internet.
 
Connected a blank router to the FTTH connection at home... within minutes it was under attack... they kept trying to SSH/Telnet into the thing.
I've disabled all inbound listening ports on the device and that seems to solve it
We've had freshly commissioned servers being brute-force attempted within hours of them being started on standard ports
Bots are just trawling IP ranges and probing
 
Is this issue still present, or has it been patched?
 
I'm not sure what you were expecting. Mikrotik logs this stuff, other brands probably don't show logs for it, or have it blocked by default. Either way, according to Mikrotik themselves, you should never have your management tools exposed to the internet.
+1
 