Damn! Just saw that too - just when we were talking about unknown unknowns too :-l More reasons to protect those admin interfaces! :-o Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Shane Clay
Sent: Monday, 23 April 2018 10:00 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
Posted by Mikrotik on their forums today... This is probably what you are seeing and why it didn't require a "brute force":
https://forum.mikrotik.com/viewtopic.php?f=21&t=133533
Shane
On 23/4/18, 5:52 pm, "Public on behalf of Tim Warnock" <public-bounces@talk.mikrotik.com.au on behalf of timoid@timoid.org> wrote:
I have a burn-in box - running 6.42 that I neglected to block 8291 on.
My logs show a single failed auth attempt and 1 second later a successful log in.
After that they disabled all the firewall rules, all service ports (except winbox) and then uploaded some files.
This is definitely something different than a brute force...
> On 23 Apr 2018, at 17:04, Mike Everest <mike@duxtel.com> wrote:
>
> Hi Tim, thanks for posting!
>
> MikroTik themselves made an official announcement about it a few weeks back, and there has been much discussion about it (even in this list I think?)
>
> To be honest, I'm amazed that RouterOS has been able to remain inconspicuous for so long and why this has not happened before now is a total mystery to me ;-) I regularly present MTCNA certification training a couple of times a year, and when we get to the topic about securing routerOS admin interfaces I always make a point of talking about how leaving port 22 open gives a literally 100% chance of taking brute force crack attempts within hours (or minutes!) of the router getting a public address. In the same breath, I also mention that it is only a matter of time that those crack attempts start attempting 'admin/blank' blank credentials too - now I can say it is already happening! ;-)
>
> There are two points worth noting about this recent activity:
>
> 1) it is very probably attempts to exploit 'slingshot' vulnerability that has been widely reported recently
> 2) it is here to stay - so YES, lock down the ports (should always be doing it anyway ;)
>
> Cheers!
>
> Mike.
>
>> -----Original Message-----
>> From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Timothy Neilen
>> Sent: Monday, 23 April 2018 4:19 PM
>> To: public@talk.mikrotik.com.au
>> Subject: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
>>
>> A colleague passed this one to me from the Mikrotik forums (https://forum.mikrotik.com/viewtopic.php?f=2&t=133438).
>>
>> Might be an idea to block access to 20, 80, 8291 externally unless from trusted sources if you don't already.
>>
>> TN
>>
>> Regards,
>> Timothy Neilen - Systems Engineer | +61 7 3123 7929
>> Answers IT | 6/192 Evans Road
>> Ph +61 7 3123 7929 | www.answersit.com.au
>> _______________________________________________
>> Public mailing list
>> Public@talk.mikrotik.com.au
>> http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
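Tim's log excerpt above (one failed Winbox auth, a successful login one second later, then firewall rules and services switched off) is a useful detection pattern: a real brute force leaves a storm of failures, whereas one failure followed almost immediately by success from a source you do not recognise, and then configuration changes, is what a bypass looks like in the log. The script below is an added example written for this thread, not something posted to the list or shipped by MikroTik. It runs over constructed log lines in a RouterOS-like "date time topics message" layout (the exact wording of the login and "changed by" messages is approximated from RouterOS output, and the addresses are documentation placeholders), and reports logins from untrusted sources that were preceded by only a handful of failures within a few seconds or were followed by configuration changes by the same user.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the sequence Tim describes. Source addresses
# are placeholders from the documentation ranges, not real attacker or admin IPs.
SAMPLE_LOG = """\
apr/23 17:31:02 system,error,critical login failure for user admin from 203.0.113.45 via winbox
apr/23 17:31:03 system,info,account user admin logged in from 203.0.113.45 via winbox
apr/23 17:31:09 system,info filter rule changed by admin
apr/23 17:31:10 system,info filter rule changed by admin
apr/23 17:31:15 system,info service changed by admin
apr/23 17:40:00 system,info,account user admin logged in from 192.0.2.10 via winbox
apr/23 17:40:30 system,info,account user admin logged out from 192.0.2.10 via winbox
"""

WINDOW_BEFORE = timedelta(seconds=10)   # failure-to-success gap that is "too fast"
WINDOW_AFTER = timedelta(minutes=5)     # changes this soon after login are tied to it
MAX_FAILURES = 3                        # more than this looks like ordinary brute force

LINE_RE = re.compile(r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)")
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<svc>\S+)")
CHANGE_RE = re.compile(r"(?:changed|added|removed) by (?P<user>\S+)")


def parse(text, year=2018):
    """Turn RouterOS-style log lines into (timestamp, topics, message) tuples.
    RouterOS omits the year, so the caller supplies it (assumption for the example)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b/%d %H:%M:%S %Y")
        events.append((ts, m["topics"], m["msg"]))
    return events


def find_suspicious_logins(text, trusted_sources=(), year=2018):
    """Return one finding per successful login from an untrusted source that was
    preceded by 1..MAX_FAILURES failures inside WINDOW_BEFORE (not a brute-force
    storm) or followed by configuration changes by that user inside WINDOW_AFTER."""
    events = parse(text, year)
    findings = []
    for i, (ts, _topics, msg) in enumerate(events):
        ok = OK_RE.search(msg)
        if not ok:
            continue
        user, src, svc = ok["user"], ok["src"], ok["svc"]

        # Failures for the same user and source shortly before the success.
        failures = 0
        for pts, _t, pmsg in events[:i]:
            f = FAIL_RE.search(pmsg)
            if f and f["user"] == user and f["src"] == src and ts - pts <= WINDOW_BEFORE:
                failures += 1

        # Configuration changes attributed to that user shortly after the login.
        changes = 0
        for nts, _t, nmsg in events[i + 1:]:
            if nts - ts > WINDOW_AFTER:
                break
            c = CHANGE_RE.search(nmsg)
            if c and c["user"] == user:
                changes += 1

        untrusted = src not in trusted_sources
        if untrusted and (1 <= failures <= MAX_FAILURES or changes > 0):
            findings.append({
                "time": ts.isoformat(),
                "user": user,
                "src": src,
                "service": svc,
                "failures_before": failures,
                "changes_after": changes,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG, trusted_sources=("192.0.2.10",)):
        print(finding)
```

On the constructed sample the only finding is the 17:31:03 login from 203.0.113.45 (one failure a second earlier, three changes afterwards); the later login from the trusted management host is ignored, and would also be ignored with an empty trusted list because it had neither a preceding failure nor any changes. Feeding the output of `/log print` into the script is the natural way to run it; the point of the trusted-source list is the same as Timothy's advice, in that admin access from anywhere else should be both blocked at the firewall and alerted on if it ever succeeds.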