I have a burn-in box - running 6.42 that I neglected to block 8291 on. My logs show a single failed auth attempt and 1 second later a successful log in. After that they disabled all the firewall rules, all service ports (except winbox) and then uploaded some files. This is definitely something different than a brute force...
On 23 Apr 2018, at 17:04, Mike Everest <mike@duxtel.com> wrote:
Hi Tim, thanks for posting!
MikroTik themselves made an official announcement about it a few weeks back, and there has been much discussion about it (even in this list I think?)
To be honest, I'm amazed that RouterOS has been able to remain inconspicuous for so long and why this has not happened before now is a total mystery to me ;-) I regularly present MTCNA certification training a couple of times a year, and when we get to the topic about securing RouterOS admin interfaces I always make a point of talking about how leaving port 22 open gives a literally 100% chance of taking brute force crack attempts within hours (or minutes!) of the router getting a public address. In the same breath, I also mention that it is only a matter of time before those crack attempts start attempting 'admin/blank' blank credentials too - now I can say it is already happening! ;-)
There are two points worth noting about this recent activity:
1) it is very probably attempts to exploit 'slingshot' vulnerability that has been widely reported recently
2) it is here to stay - so YES, lock down the ports (should always be doing it anyway ;)
Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Timothy Neilen
Sent: Monday, 23 April 2018 4:19 PM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] [BYPASS} Potential external Winbox vulnerability
A colleague passed this one to me from the Mikrotik forums (https://forum.mikrotik.com/viewtopic.php?f=2&t=133438).
Might be an idea to block access to 20, 80, 8291 externally unless from trusted sources if you don't already.
TN
Regards,
Timothy Neilen - Systems Engineer | +61 7 3123 7929
Answers IT | 6/192 Evans Road
Ph +61 7 3123 7929 | www.answersit.com.au
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
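The log pattern reported at the top of this thread (a single failed authentication followed one second later by a successful login, unlike a long brute-force run) can be searched for in exported router logs. The following is an added example, not written by any participant in the thread; the log line layout and every sample line are constructed assumptions, and the function names and thresholds are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Assumed layout of an exported log line (an assumption, not taken from the thread):
#   <mon>/<day> <hh:mm:ss> <topics> <message>
LINE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?:login failure for user (?P<fuser>\S+)|user (?P<suser>\S+) logged in)"
    r" from (?P<src>\S+) via (?P<svc>\S+)$"
)

# Constructed sample; addresses come from documentation ranges.
SAMPLE_LOG = """\
apr/23 15:58:10 system,error,critical login failure for user admin from 198.51.100.7 via ssh
apr/23 15:58:11 system,error,critical login failure for user root from 198.51.100.7 via ssh
apr/23 15:58:12 system,error,critical login failure for user admin from 198.51.100.7 via ssh
apr/23 15:59:40 system,info,account user admin logged in from 192.0.2.10 via winbox
apr/23 16:01:02 system,error,critical login failure for user admin from 203.0.113.5 via winbox
apr/23 16:01:03 system,info,account user admin logged in from 203.0.113.5 via winbox
"""

def parse(log_text, year=2018):
    """Yield (timestamp, kind, user, source, service) for each login event."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a login event, or a layout this parser does not know
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b/%d %H:%M:%S")
        kind = "fail" if m["fuser"] else "ok"
        yield ts, kind, m["fuser"] or m["suser"], m["src"], m["svc"]

def suspicious_logins(log_text, window=timedelta(seconds=2),
                      lookback=timedelta(minutes=10), max_failures=2):
    """Flag successes that follow only one or two failures almost immediately."""
    failures = {}  # (source, service) -> timestamps of failed attempts
    hits = []
    for ts, kind, user, src, svc in parse(log_text):
        key = (src, svc)
        if kind == "fail":
            failures.setdefault(key, []).append(ts)
            continue
        recent = [f for f in failures.get(key, []) if ts - f <= lookback]
        # A few failures then instant success is not what password guessing looks like.
        if 1 <= len(recent) <= max_failures and ts - recent[-1] <= window:
            hits.append((ts.strftime("%H:%M:%S"), user, src, svc, len(recent)))
    return hits

if __name__ == "__main__":
    print(suspicious_logins(SAMPLE_LOG))
```

A hit from an address outside the management network is a reason to review the device's firewall rules, enabled services and stored files for changes.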