Merai/Meris attack via MikroTiks?
Have just read this and am a bit confused.

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

I can't figure out whether the attackers are abusing Mikrotik features that the owner has not disabled or blocked, or whether this is an actual vulnerability - i.e., something exploitable even if the owner of the device has followed best practice.

Does anyone have more information about this issue? Is it even an issue at all?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 9FB6 C08F 91CB 5093 30EF 3E2F 8C94 EEBD 117C 4A10
Old fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Friday, 10 September 2021 9:03 AM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Merai/Meris attack via MikroTiks?

Have just read this and am a bit confused.

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

I can't figure out whether the attackers are abusing Mikrotik features that the owner has not disabled or blocked, or whether this is an actual vulnerability - i.e., something exploitable even if the owner of the device has followed best practice.

Does anyone have more information about this issue? Is it even an issue at all?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 9FB6 C08F 91CB 5093 30EF 3E2F 8C94 EEBD 117C 4A10
Old fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254

It is difficult to be certain based on the detail provided, but the general points provide some simple diagnostics to check for a potential infection:

1. If the socks service is not running, then you're probably OK.
2. Add an input filter rule to match TCP port 5678 (neighbour discovery is UDP, so there is no valid reason why your routers should be accepting TCP on that port) and log the hits.
3. btest server running and accessible from remote.

According to the report, all three points will be present for an infected device.

Regarding "is it something that can happen even if the owner followed best practice", my assessment is 'probably not' - because if you are following best practice, your firewall will not accept any /input/ packets on /any/ port that are initiated (new) on insecure interfaces or from unknown remote addresses.

Cheers! Mike.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
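As an added example (not part of Mike's reply or anything the list itself published), a RouterOS script that walks the three checks Mike lists and installs his suggested input rule for TCP/5678. It assumes an interface list named WAN exists (in-interface-list needs RouterOS 6.36 or later); adjust that name to your own setup.

```routeros
# Added example, not from the thread. Checks the three indicators from the
# reply above and adds a logging/drop rule for TCP/5678 on the input chain.
# Assumption: an interface list named "WAN" holds your untrusted interfaces.

# Check 1: the SOCKS service should be disabled unless you knowingly use it.
:if ([/ip socks get enabled]) do={
    :log warning "check: SOCKS service is enabled (see /ip socks print)"
    :put "SOCKS enabled - review /ip socks and /ip socks access"
}

# Check 3: the bandwidth-test server should also be off unless you use it.
:if ([/tool bandwidth-server get enabled]) do={
    :log warning "check: bandwidth-test server is enabled (see /tool bandwidth-server print)"
    :put "btest server enabled - consider /tool bandwidth-server set enabled=no"
}

# Check 2: log (and drop) new inbound TCP connections to port 5678 arriving on WAN.
# Neighbour discovery uses UDP/5678, so TCP hits on this port deserve a look.
# The comment makes the script idempotent: the rule is added only once.
:if ([:len [/ip firewall filter find comment="log-tcp5678"]] = 0) do={
    /ip firewall filter add chain=input protocol=tcp dst-port=5678 connection-state=new in-interface-list=WAN action=drop log=yes log-prefix="tcp5678" comment="log-tcp5678" place-before=0
    :put "added input rule logging TCP/5678 hits with prefix tcp5678"
}
```

Hits from the rule can be reviewed with `/log print where message~"tcp5678"`; the two service checks only report, they do not change the configuration.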
participants (2)

- Karl Auer
- Mike Everest