New RouterOS Vulnerability?

RouterOS general discussion
marioclep
Trainer
Posts: 144
Joined: Sat Jul 11, 2009 2:36 pm
Location: Cordoba - Argentina

New RouterOS Vulnerability?

Post by marioclep »

Hello guys! It's been a long time since I last wrote in this forum.

Yesterday I got contacted by 4 different users, all with the same problem: all the full users became read-only and there is a new "X" user with full privileges.
[attached screenshot: Captura de Pantalla 2024-05-13 a la(s) 18.05.28.png]
So far I've seen it on RouterOS versions 6.49.7, 6.49.10, 6.48.5 and 6.48.6. The only service exposed to public interfaces is Winbox in the default port.

Can't tell if the admin pass was weak.

Has anyone else experienced the same?

The only thing we can do is netinstall the unit and restore latest backup (and add more restricted firewall now, of course).

Thanks in advance!
erlinden
Forum Guru
Posts: 2060
Joined: Wed Jun 12, 2013 11:59 am
Location: Netherlands

Re: New RouterOS Vulnerability?

Post by erlinden »

Besides the described restore plan, you might as well want to consider closing the Winbox port. Using vpn would add an additional layer of security.

And disable the admin account, after creating the correct accounts.
infabo
Forum Veteran
Posts: 828
Joined: Thu Nov 12, 2020 11:07 am

Re: New RouterOS Vulnerability?

Post by infabo »

Does the system log contain a successful login by admin user before all that happened what your history shows?
marioclep
Trainer
Posts: 144
Joined: Sat Jul 11, 2009 2:36 pm
Location: Cordoba - Argentina

Re: New RouterOS Vulnerability?

Post by marioclep »

erlinden wrote: Tue May 14, 2024 11:38 am Besides the described restore plan, you might as well want to consider closing the Winbox port. Using vpn would add an additional layer of security.

And disable the admin account, after creating the correct accounts.
Yes! Disabling IP Services, moving the default ports to new ones, protect them from unknown IP Addresses, improve firewall. All of this will be done now, but the question is... is this a new vulnerability / attack or has anyone seen this before?
anav
Forum Guru
Posts: 19944
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: New RouterOS Vulnerability?

Post by anav »

Your post is somewhat confusing: you are asking for assistance on routers that don't appear to be under your monitoring or config responsibilities...
Why is this your problem???

In any case, without knowing how the configs were setup with some detail, it is not really possible to say much.
Yes, netinstall is the only way to proceed at this point for each router.
6.49.13 long term stable or the latest 7 version for better security, if you want to switch versions.
Last edited by anav on Tue May 14, 2024 12:05 pm, edited 1 time in total.
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

some obvious red flags

1. old version
2. winbox port open to world
3. "admin" user used
marioclep
Trainer
Posts: 144
Joined: Sat Jul 11, 2009 2:36 pm
Location: Cordoba - Argentina

Re: New RouterOS Vulnerability?

Post by marioclep »

infabo wrote: Tue May 14, 2024 11:42 am Does the system log contain a successful login by admin user before all that happened what your history shows?
[attached screenshot: Captura de Pantalla 2024-05-14 a la(s) 07.55.18.png]
anav
Forum Guru
Posts: 19944
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: New RouterOS Vulnerability?

Post by anav »

erlinden wrote: Tue May 14, 2024 11:38 am Besides the described restore plan, you might as well want to consider closing the Winbox port. Using vpn would add an additional layer of security.

And disable the admin account, after creating the correct accounts.
CONSIDER?, are you mad?
Let me rephrase that LOL
CONSIDER? You are bongo nutso!

This is a MUST SHALL DO, it is probably the vector for compromise.
The only secure method of accessing winbox, aka the config, is internally from the LAN, via LAN user or incoming VPN users (as in wireguard for example )
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

we need as many supout.rif files as you can get. send them to support, not the forum
anav
Forum Guru
Posts: 19944
Joined: Sun Feb 18, 2018 10:28 pm
Location: Nova Scotia, Canada

Re: New RouterOS Vulnerability?

Post by anav »

If the router has been compromised, assuming NORMIS or others would know??

I mean besides netinstall and using VPN to access config externally, and
a. changing admin user to something not default
b. changing winbox port to something not default

What actions may have to be done on all devices behind that router?
People PCs for example?
What are the ramifications to the users behind the router and what actions they should take ???
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

Generic advice:

Obviously there are no known vulnerabilities right now. It does not mean something will not be discovered in the future. So always make a new user, and delete admin. Disable all services to internet, only allow strong VPN, and also protect the router from LAN if there are regular users there. Some Windows malware can also be used to bruteforce your router login.

Mario: send your RIF files to support@ please
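The steps in this post (new non-default user, delete admin, no services facing the internet, VPN only, protect the router from the LAN), together with the log check infabo asked for and the verbose export a read-only user can still produce, written out as RouterOS terminal commands. This is an added example, not commands posted by normis or anyone else in the thread. The interface names (ether1, bridge, wireguard1), the management subnets and the WireGuard port are constructed placeholders; the WireGuard lines assume RouterOS 7, and the firewall rules assume a fresh post-netinstall configuration with no existing input chain rules.

```routeros
# --- Triage from a read-only session (collect for support, do not post publicly) ---
# Account events are logged as "user <name> logged in from <ip> via <service>";
# a login "via telnet" or "via api" from a public address is the finding discussed in this thread
/log print where message~"logged in"
# Unexpected member of group=full is the symptom reported here (full users demoted, new "X" user)
/user print
# Verbose config export works without write rights, unlike generating supout.rif
/export verbose file=compromised-config

# --- Hardening after netinstall (run from a LAN-side session) ---
# 1. Non-default full user first, then remove the built-in "admin"
/user add name=ops-admin group=full password="<long-unique-passphrase>"
/user remove admin

# 2. Disable management services that are not needed at all
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl

# 3. Bind the remaining services to management networks only (LAN + VPN, constructed subnets)
/ip service set winbox address=192.168.88.0/24,10.200.0.0/24
/ip service set ssh address=192.168.88.0/24,10.200.0.0/24

# 4. Input firewall: interface lists keep the rules readable and survive port changes.
#    If regular users share the LAN, put only a management VLAN in MGMT, not the whole bridge.
/interface list add name=WAN comment="internet-facing"
/interface list add name=MGMT comment="allowed to reach router services"
/interface list member add list=WAN interface=ether1
/interface list member add list=MGMT interface=bridge
/interface list member add list=MGMT interface=wireguard1
/ip firewall filter add chain=input connection-state=established,related action=accept comment="existing sessions"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface-list=MGMT action=accept comment="management only from LAN/VPN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=51820 action=accept comment="WireGuard is the only WAN listener"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="everything else from the internet"
```

With this layout Winbox is never reachable from the WAN side regardless of which port it listens on, so changing the port becomes a noise-reduction measure rather than the control itself; the first `/log print` line is also the quickest way to confirm, on a device that is still trusted, that no login ever arrived "via telnet" or "via api" from outside the management ranges.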
baragoon
Member
Posts: 329
Joined: Thu Jan 05, 2017 9:38 am
Location: Kyiv, UA

Re: New RouterOS Vulnerability?

Post by baragoon »

Mikrotik certified trainer with telnet exposed from WAN.
Say no more...
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

to be fair, he said those are not his routers, but random people that contacted him
marioclep
Trainer
Posts: 144
Joined: Sat Jul 11, 2009 2:36 pm
Location: Cordoba - Argentina

Re: New RouterOS Vulnerability?

Post by marioclep »

normis wrote: Tue May 14, 2024 11:59 am we need as many supout.rif files as you can get. send them to support, not the forum
Hi Normis! Can't create a supout.rif file now. All the users have read-only access.
marioclep
Trainer
Posts: 144
Joined: Sat Jul 11, 2009 2:36 pm
Location: Cordoba - Argentina

Re: New RouterOS Vulnerability?

Post by marioclep »

baragoon wrote: Tue May 14, 2024 12:09 pm Mikrotik certified trainer with telnet exposed from WAN.
Say no more...
Can you read the entire post before saying something else? Those are not my routers! I got contacted yesterday!
abbio90
Member Candidate
Posts: 284
Joined: Fri Aug 27, 2021 7:16 pm

Re: New RouterOS Vulnerability?

Post by abbio90 »

It happened to me accidentally that by leaving the admin user and blank password I created a pppoe and they logged in with admin via API and created a new user and disabled the admin one. I was distracted by something else and it happened right under my nose. But I unplugged the routerboard and recovered. You need to have an extra eye on safety. After you enter the house before you succeed, secure everything so that only you can enter when you return.
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

if they have read-only, they can make a full verbose export in the terminal and send us the config at least
infabo
Forum Veteran
Posts: 828
Joined: Thu Nov 12, 2020 11:07 am

Re: New RouterOS Vulnerability?

Post by infabo »

marioclep wrote: Tue May 14, 2024 12:23 pm
baragoon wrote: Tue May 14, 2024 12:09 pm Mikrotik certified trainer with telnet exposed from WAN.
Say no more...
Can you read the entire post before saying something else? Those are not my routers! I got contacted yesterday!
To be fair, you didn't mention anywhere that these "4 users" are not in an existing customer relationship with you, and therefore, the routers in question are not ones you are managing or have configured.
infabo
Forum Veteran
Posts: 828
Joined: Thu Nov 12, 2020 11:07 am

Re: New RouterOS Vulnerability?

Post by infabo »

marioclep wrote: Tue May 14, 2024 11:56 am
infabo wrote: Tue May 14, 2024 11:42 am Does the system log contain a successful login by admin user before all that happened what your history shows?
Screenshot showing "logged in via telnet"
Well, Logins via WinBox say "logged in via winbox". So the public facing Winbox port was not the entrypoint? Or has WinBox some hidden feature to connect as telnet?
marioclep wrote: Tue May 14, 2024 11:35 am The only service exposed to public interfaces is Winbox in the default port.
So most probably telnet port (23) was open as well - when login was via telnet from a public IP 81.x.x.x....
normis
MikroTik Support
Posts: 26445
Joined: Fri May 28, 2004 9:04 am
Location: Riga, Latvia

Re: New RouterOS Vulnerability?

Post by normis »

There could be various reasons for this

1. router passwords were compromised in earlier versions. now some bot just used a leaked database
2. customer is not truthful about their config
3. some new unknown vulnerability is not out of question, but it would be strange, if it only affects a few people
optio
Forum Veteran
Posts: 716
Joined: Mon Dec 26, 2022 1:57 pm

Re: New RouterOS Vulnerability?

Post by optio »

telnet user/password sniffed on some network while connecting from WAN