This morning I discovered a bunch of failed login attempts to HamWAN routers coming from other HamWAN routers. When checking the list of logged-in users, there weren't any. Apparently something was able to remotely execute code on HamWAN routers without logging in. I think it may be related to this: https://forum.mikrotik.com/viewtopic.php?t=119255. Nigel and I worked to identify the traffic and patch the hole. We were able to stop it through a combination of firewall rules, disabling services, and upgrading software.
One casualty is that upgrading the software on Seattle-ER1 broke the OPP IPsec configuration. We haven't figured out how to fix this, so OPP is down for now.
To protect your equipment from this exploit, you can disable unnecessary services like this:
/ip service disable telnet,ftp,www,api,winbox,api-ssl
Make sure to do this from SSH so that you know it's working before disabling Winbox!
This is a reminder of the importance of strict firewall rules. Nigel is a wise man.
Tom
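The hardening Tom describes (turn off unneeded services, rely on strict firewall rules), written out as a RouterOS CLI sequence. This is an added example, not HamWAN's configuration or anything from the thread; 192.0.2.0/24 is a placeholder for a trusted management range and must be replaced with your own.

```routeros
# Added example (not HamWAN's config): lock down RouterOS management access.
# Placeholder: 192.0.2.0/24 stands in for the trusted management range.
# Run this over SSH from a host inside that range so SSH is confirmed
# working before Winbox or anything else is switched off.

# 1. Trusted management hosts kept in one address list so rules stay short.
/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="trusted management hosts"

# 2. Disable management services nothing depends on (Tom's command also
#    disables winbox; add it here too if you do not need it at all).
/ip service disable telnet,ftp,www,api,api-ssl

# 3. Bind the services that remain to the trusted range only; RouterOS
#    refuses connections to a service from any other source address.
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24

# 4. Input-chain firewall as a second layer: accept return traffic, accept
#    management ports only from the mgmt list, drop those ports from
#    everyone else (including other routers on the same network). On a
#    router with existing rules, move these above any broader accept rule.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="allow return traffic"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt comment="ssh+winbox from trusted hosts only"
add chain=input action=drop protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 \
    comment="drop all RouterOS management ports from everywhere else"

# 5. Verify before logging out: which services are still enabled and where
#    they are bound, then recent failed logins (the symptom in Tom's report)
#    to see whether attempts from other routers still reach this box.
/ip service print
/log print where message~"login failure"
```

Port numbers in step 4 are the RouterOS defaults for ftp, ssh, telnet, www, www-ssl, winbox, api and api-ssl; adjust them if the services have been moved to other ports.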
Seattle-ER1 has been rolled back to a snapshot and is serving OPP again. If your tunnel is still down, please complain.
--Bart
On 3/24/2018 5:28 PM, Tom Hayward wrote:
_______________________________________________ PSDR mailing list PSDR@hamwan.org http://mail.hamwan.net/mailman/listinfo/psdr
You may want to check out:
The Mikrotik RouterOS-Based Botnet
https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-r...
Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers
https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comebac...
Joe
From: PSDR <psdr-bounces@hamwan.org> On Behalf Of Bart Kus
Sent: Saturday, March 24, 2018 6:19 PM
To: psdr@hamwan.org
Subject: Re: [HamWAN PSDR] OPP outage and vulnerability warning
I am naturally suspicious of anything with "win" in its name, such as "winbox".
Tony W7EFS
On 03/28/2018 10:18 AM, JOSEPH WOMACK wrote:
Might be related to the recent US-CERT advisory...
National Cyber Awareness System:
TA18-086A: Brute Force Attacks Conducted by Cyber Actors
03/27/2018 06:00 PM EDT
Original release date: March 27, 2018
Systems Affected
Networked systems
-----Original Message-----
From: "Tom Hayward" <tom@tomh.us>
Sent: 3/24/2018 5:29 PM
To: "Puget Sound Data Ring" <psdr@hamwan.org>
Subject: [HamWAN PSDR] OPP outage and vulnerability warning
participants (5)
- Bart Kus
- Ed Morin
- JOSEPH WOMACK
- Tom Hayward
- Tony Ross