44net

44net@mailman.ampr.org

3192 discussions

Re: [44net] MikroTik worm - please check your RouterOS version!

by Rob Janssen

> it is not wise to block port 8291, because the exploitable service is > on http port 80 tcp. The worm uses port 8291 to identify possible victims (when it can connect to port 8291 it assumes there is a MikroTik router on that address), then attacks it on port 80 and some other ports that people may likely have set as an alternative for HTTP access to the router (8080 etc). So blocking port 8291 effectively blocks the worm in its current version, while not destroying the useful port 80. Of course experience with earlier events like this shows that such a worm typically evolves and may skip the port 8291 scan later, rendering this block ineffective. For now, I have blocked access to port 8291 from addresses outside AMPRnet on our gateway. Of course this restriction will be lifted when/if this worm stops operation. It appears to be controlled via a peer-to-peer network and it looks like it is a version of an existing worm that has been active on network cameras/recorders, routers from other manufacturers, etc, all running embedded Linux. Rob

8 years, 1 month

MikroTik worm - please check your RouterOS version!

by Rob Janssen

> All these should be good now, I've check the upgrade and it's on the newest > code. Please let me know if you see anything else. I'll run another scan (actually: a trace) tonight. It has to run for about 8-10 hours to catch everything, it appears. I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot be done using a simple tshark -i eth0 -f "tcp dst port 8291" because tshark collects session state information and its memory use balloons under the millions of session open attempts it sees. So I use: while true do tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' | sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291 done Of course it would also be possible to limit it to AMPRnet: tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8" Rob

8 years, 1 month

acc bitte löschen

by Torsten Rh

acc bitte löschen mfg DE1TRF

8 years, 1 month

Re: [44net] MikroTik worm - please check your RouterOS version!

by Rob Janssen

> A central syslog and firewalled 8291 ports with logging would be a better solution imho :) > Grep seems less of a strain than tshark and would be quicker I imagine If you would want to do this permanently, yes. But this is only something I would run maybe for 3-4 days and then be bored. First night I did the tshark logging without the postprocessing (so file gets the 1-line-per-packet trace info) and it collected 500MB in a single night. Maybe you don't want that all in the syslog... Now I keep only the source addresses, Rob

8 years, 1 month

Re: [44net] MikroTik worm - please check your RouterOS version!

by Rob Janssen

> It appears that only these two addresses are still infected: > 44.25.64.73 ether1.ap.beacon.hamwan.net > 44.98.249.7 AP-A-250.tampa.flscg.org A little too optimistic, a longer scan yields this list: 44.140.129.12 44-25-128-124.ip.hamwan.net[44.25.128.124] ether1.ap.beacon.hamwan.net[44.25.64.73] 44.34.131.144 AP-000.StPete.flscg.org[44.98.249.66] AP-120.StPete.flscg.org[44.98.249.67] AP-240.StPete.flscg.org[44.98.249.68] AP-A-250.tampa.flscg.org[44.98.249.7] Rob

8 years, 1 month

Re: [44net] MikroTik worm - please check your RouterOS version!

by Rob Janssen

It appears that only these two addresses are still infected: 44.25.64.73 ether1.ap.beacon.hamwan.net 44.98.249.7 AP-A-250.tampa.flscg.org Good work in containing this outbreak... Rob

8 years, 1 month

Re: [44net] MikroTik worm - please check your RouterOS version! Ryan Elliott Turner ryan.e.t at gmail.com

by Rob Janssen

> All of the hosts I can control in 44.34/21 have been updated this evening. > Please let me know if you notice any other troublemakers there. Thanks for > the report. This is the latest packet to TCP port 8291 I have seen from addresses in the 44.34 network: 01:13:28.014665 44.34.128.100 04:04:59.569058 44.34.128.101 01:21:03.741867 44.34.128.102 01:11:34.822173 44.34.128.34 00:21:39.834057 44.34.128.35 01:53:00.697869 44.34.128.39 03:36:45.895350 44.34.128.94 07:13:36.922146 44.34.129.114 04:22:32.850903 44.34.129.117 03:32:09.935080 44.34.129.40 02:27:34.360165 44.34.129.41 01:51:02.516010 44.34.129.42 01:18:43.892712 44.34.129.73 Times are UTC+2 When you have updated those devices after those times it should be OK Rob

8 years, 1 month

Re: [44net] MikroTik worm - please check your RouterOS version!

by Rob Janssen

> When you know who owns one of the above systems, please advise them that their router is > compromised and that they have to update it. > As it seems now, updating will also remove the worm, but in my opinion it is safer to cleanly > re-install it using netinstall and restore your backed-up configuration. > (you make backups, don't you??) In the message I used the word "router" a couple of times, but it does not matter if it is a router or WiFi device, they all run the same software. When your device is on the above list, it has already been compromised. (probably at least one device on AMPRnet has been infected from internet and now it is infecting other devices inside AMPRnet, so you can be affected even when you have no internet access at all) However, the good news is that it appears that updating the RouterOS to 6.40.6 (bugfix) or 6.41.3 (current) is going to render the worm ineffective, it appears there is no real need to netinstall. When you have internet access, updating is a simple matter of clicking "check for updates" in the system->packages menu, select "current" or "bugfix" channel and click "download&install". Of course this does not work when you have no internet access, but then you can still download the desired npk files from mikrotik.com, upload them in the device and reboot. Rob

8 years, 1 month

MikroTik worm - please check your RouterOS version!

by Rob Janssen

Likely unrelated to the issue with the rogue gateway servers, please note that this weekend an exploit was launched that affects MikroTik routers running RouterOS older than 6.38.5 and that has its webservice (WebFig) open to the outside network. These get infected via the webservice and start a worm that scans for other routers to infect. Once it is inside your network it may propagate to other devices. It will scan for the usual MikroTik configuration interfaces, of which port 8291 (winbox) is most easily identified. (the others, 23, 80 etc are already scanned so often that it is difficult to identify the source) I did a trace of about 10 hours on the 44.137.0.0/16 network and over that period it was scanned by over 345.000 unique IP addresses on the internet, and randomly connecting back to a few of them returns an old version RouterOS every time... Disturbingly, there are also a couple of AMPRnet IP addresses on that list! They are mainly in two different networks. Unfortunately they do not appear in ampr.org reverse-DNS. wlan1.w7hr-sunnyslope.hamwan.net[44.24.240.110] wlan.kd7tqn.hamwan.net[44.24.240.221] wlan1.baldi.we7x.hamwan.net[44.24.240.222] poe.haystack.hamwan.net[44.24.241.41] 44-25-128-124.ip.hamwan.net[44.25.128.124] r1.crystal.hamwan.net[44.25.128.169] lan.r1.beacon.hamwan.net[44.25.64.65] ether1.ap.beacon.hamwan.net[44.25.64.73] 44.34.128.100 44.34.128.101 vrrp.hil.memhamwan.net[44.34.128.102] 44.34.128.103 ptpsco.leb.memhamwan.net[44.34.128.163] ptpazo.leb.memhamwan.net[44.34.128.184] 44.34.128.34 44.34.128.35 44.34.128.36 44.34.128.39 44.34.128.62 44.34.128.94 44.34.128.99 44.34.129.114 44.34.129.117 r2.mno.memhamwan.net[44.34.129.35] ptphil.mno.memhamwan.net[44.34.129.38] sec1.mno.memhamwan.net[44.34.129.40] sec2.mno.memhamwan.net[44.34.129.41] 44.34.129.42 44.34.129.66 44.34.129.67 44.34.129.73 44.34.131.144 AP-120.StPete.flscg.org[44.98.249.67] AP-240.StPete.flscg.org[44.98.249.68] AP-A-250.tampa.flscg.org[44.98.249.7] W9CR-Mgmt.StPete.flscg.org[44.98.249.76] AP-B-330.tampa.flscg.org[44.98.249.8] AP-C-110.tampa.flscg.org[44.98.249.9] 44.103.35.26 44.140.129.12 When you know who owns one of the above systems, please advise them that their router is compromised and that they have to update it. As it seems now, updating will also remove the worm, but in my opinion it is safer to cleanly re-install it using netinstall and restore your backed-up configuration. (you make backups, don't you??) When you run a MikroTik router and have not updated RouterOS, please update it to at least 6.40.6 (select bugfix-only in the updater) or the current version 6.41.3. In the latter case, be aware of the issues around updating from 6.40 to 6.41 in complicated switched configurations. And of course, always configure a firewall that disallows access to the configuration interfaces from the internet, as always for devices like this. Rob

8 years, 1 month

Re: [44net] gateways without subnets

by Rob Janssen

.> That is correct - there are plenty of gateways in the portal that have no subnets attached to them, but they are filtered out of the encap list. Ok, then apparently these "rogue gateways" (they happen to be all from Poland) are using some method to use the encap file to load tunnel interfaces and static routes. I had expected them to use the script that Marius wrote for MikroTik, but in that case they would not receive the RIP broadcasts and so would not be able to build all those tunnels (and send MikroTik neighbor discovery on them). I suspect there has been some "how to setup an AMPRnet gateway" doc going around in Poland... Tom SP2L is already looking at it. Maybe you can just remove all gateways that have had no subnets for some time. Although that will likely not fix anything... Rob

8 years, 1 month

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net