44net

44net@mailman.ampr.org

3194 discussions

GL-AR300 Mini router support IPIP ?
by R P 29 Mar '18

29 Mar '18

Hi there Does anyone know if this router https://www.gl-inet.com/ar300m/ [https://www.gl-inet.com/wordpress/wp-content/uploads/2017/11/ar300m_shop-1.…]<https://www.gl-inet.com/ar300m/> GL-AR300M – GL.iNet<https://www.gl-inet.com/ar300m/> Let's Get In Touch! For business collaborations, OEM, ODM and bulk orders, please write to: service(a)gl-inet.com www.gl-inet.com support IPIP native (without need to compile and add software to it ) ? Thanks Forward Ronen -4Z4ZQ http://www.ronen.org Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/> ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com www.ronen.org

1 0

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 29 Mar '18

29 Mar '18

> I recommend disabling the access to unneeded management services and to > the remaining ones, restricting the access to them from the networks > used by the administrators. Of course. And we had that already in place on the routers inside our own part of the network (which was deployed to facilitate our co-channel diversity repeater network). However, above I was discussing the settings on our internet gateway. I cannot control what all the individual amateurs, with varying networking skills, do on their routers at home, but by filtering inbound connects to port 8291 I can protect them from the current problem. There now are 430.000 addresses in the scan I did last night. only net-44 addresses: 44.140.129.12 44-25-128-124.ip.hamwan.net[44.25.128.124] 44.34.131.144 But of course, when people start filtering outbound 8291 connections, it is not a complete picture. Rob

1 0

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 29 Mar '18

29 Mar '18

> it is not wise to block port 8291, because the exploitable service is > on http port 80 tcp. The worm uses port 8291 to identify possible victims (when it can connect to port 8291 it assumes there is a MikroTik router on that address), then attacks it on port 80 and some other ports that people may likely have set as an alternative for HTTP access to the router (8080 etc). So blocking port 8291 effectively blocks the worm in its current version, while not destroying the useful port 80. Of course experience with earlier events like this shows that such a worm typically evolves and may skip the port 8291 scan later, rendering this block ineffective. For now, I have blocked access to port 8291 from addresses outside AMPRnet on our gateway. Of course this restriction will be lifted when/if this worm stops operation. It appears to be controlled via a peer-to-peer network and it looks like it is a version of an existing worm that has been active on network cameras/recorders, routers from other manufacturers, etc, all running embedded Linux. Rob

3 2

MikroTik worm - please check your RouterOS version!
by Rob Janssen 28 Mar '18

28 Mar '18

> All these should be good now, I've check the upgrade and it's on the newest > code. Please let me know if you see anything else. I'll run another scan (actually: a trace) tonight. It has to run for about 8-10 hours to catch everything, it appears. I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot be done using a simple tshark -i eth0 -f "tcp dst port 8291" because tshark collects session state information and its memory use balloons under the millions of session open attempts it sees. So I use: while true do tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' | sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291 done Of course it would also be possible to limit it to AMPRnet: tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8" Rob

4 3

acc bitte löschen
by Torsten Rh 28 Mar '18

28 Mar '18

acc bitte löschen mfg DE1TRF

1 0

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 28 Mar '18

28 Mar '18

> A central syslog and firewalled 8291 ports with logging would be a better solution imho :) > Grep seems less of a strain than tshark and would be quicker I imagine If you would want to do this permanently, yes. But this is only something I would run maybe for 3-4 days and then be bored. First night I did the tshark logging without the postprocessing (so file gets the 1-line-per-packet trace info) and it collected 500MB in a single night. Maybe you don't want that all in the syslog... Now I keep only the source addresses, Rob

1 0

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 28 Mar '18

28 Mar '18

> It appears that only these two addresses are still infected: > 44.25.64.73 ether1.ap.beacon.hamwan.net > 44.98.249.7 AP-A-250.tampa.flscg.org A little too optimistic, a longer scan yields this list: 44.140.129.12 44-25-128-124.ip.hamwan.net[44.25.128.124] ether1.ap.beacon.hamwan.net[44.25.64.73] 44.34.131.144 AP-000.StPete.flscg.org[44.98.249.66] AP-120.StPete.flscg.org[44.98.249.67] AP-240.StPete.flscg.org[44.98.249.68] AP-A-250.tampa.flscg.org[44.98.249.7] Rob

2 1

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 27 Mar '18

27 Mar '18

It appears that only these two addresses are still infected: 44.25.64.73 ether1.ap.beacon.hamwan.net 44.98.249.7 AP-A-250.tampa.flscg.org Good work in containing this outbreak... Rob

1 0

Re: [44net] MikroTik worm - please check your RouterOS version! Ryan Elliott Turner ryan.e.t at gmail.com
by Rob Janssen 27 Mar '18

27 Mar '18

> All of the hosts I can control in 44.34/21 have been updated this evening. > Please let me know if you notice any other troublemakers there. Thanks for > the report. This is the latest packet to TCP port 8291 I have seen from addresses in the 44.34 network: 01:13:28.014665 44.34.128.100 04:04:59.569058 44.34.128.101 01:21:03.741867 44.34.128.102 01:11:34.822173 44.34.128.34 00:21:39.834057 44.34.128.35 01:53:00.697869 44.34.128.39 03:36:45.895350 44.34.128.94 07:13:36.922146 44.34.129.114 04:22:32.850903 44.34.129.117 03:32:09.935080 44.34.129.40 02:27:34.360165 44.34.129.41 01:51:02.516010 44.34.129.42 01:18:43.892712 44.34.129.73 Times are UTC+2 When you have updated those devices after those times it should be OK Rob

1 0

Re: [44net] MikroTik worm - please check your RouterOS version!
by Rob Janssen 26 Mar '18

26 Mar '18

> When you know who owns one of the above systems, please advise them that their router is > compromised and that they have to update it. > As it seems now, updating will also remove the worm, but in my opinion it is safer to cleanly > re-install it using netinstall and restore your backed-up configuration. > (you make backups, don't you??) In the message I used the word "router" a couple of times, but it does not matter if it is a router or WiFi device, they all run the same software. When your device is on the above list, it has already been compromised. (probably at least one device on AMPRnet has been infected from internet and now it is infecting other devices inside AMPRnet, so you can be affected even when you have no internet access at all) However, the good news is that it appears that updating the RouterOS to 6.40.6 (bugfix) or 6.41.3 (current) is going to render the worm ineffective, it appears there is no real need to netinstall. When you have internet access, updating is a simple matter of clicking "check for updates" in the system->packages menu, select "current" or "bugfix" channel and click "download&install". Of course this does not work when you have no internet access, but then you can still download the desired npk files from mikrotik.com, upload them in the device and reboot. Rob

2 1

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

44net