All these should be good now, I've checked the upgrade and it's on the newest code. Please let me know if you see anything else.
I'll run another scan (actually: a trace) tonight. It has to run for about 8-10 hours to catch everything, it appears.
I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot be done using a simple
tshark -i eth0 -f "tcp dst port 8291"
because tshark collects session state information and its memory use balloons under the millions of session open attempts it sees.
So I use:
# Restart tshark every 20000 packets so its per-session state is thrown away
# before it can grow; keep only the source address of each SYN.
while true; do
    tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' | sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291
done
Of course it would also be possible to limit it to AMPRnet:
tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8"
Rob
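The same collection can be done without restarting the capture tool, because tcpdump keeps no per-flow state and its memory stays flat however many half-open connections it sees. The following is an added example, not code from the thread: it feeds tcpdump's text output through a small awk filter that prints the source address of every SYN and then aggregates the result. The interface name eth0, the file /tmp/syn8291 and the sample capture lines (RFC 5737 documentation addresses with 44/8 on the victim side) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): stateless SYN source collection
# for tcp/8291 using tcpdump instead of tshark.
#
# Live use (assumed interface eth0; needs root or CAP_NET_RAW); append
# "and src net 44.0.0.0/8" to the filter to restrict it to AMPRnet, as in
# the original tshark command:
#   tcpdump -i eth0 -n -l \
#     'tcp dst port 8291 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
#     | syn_sources >>/tmp/syn8291
#
# syn_sources reads "tcpdump -n" output on stdin and prints one source IPv4
# address per pure SYN (Flags [S]); SYN/ACK replies from the routers ([S.])
# and later segments are ignored. A tcpdump line looks like:
#   12:00:01.000001 IP 203.0.113.5.51234 > 44.1.2.3.8291: Flags [S], seq 1, ...
# Field 3 is "src.port"; the last dotted component is the port, so only the
# first four components are printed.
syn_sources() {
    awk '/Flags \[S\]/ { split($3, a, "."); print a[1] "." a[2] "." a[3] "." a[4] }'
}

# top_sources turns the collected address list into "count address" lines,
# busiest scanner first, the form that is handy for a block list or a report.
top_sources() {
    sort | uniq -c | sort -rn
}

# Constructed sample of "tcpdump -n" output so the pipeline runs offline.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 203.0.113.5.51234 > 44.1.2.3.8291: Flags [S], seq 1, win 29200, length 0
12:00:01.000300 IP 44.1.2.3.8291 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 29200, length 0
12:00:01.000500 IP 198.51.100.7.40000 > 44.1.2.3.8291: Flags [S], seq 1, win 29200, length 0
12:00:01.000900 IP 203.0.113.5.51235 > 44.1.2.4.8291: Flags [S], seq 1, win 29200, length 0
12:00:02.000000 IP 203.0.113.5.51235 > 44.1.2.4.8291: Flags [.], ack 1, win 29200, length 0
EOF
}

# Offline run over the sample: prints "2 203.0.113.5" then "1 198.51.100.7".
sample_capture | syn_sources | top_sources
```

The capture filter keeps only segments with SYN set and ACK clear, so the kernel discards the SYN/ACK and data packets before they ever reach user space; the awk check on Flags [S] is a second guard for the case where the filter is loosened.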
A central syslog and firewalled 8291 ports with logging would be a better solution imho :) Grep seems less of a strain than tshark and would be quicker I imagine
-----Original Message-----
From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Rob Janssen
Sent: Wednesday 28 March 2018 18:44
To: 44net@mailman.ampr.org
Subject: [44net] MikroTik worm - please check your RouterOS version!
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
On Wed, Mar 28, 2018 at 9:59 AM, Ruben ON3RVH on3rvh@on3rvh.be wrote:
A central syslog and firewalled 8291 ports with logging would be a better solution imho :) Grep seems less of a strain than tshark and would be quicker I imagine
44.24.240.0/20 and 44.25.0.0/16 do both of these things. Port 8291 is now blocked at the edge routers. This could be why they dropped off Rob's list, although we also upgraded the RouterOS version.
Tom
On Wed, Mar 28, 2018 at 11:05:53AM -0700, Tom Hayward wrote:
It is not wise to block port 8291, because the exploitable service is on HTTP port 80 TCP. Also, port 8291 is the Winbox admin interface, which most sysops use when they are not firm in using the SSH console. If they'd like to issue a firmware upgrade for the security update but can't use the program they normally use, it's a bit counterproductive..
Blocking TCP port 80 on core routers is also not a really good idea ;) ..except if you like to discuss what's the most harmful protocol and the death of the internet ;))
vy 73, - Thomas dl9sau