28 Mar
2018
28 Mar
'18
5:43 p.m.
All these should be good now, I've check the
upgrade and it's on the newest
code. Please let me know if you see anything else.
I'll run another scan (actually: a trace) tonight.
It has to run for about 8-10 hours to catch everything, it appears.
I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot
be done using a simple
tshark -i eth0 -f "tcp dst port 8291"
because tshark collects session state information and its memory use balloons under
the millions of session open attempts it sees.
So I use:
while true
do
tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' |
sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291
done
Of course it would also be possible to limit it to AMPRnet:
tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8"
Rob
28 Mar
28 Mar
5:59 p.m.
A central syslog and firewalled 8291 ports with logging would be a better solution imho
:)
Grep seems less of a strain than tshark and would be quicker I imagine
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Rob
Janssen
Sent: woensdag 28 maart 2018 18:44
To: 44net(a)mailman.ampr.org
Subject: [44net] MikroTik worm - please check your RouterOS version!
All these should be good now, I've check the
upgrade and it's on the
newest code. Please let me know if you see anything else.
I'll run another scan (actually: a trace) tonight.
It has to run for about 8-10 hours to catch everything, it appears.
I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot
be done using a simple
tshark -i eth0 -f "tcp dst port 8291"
because tshark collects session state information and its memory use balloons under the
millions of session open attempts it sees.
So I use:
while true
do
tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' |
sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291 done
Of course it would also be possible to limit it to AMPRnet:
tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8"
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
7:05 p.m.
On Wed, Mar 28, 2018 at 9:59 AM, Ruben ON3RVH <on3rvh(a)on3rvh.be> wrote:
A central syslog and firewalled 8291 ports with
logging would be a better
solution imho :)
Grep seems less of a strain than tshark and would be quicker I imagine
44.24.240.0/20 and 44.25.0.0/16 do both of these things. Port 8291 is now
blocked at the edge routers. This could be why they dropped off of Rob's
list, although we also upgraded the RouterOS version.
Tom
8:20 p.m.
On Wed, Mar 28, 2018 at 11:05:53AM -0700, Tom Hayward wrote:
On Wed, Mar 28, 2018 at 9:59 AM, Ruben ON3RVH
<on3rvh(a)on3rvh.be> wrote:
it is not wise to block port 8291, because the exploitable service is
on http port 80 tcp.
also, port 8291 is the winbox admin iface, which most sysop's use, when they
are not firm in using the ssh console. if they'd like to issue a firmware
upgrade for the security update, but can't use the program they normaly use,
it's a bit contra productive..
blocking tcp port 80 on core routers is also not a really good idea ;)
..except if you like discuss what's the most harmful protocol and the dead
of the internet ;))
vy 73,
- Thomas dl9sau
A central syslog and firewalled 8291 ports with
logging would be a better
solution imho :)
Grep seems less of a strain than tshark and would be quicker I imagine
44.24.240.0/20 and 44.25.0.0/16 do both of these things. Port 8291 is now
blocked at the edge routers. This could be why they dropped off of Rob's
list, although we also upgraded the RouterOS version.
2233
days inactive
2233
days old
3 comments
4 participants
participants (4)
-
Rob Janssen -
Ruben ON3RVH -
Thomas Osterried -
Tom Hayward