The vulnerability in question was fixed in March 2017:
Thanks for the heads-up.
Is there a specific version from which this malware is able to infect a mikrotik?
How about RouterOS 5.22 for example or 6.27?
Please read the first post in this thread.
Hi Normis,
Found this IT News article today saying MikroTik devices are on the list of those at risk of being hacked. What's your take on this article?
https://www.itnews.com.au/news/hackers- ... ces-491582
We do have in-depth analysis materials from the Cisco Talos team. They also said they think it is using the same vulnerability that was published/known. We also have conducted a thorough code review after the previous vulnerability.
Hopefully my comment won't come across as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not yet be aware of.
Also, with security threats constantly on the rise, it would be nice if there was a dedicated Security sub-forum or some kind of channel / RSS / mailing list which would discuss only security and which we could subscribe to be notified of things like this.
Thanks for the quick response, that is good to know and quite reassuring.
Any RouterOS version with a firewall on the www port from untrusted networks was always safe. The original vulnerability that was fixed in March 2017 only affected you if the www port 80 (webfig) was open to untrusted networks.
Thanks for the prompt response, Normis.
I assume people that were using the quickset dynamic DNS VPN and appropriate firewall rules + updated firmware would have been invulnerable to these attacks?
Isn't it strange that all these news reports say many devices are vulnerable but Cisco ones are free from the problem?
Found this IT News article today saying MikroTik devices are in the list for being at risk of being hacked. ....
For me it seems to be some kind of "gray PR" (gray means that I do not want to use the "black" word yet) but it resembles a little the "Volkswagengate" in the USA.
investigating the malware, which targets devices from Linksys, MikroTik, Netgear, TP-Link and QNAP, advising users to install security updates. .... Cisco Systems, which has been investigating the threat for several months....
Nokia-Alcatel-Lucent has a strong presence in Poland with numerous competence centers; Juniper perhaps doesn't.
BartosP, are you working for Juniper? ;-P
You mean Roland or PPoland? They are on the slippery slope of being pwned by he who shall not be named!! No happy face! - makes me sad.
Anav ... problems with reading? What do you want to be explained more?
You mean Roland or PPoland ....... in Poland ....
That's a fraud/fake call; google for that one that wants you to pay him.
The question is the following: I was phoned by the cyberpolice, who said that my router is infected with a virus and that I need to reset my device and set it up again, which I do not really want to do.
Will passwords and firmware updates be enough?
Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **
Or - is this a log from my btest firewall rules which auto-block lengthy btest connections and then later auto-remove them? I do see some of the above IP addresses in my firewall Connections list (which are auto-added & auto-removed an hour later).
North Idaho Tom Jones
Tom, let me apologize. I defined your btest server as a host in my local DNS, and gave it a box in my Dude configuration, so I could more easily run infrequent tests when needed without having to remember all your IP information. Apparently, this causes grief in your log, because my IP is one of the ones you listed. Also apparently, a whole lot of other MikroTik admins have done the same thing I did, and they are generating all the other IP addresses. In order to run MikroTik speed tests, I had to tell the Dude that you were a MikroTik device, and it looks like that causes it to bother you with Dude queries.
Can somebody please tell me what this log information is (in dark red below, containing "warning denied winbox/dude connect from")?
** Is this log indicating remote IP addresses trying to get into my CHR via a potential vulnerability which has been discussed many times here? **
This is from my public btest server. This btest server is the public 207.32.194.24 btest server that is always in use by other MikroTik admins.
. . .
North Idaho Tom Jones
The fact is that it was the police and they did not demand money from me; the provider gave them to them because the IP address is reserved for the director.
If it's not an attack, then I am OK with it.
Funny how it says that it is hard to defend against it because it is hard to upgrade router firmware on the devices.
Technical details of the worm here: https://blog.talosintelligence.com/2018 ... ilter.html
Nice article but ...
That's not correct. Please read this article:
http://linkcom.lviv.ua/%D1%83%D0%B2%D0%B0%D0%B3%D0%B0/
https://www.facenews.ua/news/2018/407644/
They are stating that all versions prior to 6.42.1 are vulnerable.
Firewall will, as always, disable fastpath in your system. Setting the source IPs allowed on the service is a more direct low-level approach which does not disable fastpath.
Unfortunately, the DNS server does not allow restrictions using /ip service.
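As an added example (not posted in this thread), the two approaches discussed above side by side: restricting webfig and winbox by source address in /ip service, which the post above says keeps fastpath, and a firewall rule for the DNS server, which /ip service cannot restrict. It assumes management comes from 192.168.88.0/24 (constructed value) and that the WAN interface is in an interface list named WAN.

```routeros
# Added example, not from the thread. Assumptions: management subnet is
# 192.168.88.0/24 (constructed), WAN interface is in interface list "WAN".

# Weak state (RouterOS default): the address list on each service is empty,
# so webfig (port 80) and winbox (port 8291) answer any source that can
# reach them. An exposed port 80 is what the March 2017 bug needed.

# Corrected: only the management subnet may reach webfig and winbox.
# This is a per-service source filter, not a firewall rule, so it does not
# disable fastpath.
/ip service set www address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Services not in use should simply be off.
/ip service disable telnet,ftp,api

# DNS has no address filter in /ip service, so the only option is the
# firewall: drop DNS queries arriving on the WAN side (TCP and UDP 53).
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="drop remote DNS queries"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="drop remote DNS queries"

# Check the result: address column on www/winbox, and the two DNS rules.
/ip service print
/ip firewall filter print where comment~"DNS"
```

Run the /ip service changes from the management subnet itself, otherwise the session used to apply them is cut off.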
I did reply that your version is below the one with the fix. If you have a webfig interface exposed to an untrusted network, UPGRADE IMMEDIATELY.
Hi Normis,
I still do not have a reply regarding 5.26 on R750GL, can you comment?
Best regards.