You're obviously going to want to change the passwords, and check over the config to make sure nothing was added that could give somebody a way back in, but I don't think there's too much to worry about beyond that.
On Wed, Jul 18, 2018 at 9:58 AM, Tim Cailloux <t...@southern-internet.com> wrote:

> Should I have specific concerns with the routers coming back online after
> a firmware upgrade?
>
> Coordinating access to one of my locations takes some effort, and
> particularly for after-hours work. I don't want to have an unnecessary
> daytime outage to upgrade while on-site. I've upgraded on the bench
> without a second thought, but want to plan accordingly. I'd rather upgrade
> while on-site if there is any real concern about equipment not coming
> back. I regularly upgrade other equipment without a second thought.
>
> tim
>
> On Wed, Jul 18, 2018 at 10:42 AM Wireless Administrator <wirel...@htn.net>
> wrote:
>
>> Am I correct to assume that input firewall rules limiting access to the
>> router (Network Admin static IP) minimizes/eliminates the exposure or does
>> this hack somehow bypass filter rules?
>>
>> Steve B.
>>
>> *From:* AF [mailto:af-boun...@af.afmug.com] *On Behalf Of *Dave
>> *Sent:* Tuesday, July 17, 2018 4:07 PM
>> *To:* af@af.afmug.com
>> *Subject:* Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
>>
>> My power router v4 is still on 6.27 because of some hardware driver issue
>> for support of sfp modules.
>> Last time I made the move to upgrade to 6.40 all of my sfp ports started
>> flapping and would not stabilize no matter what I tried.
>> I've been watching the change logs and it seems there were some driver
>> upgrades between 6.39-6.42
>>
>> I have ordered all new sfp modules in hopes of correcting this on the
>> next upgrade.
>>
>> On 07/17/2018 08:43 AM, Dennis Burgess wrote:
>>
>> Correct, need to get those updated.
>>
>> *Dennis Burgess, Mikrotik Certified Trainer *
>> Author of "Learn RouterOS- Second Edition”
>> *Link Technologies, Inc* -- Mikrotik & WISP Support Services
>> *Office*: 314-735-0270 Website: http://www.linktechs.net
>> Create Wireless Coverage’s with www.towercoverage.com
>>
>> *From:* AF <af-boun...@af.afmug.com> *On Behalf Of *Nick W
>> *Sent:* Tuesday, July 17, 2018 5:45 AM
>> *To:* af@af.afmug.com
>> *Subject:* Re: [AFMUG] Unauthorized Mikrotik winbox Login made changes
>>
>> Based on those versions you listed, it sounds like the Winbox
>> vulnerability described here:
>> https://forum.mikrotik.com/viewtopic.php?t=133533
>>
>> Password complexity isn't really the issue since they could connect and
>> download the unencrypted user database file. Firewall off Winbox and/or
>> upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for current.
>>
>> On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <n...@blastcomm.com> wrote:
>>
>> I just happened to be looking through the Logs of a couple Mikrotiks
>> that I didn't have Winbox Firewalled off from the outside world. Someone
>> from the outside world logged into winbox today. I had what I 'thought'
>> were strong passwords on them. The only active service on the router is
>> the Winbox Service.
>>
>> The only changes that were made were they enabled the 'socks' server, and
>> added input firewall rule for the socks port. They were in and out of
>> the router in a matter of seconds, so it looks like it was scripted
>> somehow.
>>
>> I'm going through now and changing passwords and verifying all routers
>> are locked from the outside. On the routers that I've found this on,
>> all the logins were sourced from this same IP Address. So far the
>> affected routers I've found were running versions 6.39-6.41.3
>>
>> Might be a good time to check your logs and access controls.
>>
>> jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
>> jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
>> jul/15 02:29:18 system,info socks config changed by admin
>> jul/15 02:29:18 system,info filter rule added by admin
>> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
>> jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
>>
>> --
>> AF mailing list
>> AF@af.afmug.com
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
>
> --
> Tim Cailloux
> Southern Internet -- Locally Owned and Operated
> t...@southern-internet.com
> (404) 406-9911
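The pattern in the quoted log (a login from an outside address, then a SOCKS change and a new filter rule within seconds) can be searched for across exported router logs. The following is an added example, not code from the thread or from MikroTik; the function names, the 30-second window, the management network, and the sample lines (constructed, using documentation addresses) are assumptions, and the year is passed in because the stamps carry none.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
LINE = re.compile(r"^(\w{3})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$")
LOGIN = re.compile(r"^user (\S+) logged in from (\S+) via (\S+)$")
CHANGE = re.compile(r"^(socks config changed|filter rule added) by (\S+)$")

def is_mgmt(src, nets):
    try:
        addr = ip_address(src)
    except ValueError:  # not an IP (e.g. a MAC address): never trusted
        return False
    return any(addr in net for net in nets)

def find_suspect_changes(lines, mgmt_nets, window_s=30, year=2018):
    """Return (time, user, source, service, change) for watched changes soon after an outside login."""
    nets = [ip_network(n) for n in mgmt_nets]
    outside, findings = [], []  # outside: logins from non-management sources
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(1) not in MONTHS:
            continue  # no date stamp or unknown layout: skipped
        mon, day, hh, mm, ss, _topics, msg = m.groups()
        when = datetime(year, MONTHS.index(mon) + 1, int(day), int(hh), int(mm), int(ss))
        if (lg := LOGIN.match(msg)):
            user, src, svc = lg.groups()
            if not is_mgmt(src, nets):
                outside.append((when, user, src, svc))
        elif (ch := CHANGE.match(msg)):
            change, user = ch.groups()
            for t, u, src, svc in outside:
                if u == user and timedelta(0) <= when - t <= timedelta(seconds=window_s):
                    findings.append((when, user, src, svc, change))
    return findings

# Constructed sample in the layout quoted in the thread (documentation addresses).
SAMPLE = """\
jul/14 09:10:02 system,info,account user admin logged in from 192.0.2.10 via winbox
jul/14 09:10:40 system,info filter rule added by admin
jul/15 02:29:14 system,info,account user admin logged in from 203.0.113.77 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 203.0.113.77 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
""".splitlines()

if __name__ == "__main__":
    print(*find_suspect_changes(SAMPLE, ["192.0.2.0/24"]), sep="\n")
```

Each change is reported once per outside login that precedes it inside the window, so the Winbox and telnet sessions both appear against the SOCKS and filter changes.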