Yeah, they pulled passwords in plain text.  So if you don't change the pass
they will get back in.  Ours was compromised weeks ago, and we still see
daily attempts to log in using the old username.  I changed the username as
well.  I also notice that most of the brute force attempts are all
lowercase words.  Mix it up!  Change your username AND passwords.

On Tue, Sep 25, 2018 at 4:55 PM Ken Hohhof <af...@kwisp.com> wrote:

> Yeah, 6.40.8 bugfix only got patched, but that doesn’t mean anything with
> a higher rev than 6.40.8 was patched.  6.42 probably pre-dated the patch.
> I forget which current or beta FW got the fix.
>
> Assume they grabbed your admin password.  Also look for accounts they may
> have added.
>
> *From:* AF <af-boun...@af.afmug.com> *On Behalf Of *Josh Luthman
> *Sent:* Tuesday, September 25, 2018 3:37 PM
> *To:* AnimalFarm Microwave Users Group <af@af.afmug.com>
> *Subject:* Re: [AFMUG] Mikrotiks exploited on latest firmware?
>
> 6.42 has some known exploits.  Not sure if 6.43 does...yet...
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Sep 25, 2018 at 4:20 PM, TJ Trout <t...@voltbb.com> wrote:
>
> These are mostly customer routers on old firmware ~v5-v6, they are on the
> latest stable/current which I thought cured the exploit, the stuff I am
> seeing is usually socks or webproxy enabled for reflection attacks or smtp
> spam.
>
> I restored the configs back to virgin and they got back in again somehow,
> I'm going to see if somehow any of the above recommendations were the
> cause...
>
> On Tue, Sep 25, 2018 at 1:13 PM Jon Langeler <jon-ispli...@michwave.net>
> wrote:
>
> From what version to what versions?
>
> Jon Langeler
> Michwave Technologies, Inc.
>
>
> > On Sep 25, 2018, at 3:52 PM, TJ Trout <t...@voltbb.com> wrote:
> >
> > I had many mikrotiks exploited, we cleaned them up and disabled all
> > services except winbox and http, updated to the latest firmware and changed
> > passwords.
> >
> > Most have input firewall and are unaffected but the ones sitting on the
> > internet seem to keep getting compromised
> >
> > Any idea why this could still be occurring? My ASSumption is that the
> > latest release cures the exploit from happening again but I'm confused why
> > this keeps reoccurring?
> >
> > Thanks
> >
> > TJ
> > --
> > AF mailing list
> > AF@af.afmug.com
> > http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
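
The checks raised in this thread (socks or web proxy switched on, services other than winbox and http left enabled, accounts that were added, no input firewall) run over a RouterOS export, as an added example that is not from any of the posters. The export text and user list are constructed; `EXPECTED_USERS`, the `noc-admin` name, and the assumption that the export is verbose (every `/ip service` line carries `disabled=`) are assumptions.

```python
import re
import shlex

ALLOWED_SERVICES = {"winbox", "www"}  # thread: all services but winbox and http disabled
EXPECTED_USERS = {"noc-admin"}        # hypothetical account name
# Constructed sample in verbose-export style, not taken from a real router.
SAMPLE_EXPORT = r"""
/ip proxy
set enabled=yes
/ip socks
set enabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=no
set winbox disabled=no
/ip firewall filter
add chain=forward action=accept comment="customer \
    traffic"
"""
SAMPLE_USERS = ["noc-admin", "service"]  # constructed; names as read from `/user print`

def commands(export):
    """Yield (menu, verb, positional args, key=value params) per export line."""
    menu = None
    # The export wraps long lines with a trailing backslash; rejoin them first.
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)
        params = dict(t.split("=", 1) for t in rest if "=" in t)
        yield menu, verb, [t for t in rest if "=" not in t], params

def audit(export, users):
    findings, input_drop = [], False
    for menu, verb, args, p in commands(export):
        if menu in ("/ip socks", "/ip proxy") and p.get("enabled") == "yes":
            findings.append(f"{menu} is enabled")
        elif menu == "/ip service" and args and p.get("disabled") != "yes":
            if args[0] not in ALLOWED_SERVICES:  # no disabled=yes means enabled
                findings.append(f"service {args[0]} is enabled")
        elif menu == "/ip firewall filter" and verb == "add":
            input_drop |= p.get("chain") == "input" and p.get("action") == "drop"
    if not input_drop:
        findings.append("no drop rule in the input chain")
    findings += [f"unexpected account {u}" for u in users if u not in EXPECTED_USERS]
    return findings
```

Calling `audit(SAMPLE_EXPORT, SAMPLE_USERS)` returns one finding per problem; an empty list means none of these four conditions was found, not that the router is clean.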