[HamWAN PSDR] OPP outage and vulnerability warning

JOSEPH WOMACK joe_womack at hotmail.com
Wed Mar 28 10:18:20 PDT 2018

You may want to check out:
The Mikrotik RouterOS-Based Botnet

Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers


From: PSDR <psdr-bounces at hamwan.org> On Behalf Of Bart Kus
Sent: Saturday, March 24, 2018 6:19 PM
To: psdr at hamwan.org
Subject: Re: [HamWAN PSDR] OPP outage and vulnerability warning

Seattle-ER1 has been rolled back to a snapshot and is serving OPP again.  If your tunnel is still down, please complain.


On 3/24/2018 5:28 PM, Tom Hayward wrote:
This morning I discovered a bunch of failed login attempts to HamWAN routers coming from other HamWAN routers. When checking the list of logged in users, there weren't any. Apparently something was able to remotely execute code on HamWAN routers without logging in. I think it may be related to this: https://forum.mikrotik.com/viewtopic.php?t=119255. Nigel and I worked to identify the traffic and patch the hole. We were able to stop it through a combination of firewall rules, disabling services, and upgrading software.

One casualty is that upgrading the software on Seattle-ER1 broke the OPP IPsec configuration. We haven't figured out how to fix this, so OPP is down for now.

To protect your equipment from this exploit, you can disable unnecessary services like this:

/ip service disable telnet,ftp,www,api,winbox,api-ssl

Make sure to do this from SSH so that you know it's working before disabling Winbox!

This is a reminder of the importance of strict firewall rules. Nigel is a wise man.



PSDR mailing list

PSDR at hamwan.org<mailto:PSDR at hamwan.org>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20180328/c212496f/attachment.html>

More information about the PSDR mailing list