If you have any suggestions please post as config. I've also found schedulers that on startup and everyday fetch again hacker's files and there was also a packet sniffer.Īdd action=drop chain=input comment=INVALID connection-state=invalid disabled=noĪdd action=accept chain=input comment="ADMIN" disabled=no src-address-list=adminĪdd action=accept chain=input comment="Bandwidth Test" disabled=no dst-port=2000 protocol=tcpĪdd action=accept chain=input comment=ICMP disabled=no protocol=icmpĪdd action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=tcpĪdd action=accept chain=input comment=DNS disabled=no dst-port=53 in-interface=ether1 protocol=udpĪdd action=accept chain=input comment=ESTABLISHED connection-state=established disabled=noĪdd action=accept chain=input comment=RELATED connection-state=related disabled=noĪdd action=accept chain=input comment=BROADCAST disabled=no dst-address=255.255.255.255Īdmin address list has got some public and private IPs that are used for API, my Winbox connection and Dude monitoring. So I'm asking if someone experienced an hack like this and all informations about it. I need to be sure what vulnerability has been used (as I said, it has been attacked before 6.43.8, didn't know until today) and then modify my firewall to prevent. I obviously can't NetInstall every RB that I have around and updating RBs that are more than 100km far away it's always a risk, so I can't do that for 3000+ RBs at the same time and then run to change them in case of bootloop or something else.
#Winbox hacker password password#
I don't know if adding allowed addresses to local users would solve the problem, I don't know if hacker had got my password or used a vulnerability that avoids login (no log because of hacker's scripts). If I set an address list in dst-nat I should avoid the hack, unless the hacker doesn't try to hack the RB that is natting, in that case I have the same problem.
#Winbox hacker password plus#
Then I have in 192.168.88.2 an address list with my public IP, an accept rule chain input, src address list the one with my IP, action accept (everything that comes from my public IP), then rules like defconf firewall, plus ICMP accept input and TCP 2000 accept for bandwidth tests.
In this particular case I have a dst-nat with dst-port 8292 and to-ports 8291 (for example to-addresses 192.168.88.2) and no other ports forwarded. In-interface-list=WAN log=yes protocol=udp src-address-list=Solar_Panel \ You should do that all on the NAT rule.Īdd action=dst-nat chain=dstnat comment=Solar_UDP dst-port=zz \ I just wanted to comment on you seemed to indicate that you made an accept rule for your address list? Perhaps with a server of some sort that is isolated from ones LAN, that may be sufficient and assuming that the server has credentials login, BUT to the router NO EFFING WAY. However, for router access, I wouldnt count on source list protection as being a good security practice. Yes, but I don't know if it's the same vulnerability that has been spotted in April, I already found alexey attacks that blocks that vulnerability with firewall, but this isn't the case. I don't need VPN access for this, I'm the ISP of the customer.Ĥ. Winbox isn't open to the Internet, I have a firewall that accepts only connections from my address list.ģ. Was the router hacked previously and not reconfigured via netinstall?ġ.
Why would you leave WInbox open to the internet?ĭid you at least use Port Knocking techniques? It could be just as accurate to state, IM AN INSECURE ADMIN HELP. I agree, until you know more that title is speculation and unnecessary.
0 kommentar(er)
