They were infecting web content streams with Bitcoin mining code that then ran on systems that had gone through the hacked routers for content.

On 8/5/18 5:06 PM, CBB - Jay Fuller wrote:

Again....anyone know what the hackers are doing?

Sent from my smartphone

----- Reply message -----
From: "Josh Baird" <joshba...@gmail.com>
To: "AnimalFarm Microwave Users Group" <af@af.afmug.com>
Subject: [AFMUG] mikrotik hacked.....again
Date: Sun, Aug 5, 2018 6:12 PM

This.  It really should be a no-brainer to protect your devices by only allowing management from specific management networks.  If you don’t, you are asking for trouble.

On Aug 5, 2018, at 1:06 PM, Jesse DuPont <jesse.dup...@celeritycorp.net> wrote:

Exactly what Lewis said. We take an "allow specific things, block everything else" approach. We only allow a small list of IP addresses to access Winbox or SSH on a router. And aside from a small list of other services the router needs to respond on (rate-limited ICMP, established/related, DHCP on some interfaces, OSPF or LDP on some interfaces, BGP from IP ranges of internal routers), everything else in the INPUT chain is explicitly dropped.

On 8/5/18 1:32 PM, Lewis Bergman wrote:
It can be inconvenient, but we only allow connections from our IP at work. If you want in, you have to VPN there first.

On Sun, Aug 5, 2018, 1:12 PM CBB - Jay Fuller <par...@cyberbroadband.net> wrote:

    Looking through all of our routers, most running the latest
    firmware, most running non-standard winbox ports, I still see the
    following today:
    * accept rule in firewall (for port 10438 I think, same port
      enabled on ip -> socks)
    * account added called "service"
    * socks config changed; enabled
    * log entries changed to only show one line
    Anyone else seeing this?  What are they doing?
    --
    AF mailing list
    AF@af.afmug.com
    http://af.afmug.com/mailman/listinfo/af_af.afmug.com
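
A defensive audit of a RouterOS configuration export for the changes reported in this thread (input accept rule, "service" account, SOCKS enabled) and for the management allow-list approach described in the replies. This is an added example, not code from any poster on the list; the export text is constructed, `parse_export` and `audit` are hypothetical helper names, and the open-port check is a heuristic that also flags intentionally open services for review.

```python
import re
import shlex
# Constructed RouterOS /export sample (not from the thread) with the reported changes.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=10438 protocol=tcp
add action=accept chain=input dst-port=8291,22 protocol=tcp \\
    src-address-list=mgmt
add action=drop chain=input
/ip service
set winbox address=192.0.2.0/24
set ssh port=2222
/ip socks
set enabled=yes port=10438
/user
add group=full name=service
"""

def parse_export(text):
    """Yield (menu, params) per command; a bare word is stored under 'item'."""
    menu = ""
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):                      # menu header, e.g. "/ip socks"
            menu = line
        elif line and not line.startswith("#"):
            params = {}
            for word in shlex.split(line)[1:]:        # word [0] is add/set
                key, sep, value = word.partition("=")
                params[key if sep else "item"] = value if sep else key
            yield menu, params

def audit(text):
    findings, unrestricted, last_input = [], {"winbox", "ssh"}, None
    for menu, p in parse_export(text):
        if menu == "/user" and p.get("name") == "service":
            findings.append("user 'service' exists")
        elif menu == "/ip socks" and p.get("enabled") == "yes":
            findings.append(f"socks enabled on port {p.get('port', '1080')}")
        elif menu == "/ip service" and (p.get("address") or p.get("disabled") == "yes"):
            unrestricted.discard(p.get("item"))       # service is limited or off
        elif menu == "/ip firewall filter" and p.get("chain") == "input":
            last_input = p.get("action", "accept")
            open_src = not (p.get("src-address") or p.get("src-address-list"))
            if last_input == "accept" and "dst-port" in p and open_src:
                findings.append(f"input accepts port {p['dst-port']} from any source")
    findings += [f"{s} not limited to management addresses" for s in sorted(unrestricted)]
    if last_input != "drop":                          # no explicit drop-everything-else
        findings.append("input chain does not end in drop")
    return findings
```

Services that never appear in the export are treated as unrestricted, since an export omits settings left at their defaults; in the sample, SSH on a non-standard port is still flagged because it has no address restriction.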



