<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I am naturally suspicious of anything with "win" in its name, such
    as "winbox".<br>
    <br>
        Tony  W7EFS<br>
    <br>
    <div class="moz-cite-prefix">On 03/28/2018 10:18 AM, JOSEPH WOMACK
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CY4PR12MB14451234837A50735E17B35AECA30@CY4PR12MB1445.namprd12.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext">You may want to check
            out:<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext">The Mikrotik
            RouterOS-Based Botnet<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext"><a
href="https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mikrotik-botnet/"
              moz-do-not-send="true">https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mikrotik-botnet/</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext">Hajime Botnet Makes a
            Comeback With Massive Scan for MikroTik Routers<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext"><a
href="https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/"
              moz-do-not-send="true">https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext">Joe<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-family:'Times New
            Roman',serif;color:windowtext"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
                style="color:windowtext"> PSDR
                <a class="moz-txt-link-rfc2396E" href="mailto:psdr-bounces@hamwan.org">&lt;psdr-bounces@hamwan.org&gt;</a>
                <b>On Behalf Of </b>Bart Kus<br>
                <b>Sent:</b> Saturday, March 24, 2018 6:19 PM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:psdr@hamwan.org">psdr@hamwan.org</a><br>
                <b>Subject:</b> Re: [HamWAN PSDR] OPP outage and
                vulnerability warning<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">Seattle-ER1
          has been rolled back to a snapshot and is serving OPP again. 
          If your tunnel is still down, please complain.<br>
          <br>
          --Bart<br>
          <br>
          <o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 3/24/2018 5:28 PM, Tom Hayward wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <p class="MsoNormal">This morning I discovered a bunch of
              failed login attempts to HamWAN routers coming from other
              HamWAN routers. When checking the list of logged in users,
              there weren't any. Apparently something was able to
              remotely execute code on HamWAN routers without logging
              in. I think it may be related to this: <a
                href="https://forum.mikrotik.com/viewtopic.php?t=119255"
                moz-do-not-send="true">https://forum.mikrotik.com/viewtopic.php?t=119255</a>.
              Nigel and I worked to identify the traffic and patch the
              hole. We were able to stop it through a combination of
              firewall rules, disabling services, and upgrading
              software.
              <o:p></o:p></p>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">One casualty is that upgrading the
                software on Seattle-ER1 broke the OPP IPsec
                configuration. We haven't figured out how to fix this,
                so OPP is down for now.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">To protect your equipment from this
                exploit, you can disable unnecessary services like this:<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <div>
                <p class="MsoNormal"><span
                    style="font-family:'Courier New'">/ip
                    service disable telnet,ftp,www,api,winbox,api-ssl</span><o:p></o:p></p>
              </div>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">Make sure to do this from SSH so that
                you know it's working before disabling Winbox!<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">This is a reminder of the importance
                of strict firewall rules. Nigel is a wise man.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">Tom<o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"><br>
            <br>
            <br>
            <o:p></o:p></p>
          <pre>_______________________________________________<o:p></o:p></pre>
          <pre>PSDR mailing list<o:p></o:p></pre>
          <pre><a href="mailto:PSDR@hamwan.org" moz-do-not-send="true">PSDR@hamwan.org</a><o:p></o:p></pre>
          <pre><a href="http://mail.hamwan.net/mailman/listinfo/psdr" moz-do-not-send="true">http://mail.hamwan.net/mailman/listinfo/psdr</a><o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
    </blockquote>
    <br>
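    <p>Added example, not part of the original thread or HamWAN's tooling: a way to spot the symptom Tom describes, failed logins arriving from addresses inside the network's own router space, across logs gathered from several routers. The log line format, the <code>10.44.0.0/16</code> prefix, the router names and the sample lines are all constructed assumptions.</p>

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: RouterOS-style lines such as
# "<date> <time> system,error,critical login failure for user X from IP via SERVICE"
FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) via (?P<svc>\S+)"
)

# Constructed placeholder prefix standing in for the network's own router addresses.
INFRA_PREFIXES = [ipaddress.ip_network("10.44.0.0/16")]

# Constructed sample: log lines keyed by the router that recorded them.
SAMPLE_LOGS = {
    "router-a": [
        "mar/24 06:01:11 system,error,critical login failure for user admin from 10.44.0.7 via ssh",
        "mar/24 06:01:13 system,error,critical login failure for user root from 10.44.0.7 via telnet",
        "mar/24 06:05:40 system,info,account user tom logged in from 10.44.9.20 via ssh",
    ],
    "router-b": [
        "mar/24 06:02:02 system,error,critical login failure for user admin from 10.44.0.7 via ssh",
        "mar/24 06:03:30 system,error,critical login failure for user admin from 203.0.113.50 via ssh",
    ],
}

def is_infrastructure(addr):
    """True if addr falls inside one of our own infrastructure prefixes."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INFRA_PREFIXES)

def internal_failure_sources(logs_by_router, min_targets=2):
    """Map each internal source IP to the routers it failed to log in to,
    keeping only sources seen on at least min_targets distinct routers."""
    targets = defaultdict(set)
    for router, lines in logs_by_router.items():
        for line in lines:
            m = FAILURE_RE.search(line)
            if not m:
                continue  # successful logins and unrelated lines are ignored
            try:
                internal = is_infrastructure(m.group("src"))
            except ValueError:
                continue  # skip lines whose source address does not parse
            if internal:
                targets[m.group("src")].add(router)
    return {src: sorted(r) for src, r in targets.items() if len(r) >= min_targets}

if __name__ == "__main__":
    for src, routers in internal_failure_sources(SAMPLE_LOGS).items():
        print(f"{src}: failed logins on {', '.join(routers)}")
```

    <p>A source flagged here is one of your own devices trying credentials against its peers, which is the cue to inspect that device even when its list of logged-in users is empty.</p>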
  </body>
</html>