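#!/bin/bash
#
# Detect and clean up the RouterOS configuration changes left behind by the
# Winbox-vulnerability campaign described in
# https://forum.mikrotik.com/viewtopic.php?f=21&t=137572
#
# Usage:   script.sh <router-ip> [password]
#          The password defaults to DEFAULT_PASS ("admin", set at the bottom
#          of the file).
# Needs:   sshpass, ssh, ping, tr, grep in PATH.
# Globals: USERNAME, SSH_PORT, DEFAULT_PASS (defined at the bottom),
#          ip (target router), identity (router name, set by check_password).
#
# NOTE(review): this script only removes indicators of the known campaign. It
# does not close the vulnerability (upgrade RouterOS for that) and it does not
# change the admin password, which a successful exploit may have exposed.

#######################################
# Try to log in to $ip over ssh with the given password and read the router's
# identity name.
# Globals:   USERNAME, SSH_PORT, ip (read)
#            identity (written: router name on success, empty on failure)
# Arguments: $1 - password to try
# Returns:   exit status of sshpass/ssh: 0 on success, 5 when sshpass rejects
#            the password, 255 when ssh could not connect; other sshpass codes
#            (e.g. 6, an unknown host key) pass through unchanged
#######################################
check_password() {
  local pass=$1
  local rc

  # The password goes to sshpass through the environment (-e) instead of the
  # command line so it is not readable in `ps` output for every ssh call.
  # -MS "$ip" is kept from the original: it opens a ControlMaster socket named
  # after the IP in the current directory, which fix_config's -S reuses if it
  # is still present.
  identity=$(SSHPASS="$pass" sshpass -e ssh -o "ConnectTimeout 4" -p "$SSH_PORT" -MS "$ip" "$USERNAME@${ip}" ':put [/system identity get name]' 2>/dev/null)
  rc=$?
  return "$rc"
}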
  10.  
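#######################################
# Run the cleanup checklist against $ip and report whether anything had to be
# changed. Every checklist entry is a RouterOS command of the form
# `:if (<indicator>) do={:put "<symptom>"; <repair>}`, so any output at all
# means an indicator was found and repaired.
# Based on https://forum.mikrotik.com/viewtopic.php?f=21&t=137572
# Globals:   USERNAME, SSH_PORT, ip (read)
# Arguments: $1 - password that check_password accepted
# Outputs:   "- ok" or "- INFECTED" plus the symptoms on stdout; a trailing
#            warning when one of the ssh commands returned a non-zero status
#            (stderr is discarded, so without it a failed command would be
#            indistinguishable from "nothing to fix")
# Returns:   0
#######################################
fix_config (){
  local pass=$1
  local output=""
  local command result rc failed=0

  # NOTE(review): these are indicator-based fixes for one specific campaign.
  # They do not close the vulnerability itself (upgrade RouterOS) and they do
  # not rotate the admin password the exploit may have exposed.
  local -a checklist=(
  # Firewall auto-fix. Blunt: re-enables EVERY disabled drop rule, which is
  # unwanted if some drop rules were deliberately disabled before the infection.
  ':if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Firewall drop rules were disabled"; /ip firewall filter enable [find action=drop]}'
  ':if ([:len [/ip firewall filter find chain=input action=accept dst-port="8291"]] > 0) do={:put "Winbox had default firewall accept rule";/ip firewall filter remove [find chain=input action=accept dst-port="8291"]}'
  # Use this instead if you prefer to review the firewall rules manually
  #':if ([:len [/ip firewall filter find where action=drop disabled]] > 0) do={:put "Disabled firewall drop rules:"; /ip firewall filter print where action=drop disabled}'
  # Winbox: disable the service altogether (the vulnerable entry point)
  ':if ([/ip service get winbox disabled] != true) do={:put "Winbox was enabled"; /ip service disable winbox}'
  # Socks: the campaign enables the SOCKS proxy and grants one source address
  ':if ([/ip socks get port] != 1080) do={:put "Socks Port was not 1080"; /ip socks set port=1080}'
  ':if ([/ip socks get enabled] != false) do={:put "Socks was enabled"; /ip socks set enabled=no}'
  ':if ([:len [/ip socks access find src-address~"95.154.216.128"]] > 0) do={:put "ip socks access had rule for 95.154.216.128"; /ip socks access remove [find src-address~"95.154.216.128"]}'
  # Script and its scheduler entry ("ikrotik.php" matches both [Mm]ikrotik.php)
  ':if ([:len [/system script find source~"ikrotik.php"]] > 0) do={:put "Script containing \"ikrotik.php\" found"; :foreach s in=[/system script find source~"ikrotik.php"] do={/system scheduler remove [find on-event~[/system script get $s name]]}; /system script remove [find source~"ikrotik.php"]}'
  # Dropped file [Mm]ikrotik.php
  ':if ([:len [/file find name="mikrotik.php"]] + [:len [/file find name="Mikrotik.php"]] > 0) do={ :put "File [Mm]ikrotik.php was found"; /file remove [find name="mikrotik.php"]; /file remove [find name="Mikrotik.php"];}'
  # Backdoor user "service"
  ':if ([:len [/user find name="service"]] > 0) do={:put "User \"service\" existed"; /user remove [find name="service"]}'
  # And reboot if needed
  #'/system reboot'
  )

  for command in "${checklist[@]}"; do
    # Password via the environment (-e) so it is not visible in `ps`. -S "$ip"
    # reuses check_password's control socket when it still exists; ssh falls
    # back to a fresh connection otherwise (the warning goes to /dev/null).
    result=$(SSHPASS="$pass" sshpass -e ssh -p "$SSH_PORT" -S "$ip" "$USERNAME@${ip}" "$command" 2>/dev/null)
    rc=$?
    if (( rc != 0 )); then
      failed=$((failed + 1))
    fi
    output+=$'\n'"$result"
  done

  # RouterOS output is CRLF-terminated: fold the \r and drop blank lines.
  # printf instead of `echo -e` so backslashes in router output are not
  # reinterpreted.
  output=$(printf '%s\n' "$output" | tr '\r' ' ' | grep -v '^[[:space:]]*$')

  if [[ "$output" == "" ]]; then
    echo "- ok"
  else
    echo "- INFECTED"
    echo "Fixing config. It won't hurt.. much. Symptoms:"
    printf '%s\n' "$output"
    echo "Don't forget to upgrade."
  fi

  if (( failed > 0 )); then
    echo "- WARNING: $failed of ${#checklist[@]} checks returned a non-zero ssh status; the verdict above may be incomplete"
  fi
}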
  56.  
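# Defaults. The password may also be passed as the second argument; note that
# anything on the command line is visible in `ps` and ends up in shell history.
readonly DEFAULT_PASS="admin"
readonly USERNAME="admin"
readonly SSH_PORT="22"

if [[ $# -lt 1 || -z "$1" ]]; then
  printf 'Usage: %s <router-ip> [password]\n' "${0##*/}" >&2
  exit 2
fi

ip=$1
password=${2:-$DEFAULT_PASS}

check_password "$password"
errcode=$?

printf '%s ' "$ip"
# Router identity as reported over ssh (CRLF folded); "unknown " when the
# login failed and identity is empty.
printf '%s' "${identity:-unknown }" | tr '\r' ' '

case "$errcode" in
  0)
    fix_config "$password"
    ;;
  5)
    # sshpass rejected the password: retry once with the factory default.
    if check_password "$DEFAULT_PASS"; then
      fix_config "$DEFAULT_PASS"
    else
      echo "- invalid password"
    fi
    ;;
  6)
    # sshpass exits 6 when ssh asks to confirm an unknown host key. After a
    # compromise an unexpected key may mean another box is answering, so do
    # not retry blindly -- verify the key and known_hosts by hand first.
    echo "- unknown host key, password not sent; verify the key manually"
    ;;
  255)
    # ssh-level failure. Because stderr is discarded this may also be ssh
    # refusing a CHANGED host key; check known_hosts if the host is up.
    if ping -c 2 -W 2 "$ip" >/dev/null 2>&1; then
      echo "- host is up, cannot connect via ssh"
    else
      echo "- host is down, cannot connect via ssh"
    fi
    ;;
  *)
    # Was "$?" before, which reported the status of the preceding tr pipeline
    # (always 0), not the ssh attempt.
    echo "- unknown error $errcode"
    ;;
esac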