Abuse email address for that IP: glengineer...@wilsonnc.org
On 07/17/2018 02:51 PM, Nate Burke wrote:
FWIW, 216.152.5.42 has been hammering my network scanning for the winbox port for over 24 hours. OK, hammering as in 10 packets per second.
On 7/17/2018 1:24 PM, Philip Rankin wrote:
I had same thing. Same IP addr
On Mon, Jul 16, 2018 at 10:01 PM Nate Burke <n...@blastcomm.com> wrote:
I just happened to be looking through the logs of a couple Mikrotiks that I didn't have Winbox firewalled off from the outside world. Someone from the outside world logged into winbox today. I had what I 'thought' were strong passwords on them. The only active service on the router is the Winbox service.

The only changes that were made were that they enabled the 'socks' server and added an input firewall rule for the socks port. They were in and out of the router in a matter of seconds, so it looks like it was scripted somehow.

I'm going through now and changing passwords and verifying all routers are locked from the outside. On the routers that I've found this on, all the logins were sourced from this same IP address. So far the affected routers I've found were running versions 6.39-6.41.3.

Might be a good time to check your logs and access controls.

jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
--
Phil
Philip J. Rankin, CEO
Wireless Telecommunications, Corp.
A division of;
Mobilcom Wireless Services
PO Box 24
Pittsburg, KS 66762
620-231-8188
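
Added example, not part of the original thread: one way to run the log check suggested above, flagging any login that is followed within seconds by a socks or filter-rule change. The function name, the 10-second window and the last two sample lines (user "noc", 192.0.2.10) are assumptions made up for this sketch; the other sample lines are the ones posted in the thread.

```python
import re
from datetime import datetime, timedelta

# First six lines are from the thread; the last two are a constructed benign session.
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet
jul/16 09:00:00 system,info,account user noc logged in from 192.0.2.10 via winbox
jul/16 09:20:00 system,info filter rule added by noc
"""

LINE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
LOGIN = re.compile(r"^user (\S+) logged in from (\S+) via (\S+)$")
CHANGE = re.compile(r"^(socks config changed|filter rule added) by (\S+)$")

def find_scripted_changes(log_text, window_seconds=10):
    """Return logins followed within window_seconds by a socks/filter change."""
    window = timedelta(seconds=window_seconds)
    last_login = {}  # user -> (login time, source address, set of services)
    findings = {}    # (user, source address) -> finding
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        # These log lines carry no year; a fixed leap year keeps feb/29 parseable.
        when = datetime.strptime("2000 " + m.group(1).capitalize(), "%Y %b/%d %H:%M:%S")
        msg = m.group(3)
        if (login := LOGIN.match(msg)):
            user, addr, svc = login.groups()
            prev = last_login.get(user)
            if prev and prev[1] == addr and when - prev[0] <= window:
                prev[2].add(svc)  # same burst, e.g. winbox then telnet
            else:
                last_login[user] = (when, addr, {svc})
        elif (change := CHANGE.match(msg)):
            action, user = change.groups()
            prev = last_login.get(user)
            if prev and when - prev[0] <= window:
                f = findings.setdefault((user, prev[1]), {
                    "user": user, "source": prev[1], "services": prev[2], "changes": []})
                f["changes"].append(action)
    return list(findings.values())

if __name__ == "__main__":
    for f in find_scripted_changes(SAMPLE_LOG):
        print(f["user"], f["source"], sorted(f["services"]), f["changes"])
```

The check ignores year rollover and matches only the two change messages seen in the thread's log.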