I have the tiks on the latest current with everything locked down and the forward chain has all commonly abused services filtered as well. Can someone give me an idea what I need to do here?
On Tue, Aug 14, 2018, 12:57 PM Mike Hammett <af...@ics-il.net> wrote:
> Unimus should tell you what's changed in the router's config.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"TJ Trout" <t...@voltbb.com>
> *To: *af@af.afmug.com
> *Sent: *Monday, August 13, 2018 6:00:21 PM
> *Subject: *[AFMUG] Fwd: Your server 162.222.29.1 has been registered as an attack source
>
> Anyone know of a mikrotik exploit or what this traffic capture might mean?
>
> I have my router locked down and all common abuse ports/services filtered in both router and pass thru to customers....
>
> ---------- Forwarded message ---------
> From: BitNinja <incident-rep...@bitninja.io>
> Date: Tue, Aug 14, 2018, 10:58 AM
> Subject: Your server 162.222.29.1 has been registered as an attack source
> To: <exp...@gmail.com>
>
> Dear Provider,
>
> I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing to inform you that we have detected malicious requests from the IP 162.222.29.1 directed at our clients’ servers.
>
> As a result of these attacks, we have added your IP to our greylist to prevent it from attacking our clients’ servers.
>
> Servers are increasingly exposed as the targets of botnet attacks and you might not be aware that your server is being used as a “bot” to send malicious attacks over the Internet.
>
> I've collected the 3 earliest logs below, and you can find the freshest 100, that may help you disinfect your server, under the link. The timezone is UTC +2:00.
> http://bitninja.io/incidentReport.php?details=7281f016fb83701789
>
> {
> "PORT HIT": "162.222.29.1:32862->94.46.59.143:8080",
> "MESSAGES": "Array
> (
> [11:34:08] => GET / HTTP/1.1
> Host: 94.46.59.143:8080
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
> Content-Length: 0
> )
> "
> }
>
> {
> "PORT HIT": "162.222.29.1:57131->37.187.190.61:8080",
> "MESSAGES": "Array
> (
> [19:06:48] => GET / HTTP/1.1
> Host: 37.187.190.61:8080
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
> Content-Length: 0
> )
> "
> }
>
> {
> "PORT HIT": "162.222.29.1:56717->104.128.74.105:8080",
> "MESSAGES": "Array
> (
> [16:26:25] => GET / HTTP/1.1
> Host: 104.128.74.105:8080
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
> Content-Length: 0
> )
> "
> }
>
> Please keep in mind that after the first intrusion we log all traffic between your server and the BitNinja-protected servers until the IP is removed from the greylist. This means you may see valid logs beside the malicious actions in the link above. If you need help finding the malicious logs, please don’t hesitate to contact our incident experts by replying to this e-mail.
>
> For more information on analyzing and understanding outbound traffic, check out this:
> https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg
>
> We’ve also dedicated an entire site to help people prevent their server from sending malicious attacks:
> https://doc.bitninja.io/investigations.html
>
> Our incident experts are also happy to help you and can provide detailed logs if needed. Please, feel free to connect me with the administrator or technical team responsible for managing your server.
>
> Thank you for helping us make the Internet a safer place!
>
> Regards,
>
> *George Egri*
> CEO at BitNinja.io
>
> BitNinja.io @ BusinessInsider UK
> <http://uk.businessinsider.com/cylons-grace-cassy-says-companies-fighting-asymmetric-warfare-against-hackers-2015-12>
> BitNinja.io hits the WHIR.com
> <http://www.thewhir.com/web-hosting-news/canadian-web-hosting-partners-with-bitninja-for-security>
> BitNinja @ CodeMash conference <https://www.youtube.com/watch?v=fomS_3Q7520>
>
> Partnered by:
>
> --
> AF mailing list
> AF@af.afmug.com
> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
-- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
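The three records in the forwarded BitNinja report are the only hard evidence in this thread, so here, as an added example that is not part of the list discussion, is a small Python parser that pulls the source/destination tuple, timestamp, request line and User-Agent out of each record and summarises them for correlation with the router's own firewall and connection-tracking logs. The report's "MESSAGES" value spans several lines, so the records are not valid JSON and are matched with regular expressions instead. The sample input is constructed from the three quoted records, with the line-wrapped User-Agent header rejoined; the function names are my own. One detail the summary makes visible: the source is the router's own address with varying high source ports, i.e. a client socket on the router itself, and RouterOS forward-chain rules only see transit traffic, while packets originating from the router traverse the output chain.

```python
import re
from collections import Counter

# Constructed sample input: the three records quoted in the BitNinja report,
# reassembled into the multi-line layout the report uses. The "MESSAGES" value
# spans several lines, so the records are not valid JSON and json.loads() fails.
SAMPLE_REPORT = """\
{
"PORT HIT": "162.222.29.1:32862->94.46.59.143:8080",
"MESSAGES": "Array
(
[11:34:08] => GET / HTTP/1.1
Host: 94.46.59.143:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Length: 0
)
"
}
{
"PORT HIT": "162.222.29.1:57131->37.187.190.61:8080",
"MESSAGES": "Array
(
[19:06:48] => GET / HTTP/1.1
Host: 37.187.190.61:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Length: 0
)
"
}
{
"PORT HIT": "162.222.29.1:56717->104.128.74.105:8080",
"MESSAGES": "Array
(
[16:26:25] => GET / HTTP/1.1
Host: 104.128.74.105:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Length: 0
)
"
}
"""

# "src:sport->dst:dport" inside the PORT HIT field
PORT_HIT_RE = re.compile(
    r'"PORT HIT":\s*"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)'
    r'->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"'
)
# "[HH:MM:SS] => METHOD PATH PROTO" (times are in the report's zone, UTC+2)
REQUEST_RE = re.compile(r"\[(?P<time>\d\d:\d\d:\d\d)\] => (?P<request>[^\n]+)")
USER_AGENT_RE = re.compile(r"^User-Agent: (?P<ua>.+)$", re.MULTILINE)


def parse_report(text):
    """Split the report into records at each PORT HIT field and extract the
    connection tuple, timestamp, request line and User-Agent of each."""
    hits = list(PORT_HIT_RE.finditer(text))
    records = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        chunk = text[m.start():end]
        req = REQUEST_RE.search(chunk)
        ua = USER_AGENT_RE.search(chunk)
        records.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "time": req["time"] if req else None,
            "request": req["request"].strip() if req else None,
            "user_agent": ua["ua"].strip() if ua else None,
        })
    return records


def summarize(records):
    """Aggregate what the router operator needs for correlation: which local
    address was seen as the source, which destination hosts and ports were
    hit, and how many distinct User-Agent strings were used."""
    return {
        "sources": sorted({r["src"] for r in records}),
        "destinations": sorted({r["dst"] for r in records}),
        "dst_ports": dict(Counter(r["dport"] for r in records)),
        "user_agents": dict(Counter(r["user_agent"] for r in records)),
        # high, varying source ports point at a client-side socket, not a service
        "all_ephemeral_source_ports": all(r["sport"] >= 1024 for r in records),
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(f'{r["time"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["request"]}')
    print(summarize(recs))
```

Feed it the full "freshest 100" export from the report link and the destination and User-Agent counters show at a glance whether every hit is the same bare GET / to port 8080; the timestamps (UTC+2 per the report) are then the values to search for in the router's logs and connection table.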