Got it. I think part of the issue here is that since I was using it at home I left the Mikrotik default config installed - normally I wipe this and start from scratch.
On Tuesday, September 6, 2016, Ken Hohhof <af...@kwisp.com> wrote:

> Unfortunately, “remote” doesn’t mean what you probably think. More like remote and local, anything except the Mikrotik itself. So if any clients are using this as their resolver (DNS proxy), it needs to be enabled, with firewall rules. If you aren’t using the Mikrotik as a DNS proxy, you can disable remote requests.
>
> *From:* Jason McKemie
> *Sent:* Tuesday, September 06, 2016 12:20 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] Mikrotik Possibly Compromised
>
> Well, disabling remote requests worked well enough at the moment. I'll have to work on the firewall setup though.
>
> Thanks all, I'm still not working correctly from the 3 day weekend obviously.
>
> On Tue, Sep 6, 2016 at 12:18 PM, Mike Hammett <af...@ics-il.net> wrote:
>
>> If you leave it long enough, Comcast will shut off your account.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions <http://www.ics-il.com/>
>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>> The Brothers WISP <http://www.thebrotherswisp.com/>
>> ------------------------------
>> *From: *"Jason McKemie" <j.mcke...@veloxinetbroadband.com>
>> *To: *af@afmug.com
>> *Sent: *Tuesday, September 6, 2016 12:17:23 PM
>> *Subject: *Re: [AFMUG] Mikrotik Possibly Compromised
>>
>> Yeah, admittedly I haven't done much other than mess around with some blacklists on this one.
>>
>> On Tue, Sep 6, 2016 at 12:16 PM, Mike Hammett <af...@ics-il.net> wrote:
>>
>>> Instill some basic network security. I block input to potentially harmful ports, but a better way is to only allow input on ports you want.
>>>
>>> -----
>>> Mike Hammett
>>> ------------------------------
>>> *From: *"Jason McKemie" <j.mcke...@veloxinetbroadband.com>
>>> *To: *af@afmug.com
>>> *Sent: *Tuesday, September 6, 2016 12:14:31 PM
>>> *Subject: *Re: [AFMUG] Mikrotik Possibly Compromised
>>>
>>> Well, disabling remote requests dropped it off steeply. I'll have to look into that. Is that enabled by default?
>>>
>>> On Tue, Sep 6, 2016 at 12:13 PM, Bruce Robertson <br...@pooh.com> wrote:
>>>
>>>> Good point.
>>>>
>>>> On 09/06/2016 10:11 AM, Jason McKemie wrote:
>>>>
>>>>> I'd think that I would see some internal network activity if this were the case though. Also, the source IPs appear to be from all over the world.
>>>>>
>>>>> On Tue, Sep 6, 2016 at 12:09 PM, Bruce Robertson <br...@pooh.com> wrote:
>>>>>
>>>>>> In my experience, that's usually your mobile devices nattering with the mother ship, like doing backups and uploading recent pictures. iPhones are especially bad about this.
>>>>>>
>>>>>> On 09/06/2016 09:57 AM, Jason McKemie wrote:
>>>>>>
>>>>>>> So I've noticed some strange behavior on my home connection (Comcast). The Mikrotik that I am using shows a constant Tx on the WAN port of around 3-5Mbps and between 200-300pps, Rx is just a few kbps. This activity appears to be strictly on the WAN port. If I disable a firewall rule that accepts input, the activity ceases - but devices behind the router lose connectivity.
>>>>>>>
>>>>>>> Any ideas? I've got all IP services disabled except winbox, which is restricted to my local network.
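The defender-side fix Ken and Mike describe, as an added example that is not from the thread: a RouterOS fragment that either turns the DNS proxy off, or keeps it for LAN clients behind a default-deny input chain that only opens the ports you want. It assumes ether1 is the WAN port and 192.168.88.0/24 the LAN subnet, as in the Mikrotik default config.

```routeros
# Added example (not from the thread). Assumes ether1 is the WAN port and
# 192.168.88.0/24 is the LAN, as in the Mikrotik default config.

# Weak: the DNS proxy answers anyone who can reach the router, and without
# an input filter "anyone" includes the whole Internet (open resolver).
/ip dns set allow-remote-requests=yes

# Option 1: no LAN client uses the router as its resolver, so turn it off.
/ip dns set allow-remote-requests=no

# Option 2: keep the proxy for LAN clients, but default-deny the input chain
# and accept only what the router itself must answer.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="return traffic for sessions the router opened"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="never answer DNS on the WAN side"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
add chain=input src-address=192.168.88.0/24 protocol=udp dst-port=53 \
    action=accept comment="LAN clients may use the DNS proxy"
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=53 \
    action=accept
add chain=input src-address=192.168.88.0/24 protocol=tcp dst-port=8291 \
    action=accept comment="winbox from the LAN only"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="everything else, any interface"

# Checks: the WAN DNS drop rules should start counting hits immediately,
# and the constant Tx on ether1 should fall back to a few kbps.
/ip firewall filter print stats
/interface monitor-traffic ether1
```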