I had absolutely the weirdest experience Wednesday. I drove out to one of my long-time subscribers, one of the few remaining sites still using a legacy CPE from 2009 instead of a MikroTik, in order to upgrade her to a MikroTik unit.
I swapped out the radio and power supply, and as soon as I logged into it, I noticed bizarre activity in the log — her home PC had almost immediately begun issuing rapid-fire FTP login attempts against the MikroTik CPE, using various IDs and passwords (see attached). I figured she must have picked up some sort of latent malware designed to attack MikroTik devices, so I downloaded a fresh copy of Malwarebytes onto her PC and ran it. Malwarebytes found absolutely nothing (itself a wonder, as most units I run this against have at least adware on them).

Has anyone ever encountered such malware? Or does somebody have a better explanation for this behavior that I haven't thought of?

* * *

sep/26 21:42:23 system,info router rebooted
sep/26 21:42:31 wireless,debug wwan-ptp: must select network
sep/26 21:42:31 wireless,debug 6C:3B:6B:AB:A8:5F: on 2412 AP: yes SSID 7883(MT-W) caps 0x431 rates 0xCCK:1-11 OFDM:6-48 BW:1x SGI:1x HT:0-6,8-14 basic 0xCCK:1 OFDM:6 MT: yes
… 26 21:42:31 wireless,info 6C:3B:6B:AB:A8:5F@wwan-ptp established connection on 2412000, SSID 7883(MT-W)
sep/27 12:32:59 system,info sntp change time Sep/26/2017 21:42:32 => Sep/27/2017 12:32:59
sep/27 12:33:12 system,info sntp change time Sep/27/2017 12:33:13 => Sep/27/2017 12:33:12
sep/27 12:33:17 interface,info ether link up (speed 100M, full duplex)
sep/27 12:33:35 interface,info ether link down
sep/27 12:33:37 interface,info ether link up (speed 100M, full duplex)
sep/27 12:34:02 dhcp,info subscriber assigned 192.168.10.130 to 50:7A:55:F0:7F:5C
sep/27 12:34:12 dhcp,info subscriber assigned 192.168.10.100 to 64:00:6A:45:96:D2
sep/27 12:34:41 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:42 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:43 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:44 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:45 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
sep/27 12:34:46 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
sep/27 12:34:47 system,error,critical login failure for user administrator from 192.168.10.100 via ftp
sep/27 12:34:48 dhcp,info subscriber assigned 192.168.10.101 to AC:BC:32:CF:7F:A7
sep/27 12:34:48 system,error,critical login failure for user administrator from 192.168.10.100 via ftp
sep/27 12:34:49 system,error,critical login failure for user root from 192.168.10.100 via ftp
sep/27 12:34:50 system,error,critical login failure for user root from 192.168.10.100 via ftp
sep/27 12:34:51 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:51 dhcp,info subscriber assigned 192.168.10.125 to AC:BC:32:CF:7F:A7
sep/27 12:34:52 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:53 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
sep/27 12:34:54 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
sep/27 12:34:55 system,error,critical login failure for user User from 192.168.10.100 via ftp
sep/27 12:34:56 system,error,critical login failure for user User from 192.168.10.100 via ftp
sep/27 12:34:57 system,error,critical login failure for user Username from 192.168.10.100 via ftp
sep/27 12:34:58 system,error,critical login failure for user adm from 192.168.10.100 via ftp
sep/27 12:34:59 system,error,critical login failure for user admim from 192.168.10.100 via ftp
sep/27 12:35:00 system,error,critical login failure for user admin2 from 192.168.10.100 via ftp
sep/27 12:35:01 system,error,critical login failure for user admin2 from 192.168.10.100 via ftp
sep/27 12:35:02 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:03 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:04 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:05 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:06 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:07 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:08 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:09 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via winbox
sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via telnet
sep/27 12:35:10 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:11 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:12 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:13 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:14 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:15 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:16 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:17 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:18 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:19 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:20 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:21 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:22 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:23 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:24 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:25 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:26 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:35:27 system,error,critical login failure for user TMARDLKT93319 from 192.168.10.100 via ftp
sep/27 12:35:28 system,error,critical login failure for user ZXDSL from 192.168.10.100 via ftp
sep/27 12:35:29 system,error,critical login failure for user DXDSL from 192.168.10.100 via ftp
sep/27 12:35:30 system,error,critical login failure for user ADSL from 192.168.10.100 via ftp
sep/27 12:35:31 system,error,critical login failure for user comcast from 192.168.10.100 via ftp
sep/27 12:35:32 system,error,critical login failure for user cusadmin from 192.168.10.100 via ftp
sep/27 12:35:33 system,error,critical login failure for user customer from 192.168.10.100 via ftp
sep/27 12:35:35 system,error,critical login failure for user default from 192.168.10.100 via ftp
sep/27 12:35:36 system,error,critical login failure for user login from 192.168.10.100 via ftp
sep/27 12:35:37 system,error,critical login failure for user login from 192.168.10.100 via ftp
sep/27 12:35:38 system,error,critical login failure for user login from 192.168.10.100 via ftp
sep/27 12:35:39 system,error,critical login failure for user manager from 192.168.10.100 via ftp
sep/27 12:35:40 system,error,critical login failure for user operator from 192.168.10.100 via ftp
sep/27 12:35:41 system,error,critical login failure for user root from 192.168.10.100 via ftp

--
Grand Avenue Broadband -- Wireless Internet Service
Circle City to Wickenburg and surrounding areas
http://grandavebb.com
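
A defender-side check for the pattern in the log above, added here as an example and not part of the original post: it parses RouterOS-style "login failure" lines and flags any source that fails many logins across several usernames within a short window. The function names, thresholds and default year are assumptions, and the sample lines are constructed in the format the post shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: lines modelled on the log format quoted in the post;
# the final winbox failure is invented to show a single miss is not flagged.
SAMPLE_LOG = """\
sep/27 12:34:12 dhcp,info subscriber assigned 192.168.10.100 to 64:00:6A:45:96:D2
sep/27 12:34:41 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:42 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:43 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:45 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
sep/27 12:34:49 system,error,critical login failure for user root from 192.168.10.100 via ftp
sep/27 12:34:55 system,error,critical login failure for user User from 192.168.10.100 via ftp
sep/27 12:40:00 system,error,critical login failure for user admin from 192.168.10.125 via winbox
"""
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
FAIL_RE = re.compile(
    r"^(\w{3})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) system,error,critical "
    r"login failure for user (\S+) from (\S+) via (\S+)$")

def parse_failures(text, year=2017):
    """Yield (time, source, service, user) for each login-failure line."""
    # The log lines carry no year, so `year` is an assumption from the caller.
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            mon, day, hh, mm, ss, user, src, svc = m.groups()
            month = MONTHS.index(mon.lower()) + 1
            yield datetime(year, month, int(day), int(hh), int(mm), int(ss)), src, svc, user

def find_guessing_sources(text, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Map (source, service) -> (failures, usernames) for the largest burst in
    which one source fails min_failures logins across min_users usernames."""
    events = defaultdict(list)
    for when, src, svc, user in parse_failures(text):
        events[(src, svc)].append((when, user))
    flagged = {}
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1                      # slide the window forward
            burst = seen[start:end + 1]
            users = sorted({u for _, u in burst})
            if (len(burst) >= min_failures and len(users) >= min_users
                    and len(burst) > flagged.get(key, (0, []))[0]):
                flagged[key] = (len(burst), users)
    return flagged
```

Run over an exported log, `find_guessing_sources(text)` returns only the hosts whose failures look like a username list being walked, so a single mistyped Winbox password stays out of the result.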