Yes, seen this, and yes, it's an exploit in MikroTik... not sure exactly what,
but it's malicious as in slowing down the router, making it a hop for
something bad.
We just turn off all unused services and lock down any access from
outside, restricting only to our internal office network, so even our
local techs have to VPN to the office to access anything on our network.
Port 80 is where this is coming from.
Should have done this in the beginning, but stuff happens. Lessons learned.
On 8/13/2018 6:00 PM, TJ Trout wrote:
Anyone know of a MikroTik exploit, or what this traffic capture might
mean?
I have my router locked down and all common abuse ports/services
filtered, both on the router and on pass-through to customers....
---------- Forwarded message ---------
From: *BitNinja* <[email protected]>
Date: Tue, Aug 14, 2018, 10:58 AM
Subject: Your server 162.222.29.1 has been registered as an attack source
To: <[email protected]>
Dear Provider,
I’m George Egri, the Co-Founder and CEO of BitNinja Server Security.
I’m writing to inform you that we have detected malicious requests
from the IP 162.222.29.1 directed at our clients’ servers.
As a result of these attacks, we have added your IP to our greylist to
prevent it from attacking our clients’ servers.
Servers are increasingly exposed as the targets of botnet attacks and
you might not be aware that your server is being used as a “bot” to
send malicious attacks over the Internet.
I've collected the 3 earliest logs below, and you can find the
freshest 100, which may help you disinfect your server, under the link.
The timezone is UTC +2:00.
http://bitninja.io/incidentReport.php?details=7281f016fb83701789
{
"PORT HIT": "162.222.29.1:32862->94.46.59.143:8080",
"MESSAGES": "Array
(
[11:34:08] => GET / HTTP/1.1
Host: 94.46.59.143:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Length: 0
)
"
}
{
"PORT HIT": "162.222.29.1:57131->37.187.190.61:8080",
"MESSAGES": "Array
(
[19:06:48] => GET / HTTP/1.1
Host: 37.187.190.61:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Length: 0
)
"
}
{
"PORT HIT": "162.222.29.1:56717->104.128.74.105:8080",
"MESSAGES": "Array
(
[16:26:25] => GET / HTTP/1.1
Host: 104.128.74.105:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Length: 0
)
"
}
Please keep in mind that after the first intrusion we log all traffic
between your server and the BitNinja-protected servers until the IP is
removed from the greylist. This means you may see valid logs beside
the malicious actions in the link above. If you need help finding the
malicious logs, please don’t hesitate to contact our incident experts
by replying to this e-mail.
For more information on analyzing and understanding outbound traffic,
check out this:
https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?
We’ve also dedicated an entire site to help people prevent their server
from sending malicious attacks:
https://doc.bitninja.io/investigations.html
Our incident experts are also happy to help you and can provide
detailed logs if needed. Please, feel free to connect me with the
administrator or technical team responsible for managing your server.
Thank you for helping us make the Internet a safer place!
Regards,
*George Egri*
CEO at BitNinja.io
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
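The lockdown the top reply describes (turn off unused services, allow management only from the office network, drop everything else from outside) written out as RouterOS terminal commands. This is an added example, not commands posted by anyone in the thread, and the thread does not identify the exploit, so this is general hardening rather than a fix for a named bug. It assumes ether1 is the WAN interface, 192.168.88.0/24 is the office LAN, and that socks, web proxy, UPnP and the bandwidth-test server are unused on this router; change those to match your own setup before pasting.

```routeros
# Added example for the lockdown described in the reply above (assumptions:
# WAN is ether1, office LAN is 192.168.88.0/24). Run from the RouterOS
# terminal. Review each block before applying it on a production router.

# 1. Disable management services that are not used. The reply ties the
#    unwanted traffic to port 80, so plain-HTTP "www" goes first; ftp,
#    telnet, api, api-ssl and www-ssl are rarely needed on an edge router.
#    Winbox remains the management path after this.
/ip service disable www,ftp,telnet,api,api-ssl,www-ssl

# 2. The services that stay on answer only from the office network.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 3. Other listeners assumed unused here; each one is a port that would
#    otherwise be reachable from the Internet.
/ip socks set enabled=no
/ip proxy set enabled=no
/ip upnp set enabled=no
/tool bandwidth-server set enabled=no

# 4. Input chain: traffic to the router itself. Rules are matched top to
#    bottom, so replies and office traffic are accepted before the WAN drop.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 \
    comment="office LAN (assumption)"

/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="replies to the router's own connections"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input src-address-list=mgmt action=accept \
    comment="management only from the office network"
/ip firewall filter add chain=input in-interface=ether1 action=drop \
    comment="everything else arriving from the WAN for the router itself"

# 5. Verify: only ssh and winbox should be enabled, both restricted to the
#    office range, and the WAN drop should be the last input rule.
/ip service print
/ip firewall filter print where chain=input
```

Order matters in step 4: the accept for the office address list must sit above the WAN drop, and the established/related accept must stay first or the router's own outbound sessions (updates, DNS, the VPN the techs use) lose their replies. Apply it from a console or LAN-side session rather than over the WAN, since the last rule cuts off WAN management the moment it is added.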