See if some proxy services are turned on (socks?).
Try Torch to see if you can see the traffic in your router.
See if there are any user accounts created which should not be there.

Regards. 

Faisal Imtiaz 
Snappy Internet & Telecom 
http://www.snappytelecom.net 

Tel: 305 663 5518 x 232 

Help-desk: (305)663-5518 Option 2 or Email: [email protected] 

> From: "TJ Trout" <[email protected]>
> To: "AnimalFarm Microwave Users Group" <[email protected]>
> Sent: Tuesday, August 14, 2018 3:03:34 AM
> Subject: Re: [AFMUG] Fwd: Your server 162.222.29.1 has been registered as an attack source

> I have the tiks on the latest current with everything locked down and the
> forward chain has all commonly abused services filtered as well. Can someone
> give me an idea what I need to do here?

> On Tue, Aug 14, 2018, 12:57 PM Mike Hammett < [email protected] > wrote:

>> Unimus should tell you what's changed in the router's config.

>> -----
>> Mike Hammett
>> Intelligent Computing Solutions

>> Midwest Internet Exchange

>> The Brothers WISP

>> From: "TJ Trout" < [email protected] >
>> To: [email protected]
>> Sent: Monday, August 13, 2018 6:00:21 PM
>> Subject: [AFMUG] Fwd: Your server 162.222.29.1 has been registered as an attack source

>> Anyone know of a mikrotik exploit or what this traffic capture might mean?

>> I have my router locked down and all common abuse ports/services filtered in
>> both router and pass thru to customers....

>> ---------- Forwarded message ---------
>> From: BitNinja < [email protected] >
>> Date: Tue, Aug 14, 2018, 10:58 AM
>> Subject: Your server 162.222.29.1 has been registered as an attack source
>> To: < [email protected] >



>> Dear Provider,

>> I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m writing
>> to inform you that we have detected malicious requests from the IP 162.222.29.1
>> directed at our clients’ servers.

>> As a result of these attacks, we have added your IP to our greylist to prevent
>> it from attacking our clients’ servers.

>> Servers are increasingly exposed as the targets of botnet attacks and you might
>> not be aware that your server is being used as a “bot” to send malicious
>> attacks over the Internet.

>> I've collected the 3 earliest logs below, and you can find the freshest 100,
>> that may help you disinfect your server, under the link. The timezone is
>> UTC+2:00.
>> http://bitninja.io/incidentReport.php?details=7281f016fb83701789

>> {
>>     "PORT HIT": "162.222.29.1:32862-> 94.46.59.143:8080 ",
>>     "MESSAGES": "Array
>>              (
>>                  [11:34:08] => GET / HTTP/1.1
>>              Host: 94.46.59.143:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>>              Content-Length: 0
>>              )
>>              "
>> }
>> {
>>     "PORT HIT": "162.222.29.1:57131-> 37.187.190.61:8080 ",
>>     "MESSAGES": "Array
>>              (
>>                  [19:06:48] => GET / HTTP/1.1
>>              Host: 37.187.190.61:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>              Content-Length: 0
>>              )
>>              "
>> }
>> {
>>     "PORT HIT": "162.222.29.1:56717-> 104.128.74.105:8080 ",
>>     "MESSAGES": "Array
>>              (
>>                  [16:26:25] => GET / HTTP/1.1
>>              Host: 104.128.74.105:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>              Content-Length: 0
>>              )
>>              "
>> }

>> Please keep in mind that after the first intrusion we log all traffic between
>> your server and the BitNinja-protected servers until the IP is removed from the
>> greylist. This means you may see valid logs beside the malicious actions in the
>> link above. If you need help finding the malicious logs, please don’t hesitate
>> to contact our incident experts by replying to this e-mail.

>> For more information on analyzing and understanding outbound traffic, check out
>> this:
>> https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?

>> We’ve also dedicated an entire site to help people prevent their server from
>> sending malicious attacks:
>> https://doc.bitninja.io/investigations.html

>> Our incident experts are also happy to help you and can provide detailed logs if
>> needed. Please, feel free to connect me with the administrator or technical
>> team responsible for managing your server.

>> Thank you for helping us make the Internet a safer place!

>> Regards,

>> George Egri
>> CEO at BitNinja.io


>> --
>> AF mailing list
>> [email protected]
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com


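The thread asks what the captured records mean. As an added example (not code from any poster or from BitNinja), this parser reads the record layout quoted in the report above and summarizes the destination ports and request lines, which is what a Torch filter or a firewall rule needs; the two sample records are copied from the report with their wrapped header lines rejoined, and the high source ports are read as the router side initiating the connections.

```python
import re
from collections import Counter

# Constructed sample: two records quoted in the thread, in the report's own layout.
SAMPLE_REPORT = """
{
    "PORT HIT": "162.222.29.1:32862-> 94.46.59.143:8080 ",
    "MESSAGES": "Array
             (
                 [11:34:08] => GET / HTTP/1.1
             Host: 94.46.59.143:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
             Content-Length: 0
             )
             "
}
{
    "PORT HIT": "162.222.29.1:57131-> 37.187.190.61:8080 ",
    "MESSAGES": "Array
             (
                 [19:06:48] => GET / HTTP/1.1
             Host: 37.187.190.61:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
             Content-Length: 0
             )
             "
}
"""
PORT_HIT = re.compile(r'"PORT HIT":\s*"(\S+):(\d+)->\s*(\S+):(\d+)\s*"')
REQUEST = re.compile(r'\[(\d\d:\d\d:\d\d)\]\s*=>\s*(\S+)\s+(\S+)\s+HTTP/')
USER_AGENT = re.compile(r'User-Agent:\s*(.*?)\s*Content-Length', re.S)

def parse_report(text):
    """One dict per record: who connected to whom, when, and what was requested."""
    records = []
    for block in re.findall(r'\{.*?\n\}', text, re.S):
        hit, req, ua = PORT_HIT.search(block), REQUEST.search(block), USER_AGENT.search(block)
        if hit and req:  # skip records the regexes cannot account for
            records.append({
                "src_ip": hit[1], "src_port": int(hit[2]), "dst_ip": hit[3], "dst_port": int(hit[4]),
                "time": req[1], "request": f"{req[2]} {req[3]}",
                "user_agent": " ".join(ua[1].split()) if ua else ""})
    return records

def summarize(records):
    """The facts an operator needs for a Torch filter or a firewall rule."""
    return {
        "dst_ports": dict(Counter(r["dst_port"] for r in records)),
        "dst_ips": sorted({r["dst_ip"] for r in records}),
        "requests": dict(Counter(r["request"] for r in records)),
        # high source ports mean the router side initiated the connections
        "all_ephemeral_src_ports": all(r["src_port"] > 1024 for r in records)}
```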
