Could it be a device being NATed behind the MT that is a source? Are they doing any port-forwarding?
On Tue, Aug 14, 2018 at 2:03 AM, TJ Trout <[email protected]> wrote: > I have the tiks on the latest current with everything locked down and the > forward chain has all commonly abused services filtered as well. Can > someone give me an idea what I need to do here? > > On Tue, Aug 14, 2018, 12:57 PM Mike Hammett <[email protected]> wrote: > >> Unimus should tell you what's changed in the router's config. >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions <http://www.ics-il.com/> >> <https://www.facebook.com/ICSIL> >> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> >> <https://www.linkedin.com/company/intelligent-computing-solutions> >> <https://twitter.com/ICSIL> >> Midwest Internet Exchange <http://www.midwest-ix.com/> >> <https://www.facebook.com/mdwestix> >> <https://www.linkedin.com/company/midwest-internet-exchange> >> <https://twitter.com/mdwestix> >> The Brothers WISP <http://www.thebrotherswisp.com/> >> <https://www.facebook.com/thebrotherswisp> >> >> >> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> >> ------------------------------ >> *From: *"TJ Trout" <[email protected]> >> *To: *[email protected] >> *Sent: *Monday, August 13, 2018 6:00:21 PM >> *Subject: *[AFMUG] Fwd: Your server 162.222.29.1 has been registered as >> an attack source >> >> Anyone know of a mikrotik exploit or what this traffic capture might mean? >> >> I have my router locked down and all common abuse ports/services filtered >> in both router and pass thru to customers.... >> >> ---------- Forwarded message --------- >> From: BitNinja <[email protected]> >> Date: Tue, Aug 14, 2018, 10:58 AM >> Subject: Your server 162.222.29.1 has been registered as an attack source >> To: <[email protected]> >> >> >> >> >> >> Dear Provider, >> >> >> I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m >> writing to inform you that we have detected malicious requests from the IP >> 162.222.29.1 directed at our clients’ servers. >> >> >> As a result of these attacks, we have added your IP to our greylist to >> prevent it from attacking our clients’ servers. >> >> >> Servers are increasingly exposed as the targets of botnet attacks and you >> might not be aware that your server is being used as a “bot” to send >> malicious attacks over the Internet. >> >> >> I've collected the 3 earliest logs below, and you can find the freshest >> 100, that may help you disinfect your server, under the link. The timezone >> is UTC +2:00. >> http://bitninja.io/incidentReport.php?details=7281f016fb83701789 >> <http://bitninja.io/incidentReport.php?details=7281f016fb83701789?utm_source=incident&utm_content=publicpage> >> <http://bitninja.io/incidentReport.php?details=7281f016fb83701789> >> >> { >> "PORT HIT": "162.222.29.1:32862->94.46.59.143:8080", >> "MESSAGES": "Array >> ( >> [11:34:08] => GET / HTTP/1.1 >> Host: 94.46.59.143:8080 >> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) >> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 >> Content-Length: 0 >> >> >> ) >> " >> } >> >> { >> "PORT HIT": "162.222.29.1:57131->37.187.190.61:8080", >> "MESSAGES": "Array >> ( >> [19:06:48] => GET / HTTP/1.1 >> Host: 37.187.190.61:8080 >> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) >> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 >> Content-Length: 0 >> >> >> ) >> " >> } >> >> { >> "PORT HIT": "162.222.29.1:56717->104.128.74.105:8080", >> "MESSAGES": "Array >> ( >> [16:26:25] => GET / HTTP/1.1 >> Host: 104.128.74.105:8080 >> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) >> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 >> Content-Length: 0 >> >> >> ) >> " >> } >> >> >> >> Please keep in mind that after the first intrusion we log all traffic >> between your server and the BitNinja-protected servers until the IP is >> removed from the greylist. This means you may see valid logs beside the >> malicious actions in the link above. If you need help finding the malicious >> logs, please don’t hesitate to contact our incident experts by replying to >> this e-mail. >> >> For more information on analyzing and understanding outbound traffic, >> check out this: >> https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg? >> <https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg?utm_source=incident&utm_campaign=investigation&utm_content=image> >> >> >> <https://bitninja.io/wp-content/uploads/2016/07/bitninja-incident-report-1.jpg>We’ve >> also dedicated an entire site help people prevent their server from sending >> malicious attacks: >> https://doc.bitninja.io/investigations.html >> <https://doc.bitninja.io/investigations.html?utm_source=incident&utm_campaign=investigation&utm_content=documentation> >> >> >> Our incident experts are also happy to help you and can provide detailed >> logs if needed. Please, feel free to connect me with the administrator or >> technical team responsible for managing your server. >> >> >> Thank you for helping us make the Internet a safer place! >> >> >> Regards, >> >> >> *George Egri* >> CEO at BitNinja.io >> >> BitNinja.io @ BusinessInsider UK >> <http://uk.businessinsider.com/cylons-grace-cassy-says-companies-fighting-asymmetric-warfare-against-hackers-2015-12> >> >> BitNinja.io hits the WHIR.com >> >> <http://www.thewhir.com/web-hosting-news/canadian-web-hosting-partners-with-bitninja-for-security>BitNinja >> @ CodeMash conference <https://www.youtube.com/watch?v=fomS_3Q7520> >> >> >> >> >> >> Partnered by: >> >> >> -- >> AF mailing list >> [email protected] >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com >> >> -- >> AF mailing list >> [email protected] >> http://af.afmug.com/mailman/listinfo/af_af.afmug.com >> > > -- > AF mailing list > [email protected] > http://af.afmug.com/mailman/listinfo/af_af.afmug.com > >
-- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
