No socks enabled, no addl user accounts, config looks good (nothing new). Strange.
Possibly a few behind nat, that could be it but I'm getting notifications on multiple mikrotiks...

TJ

On Tue, Aug 14, 2018 at 8:02 AM, Colin Stanners <[email protected]> wrote:

> Could it be a device being NATed behind the MT that is a source? Are they
> doing any port-forwarding?
>
> On Tue, Aug 14, 2018 at 2:03 AM, TJ Trout <[email protected]> wrote:
>
>> I have the tiks on the latest current with everything locked down and the
>> forward chain has all commonly abused services filtered as well. Can
>> someone give me an idea what I need to do here?
>>
>> On Tue, Aug 14, 2018, 12:57 PM Mike Hammett <[email protected]> wrote:
>>
>>> Unimus should tell you what's changed in the router's config.
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>> ------------------------------
>>> *From: *"TJ Trout" <[email protected]>
>>> *To: *[email protected]
>>> *Sent: *Monday, August 13, 2018 6:00:21 PM
>>> *Subject: *[AFMUG] Fwd: Your server 162.222.29.1 has been registered as an attack source
>>>
>>> Anyone know of a mikrotik exploit or what this traffic capture might mean?
>>>
>>> I have my router locked down and all common abuse ports/services
>>> filtered in both router and pass thru to customers....
>>>
>>> ---------- Forwarded message ---------
>>> From: BitNinja <[email protected]>
>>> Date: Tue, Aug 14, 2018, 10:58 AM
>>> Subject: Your server 162.222.29.1 has been registered as an attack source
>>> To: <[email protected]>
>>>
>>> Dear Provider,
>>>
>>> I’m George Egri, the Co-Founder and CEO of BitNinja Server Security. I’m
>>> writing to inform you that we have detected malicious requests from the IP
>>> 162.222.29.1 directed at our clients’ servers.
>>>
>>> As a result of these attacks, we have added your IP to our greylist to
>>> prevent it from attacking our clients’ servers.
>>>
>>> Servers are increasingly exposed as the targets of botnet attacks and
>>> you might not be aware that your server is being used as a “bot” to send
>>> malicious attacks over the Internet.
>>>
>>> I've collected the 3 earliest logs below, and you can find the freshest
>>> 100, that may help you disinfect your server, under the link. The timezone
>>> is UTC +2:00.
>>> http://bitninja.io/incidentReport.php?details=7281f016fb83701789
>>>
>>> {
>>>     "PORT HIT": "162.222.29.1:32862->94.46.59.143:8080",
>>>     "MESSAGES": "Array
>>> (
>>>     [11:34:08] => GET / HTTP/1.1
>>> Host: 94.46.59.143:8080
>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>>> Content-Length: 0
>>>
>>> )
>>> "
>>> }
>>>
>>> {
>>>     "PORT HIT": "162.222.29.1:57131->37.187.190.61:8080",
>>>     "MESSAGES": "Array
>>> (
>>>     [19:06:48] => GET / HTTP/1.1
>>> Host: 37.187.190.61:8080
>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>> Content-Length: 0
>>>
>>> )
>>> "
>>> }
>>>
>>> {
>>>     "PORT HIT": "162.222.29.1:56717->104.128.74.105:8080",
>>>     "MESSAGES": "Array
>>> (
>>>     [16:26:25] => GET / HTTP/1.1
>>> Host: 104.128.74.105:8080
>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>> Content-Length: 0
>>>
>>> )
>>> "
>>> }
>>>
>>> Please keep in mind that after the first intrusion we log all traffic
>>> between your server and the BitNinja-protected servers until the IP is
>>> removed from the greylist. This means you may see valid logs beside the
>>> malicious actions in the link above. If you need help finding the malicious
>>> logs, please don’t hesitate to contact our incident experts by replying to
>>> this e-mail.
>>>
>>> For more information on analyzing and understanding outbound traffic,
>>> check out this:
>>> https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg
>>>
>>> We’ve also dedicated an entire site to help people prevent their server from sending
>>> malicious attacks:
>>> https://doc.bitninja.io/investigations.html
>>>
>>> Our incident experts are also happy to help you and can provide detailed
>>> logs if needed. Please, feel free to connect me with the administrator or
>>> technical team responsible for managing your server.
>>>
>>> Thank you for helping us make the Internet a safer place!
>>>
>>> Regards,
>>>
>>> *George Egri*
>>> CEO at BitNinja.io
>>>
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
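An added example (not from this thread or any of its participants) for the NAT question raised above: it parses the report's "PORT HIT" records, converts the stated UTC+2 times to UTC, and matches the translated public ports against a NAT translation log to name the LAN host behind the router. The log format and the 192.168.88.x addresses are constructed assumptions, not RouterOS output.

```python
import re
from collections import Counter

# The three "PORT HIT" records from the BitNinja report above, reduced to the
# fields that matter for attribution (public tuple and the [HH:MM:SS] request).
REPORT = """
{ "PORT HIT": "162.222.29.1:32862->94.46.59.143:8080", "MESSAGES": "Array ( [11:34:08] => GET / HTTP/1.1 )" }
{ "PORT HIT": "162.222.29.1:57131->37.187.190.61:8080", "MESSAGES": "Array ( [19:06:48] => GET / HTTP/1.1 )" }
{ "PORT HIT": "162.222.29.1:56717->104.128.74.105:8080", "MESSAGES": "Array ( [16:26:25] => GET / HTTP/1.1 )" }
"""

# Constructed NAT translation log in a hypothetical format (not RouterOS output):
# "<UTC time> <lan ip:port> -> <public ip:port> dst <dst ip:port>".
NAT_LOG = """
09:34:08 192.168.88.23:51022 -> 162.222.29.1:32862 dst 94.46.59.143:8080
17:06:49 192.168.88.23:51870 -> 162.222.29.1:57131 dst 37.187.190.61:8080
09:40:00 192.168.88.9:44100 -> 162.222.29.1:32900 dst 203.0.113.5:443
"""

HIT_RE = re.compile(r'"PORT HIT":\s*"([^"]+)".*?\[(\d\d:\d\d:\d\d)\]\s*=>\s*(.*?)\s*\)', re.S)
NAT_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) -> (\S+) dst (\S+)$", re.M)

def parse_report(text):
    """One dict per record: public src/dst endpoints, report-local time, request line."""
    hits = []
    for tup, when, req in HIT_RE.findall(text):
        src, dst = tup.split("->")
        hits.append({"src": src, "dst": dst, "time_local": when, "request": req})
    return hits

def secs_of_day(hhmmss, offset_hours=0):
    """Seconds since midnight after shifting by a UTC offset (wraps past midnight)."""
    h, m, s = map(int, hhmmss.split(":"))
    return (h * 3600 + m * 60 + s - offset_hours * 3600) % 86400

def to_utc(hhmmss, offset_hours=2):
    """The report states UTC+2; render the same instant as a UTC clock time."""
    t = secs_of_day(hhmmss, offset_hours)
    return "%02d:%02d:%02d" % (t // 3600, t % 3600 // 60, t % 60)

def attribute(hits, nat_log, tolerance=5):
    """Map each hit to the LAN endpoint that held the translated tuple at that time."""
    table = {(pub, dst): (t, lan) for t, lan, pub, dst in NAT_RE.findall(nat_log)}
    out = {}
    for h in hits:
        t, lan = table.get((h["src"], h["dst"]), (None, None))
        close = t is not None and abs(secs_of_day(t) - secs_of_day(to_utc(h["time_local"]))) <= tolerance
        out[h["src"] + "->" + h["dst"]] = lan if close else None
    return out

def lan_sources(hits, nat_log):
    """Hits per LAN host, i.e. the device(s) the operator should inspect first."""
    return Counter(v.split(":")[0] for v in attribute(hits, nat_log).values() if v)
```

A hit with no translation entry (the third record here) comes back as None, which means the request left the router itself or the log window did not cover it; both cases point at the router rather than a customer device.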
