Create a firewall rule in the outbound and forward tables to log and/or block outgoing connections to tcp port 8080. This can help you identify where the traffic is coming from.
-Rob

On Tue, Aug 14, 2018 at 2:18 PM, TJ Trout <[email protected]> wrote:
> No socks enabled, no addl user accounts, config looks good (nothing new).
> Strange.
>
> Possibly a few behind NAT, that could be it, but I'm getting notifications
> on multiple MikroTiks...
>
> TJ
>
> On Tue, Aug 14, 2018 at 8:02 AM, Colin Stanners <[email protected]> wrote:
>> Could it be a device being NATed behind the MT that is a source? Are they
>> doing any port-forwarding?
>>
>> On Tue, Aug 14, 2018 at 2:03 AM, TJ Trout <[email protected]> wrote:
>>> I have the tiks on the latest current with everything locked down and
>>> the forward chain has all commonly abused services filtered as well. Can
>>> someone give me an idea what I need to do here?
>>>
>>> On Tue, Aug 14, 2018, 12:57 PM Mike Hammett <[email protected]> wrote:
>>>> Unimus should tell you what's changed in the router's config.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>> ------------------------------
>>>> *From: *"TJ Trout" <[email protected]>
>>>> *To: *[email protected]
>>>> *Sent: *Monday, August 13, 2018 6:00:21 PM
>>>> *Subject: *[AFMUG] Fwd: Your server 162.222.29.1 has been registered as an attack source
>>>>
>>>> Anyone know of a MikroTik exploit or what this traffic capture might mean?
>>>>
>>>> I have my router locked down and all common abuse ports/services
>>>> filtered in both router and pass-thru to customers....
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: BitNinja <[email protected]>
>>>> Date: Tue, Aug 14, 2018, 10:58 AM
>>>> Subject: Your server 162.222.29.1 has been registered as an attack source
>>>> To: <[email protected]>
>>>>
>>>> Dear Provider,
>>>>
>>>> I’m George Egri, the Co-Founder and CEO of BitNinja Server Security.
>>>> I’m writing to inform you that we have detected malicious requests from the
>>>> IP 162.222.29.1 directed at our clients’ servers.
>>>>
>>>> As a result of these attacks, we have added your IP to our greylist to
>>>> prevent it from attacking our clients’ servers.
>>>>
>>>> Servers are increasingly exposed as the targets of botnet attacks and
>>>> you might not be aware that your server is being used as a “bot” to send
>>>> malicious attacks over the Internet.
>>>>
>>>> I've collected the 3 earliest logs below, and you can find the freshest
>>>> 100, which may help you disinfect your server, under the link. The timezone
>>>> is UTC +2:00.
>>>> http://bitninja.io/incidentReport.php?details=7281f016fb83701789
>>>>
>>>> {
>>>> "PORT HIT": "162.222.29.1:32862->94.46.59.143:8080",
>>>> "MESSAGES": "Array
>>>> (
>>>> [11:34:08] => GET / HTTP/1.1
>>>> Host: 94.46.59.143:8080
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
>>>> Content-Length: 0
>>>>
>>>> )
>>>> "
>>>> }
>>>>
>>>> {
>>>> "PORT HIT": "162.222.29.1:57131->37.187.190.61:8080",
>>>> "MESSAGES": "Array
>>>> (
>>>> [19:06:48] => GET / HTTP/1.1
>>>> Host: 37.187.190.61:8080
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>>> Content-Length: 0
>>>>
>>>> )
>>>> "
>>>> }
>>>>
>>>> {
>>>> "PORT HIT": "162.222.29.1:56717->104.128.74.105:8080",
>>>> "MESSAGES": "Array
>>>> (
>>>> [16:26:25] => GET / HTTP/1.1
>>>> Host: 104.128.74.105:8080
>>>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
>>>> Content-Length: 0
>>>>
>>>> )
>>>> "
>>>> }
>>>>
>>>> Please keep in mind that after the first intrusion we log all traffic
>>>> between your server and the BitNinja-protected servers until the IP is
>>>> removed from the greylist. This means you may see valid logs beside the
>>>> malicious actions in the link above. If you need help finding the malicious
>>>> logs, please don’t hesitate to contact our incident experts by replying to
>>>> this e-mail.
>>>>
>>>> For more information on analyzing and understanding outbound traffic,
>>>> check out this:
>>>> https://doc.bitninja.io/_images/bitninja-incident-report-1.jpg
>>>>
>>>> We’ve also dedicated an entire site to help people prevent their server
>>>> from sending malicious attacks:
>>>> https://doc.bitninja.io/investigations.html
>>>>
>>>> Our incident experts are also happy to help you and can provide
>>>> detailed logs if needed. Please feel free to connect me with the
>>>> administrator or technical team responsible for managing your server.
>>>>
>>>> Thank you for helping us make the Internet a safer place!
>>>>
>>>> Regards,
>>>>
>>>> *George Egri*
>>>> CEO at BitNinja.io
-- AF mailing list [email protected] http://af.afmug.com/mailman/listinfo/af_af.afmug.com
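Rob's suggestion, written out as RouterOS firewall rules. This is an added example, not configuration posted by anyone in the thread. It assumes the MikroTik is the box whose public address appeared in the BitNinja report and that customers are src-NATed through it; the log prefixes, comments and the `place-before=0` positioning are arbitrary choices.

```routeros
# Added example: log, then drop, outgoing TCP/8080 in the output and forward
# chains. Not from the thread; prefixes/comments are arbitrary.

/ip firewall filter
# place-before=0 inserts each new rule at the top of its chain, so the rules
# are added in reverse of the order they should run: drop first, then its log.

# forward chain: traffic from hosts behind the router (NATed customers, port
# forward targets). Filter runs before srcnat, so the logged src-address is
# the real internal host, not the router's WAN address the report shows.
add chain=forward protocol=tcp dst-port=8080 action=drop comment="drop forwarded tcp/8080 (abuse report)" place-before=0
add chain=forward protocol=tcp dst-port=8080 connection-state=new action=log log-prefix="FWD-8080" comment="log forwarded tcp/8080" place-before=0

# output chain: connections originated by RouterOS itself. Any hit here means
# the router, not a customer, is the source of the GET / probes.
add chain=output protocol=tcp dst-port=8080 action=drop comment="drop router-originated tcp/8080" place-before=0
add chain=output protocol=tcp dst-port=8080 connection-state=new action=log log-prefix="OUT-8080" comment="log router-originated tcp/8080" place-before=0

# Review the hits: FWD-8080 lines carry the internal host's address,
# OUT-8080 lines carry the router's own address.
/log print where message~"8080"

# Live view of the same thing: tracked connections towards destination port 8080.
/ip firewall connection print where protocol=tcp dst-address~":8080"

# The checks TJ describes, as commands, plus a full export to diff against
# the last known-good config (Unimus keeps those, per Mike).
/ip socks print
/ip proxy print
/user print
/export file=investigation
```

Run the forward-chain rules as log-only first (leave out the drop) if customers legitimately reach services on 8080; once the log identifies the offending host, restrict the drop with `src-address=` to that host rather than blocking the port for everyone. The report's source ports (32862, 57131, 56717) are ephemeral and give nothing to filter on; the destination port is the only stable handle. If the hits land in the output chain, "config looks good" is not sufficient on its own: the router itself is making the connections, and the full export should be diffed against the pre-incident backup.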
