I had absolutely the weirdest experience Wednesday.
I drove out to one of my long-time subscribers, one of the few remaining sites
still using a legacy CPE from 2009 instead of a MikroTik, in order to upgrade
her to a MikroTik unit.
I swapped out the radio and power supply, and as soon as I logged into it, I
noticed bizarre activity in the log — her home PC had almost immediately begun
issuing rapid-fire FTP login attempts against the MikroTik CPE, using various
IDs and passwords (see attached).
I figured she must have picked up some sort of latent malware designed to
attack MikroTik devices, so I downloaded a fresh copy of Malwarebytes onto her
PC and ran it. Malwarebytes found absolutely nothing (itself a wonder, as most
units I run this against have at least adware on them).
Has anyone ever encountered such malware? Or does somebody have a better
explanation for this behavior that I haven't thought of?
* * *
sep/26 21:42:23 system,info router rebooted
sep/26 21:42:31 wireless,debug wwan-ptp: must select network
sep/26 21:42:31 wireless,debug 6C:3B:6B:AB:A8:5F: on 2412 AP: yes SSID
7883(MT-W) caps 0x431 rates 0xCCK:1-11 OFDM:6-48 BW:1x SGI:1x HT:0-6,8-14 basic
0xCCK:1 OFDM:6 MT: yes
…
26 21:42:31 wireless,info 6C:3B:6B:AB:A8:5F@wwan-ptp established connection on
2412000, SSID 7883(MT-W)
sep/27 12:32:59 system,info sntp change time Sep/26/2017 21:42:32 =>
Sep/27/2017 12:32:59
sep/27 12:33:12 system,info sntp change time Sep/27/2017 12:33:13 =>
Sep/27/2017 12:33:12
sep/27 12:33:17 interface,info ether link up (speed 100M, full duplex)
sep/27 12:33:35 interface,info ether link down
sep/27 12:33:37 interface,info ether link up (speed 100M, full duplex)
sep/27 12:34:02 dhcp,info subscriber assigned 192.168.10.130 to
50:7A:55:F0:7F:5C
sep/27 12:34:12 dhcp,info subscriber assigned 192.168.10.100 to
64:00:6A:45:96:D2
sep/27 12:34:41 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:34:42 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:34:43 system,error,critical login failure for user Admin from
192.168.10.100 via ftp
sep/27 12:34:44 system,error,critical login failure for user Admin from
192.168.10.100 via ftp
sep/27 12:34:45 system,error,critical login failure for user Administrator from
192.168.10.100 via ftp
sep/27 12:34:46 system,error,critical login failure for user Administrator from
192.168.10.100 via ftp
sep/27 12:34:47 system,error,critical login failure for user administrator from
192.168.10.100 via ftp
sep/27 12:34:48 dhcp,info subscriber assigned 192.168.10.101 to
AC:BC:32:CF:7F:A7
sep/27 12:34:48 system,error,critical login failure for user administrator from
192.168.10.100 via ftp
sep/27 12:34:49 system,error,critical login failure for user root from
192.168.10.100 via ftp
sep/27 12:34:50 system,error,critical login failure for user root from
192.168.10.100 via ftp
sep/27 12:34:51 system,error,critical login failure for user Admin from
192.168.10.100 via ftp
sep/27 12:34:51 dhcp,info subscriber assigned 192.168.10.125 to
AC:BC:32:CF:7F:A7
sep/27 12:34:52 system,error,critical login failure for user Admin from
192.168.10.100 via ftp
sep/27 12:34:53 system,error,critical login failure for user Administrator from
192.168.10.100 via ftp
sep/27 12:34:54 system,error,critical login failure for user Administrator from
192.168.10.100 via ftp
sep/27 12:34:55 system,error,critical login failure for user User from
192.168.10.100 via ftp
sep/27 12:34:56 system,error,critical login failure for user User from
192.168.10.100 via ftp
sep/27 12:34:57 system,error,critical login failure for user Username from
192.168.10.100 via ftp
sep/27 12:34:58 system,error,critical login failure for user adm from
192.168.10.100 via ftp
sep/27 12:34:59 system,error,critical login failure for user admim from
192.168.10.100 via ftp
sep/27 12:35:00 system,error,critical login failure for user admin2 from
192.168.10.100 via ftp
sep/27 12:35:01 system,error,critical login failure for user admin2 from
192.168.10.100 via ftp
sep/27 12:35:02 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:03 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:04 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:05 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:06 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:07 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:08 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:09 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:10 system,info,account user management logged in from
192.168.10.125 via winbox
sep/27 12:35:10 system,info,account user management logged in from
192.168.10.125 via telnet
sep/27 12:35:10 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:11 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:12 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:13 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:14 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:15 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:16 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:17 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:18 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:19 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:20 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:21 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:22 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:23 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:24 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:25 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:26 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:35:27 system,error,critical login failure for user TMARDLKT93319 from
192.168.10.100 via ftp
sep/27 12:35:28 system,error,critical login failure for user ZXDSL from
192.168.10.100 via ftp
sep/27 12:35:29 system,error,critical login failure for user DXDSL from
192.168.10.100 via ftp
sep/27 12:35:30 system,error,critical login failure for user ADSL from
192.168.10.100 via ftp
sep/27 12:35:31 system,error,critical login failure for user comcast from
192.168.10.100 via ftp
sep/27 12:35:32 system,error,critical login failure for user cusadmin from
192.168.10.100 via ftp
sep/27 12:35:33 system,error,critical login failure for user customer from
192.168.10.100 via ftp
sep/27 12:35:35 system,error,critical login failure for user default from
192.168.10.100 via ftp
sep/27 12:35:36 system,error,critical login failure for user login from
192.168.10.100 via ftp
sep/27 12:35:37 system,error,critical login failure for user login from
192.168.10.100 via ftp
sep/27 12:35:38 system,error,critical login failure for user login from
192.168.10.100 via ftp
sep/27 12:35:39 system,error,critical login failure for user manager from
192.168.10.100 via ftp
sep/27 12:35:40 system,error,critical login failure for user operator from
192.168.10.100 via ftp
sep/27 12:35:41 system,error,critical login failure for user root from
192.168.10.100 via ftp
--
Grand Avenue Broadband -- Wireless Internet Service
Circle City to Wickenburg and surrounding areas
http://grandavebb.com
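
A defender-side triage of a log like the one in this post, as an added example that is not part of the original message: it rejoins the hard-wrapped RouterOS log entries and flags any source address and service that produced a burst of failed logins. The sample lines, the thresholds, the function names and the year are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the RouterOS log format quoted in the post; the first
# entry keeps the mail hard-wrap that splits one log entry over two lines.
SAMPLE = """\
sep/27 12:34:41 system,error,critical login failure for user admin from
192.168.10.100 via ftp
sep/27 12:34:42 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:43 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:49 system,error,critical login failure for user root from 192.168.10.100 via ftp
sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via winbox
sep/27 12:35:28 system,error,critical login failure for user ZXDSL from 192.168.10.100 via ftp
sep/27 12:35:31 system,error,critical login failure for user comcast from 192.168.10.100 via ftp
sep/27 12:40:00 system,error,critical login failure for user admin from 192.168.10.125 via telnet
"""

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
STAMP = re.compile(r"^[a-z]{3}/\d\d \d\d:\d\d:\d\d ")
FAIL = re.compile(r"^([a-z]{3})/(\d\d) (\d\d):(\d\d):(\d\d) \S+ "
                  r"login failure for user (\S+) from (\S+) via (\S+)$")

def unwrap(text):
    """Rejoin log entries that mail hard-wrapping split across lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def find_bursts(text, min_failures=5, window=timedelta(seconds=60), year=2017):
    # The log carries no year, so one is assumed; it only anchors the arithmetic.
    hits = defaultdict(list)
    for entry in unwrap(text):
        m = FAIL.match(entry)
        if m:
            mon, day, hh, mm, ss, user, src, svc = m.groups()
            ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
            hits[(src, svc)].append((ts, user))
    bursts = {}
    for key, seen in hits.items():
        seen.sort()
        # Burst: some run of min_failures consecutive failures fits in the window.
        if any(b[0] - a[0] <= window for a, b in zip(seen, seen[min_failures - 1:])):
            bursts[key] = {"failures": len(seen), "users": sorted({u for _, u in seen})}
    return bursts
```

Each flagged key pairs a source address with the service it hit, which points at the host to inspect and the service to restrict on the CPE.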