As Emily Litella says, "Never mind." In fact this is surely malware. A web search for some of the more unique user IDs in this attack list discloses several sites carrying source for a hacking tool called "Router Hunter" which does precisely what the log shows.
So the only mystery left is why Malwarebytes isn't finding it, and I'm working that angle with them.

> On Sep 29, 2017, at 5:20 PM, Grand Avenue Broadband <[email protected]> wrote:
>
> I had absolutely the weirdest experience Wednesday.
>
> I drove out to one of my long-time subscribers, one of the few remaining
> sites still using a legacy CPE from 2009 instead of a MikroTik, in order to
> upgrade her to a MikroTik unit.
>
> I swapped out the radio and power supply, and as soon as I logged into it, I
> noticed bizarre activity in the log — her home PC had almost immediately
> begun issuing rapid-fire FTP login attempts against the MikroTik CPE, using
> various IDs and passwords (see attached).
>
> I figured she must have picked up some sort of latent malware designed to
> attack MikroTik devices, so I downloaded a fresh copy of Malwarebytes onto
> her PC and ran it. Malwarebytes found absolutely nothing (itself a wonder,
> as most units I run this against have at least adware on them).
>
> Has anyone ever encountered such malware? Or does somebody have a better
> explanation for this behavior that I haven't thought of?
>
> * * *
>
> sep/26 21:42:23 system,info router rebooted
> sep/26 21:42:31 wireless,debug wwan-ptp: must select network
> sep/26 21:42:31 wireless,debug 6C:3B:6B:AB:A8:5F: on 2412 AP: yes SSID 7883(MT-W) caps 0x431 rates 0xCCK:1-11 OFDM:6-48 BW:1x SGI:1x HT:0-6,8-14 basic 0xCCK:1 OFDM:6 MT: yes
> …
> 26 21:42:31 wireless,info 6C:3B:6B:AB:A8:5F@wwan-ptp established connection on 2412000, SSID 7883(MT-W)
> sep/27 12:32:59 system,info sntp change time Sep/26/2017 21:42:32 => Sep/27/2017 12:32:59
> sep/27 12:33:12 system,info sntp change time Sep/27/2017 12:33:13 => Sep/27/2017 12:33:12
> sep/27 12:33:17 interface,info ether link up (speed 100M, full duplex)
> sep/27 12:33:35 interface,info ether link down
> sep/27 12:33:37 interface,info ether link up (speed 100M, full duplex)
> sep/27 12:34:02 dhcp,info subscriber assigned 192.168.10.130 to 50:7A:55:F0:7F:5C
> sep/27 12:34:12 dhcp,info subscriber assigned 192.168.10.100 to 64:00:6A:45:96:D2
> sep/27 12:34:41 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:34:42 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:34:43 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
> sep/27 12:34:44 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
> sep/27 12:34:45 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
> sep/27 12:34:46 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
> sep/27 12:34:47 system,error,critical login failure for user administrator from 192.168.10.100 via ftp
> sep/27 12:34:48 dhcp,info subscriber assigned 192.168.10.101 to AC:BC:32:CF:7F:A7
> sep/27 12:34:48 system,error,critical login failure for user administrator from 192.168.10.100 via ftp
> sep/27 12:34:49 system,error,critical login failure for user root from 192.168.10.100 via ftp
> sep/27 12:34:50 system,error,critical login failure for user root from 192.168.10.100 via ftp
> sep/27 12:34:51 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
> sep/27 12:34:51 dhcp,info subscriber assigned 192.168.10.125 to AC:BC:32:CF:7F:A7
> sep/27 12:34:52 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
> sep/27 12:34:53 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
> sep/27 12:34:54 system,error,critical login failure for user Administrator from 192.168.10.100 via ftp
> sep/27 12:34:55 system,error,critical login failure for user User from 192.168.10.100 via ftp
> sep/27 12:34:56 system,error,critical login failure for user User from 192.168.10.100 via ftp
> sep/27 12:34:57 system,error,critical login failure for user Username from 192.168.10.100 via ftp
> sep/27 12:34:58 system,error,critical login failure for user adm from 192.168.10.100 via ftp
> sep/27 12:34:59 system,error,critical login failure for user admim from 192.168.10.100 via ftp
> sep/27 12:35:00 system,error,critical login failure for user admin2 from 192.168.10.100 via ftp
> sep/27 12:35:01 system,error,critical login failure for user admin2 from 192.168.10.100 via ftp
> sep/27 12:35:02 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:03 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:04 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:05 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:06 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:07 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:08 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:09 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via winbox
> sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via telnet
> sep/27 12:35:10 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:11 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:12 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:13 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:14 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:15 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:16 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:17 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:18 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:19 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:20 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:21 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:22 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:23 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:24 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:25 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:26 system,error,critical login failure for user admin from 192.168.10.100 via ftp
> sep/27 12:35:27 system,error,critical login failure for user TMARDLKT93319 from 192.168.10.100 via ftp
> sep/27 12:35:28 system,error,critical login failure for user ZXDSL from 192.168.10.100 via ftp
> sep/27 12:35:29 system,error,critical login failure for user DXDSL from 192.168.10.100 via ftp
> sep/27 12:35:30 system,error,critical login failure for user ADSL from 192.168.10.100 via ftp
> sep/27 12:35:31 system,error,critical login failure for user comcast from 192.168.10.100 via ftp
> sep/27 12:35:32 system,error,critical login failure for user cusadmin from 192.168.10.100 via ftp
> sep/27 12:35:33 system,error,critical login failure for user customer from 192.168.10.100 via ftp
> sep/27 12:35:35 system,error,critical login failure for user default from 192.168.10.100 via ftp
> sep/27 12:35:36 system,error,critical login failure for user login from 192.168.10.100 via ftp
> sep/27 12:35:37 system,error,critical login failure for user login from 192.168.10.100 via ftp
> sep/27 12:35:38 system,error,critical login failure for user login from 192.168.10.100 via ftp
> sep/27 12:35:39 system,error,critical login failure for user manager from 192.168.10.100 via ftp
> sep/27 12:35:40 system,error,critical login failure for user operator from 192.168.10.100 via ftp
> sep/27 12:35:41 system,error,critical login failure for user root from 192.168.10.100 via ftp
>
> --
> Grand Avenue Broadband -- Wireless Internet Service
> Circle City to Wickenburg and surrounding areas
> http://grandavebb.com
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mail.butchevans.com/pipermail/mikrotik/attachments/20170929/56cc9449/attachment.html>
> _______________________________________________
> Mikrotik mailing list
> [email protected]
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

--
Grand Avenue Broadband -- Wireless Internet Service
Circle City to Wickenburg and surrounding areas
http://grandavebb.com
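
The pattern in the log quoted above (one LAN host, roughly one failed login per second, a rotating list of default account names) can be flagged mechanically. The following Python is an added example, not part of the original thread or of any MikroTik tooling; the sample lines are constructed in the format of that log, and the year, threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
# Entry shape: "<mon>/<day> <time> <topics> login failure for user U from IP via SVC"
FAIL_RE = re.compile(
    r"^(?P<mon>%s)/(?P<day>\d{2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"\S+ login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$"
    % "|".join(MONTHS))

# Constructed sample lines in the format of the log quoted in the thread.
SAMPLE = """\
sep/27 12:34:12 dhcp,info subscriber assigned 192.168.10.100 to 64:00:6A:45:96:D2
sep/27 12:34:41 system,error,critical login failure for user admin from 192.168.10.100 via ftp
sep/27 12:34:42 system,error,critical login failure for user Admin from 192.168.10.100 via ftp
sep/27 12:34:43 system,error,critical login failure for user root from 192.168.10.100 via ftp
sep/27 12:34:44 system,error,critical login failure for user ZXDSL from 192.168.10.100 via ftp
sep/27 12:34:45 system,error,critical login failure for user comcast from 192.168.10.100 via ftp
sep/27 12:34:46 system,error,critical login failure for user cusadmin from 192.168.10.100 via ftp
sep/27 12:35:10 system,info,account user management logged in from 192.168.10.125 via winbox
sep/27 12:40:00 system,error,critical login failure for user admin from 192.168.10.130 via ssh
""".splitlines()

def parse_failures(lines, year=2017):
    """Yield (timestamp, source, service, user); the log has no year, so it is assumed."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:  # DHCP, wireless and successful-login entries are skipped
            ts = datetime(year, MONTHS.index(m["mon"]) + 1, int(m["day"]),
                          int(m["h"]), int(m["m"]), int(m["s"]))
            yield ts, m["src"], m["svc"], m["user"]

def find_bursts(lines, min_failures=5, window=timedelta(seconds=60)):
    """Return {(source, service): stats} where failures inside `window` reach the threshold."""
    events = defaultdict(list)
    for ts, src, svc, user in parse_failures(lines):
        events[(src, svc)].append((ts, user))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures:
            alerts[key] = {"peak": peak, "total": len(evs),
                           "users": sorted({u for _, u in evs})}
    return alerts
```

Calling `find_bursts(SAMPLE)` reports only the host that produced the burst; the single mistyped login from another address stays below the threshold.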

