Given that 6.36 is vulnerable to the winbox auth bypass, it's absolutely 100% part of a botnet by now (you should have upgraded it in 2018 when the vuln was released???). Nuke it and install fresh with current RouterOS :)

On Mon, 7 Nov 2022 at 7:54 pm, Karl Auer <kauer@nullarbor.com.au> wrote:
I'm wondering if I have fundamentally misunderstood something. In fact I am rather hoping I have.
An outside agency has reported seeing telnet connection attempts coming from the outside IPv4 address of a client's router. They have provided info that shows quite clearly that these are attacks coming from the router.
To see where in the network they were originating, I added these lines at the front of each of the input, output and forward "/ip firewall filter" chains:
    chain=xxx action=drop \
        protocol=tcp dst-port=23 \
        log=yes \
        log-prefix="TEL_xxx"
My log output shows exclusively lines with "TEL_output". I wasn't expecting any "TEL_input" lines, but I was definitely expecting some "TEL_forward" lines, assuming the miscreant is inside the network.
Here is a sample (a.b.c.d is the outside address of the router, w.x.y.z is the destination address):
18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), a.b.c.d:54315->w.x.y.z:23, len 40
I.e., the packets seem to be sourced at the router. Does this mean that the router is the source of this nefariousness?!? Or am I missing something?
There are quite a few of these, I'm seeing about 20 per minute.
The router version is old and should be upgraded: 6.36 (stable).
It appears that an earlier colleague added three mangle/passthrough statements, but these as I understand it are effectively just counters. There are no other mangle statements.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)   work +61 2 64957435
http://www.nullarbor.com.au          mobile +61 428 957160

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au

--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
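Added example (not from either poster): a small Python parser for the RouterOS firewall log format quoted above. It separates hits the router generated itself (output chain with in:(none), i.e. no ingress interface) from hits forwarded on behalf of a LAN host, and reports the busiest minute so the "about 20 per minute" observation can be checked from a log export. The addresses, interface names and log lines are constructed.

```python
import re
from collections import Counter

# One RouterOS firewall log line from a log=yes rule, shaped like the sample
# quoted in the thread: "<time> firewall,info <prefix> <chain>: in:<if> out:<if>, ...".
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample log (documentation-range addresses, invented interface names).
SAMPLE_LOG = [
    "18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54315->198.51.100.7:23, len 40",
    "18:44:36 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54316->198.51.100.8:23, len 40",
    "18:44:38 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54317->198.51.100.9:23, len 40",
    "18:45:02 firewall,info TEL_forward forward: in:ether2-lan out:e1-uplink, proto TCP (SYN), 192.168.88.10:40001->198.51.100.7:23, len 60",
    "18:45:03 system,info item changed by admin",  # unrelated line, must be ignored
]

def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Where did this logged packet come from?  output chain with in:(none) means
    the router's own kernel generated it: there is no ingress interface, so it did
    not pass through from any host behind the router."""
    if entry["chain"] == "output" and entry["in_if"] == "(none)":
        return "router-originated"
    if entry["chain"] == "forward":
        return "forwarded-from-" + entry["in_if"]
    if entry["chain"] == "input":
        return "inbound-to-router"
    return "other"

def summarize(lines, dport="23"):
    """Count telnet hits per origin class and find the busiest minute."""
    by_class, per_minute = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["dport"] != dport:
            continue
        by_class[classify(e)] += 1
        per_minute[e["time"][:5]] += 1   # bucket by HH:MM
    peak = max(per_minute.values()) if per_minute else 0
    return {"by_class": dict(by_class), "peak_per_minute": peak}
```

Feed it the output of `/log print` filtered on the TEL_ prefix; any "router-originated" count above zero means the router, not a host behind it, is the source.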