I'm wondering if I have fundamentally misunderstood something. In fact I am rather hoping I have.

An outside agency has reported seeing telnet connection attempts coming from the outside IPv4 address of a client's router. They have provided info that shows quite clearly that these are attacks coming from the router.

To see where in the network they were originating, I added these lines at the front of each of the input, output and forward "/ip firewall filter" chains:

    chain=xxx action=drop \
        protocol=tcp dst-port=23 \
        log=yes \
        log-prefix="TEL_xxx"

My log output shows exclusively lines with "TEL_output". I wasn't expecting any "TEL_input" lines, but I was definitely expecting some "TEL_forward" lines, assuming the miscreant is inside the network.

Here is a sample (a.b.c.d is the outside address of the router, w.x.y.z is the destination address):

    18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), a.b.c.d:54315->w.x.y.z:23, len 40

I.e., the packets seem to be sourced at the router. Does this mean that the router is the source of this nefariousness?!? Or am I missing something?

There are quite a few of these, I'm seeing about 20 per minute.

The router version is old and should be upgraded: 6.36 (stable).

It appears that an earlier colleague added three mangle/passthrough statements, but these as I understand it are effectively just counters. There are no other mangle statements.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
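The diagnostic in the post rests on which filter chain logs the packet: an "output" hit with in:(none) is generated by the router itself, while a "forward" hit shows the LAN host's own address as source because filter forward runs before src-nat. Here is an added parser (not from the thread) for RouterOS firewall log lines in the format quoted above that attributes each port-23 SYN to its origin and counts hits per minute; the log lines and addresses below are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Shape of a RouterOS "firewall,info" log line as quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[^\s:]+):(?P<sport>\d+)->(?P<dst>[^\s:]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample log: 203.0.113.5 is the router's WAN address, 192.168.88.10 a LAN host.
SAMPLE = """\
18:44:35 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54315->198.51.100.20:23, len 40
18:44:38 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54316->198.51.100.21:23, len 40
18:44:41 firewall,info TEL_forward forward: in:e2-lan out:e1-uplink, proto TCP (SYN), 192.168.88.10:41000->198.51.100.22:23, len 40
18:45:02 firewall,info TEL_output output: in:(none) out:e1-uplink, proto TCP (SYN), 203.0.113.5:54317->198.51.100.23:23, len 40
some unrelated log line that does not match
"""

def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Name the originator of a logged packet from the chain it was seen in."""
    if rec["chain"] == "output":
        # Locally generated: no input interface, router's own address as source.
        return "router"
    if rec["chain"] == "forward":
        # Filter forward runs before src-nat, so src is the LAN host's real address.
        return rec["src"]
    return "inbound"  # input chain: someone outside probing the router

def summarize(lines):
    """Count telnet (TCP/23) SYNs by originator and by minute; track unparsable lines."""
    origins, per_minute, unparsed = Counter(), defaultdict(int), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["proto"] != "TCP" or rec["dport"] != "23":
            continue
        origins[classify(rec)] += 1
        per_minute[rec["time"][:5]] += 1   # HH:MM bucket, e.g. "18:44"
    return {"origins": dict(origins), "per_minute": dict(per_minute), "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Any non-empty "router" count means the SYNs are locally generated, which is the outcome the post describes; a LAN address under "origins" would instead point at an internal host.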
On Mon, 2022-11-07 at 19:15 +1100, Karl Auer wrote:
I'm wondering if I have fundamentally misunderstood something.
I have no idea why I put "FTP" in the subject for this thread. My apologies. Should be "telnet".

Regards, K.
Hi,

My bet would be that with an OS that old it has been compromised and any manner of things could be going on. Does it even have a decent firewall config?

Post a full export of /ip firewall

Andrew

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer
Sent: Monday, 7 November 2022 4:16 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Blocking FTP

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Given that 6.36 is vulnerable to the winbox auth bypass, it's absolutely 100% part of a botnet by now (you should have upgraded it in 2018 when the vuln was released???). Nuke it and install fresh with current RouterOS :)

On Mon, 7 Nov 2022 at 7:54 pm, Karl Auer <kauer@nullarbor.com.au> wrote:
-- 
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust
rendrag@rendrag.net - http://www.rendrag.net/
-- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
Hi Karl,

I actually had a very similar issue back in 2021 with a brand new router that I installed; after a week or so it was attempting telnet connections all over the place. Duxtel sent the logs to Mikrotik but didn't find anything abnormal. Wiped and netinstalled, reloaded a safe config and we were back in business. Still concerning that it was exploited in the first place, but no issues since.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Karl Auer
Sent: Monday, 7 November 2022 7:16 PM
To: MikroTik Public <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] Blocking FTP
participants (4)
- Andrew Oakeley
- Damien Gardner Jnr
- Karl Auer
- Two Fat Monkeys - Dirk Bermingham