vmax
just joined
Topic Author
Posts: 4
Joined: Fri Mar 15, 2024 3:06 pm

Router maybe is hacked. Please help

Fri Mar 15, 2024 3:44 pm

Hello,

I'm new. I have had a MIKROTIK RB951U1-2nD router for 1 year. I access it with WinBox.

Behind it (the router) I have Windows and a XAMPP server on which I host WordPress. A hacker attack started a month ago, and the hacker is using the server's local IP 192.168.88.100.

The attacker's real IP is not visible. I am asking for guidance on how to find out where the attack is coming from. The computer has a licensed Malwarebytes.

Is the MikroTik hacked, or WinBox, or something else?

Here is an example from the server access log:

192.168.88.100 - - [15/Mar/2024:14:14:57 +0200] "POST /wp-cron.php?doing_wp_cron=1710504897.6459970474243164062500 HTTP/1.1" 200 -
192.168.88.100 - - [15/Mar/2024:14:15:02 +0200] "POST /wp-admin/admin-ajax.php?action=wp_1_wc_privacy_cleanup&nonce=8e5dc83129 HTTP/1.1" 200 -

Please guide me.

PS Admins please excuse me if I haven't posted in the right place.
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 3:49 pm

The "hack" is coming from the internet to your WordPress server. Why would the router be involved at all? The hacker can visit your WordPress site just like any other internet user.
 
vmax
just joined
Topic Author
Posts: 4
Joined: Fri Mar 15, 2024 3:06 pm

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 4:19 pm

Hello Normis.
Thank you for the reply. I have involved the router because, from my point of view, if the router is hacked, bad persons can send requests from an internal IP. For the first time I see a hacker that attacks using an internal IP, and I cannot see the real IP or MAC inside the router. In the log (which I am monitoring continuously) I cannot find the "real path" of the hacker, nor in the access log. So how can they "visit me" without a trace in the log, access bridge etc.?
All traffic passes through the router. It "looks like" I am trying to hack myself. I think (with all respect to you) your statement is strange to me.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 4:33 pm

In /ip/firewall/connections you can see all connections, just filter on Dst. Address 192.168.88.100 to get the list of Src. Addresses.
Still unclear what makes you think your router is part of the hack. Especially because the only log you provide is from the XAMPP server.

Can you provide your router's config?
/export file=anynameyoulike
Remove serial and post between code tags by using the </> button.
 
vmax
just joined
Topic Author
Posts: 4
Joined: Fri Mar 15, 2024 3:06 pm

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 5:04 pm

Hello Erlinden,
please accept my apologies for this inconvenience.
If I knew, I would not be asking you.
Attached please find the configuration file named: forchecking.rsc

At your disposal, with respect.
 
vmax
just joined
Topic Author
Posts: 4
Joined: Fri Mar 15, 2024 3:06 pm

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 5:06 pm

Maybe the file is not attached? I cannot see it in my post.
Please advise if the file was not received by you.
 
anav
Forum Guru
Posts: 19396
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 8:40 pm

Unplug router from internet.
Netinstall latest stable firmware
Put back config WITHOUT any port forwarding.

a. think about having ONLY a server with a secure login process
b. think about limiting in source address list which public IPs can access server.
c. even better use wireguard and have people access the server after they wireguard to the router.
 
infabo
Long time Member
Posts: 695
Joined: Thu Nov 12, 2020 12:07 pm

Re: Router maybe is hacked. Please help

Fri Mar 15, 2024 10:36 pm

Requests from the server itself to wp-cron.php. Nothing wrong with that. Nevertheless, I think you should make yourself familiar with WordPress. Keeping it updated and secure is crucial when exposing it to the public internet.
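
The distinction drawn in this thread, requests the server sends to itself versus requests from other clients, can be checked by classifying access-log lines. This is an added example and not part of any post: the first two log lines are the ones quoted in the first post, the third (203.0.113.7) is constructed, and the names `classify` and `summarize` are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache common log format, as in the lines quoted in the thread.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

SAMPLE = [
    # Quoted in the thread:
    '192.168.88.100 - - [15/Mar/2024:14:14:57 +0200] "POST /wp-cron.php?doing_wp_cron=1710504897.6459970474243164062500 HTTP/1.1" 200 -',
    '192.168.88.100 - - [15/Mar/2024:14:15:02 +0200] "POST /wp-admin/admin-ajax.php?action=wp_1_wc_privacy_cleanup&nonce=8e5dc83129 HTTP/1.1" 200 -',
    # Constructed for this example (documentation address range):
    '203.0.113.7 - - [15/Mar/2024:14:15:10 +0200] "GET /wp-login.php HTTP/1.1" 200 4321',
]

def classify(line, server_ip):
    """Return (client_ip, label) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _ts, _method, target, _status, _size = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    # Anything not sent from the server's own address is another client.
    if client != server_ip and client not in ("127.0.0.1", "::1"):
        return client, "external"
    # The server calling its own wp-cron.php, as infabo describes.
    if url.path.endswith("/wp-cron.php") and "doing_wp_cron" in query:
        return client, "self:wp-cron"
    # Self-originated admin-ajax calls: keep the action name for review.
    if url.path.endswith("/wp-admin/admin-ajax.php") and "action" in query:
        return client, "self:admin-ajax:" + query["action"][0]
    return client, "self:other"

def summarize(lines, server_ip):
    """Count log lines per (client_ip, label); unparsable lines are counted too."""
    counts = Counter()
    for line in lines:
        counts[classify(line, server_ip) or ("?", "unparsed")] += 1
    return counts

if __name__ == "__main__":
    for (ip, label), n in summarize(SAMPLE, "192.168.88.100").items():
        print(n, ip, label)
```

Lines labelled `external` carry the client addresses worth reviewing; `self:other` marks self-originated requests that match neither known pattern.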