185.153.198.228 Has been BUSY

Well here is what you are looking for from that attack.

jul/23/2018 05:37:21 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:25 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:28 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:32 system,error,critical login failure for user Admin from 185.153.198.228 via winbox
jul/23/2018 05:37:36 system,error,critical login failure for user emergency from 185.153.198.228 via winbox
jul/23/2018 05:37:39 system,error,critical login failure for user mtaadmin from 185.153.198.228 via winbox
jul/23/2018 05:37:42 system,error,critical login failure for user contractdata from 185.153.198.228 via winbox
jul/23/2018 05:37:45 system,error,critical login failure for user K16000865 from 185.153.198.228 via winbox

After you update your router, change the password…
You will see login attempts from that IP using your old passwords.

Exposing your winbox port is asking to be compromised when the next exploit is found. Best to firewall it.

I started using port knocking to allow the winbox connection and none of those sites showed this attack.

Anyone ever write a good tool for 3 failed winbox login attempts from one address, and we can add them to an address list???
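One way to build such a tool off-box, as an added example that is not from the thread or from MikroTik: read the router log (the lines quoted above, fed here as a constructed sample with one extra made-up source, 192.0.2.10), count "login failure ... via winbox" events per source address inside a sliding time window, and emit the RouterOS commands that put each offender on an address list. The list name `Banned` and the `6h` timeout are taken from the drop rules posted further down the thread; the threshold of 3 failures, the 600 second window, and the assumption that the log lines arrive in exactly the format shown (no syslog host prefix) are this example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the RouterOS log lines quoted in the thread, plus three
# slow, spread-out failures from a made-up address (192.0.2.10) that should
# NOT trip a 3-in-10-minutes threshold.
SAMPLE_LOG = """\
jul/23/2018 05:37:21 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:25 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:28 system,error,critical login failure for user admin from 185.153.198.228 via winbox
jul/23/2018 05:37:32 system,error,critical login failure for user Admin from 185.153.198.228 via winbox
jul/23/2018 05:37:36 system,error,critical login failure for user emergency from 185.153.198.228 via winbox
jul/23/2018 05:40:01 system,error,critical login failure for user admin from 192.0.2.10 via winbox
jul/23/2018 05:55:30 system,error,critical login failure for user admin from 192.0.2.10 via winbox
jul/23/2018 06:12:00 system,error,critical login failure for user admin from 192.0.2.10 via winbox
"""

# Matches the exact line layout seen in the thread (assumption: no syslog
# relay prefix in front of the RouterOS timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) system,error,critical "
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<svc>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, source_ip, service) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b/%d/%Y %H:%M:%S")  # %b accepts 'jul'
    return ts, m.group("user"), m.group("src"), m.group("svc")


def find_offenders(log_text, threshold=3, window_seconds=600, service="winbox"):
    """Map source_ip -> (failures_in_window, first_ts, last_ts) for every
    source that reached `threshold` failed logins for `service` within a
    sliding window of `window_seconds`. A source is reported once, at the
    moment it crosses the threshold."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, src, svc = parsed
        if svc != service:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old failures
            q.popleft()
        if len(q) >= threshold and src not in offenders:
            offenders[src] = (len(q), q[0], ts)
    return offenders


def address_list_commands(offenders, list_name="Banned", timeout="6h"):
    """Render RouterOS address-list commands for the offenders, one per source,
    so the existing 'drop src-address-list=Banned' rules take effect."""
    return [
        f"/ip firewall address-list add address={src} list={list_name} timeout={timeout} "
        f'comment="{n} winbox login failures {first:%H:%M:%S}-{last:%H:%M:%S}"'
        for src, (n, first, last) in sorted(offenders.items())
    ]


if __name__ == "__main__":
    for cmd in address_list_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

With the defaults only 185.153.198.228 is reported (its third failure lands 7 seconds after the first); widening the window to an hour also catches the slow source, which is the knob to tune against low-and-slow guessing. Note this counts failed logins, whereas the address-list rules posted below count new TCP connections to port 8291 regardless of outcome, so the two approaches ban on different evidence.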

Here’s my typical blacklist firewall config. Generally we don’t permit any admin connections from the internet other than known management networks. This is used in any case where we are accepting traffic from the internet. This also works decently for other services with the forward chain rule.

/ip firewall
add action=jump chain=input connection-state=new in-interface=ether1 protocol=tcp jump-target=blacklist
add action=jump chain=forward connection-state=new in-interface=ether1 protocol=tcp jump-target=blacklist

add action=add-src-to-address-list address-list=blacklist address-list-timeout=1w chain=blacklist comment="Blacklist processing" log=yes log-prefix="Blacklisted: " src-address-list=pre-blacklist4
add action=add-src-to-address-list address-list=pre-blacklist4 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist3
add action=add-src-to-address-list address-list=pre-blacklist3 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist2
add action=add-src-to-address-list address-list=pre-blacklist2 address-list-timeout=5m chain=blacklist src-address-list=pre-blacklist1
add action=add-src-to-address-list address-list=pre-blacklist1 address-list-timeout=5m chain=blacklist src-address-list=!blacklist log=yes log-prefix="pre-bl1: "
add action=accept chain=blacklist src-address-list=!blacklist
add action=drop chain=blacklist log=yes log-prefix="Blacklist Drop: "

So this would give you 3 shots…

4th Try would never make it to the router.

/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=drop chain=input src-address-list=Banned
add action=drop chain=forward src-address-list=Banned
add action=add-src-to-address-list address-list=Banned address-list-timeout=6h chain=input connection-state=new dst-port=8291 log=yes log-prefix=Banned protocol=tcp src-address-list=Maybe2
add action=add-src-to-address-list address-list=Maybe2 address-list-timeout=10m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=Maybe1
add action=add-src-to-address-list address-list=Maybe1 address-list-timeout=5m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=Maybe
add action=add-src-to-address-list address-list=Maybe address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new src-address-list=local
add action=drop chain=input

Seem right?

We have seen attack traffic from this IP, and several others over the past few days:

95.154.216.160
95.154.216.163
95.154.216.164
95.154.216.166
185.153.198.228
194.40.240.254

All of them are attempting to use the already patched “slingshot” exploit to gain unauthorized access to Mikrotik routers.

One of our clients had a couple of boards running older firmware, and we logged in to find SOCKS configured, a “call home” script running every 60 seconds, and an added firewall rule.

Nasty stuff.

So are you having to clear out a lot of socks settings?

A few. Some of these attackers enabled socks, others did not.

FWIW I checked my fw’s shitlist and found several 185.153.198.* IPs

Anyone figure out the password for user=“service”?