Am I being hacked?

Lately I am having very strange logs in my router. Also, immediately when I enable port 23 in the firewall, somebody tries to access my router with a wrong user name and password. It seems like brute force, so I have to keep port 23 disabled.

These logs continue to happen. I tried refreshing my public IP address (my DSL gives me a new public IP each time I reconnect with PPPoE), but as soon as I get the new public IP, I have the same logs again.
Also, I tried to disable most of the network devices (routers, cameras, smartphone, PC) and then refresh the public IP, then I tried to turn off my computer and use another PC, but each time I refreshed the public IP, the same logs showed up soon after: "Drop input: src-mac=00:90:1A:xx:xx:xx"
If it's an attack, how does the attacker know my new public IP, or is it no attack?

Thanks


Here are some examples of the logs. In the 2nd screenshot I enabled port 23 just for 30 seconds, and this was enough for the attacker to start the brute force (so I quickly disabled this port again)…?


Screenshot_1.png
Screenshot_2 (2).png
Screenshot_3.png

From your logs it looks like you are using DynDNS; this is probably why changing the public IP doesn't help.

UDP traffic to/from 5678 is used by MT discovery protocol: http://forum.mikrotik.com/t/port-5678-udp/17211/1

Maybe this "udp 5678" log might not be harmful, but the src MAC address on it, "02:01:xx:xx:xx:xx", is not from an MT device.
Still, I am more concerned about the "proto TCP (SYN)" log from "00:90:1a:xx:xx:xx".
Also, when I change my public IP, this log immediately repeats, before my DynDNS rule was even able to update my new IP to the DynDNS server.

This is the Mirai botnet, nothing to worry about. It is brute forcing telnet on the entire IPv4 internet.

Why is the telnet port open on WAN? You might need only the winbox/ssh port opened from WAN, maybe some VPN server ports, but all others - drop them.

Thanks.
I keep my telnet port closed, I was just surprised how each time I open the port just for 30 seconds, I get attacked immediately…
My provider is Croatian T-com, and I read that this Mirai botnet is attacking German T-com routers. As it's the same company, could it be that my T-com router/modem, which is working as a bridge/modem for the MT RouterBOARD, is compromised or infected with this malware?
Or is it normal to have so many logs of TCP (SYN) from so many addresses?

Thanks

Yes, it is normal. I have around 2000 telnet connection tries every day. Nothing to worry about as long as you are dropping them. I would also recommend disabling telnet connections to the router at IP->Services->Telnet as you don't need it at all.

Also, it is much much better to log the rule instead of disabling it just to see if there is someone trying to log in.
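Once the drop rule is logged as suggested above, the log can be summarized per destination port to see how many distinct sources are probing telnet. This is an added example, not part of any post in this thread; the log lines are constructed samples modelled on RouterOS firewall log output, and the `Drop` log prefix, the `pppoe-out1` interface name and the documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed format, modelled on RouterOS firewall logs
# with log-prefix "Drop"); IPs are documentation ranges, MACs are made up.
SAMPLE_LOG = """\
12:00:01 firewall,info Drop input: in:pppoe-out1 out:(none), src-mac 00:90:1a:00:00:01, proto TCP (SYN), 198.51.100.7:41822->203.0.113.10:23, len 40
12:00:03 firewall,info Drop input: in:pppoe-out1 out:(none), src-mac 00:90:1a:00:00:01, proto TCP (SYN), 198.51.100.88:5120->203.0.113.10:23, len 40
12:00:04 firewall,info Drop input: in:pppoe-out1 out:(none), src-mac 00:90:1a:00:00:01, proto TCP (SYN), 192.0.2.15:60211->203.0.113.10:22, len 44
12:00:09 firewall,info Drop input: in:pppoe-out1 out:(none), src-mac 00:90:1a:00:00:01, proto TCP (SYN), 198.51.100.7:41830->203.0.113.10:23, len 40
12:00:12 firewall,info Drop input: in:pppoe-out1 out:(none), src-mac 02:01:00:00:00:02, proto UDP, 192.0.2.200:5678->255.255.255.255:5678, len 119
"""

# Extracts source MAC, protocol, optional TCP flags, and the src->dst endpoints.
LINE_RE = re.compile(
    r"src-mac (?P<mac>[0-9a-fA-F:]{17}), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def summarize(log_text, prefix="Drop input:"):
    """Group dropped packets by (protocol, destination port)."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "macs": set()})
    for line in log_text.splitlines():
        if prefix not in line:
            continue  # not produced by the logged drop rule
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without ports (e.g. ICMP) are skipped
        entry = stats[(m["proto"], int(m["dport"]))]
        entry["hits"] += 1
        entry["sources"].add(m["src"])
        entry["macs"].add(m["mac"].lower())
    return dict(stats)


def report(stats):
    """One text row per (protocol, port), busiest first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["hits"])
    return [
        f"{proto}/{port}: {s['hits']} drops from "
        f"{len(s['sources'])} source IPs, {len(s['macs'])} src-mac(s)"
        for (proto, port), s in rows
    ]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```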

OK, thanks for the help