Attacking my mikrotik device

Hello my friends... so I get this repeated message in my MikroTik RB951Ui log, as you see below:
TCP connection established from 104.152.52.57
So can anyone explain to me what happened here? I searched this IP: 104.152.52.54 and I found that this public IP is from America.
What can I do in this case?
By the way, I don't have any PPTP tunnel on my MikroTik.

Your router has likely been hacked. That IP belongs to a hosting service so odds are it has been made part of some sort of botnet. You need to perform a net install on the router, recreate your configuration, and ensure that you don’t change any firewall rules without understanding 100% what they do.

I don't know why MikroTik enables this default OSPF and PPTP interface in routers. It's not the first time that attackers use this vulnerability to access MikroTik routers.

Your firewall rules are what play the biggest role there. Which ROS version are you using? Can you provide a sanitized copy of your config?

Yes, if the router is hacked there was most likely an unsafe config.
First step: disconnect from the net.
Second step: netinstall a fresh version of stable software.
Third step: manually add back the config for the required traffic.

Default configs are not perfect, but will make it hard to hack your router.
If you do change things, you need to know what you are doing.
If you open router to be administrated from a public IP you will be at risk.
If you do not upgrade your router you also may be at risk.

I don't know why MikroTik enables this bullshit default OSPF and PPTP.

No need to use bad language.
OSPF and PPTP are not enabled by default, they are part of functions that RouterOS can be configured to handle.

Post your config and we can help figure out what is wrong. Bad config/hacked etc.

The fact that you haven’t configured any PPTP tunnel on your Mikrotik doesn’t mean that PPTP service does not listen for incoming connections.

The log only shows that the unknown address has successfully initiated a TCP session to establish a PPTP control connection, but since it repeats multiple times, it is likely it did not succeed in username&password authentication, which is no surprise given that you haven’t configured any user account for PPTP.

The question is why your firewall permits incoming PPTP connections via WAN - a 951 is a SOHO grade router whose default firewall configuration doesn’t allow any incoming connections via WAN, unless the default configuration comes from a very old version of RouterOS.

So as others have suggested, post the export of the configuration (see my automatic signature below regarding anonymisation - you don’t want to reveal an IP address of a router along with an export of its weak or non-existent firewall). Also remove the serial number before posting - it can be used to find out the address if you use the “cloud” DDNS service.

As said before, it will probably be the safest way to netinstall your router with an up-to-date RouterOS version, but some comments on the current configuration may be helpful for you before you start modifying the default one created by netinstall.

Yes, sure, you can look at it in the last comment.

Sorry if my language seems to be inappropriate; you can find my router config in the last comment.

So this is my router config.
I didn't change any firewall rule, yet I disabled some other functions like IPv6, default OSPF, etc.
Question to ask:
When I initiate a scan for open ports on my LAN I always get this 2000 callback port, and I couldn't close it, so do you know what this port is?

I am trying to understand your firewall (after a quick look).

add action=drop chain=input protocol=tcp src-address=0.0.0.0/0 src-port=2000
add action=drop chain=input protocol=udp src-address=0.0.0.0/0 src-port=2000

This only blocks port 2000 UDP/TCP on your router.
Normally you should block all ports and only have the needed ports open.

See anav's post here:
https://forum.mikrotik.com/viewtopic.php?t=180838

The last rules should be something like this:

add action=drop chain=input
add action=drop chain=forward

Your router is completely unprotected. I suggest applying the default firewall rules first, then adding your customizations.
Edit: OK, Jotne already wrote about it.

Wouldn’t you also want to specify 2000 as the destination port in that rule? Source port can be whatever but OP is specifically trying to block connections to his router on port 2000.

Also, add action=accept chain=input dst-address=127.0.0.1 log=yes makes me uneasy as well.

The better course, as recommended, is to specify what is allowed and then deny all else.

Dear Techsystem, after this comment and after seeing your "configured" firewall, I must agree with @anav here:

With one addition: stay disconnected.

Like others said, if you configure your own firewall, you can't blame the manufacturer for this. You have removed the firewall and there is no protection in place, as is seen in your config.

Complete reinstall and then reset to default is the best way. Default config does have firewall. Do not remove it this time.

I agree with you Normis. And well... please, I don't hate MikroTik, I know that there are professional people out there, but I really want to know if there is a specific firewall rule that prohibits this kind of attack in my current situation, or is it mandatory to apply all the default rules in order to avoid this?

In a nutshell, the input chain is dangerous if you misconfigure it. Input is access to the router itself. So don't create allow rules in the input chain unless you absolutely understand what you're doing and if doing so is necessary. Most importantly, never create an input rule that allows access from any source to any port/service. That gives complete access to the router from WAN and will result in your router being compromised.

Edit: leave the default rules in place and add your own rules as necessary. Don’t blow away the default firewall.

There is no one rule, techsystem, except perhaps don't let you configure routers. :wink:)

Now that you know that the router has been exposed on the internet in such a manner, you need to do the following steps:

  1. disconnect it from the internet
  2. netinstall the latest stable firmware
  3. keep the default rules in place
  4. modify them so that they block all and only allow the required traffic for users and admin.
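As an added example (not from this thread or from any of its posters), here is what the allow-list style input chain recommended above looks like in RouterOS export syntax, together with the fix for the src-port rule discussed earlier and the two services mentioned in the thread. It assumes the default interface lists WAN and LAN exist, as they do in the default configuration.

```routeros
# Added example, not the poster's exported config.
# Assumes interface lists "WAN" and "LAN" exist (created by the default config).
/ip firewall filter
# Keep replies for connections the router already tracks, drop broken state.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# Last rule: anything not accepted above and not arriving from LAN is dropped.
# This is what closes WinBox, SSH, WWW, PPTP (tcp/1723), port 2000 and every
# other service towards WAN, without a per-port rule for each of them.
# log=yes makes blocked attempts visible as firewall entries in /log instead
# of the "TCP connection established" lines produced by a reachable service.
add chain=input action=drop in-interface-list=!LAN log=yes \
    comment="drop all not coming from LAN"

# The original rule "protocol=tcp src-port=2000" matched only packets *sent
# from* port 2000. A connection *to* the router on port 2000 has dst-port=2000,
# so that rule never blocked it. If a per-port rule is wanted at all, it must
# use dst-port, and it must sit above the final drop to have any effect:
# add chain=input action=drop protocol=tcp dst-port=2000 in-interface-list=WAN

# tcp/udp 2000 is the RouterOS bandwidth-test server; it can simply be turned off.
/tool bandwidth-server set enabled=no
# The PPTP server listens on tcp/1723 whenever it is enabled, even with no
# tunnels or PPP users configured; disable it if it is not needed.
/interface pptp-server server set enabled=no
```

With the final drop rule in place, the order of the preceding accept rules matters: each of them must appear before it, since RouterOS evaluates the chain top to bottom and stops at the first matching action.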

Hello Anav! Maybe! :smiley: So is it mandatory to netinstall the router? I replaced all my old rules with the default rules that came with the router; does that make sense? So why do all of you recommend netinstalling the router?

For two reasons:

  1. you have 4beta and the latest is 7.6, and it is better to remove all the old mess and restore the default firewall and the other rules that work with the firewall
  2. if your device is hacked, you clean out the hack

Don't write bullshit.
They are off by default, and if you open them, it's your fault.
MikroTik cannot prevent the mistakes of those who use the router