Attempt to hack my CCR1036-8G-2S+

sidex84 · August 30, 2016, 6:31am

Hello colleagues. Today in my logs CCR1036-8G-2S + I found suspicious activity.

logs:

Aug/29/2016 22:24:23 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,ppp,debug <20>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <20>: LCP down event in initial state
Aug/29/2016 22:24:34 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:34 pptp,ppp,debug <21>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <21>: LCP down event in initial state
Aug/29/2016 22:24:34 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:34 pptp,ppp,debug <22>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <22>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:35 pptp,ppp,debug <23>: LCP lowerdown
Aug/29/2016 22:24:35 pptp,ppp,debug <23>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:35 pptp,ppp,debug <24>: LCP lowerdown
Aug/29/2016 22:24:35 pptp,ppp,debug <24>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received non control message, ignoring
Aug/29/2016 22:24:40 pptp,ppp,debug <25>: LCP lowerdown
Aug/29/2016 22:24:40 pptp,ppp,debug <25>: LCP down event in initial state
Aug/29/2016 22:24:40 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:40 pptp,debug received non control message, ignoring
Aug/29/2016 22:24:45 pptp,ppp,debug <26>: LCP lowerdown
Aug/29/2016 22:24:45 pptp,ppp,debug <26>: LCP down event in initial state
Aug/29/2016 22:24:46 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,ppp,debug <27>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <27>: LCP down event in initial state
Aug/29/2016 22:24:53 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:53 pptp,ppp,debug <28>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <28>: LCP down event in initial state
Aug/29/2016 22:24:53 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:24:53 pptp,ppp,debug <29>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <29>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <30>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <30>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <31>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <31>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <32>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <32>: LCP down event in initial state
Aug/29/2016 22:24:55 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,ppp,debug <33>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <33>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <34>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <34>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <35>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <35>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <36>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <36>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <37>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <37>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <38>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <38>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <39>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <39>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:06 pptp,ppp,debug <40>: LCP lowerdown
Aug/29/2016 22:25:06 pptp,ppp,debug <40>: LCP down event in initial state
Aug/29/2016 22:25:07 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:07 pptp,debug received non control message, ignoring
Aug/29/2016 22:25:12 pptp,ppp,debug <41>: LCP lowerdown
Aug/29/2016 22:25:12 pptp,ppp,debug <41>: LCP down event in initial state
Aug/29/2016 22:25:12 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:12 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:25:12 pptp,ppp,debug <42>: LCP lowerdown
Aug/29/2016 22:25:12 pptp,ppp,debug <42>: LCP down event in initial state
Aug/29/2016 22:25:12 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:17 pptp,ppp,debug <43>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <43>: LCP down event in initial state
Aug/29/2016 22:25:17 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:17 pptp,ppp,debug <44>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <44>: LCP down event in initial state
Aug/29/2016 22:25:17 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet rcvd Start-Control-Connection-Request from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet     protocol-version=0x0100
Aug/29/2016 22:25:17 pptp,debug,packet     framing-capabilities=1
Aug/29/2016 22:25:17 pptp,debug,packet     bearer-capabilities=1
Aug/29/2016 22:25:17 pptp,debug,packet     maximum-channels=65535
Aug/29/2016 22:25:17 pptp,debug,packet     firmware-revision=1
Aug/29/2016 22:25:17 pptp,debug,packet     host-name=none
Aug/29/2016 22:25:17 pptp,debug,packet     vendor-name=nmap
Aug/29/2016 22:25:17 pptp,debug,packet sent Start-Control-Connection-Reply to 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet     protocol-version=0x0100
Aug/29/2016 22:25:17 pptp,debug,packet     result-code=1
Aug/29/2016 22:25:17 pptp,debug,packet     error-code=0
Aug/29/2016 22:25:17 pptp,debug,packet     framing-capabilities=2
Aug/29/2016 22:25:17 pptp,debug,packet     bearer-capabilities=0
Aug/29/2016 22:25:17 pptp,debug,packet     maximum-channels=0
Aug/29/2016 22:25:17 pptp,debug,packet     firmware-revision=1
Aug/29/2016 22:25:17 pptp,debug,packet     host-name=cfo-gw
Aug/29/2016 22:25:17 pptp,debug,packet     vendor-name=MikroTik
Aug/29/2016 22:25:17 pptp,ppp,debug <45>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <45>: LCP down event in initial state 
Aug/30/2016 00:48:51 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:49:21 pptp,ppp,debug <46>: LCP lowerdown
Aug/30/2016 00:49:21 pptp,ppp,debug <46>: LCP down event in initial state
Aug/30/2016 00:56:54 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:05 pptp,ppp,debug <47>: LCP lowerdown
Aug/30/2016 00:57:05 pptp,ppp,debug <47>: LCP down event in initial state
Aug/30/2016 00:57:05 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:05 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:05 pptp,ppp,debug <48>: LCP lowerdown
Aug/30/2016 00:57:05 pptp,ppp,debug <48>: LCP down event in initial state
Aug/30/2016 00:57:06 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:07 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:07 pptp,ppp,debug <49>: LCP lowerdown
Aug/30/2016 00:57:07 pptp,ppp,debug <49>: LCP down event in initial state
Aug/30/2016 00:57:09 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:09 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:09 pptp,ppp,debug <50>: LCP lowerdown
Aug/30/2016 00:57:09 pptp,ppp,debug <50>: LCP down event in initial state
Aug/30/2016 00:57:09 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:09 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:09 pptp,ppp,debug <51>: LCP lowerdown
Aug/30/2016 00:57:09 pptp,ppp,debug <51>: LCP down event in initial state
Aug/30/2016 00:57:10 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:10 pptp,debug received non control message, ignoring
Aug/30/2016 00:57:15 pptp,ppp,debug <52>: LCP lowerdown
Aug/30/2016 00:57:15 pptp,ppp,debug <52>: LCP down event in initial state
Aug/30/2016 00:57:16 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:16 pptp,debug received non control message, ignoring
Aug/30/2016 00:57:21 pptp,ppp,debug <53>: LCP lowerdown
Aug/30/2016 00:57:21 pptp,ppp,debug <53>: LCP down event in initial state
Aug/30/2016 00:57:21 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:29 pptp,ppp,debug <54>: LCP lowerdown
Aug/30/2016 00:57:29 pptp,ppp,debug <54>: LCP down event in initial state
Aug/30/2016 00:57:30 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:30 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:30 pptp,ppp,debug <55>: LCP lowerdown
Aug/30/2016 00:57:30 pptp,ppp,debug <55>: LCP down event in initial state
Aug/30/2016 00:57:30 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:30 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:57:30 pptp,ppp,debug <56>: LCP lowerdown
Aug/30/2016 00:57:30 pptp,ppp,debug <56>: LCP down event in initial state
Aug/30/2016 00:57:36 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:41 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <57>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <57>: LCP down event in initial state
Aug/30/2016 00:57:41 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:41 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <58>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <58>: LCP down event in initial state
Aug/30/2016 00:57:41 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:41 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <59>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <59>: LCP down event in initial state
Aug/30/2016 00:57:42 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:47 pptp,ppp,debug <60>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <60>: LCP down event in initial state
Aug/30/2016 00:57:47 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:47 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:47 pptp,ppp,debug <61>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <61>: LCP down event in initial state
Aug/30/2016 00:57:47 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:47 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:47 pptp,ppp,debug <62>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <62>: LCP down event in initial state
Aug/30/2016 00:57:48 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:48 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:48 pptp,ppp,debug <63>: LCP lowerdown
Aug/30/2016 00:57:48 pptp,ppp,debug <63>: LCP down event in initial state
Aug/30/2016 00:57:52 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:53 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:53 pptp,ppp,debug <64>: LCP lowerdown
Aug/30/2016 00:57:53 pptp,ppp,debug <64>: LCP down event in initial state
Aug/30/2016 00:57:53 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:55 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:55 pptp,ppp,debug <65>: LCP lowerdown
Aug/30/2016 00:57:55 pptp,ppp,debug <65>: LCP down event in initial state
Aug/30/2016 00:57:55 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:55 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:55 pptp,ppp,debug <66>: LCP lowerdown
Aug/30/2016 00:57:55 pptp,ppp,debug <66>: LCP down event in initial state
Aug/30/2016 00:58:01 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:58:08 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:58:08 pptp,debug received non control message, ignoring
Aug/30/2016 00:58:13 pptp,ppp,debug <68>: LCP lowerdown
Aug/30/2016 00:58:13 pptp,ppp,debug <68>: LCP down event in initial state
Aug/30/2016 00:58:14 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:58:14 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:58:14 pptp,ppp,debug <69>: LCP lowerdown
Aug/30/2016 00:58:14 pptp,ppp,debug <69>: LCP down event in initial state
Aug/30/2016 00:58:14 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:58:19 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:58:19 pptp,ppp,debug <70>: LCP lowerdown
Aug/30/2016 00:58:19 pptp,ppp,debug <70>: LCP down event in initial state
Aug/30/2016 00:58:31 pptp,ppp,debug <67>: LCP lowerdown
Aug/30/2016 00:58:31 pptp,ppp,debug <67>: LCP down event in initial state
Aug/30/2016 01:11:38 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 01:11:39 pptp,debug received too big control message, disconnecting
Aug/30/2016 01:11:39 pptp,ppp,debug <71>: LCP lowerdown
Aug/30/2016 01:11:39 pptp,ppp,debug <71>: LCP down event in initial state

My Mikrotik installed on the Russian Federation territory and the employees do not travel outside the country. The logs can be seen that the compounds come from:

104.130.19.164
14.215.176.20
14.215.176.21
14.215.176.149
14.215.176.148

These IP registered in China. This is an attempt hack my lan? What actions to take?

jarda · August 30, 2016, 7:26am

You can drop all traffic from that ips. Use address list and firewall raw table if you are running some recent version.

BlackVS · August 30, 2016, 7:30am

Capture and analyze few packets (to check protocol). I know of cases some inner clients used BitTorrent with open port 1723.
But better to block access to the 1723 TCP port for all and enable it only for some.

PS: or use port-knocking method. Like http://mum.mikrotik.com/presentations/US10/discher.pdf

sidex84 · August 30, 2016, 7:50am

Many thanks. I will try all your options proposed.