Is there a way to see all previous failed logins on Winbox?

Hi everyone,

So I think I have (or had) malware on my network on some device.

I can see on my FreePBX phone server a pile of failed logins at 11:09 April 19.

Now when I logged into Winbox today and opened the terminal (I was going to do some VLAN stuff) I saw it pop up and show several failed login attempts for the Mikrotik router.

apr/19/2023 11:08:28 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:29 system,error,critical login failure for user guest from 192.168.88.34 via ftp
apr/19/2023 11:08:30 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:31 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:33 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:34 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:35 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/20/2023 10:16:47 system,error,critical login failure for user admin from 192.168.88.250 via winbox

On my FreePBX server you can type a command and see all previous login attempts. Is there a command you can type which lets you see this on Mikrotik? It seems to have the logs, given that it printed them on the terminal when I started up Winbox.

Thank you.

EDIT: The last entry (IP address 192.168.88.250) was me, I think, but all the 192.168.88.34 ftp attempts were not. And yes, I have changed the admin account to a new named one; ‘admin’ is disabled now.

/log print

Thank you rex, do you know if there is any way for it to go back even further? I typed that but the terminal seems to run out of space and so it only shows as far back as yesterday. Or maybe that's all that is stored in its memory?

Seems like it has run out of space, I think. The last log was April 25. I will have to set up a method of saving the logs automatically in the future.

Paste this on router:

Add /flash before “/seclog” if your device has flash, or you will lose the logs on reboot.

/system logging action
add disk-file-count=10 name=SaveToDisk target=disk disk-file-name=/seclog
/system logging
add action=SaveToDisk prefix=SEC topics=system,error,critical

You can’t go back because the log is limited to 1000 lines, but with this “addon” your last 10.000 lines are saved on disk, and in future you can see further back.

You can increase the line limit per log file, I use 4096 without any problem.

Ideally these log files are written to disk, even better external disk.
You could also use an external syslog server where all log lines are being sent to (and then you can do what you want).

Hi Rex,

This seems to be what I am getting.
I don’t think I have ever entered a command like this before for it to return ‘such file name already exists’ but it appears I have possibly?

[XXXX@MikroTik] /system/logging> /system logging action
[XXXX@MikroTik] /system/logging/action> add disk-file-count=10 name=SaveToDisk target=disk
failure: disk action with such file name already exists
[XXXX@MikroTik] /system/logging/action> /system logging
[XXXX@MikroTik] /system/logging> add action=SaveToDisk prefix=SEC topics=system,error,critical
input does not match any value of action

Do you know should I change ‘SaveToDisk’ to a different name in both commands?

How do I know if my router has ‘flash’?

Thanks. I will definitely set this up so it saves the logs to a separate hard drive with large storage space (few hundred GB or something) so that I can see all the logs going back. I didn’t really know how useful the logs were until now

Check twice what you paste, something was lost in the meantime…
after target=disk there is disk-file-name=/seclog

Paste this on the terminal: if you obtain 1, it is Flash; if it is 0, it is NAND

:put [:len [/file find where name="flash" and type="disk"]]

After you connect the external disk, just change (/flash)/seclog to /disk_name_here/seclog on winbox/webfig and you can increase the file number from 10 to what you want.
Do not exceed lines per log; it consumes router memory. Better to have more files.

I don’t care with 1Gb on RB5009 :laughing:

But yes, valid comment on device with more restricted memory.

Thank you.

I obtained a 0 so therefore it must be NAND.

I also properly entered the commands with disk-file-name=/seclog included.

So now my log file will have 10,000 lines instead of 1000? Does this include when you go to Log via the Winbox menu as opposed to typing it in /log print?

It is the same, 1000 per log file, but if you have 10 logs, that is 10.000 lines in total.
To see old logs, open the old files.

Only thing you need to take into account when using winbox, is setting buffer to disk (Log - right upper field), otherwise you will see double entries (for those entries also being kept in memory).

So now that I have this ‘save to disk’ command entered, it will save logs to disk instead of memory. I assume that means the Mikrotik has a disk / hard drive storage space on it as well as RAM and we are saving to the hard drive now instead of the RAM?

Rex I am not sure what you mean by ‘to see old logs check old files’

All I can currently see is /log print or go to Winbox → Log → only logs shown are Memory logs. When I select ‘save to disk’ in the top right it is empty.

edit: Nevermind, it is working. It is just only saving certain logs.

What does it mean that they are trying to log in via FTP?

All the failed logins were via FTP.

I only know two ways to access Mikrotik router, with winbox, or with web access. What does it mean they are accessing it with FTP? How do you access mikrotik with FTP?

Paste the result of this command on the forum:
/ip service export verbose

Remove the serial number and public IP, if any, but do not remove any other line.

# apr/26/2023 14:26:20 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = XXXXXXXXXXXXX
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main

Most likely some bot or service on your network trying to scan or even get in.
Some have reported this behaviour from a virus scanner doing this scanning on the network.

Your FTP service is enabled so a possible entry point.
If not needed, disable.

Ahhhhhhh… all services open…

If you use only winbox and webfig, paste this to close all the open services (to the world?)
(www-ssl on https is useless if you do not have any cert)

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes
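As an added example (not code from the thread or from MikroTik), here is a small audit script that parses the `/ip service export` output posted above and lists every enabled service together with why it deserves a look: not in the set of services you actually use, reachable from any address (empty `address=`), or a plaintext protocol. The sample export embedded in the script is the one from the post above with the serial number already redacted; the `needed` set defaults to winbox and www because those are the two the poster said they use.

```python
"""Audit a RouterOS '/ip service export' for exposed management services.

Added example, not code from the forum thread or from MikroTik.
Assumes the export layout shown in the thread:
    /ip service
    set <name> address="" disabled=no port=23 vrf=main
"""
import shlex

# Services whose credentials cross the wire unencrypted (assumption: the
# classic RouterOS service names as they appear in the export).
PLAINTEXT = {"telnet", "ftp", "www", "api"}

# Sample export, copied from the thread (serial number was already redacted there).
SAMPLE_EXPORT = """\
# apr/26/2023 14:26:20 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = XXXXXXXXXXXXX
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
"""


def parse_ip_service_export(text):
    """Return {service_name: {attribute: value}} from '/ip service export' output."""
    services = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # export header comments
        if line.startswith("/"):
            in_section = line == "/ip service"  # only parse the service section
            continue
        if not in_section:
            continue
        tokens = shlex.split(line)  # shlex turns address="" into 'address='
        if len(tokens) < 2 or tokens[0] != "set":
            continue
        attrs = {}
        for token in tokens[2:]:
            key, _, value = token.partition("=")
            attrs[key] = value
        services[tokens[1]] = attrs
    return services


def audit(services, needed=("winbox", "www")):
    """List (name, port, reasons) for every enabled service worth reviewing."""
    findings = []
    for name, attrs in sorted(services.items()):
        if attrs.get("disabled", "no") == "yes":
            continue  # already off, nothing to review
        reasons = []
        if name not in needed:
            reasons.append("not needed: disable it")
        if attrs.get("address", "") == "":
            reasons.append("no address restriction: limit to the management subnet")
        if name in PLAINTEXT:
            reasons.append("plaintext protocol: credentials visible on the wire")
        if reasons:
            findings.append((name, attrs.get("port", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, port, reasons in audit(parse_ip_service_export(SAMPLE_EXPORT)):
        print(f"{name} (port {port}):")
        for reason in reasons:
            print(f"  - {reason}")
```

Even for the two services you keep, the audit flags the empty `address=` field: RouterOS lets you restrict each service to a source subnet there, which is the natural next step after disabling the services you do not use.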

I have a script that parses the log looking for logins, and failed logins since the last time the script ran. If it finds any, it sends me an E-Mail. The script is scheduled to run every minute. I did not write the original script - just tweaked it for my purposes. If you want that script, just ask and I will post it.
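The script mentioned above was not posted, so here is an added example of the same idea, written for this thread and not taken from any poster or from MikroTik: it parses RouterOS log lines in the layout shown in the first post, keeps only failed logins newer than a stored watermark (the "since the last run" behaviour), and flags sources that produced a burst of failures inside a short window, which is what the 192.168.88.34 ftp entries look like. The sample log is constructed from the lines in the first post plus one made-up successful login; the threshold and window values are assumptions you would tune.

```python
"""Find failed logins in RouterOS log output and flag brute-force bursts.

Added example, not the script referred to in the thread and not MikroTik code.
Assumes the log line layout from the first post:
    mmm/dd/yyyy HH:MM:SS topic,topic login failure for user <u> from <ip> via <svc>
"""
import re
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%b/%d/%Y %H:%M:%S"  # strptime matches "apr" case-insensitively
LOG_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) "
    r"login failure for user (?P<user>\S+) from (?P<ip>[\d.]+) via (?P<svc>\w+)$",
    re.IGNORECASE,
)

# Constructed sample: the first post's lines (IPs rejoined) plus one normal login.
SAMPLE_LOG = """\
apr/19/2023 11:08:28 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:29 system,error,critical login failure for user guest from 192.168.88.34 via ftp
apr/19/2023 11:08:30 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:31 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:33 system,error,critical login failure for user root from 192.168.88.34 via ftp
apr/19/2023 11:08:34 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/19/2023 11:08:35 system,error,critical login failure for user admin from 192.168.88.34 via ftp
apr/20/2023 10:16:47 system,error,critical login failure for user admin from 192.168.88.250 via winbox
apr/20/2023 10:17:02 system,info,account user fred logged in from 192.168.88.250 via winbox
"""


def parse_failures(text):
    """Return [(timestamp, user, ip, service)] for every failed-login line."""
    failures = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # successful logins and other topics are not failures
        ts = datetime.strptime(match.group("ts"), TS_FORMAT)
        failures.append((ts, match.group("user"), match.group("ip"), match.group("svc")))
    return failures


def new_failures(text, last_seen=None):
    """Failures strictly after last_seen, a timestamp string in the log's own format.

    A scheduled job would store the newest timestamp it reported and pass it
    back in on the next run so each failure is reported once.
    """
    failures = parse_failures(text)
    if last_seen is not None:
        watermark = datetime.strptime(last_seen, TS_FORMAT)
        failures = [f for f in failures if f[0] > watermark]
    return failures


def bursts(failures, threshold=5, window_s=60):
    """Return {ip: summary} for sources with >= threshold failures in any window_s span."""
    by_ip = defaultdict(list)
    for ts, user, ip, svc in failures:
        by_ip[ip].append((ts, user, svc))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, longest = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            longest = max(longest, end - start + 1)
        if longest >= threshold:
            flagged[ip] = {
                "burst": longest,
                "services": sorted({e[2] for e in events}),
                "users": sorted({e[1] for e in events}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in bursts(new_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['burst']} failures within 60s via {info['services']} "
              f"trying users {info['users']}")
```

On a router configured with the disk logging action from earlier in the thread, the input would be the contents of the saved log files rather than the 1000-line memory buffer, so the watermark can be set well in the past without losing anything.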