Malware on Mikrotik output chain?

We have been informed by our ISP that there are malware attacks originating from our public IP.
The destination IPs are only a few, so I’ve added them to a list and added firewall rules in the forward, output and mangle postrouting chains, trying to catch which LAN IP is doing this.

/ip firewall filter add action=add-src-to-address-list address-list=MalwareLAN_IP address-list-timeout=none-dynamic chain=forward dst-address-list=Malware log=yes log-prefix=***Malware_LAN_IP_Forward**
/ip firewall mangle
add action=add-src-to-address-list address-list="Malware " address-list-timeout=none-dynamic chain=postrouting dst-address-list=Malware log=yes log-prefix=***Melware_Postrouting***

To my surprise, the only log I have got so far is on the output and postrouting chains.
Log attached:

09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (SYN), myPublicIP:59285->13.248.148.254:80, len 60 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,PSH), myPublicIP:59285->13.248.148.254:80, len 456 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,PSH), myPublicIP:59285->13.248.148.254:80, len 398 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK), myPublicIP:59285->13.248.148.254:80, len 52 
09:14:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,FIN), myPublicIP:59285->13.248.148.254:80, len 52

I’ve checked; there is no script or scheduled task on the Mikrotik that I don’t know of.
There is no proxy or socks service.
I don’t think the router is hacked.

The only reason the Mikrotik originates a connection is Mikrotik’s own DDNS service in Cloud, and an SNTP client.

We used to have a few VPN clients using this Mikrotik as a VPN server, but I would think anything from these VPN clients would show up in the forward chain?
Any thoughts?

And netwatch has up/down scripts, VPN profile script, DHCP script…
In System>Scripts you have a JOB tab, check it.
Use Tool\Torch too.

And it is easier to do /export file=dump.txt and analyze it.
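
Added example, not part of the thread: a Python script that groups firewall log lines in the layout shown in the first post into flows and labels each one as router-originated (output chain, no input interface) or forwarded from a LAN address. The forward-chain sample line, the address 192.168.88.10 and all function names are constructed for illustration.

```python
import re

# Layout of the firewall log lines shown in the post.
LINE_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) firewall,info .*?(?P<chain>\w+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>[^,]+), .*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[^\s:]+):(?P<sport>\d+)->"
    r"(?P<dst>[^\s:]+):(?P<dport>\d+), len (?P<len>\d+)"
)

def seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize(lines):
    """Group log lines into flows keyed by (chain, src, sport, dst, dport)."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a firewall line in the expected layout
        key = (m["chain"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        t = seconds(m["time"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "flags": set(),
                                   "first": t, "last": t, "in_if": m["in_if"]})
        f["packets"] += 1
        f["bytes"] += int(m["len"])
        f["flags"].update(x for x in (m["flags"] or "").split(",") if x)
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return flows

def origin(key, flow):
    """'router' for locally generated traffic, else the LAN source address."""
    if key[0] == "output" or flow["in_if"].startswith("(unknown"):
        return "router"
    return key[1]

# First four lines are taken from the log in the post; the last one is constructed.
SAMPLE = [
    "09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (SYN), myPublicIP:59285->13.248.148.254:80, len 60",
    "09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,PSH), myPublicIP:59285->13.248.148.254:80, len 456",
    "09:13:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,PSH), myPublicIP:59285->13.248.148.254:80, len 398",
    "09:14:34 firewall,info ***MalwareIP output: in:(unknown 0) out:sfp-sfpplus1, proto TCP (ACK,FIN), myPublicIP:59285->13.248.148.254:80, len 52",
    "09:15:02 firewall,info LAN_Forward forward: in:bridge out:sfp-sfpplus1, proto TCP (SYN), 192.168.88.10:51514->13.248.148.254:80, len 60",  # constructed
]

if __name__ == "__main__":
    for key, flow in summarize(SAMPLE).items():
        print(origin(key, flow), key[1:], flow["packets"], "pkts", flow["bytes"], "bytes", flow["last"] - flow["first"], "s")
```

Fed with an exported log, the per-flow summary shows at a glance whether hits against the destination list come from the router itself or from a LAN host, and how long each connection lasted.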