Hi
So we have around 1000 routers in our network and we were hacked around a week ago due to the Winbox password flaw.
We found the source addresses of some of the attackers and botnets, so we blocked those.
A few customers were offline for the last ROS upgrade and unfortunately they got hacked.
I have here on the bench a hacked RB951 which I have been trying to access all weekend.
Winbox, telnet and SSH blocked.
So I decided to spoof the attackers' IPs and use the same exploit they did to get the password. No luck so far, so I must have missed their address and just got the bots.
My concern is this:
A few days ago, after the attack, we went to activate our new BGP only to realise the port was sending out STP, even though the port is not in a bridge; it is totally isolated.
Here I have the hacked RB951 and it too is sending out lots of STP from its WAN.
I just checked my own router with a similar config, which I netinstalled just yesterday, and there is no STP on the WAN, only the bridge, as you would expect.
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:08 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 05:38:09 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 95.154.216.151 via winbox
All of this in red is not my setting on the MikroTik router, but was added to the router automatically.
I also don’t know about this IP address …
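
A way to triage login-failure lines like the ones quoted above, as an added example that is not part of the original posts: it groups failures by source address and lists the sources that come back on more than one day. The sample log is constructed and uses documentation addresses, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Matches the log layout shown in the thread: date, time, topics, message.
LINE_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})/(?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<topics>\S+) "
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$")

# Constructed sample input (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 192.0.2.10 via winbox
aug/03/2018 18:34:36 system,error,critical login failure for user admin from 192.0.2.10 via winbox
aug/22/2018 05:38:08 system,error,critical login failure for user admin from 192.0.2.10 via winbox
aug/22/2018 19:16:11 system,error,critical login failure for user admin from 192.0.2.10 via winbox
aug/22/2018 07:02:40 system,error,critical login failure for user admin from 198.51.100.7 via ssh
aug/22/2018 07:05:00 system,info,account user admin logged in from 203.0.113.5 via winbox
"""

def parse_failures(text):
    """Return one record per login-failure line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        hh, mm, ss = map(int, m["time"].split(":"))
        when = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
        records.append({"when": when, "user": m["user"],
                        "src": m["src"], "svc": m["svc"]})
    return records

def summarize(records):
    """Group failures by source: total count, distinct days, services, users."""
    by_src = defaultdict(lambda: {"count": 0, "days": set(),
                                  "services": set(), "users": set()})
    for r in records:
        entry = by_src[r["src"]]
        entry["count"] += 1
        entry["days"].add(r["when"].date())
        entry["services"].add(r["svc"])
        entry["users"].add(r["user"])
    return dict(by_src)

def returning_sources(summary, min_days=2):
    """Sources seen failing on at least min_days distinct days."""
    return sorted(s for s, e in summary.items() if len(e["days"]) >= min_days)
```
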