Hi All
I am new to Mikrotik, so please be easy on me.
I recently got notified by my ISP that my IP has been blacklisted. I checked on the Spamhaus website and my IP was indeed listed there because of a Mikrotik vulnerability.
After investigating, I found I had an old version of the package on my Mikrotik routerboard, so I upgraded the Routerboard OS to the latest, upgraded the firmware, changed the password, disabled all the IP services other than winbox, changed the winbox port, and rebooted the router.
I also changed my APs' wifi passwords. I then scanned all my machines but could not find any infection.
Even after doing this, my IP was still getting lots of hits on Spamhaus.
I started further investigation and found that at any given time, I have about 17000 connections under the firewall. Most of these connections are made on port 58154 from random IPs. There are other ports too.
When I checked this port with an online checker tool, this port was indeed open, but under filter rules I don't see this port being open.
Under logs, I also see denied winbox/dude from random IPs.
Last weekend, I powered down the router and hits got to 0 in the last 24 hours on Spamhaus, but this Monday, when the router was switched back ON, I got 85 hits in the last 24 hours.
Tonight, I am planning to power down the switch and leave the Mikrotik ON. If I still keep getting hits on Spamhaus, then it will be clear that the Mikrotik is still compromised.
Meanwhile, can you please provide any suggestions to fix this issue?
Regards