Odd problem

I’ve got an RB600 that is pinging a list of IP addresses.

Looks like it has a bug or something. I can’t find anything. Can’t find where anyone has gotten into it, but obviously something has happened.

Any ideas?

13:44:52 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->162.222.2.247, len 80 
13:44:52 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->99.251.229.171, len 76 
13:44:54 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->151.80.113.65, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->162.222.2.247, len 76 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->213.66.216.222, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->71.68.79.68, len 76 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->173.239.240.149, len 92 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->65.99.1.83, len 92 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->71.68.79.68, len 76 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->50.116.198.197, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->92.3.164.153, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->50.116.198.196, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->14.201.106.95, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->75.139.156.38, len 80 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->67.149.85.220, len 76 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->122.150.85.199, len 68 
13:44:55 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->104.244.46.135, len 157 
13:44:56 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->178.62.205.165, len 68 
13:44:57 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.204.112.199, len 80 
13:44:57 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.204.112.199, len 60 
13:44:57 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->139.99.4.50, len 68 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->76.97.162.14, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->24.141.217.112, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->67.149.85.220, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->65.99.1.83, len 86 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->76.97.162.14, len 86 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->24.141.217.112, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->70.185.49.18, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.110.34.91, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->173.239.240.149, len 92 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->72.130.170.208, len 68 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->24.74.37.187, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->88.105.148.46, len 68 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->108.59.14.78, len 68 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->24.74.37.187, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 80 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 86 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->86.156.216.141, len 76 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->158.69.122.195, len 68 
13:44:58 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->216.218.206.84, len 68 
13:44:59 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->137.74.95.7, len 68 
13:44:59 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->204.11.109.68, len 68 
13:44:59 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->52.72.0.57, len 80 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->45.55.28.159, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:00 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->184.51.150.43, len 68 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->146.148.38.5, len 68 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.110.34.91, len 76 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 80 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 86 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->2.222.127.151, len 68 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->75.139.156.38, len 80 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->81.97.35.212, len 80 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->81.97.35.212, len 76 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->5.79.98.224, len 68 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->58.166.73.13, len 68 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.246.219.63, len 160 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->173.194.219.188, len 80 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->151.101.56.84, len 99 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->151.101.56.84, len 99 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->151.101.56.84, len 99 
13:45:02 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->34.213.77.81, len 80 
13:45:03 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->144.217.181.81, len 68 
13:45:03 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->91.230.47.14, len 68 
13:45:05 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 101 
13:45:05 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 101 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 84 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 84 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 84 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->60.169.78.56, len 68 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->108.180.55.196, len 68 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->81.97.35.212, len 80 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->72.241.104.232, len 68 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->81.97.35.212, len 76 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->73.110.34.91, len 76 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->65.99.1.83, len 76 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 76 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->68.158.0.46, len 86 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->52.6.74.211, len 80 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->35.185.82.249, len 80 
13:45:06 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->35.185.82.249, len 80 
13:45:07 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 88 
13:45:07 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 88 
13:45:07 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 88

It is persistent after a reset and reload, export/import rsc, not using the backups.

I didn’t check it while it was still wiped. Should have done that.

Persists after a reset.

System reset no-defaults=yes
add ip and gateway only
Starts pinging immediately.

Does this happen even when you don’t connect it to the Internet?
I’d suspect that one of the management services has been compromised, and that your router is being used to ping scan stuff.
Make sure that your firewall filter table’s INPUT chain has a proper configuration.
Most common error is when people configure the WAN to use PPPoE and forget to change the rules that reference ether1-gateway to reference pppoe1-out instead.

Try disabling all of the IP services except for Winbox, and then allow Winbox only from your exact IP address.
Then reboot.

If it still happens, then you need to go looking through scripts and so forth - check files on the filesystem.
Somewhere, there will be something with the IP addresses the log shows pings for.

EDIT: Given that a blank configuration starts pinging immediately, I’d say that your IP address is known by a hacker/bot and being hijacked.
You -did- remember to change the default admin password before connecting it to the Internet, right?

Yes, the password is secure. Even looked at the logs to make sure no one else was logged in. The only users showing up are me and the Dude.

This AP has been on the tower since ’08. The ping is coming from my internal address, 10.1.22.2, not from my public address. The ping begins after a system reset with no defaults and I set the IP and gateway on the Ethernet 2 interface, the only one even connected to anything at that point.

Someone on a Facebook group mentioned maybe it is something to do with the subnets behind this AP and somehow it is being routed to it even when I don’t have the routes set up on this particular device yet.

I’m running NAT at the edge, src NAT only. The only way to get into my equipment is through the public IP, which I had not yet set up, and the pings started anyway.

I’m wondering if this is some kind of spoofed pings and my RB600 is replying to the wrong addresses or if one of those lovely exploits that were released might have something to do with it.

When I set another device with 10.1.22.2 the pings don’t continue. When I moved this to 10.1.22.9 they did; when I moved it to 10.1.22.222 they stopped.

Definitely a head scratcher.

Sniff all interfaces simultaneously, and if it’s completely replicable that the pings go away whenever you put the device on 10.1.22.2, then start the capture before doing so, then connect the device, and when the pings go away, stop the capture. Download it to your PC where you can open it in Wireshark, and then see what other stuff seems to happen simultaneously.

If there’s NAT involved, then you should see the other side of the NAT happening, too.

ICMP Type 3 Code 1 is “Host Unreachable”.
IT IS NOT PING!!!

Good catch, Sid. This means that the ICMP messages are most likely in response to typical network scans coming from the Internet. Note that the messages are being sent to various public IP addresses out there. Those are the IPs doing the scanning, and whatever IP they’re trying to reach (it’s pretty much going to be every unused public IP address that’s sink-holed at the router in question) is obviously not there, so the router is sending ICMP unreachable messages in response. Interesting that it’s using its private IP interface to do so.

Of course, 0ldman needs to post his config to get any useful feedback from here on in.
I wonder if he will?
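A small log triage script (added here as an example; it is not from the thread or from MikroTik) that makes Sid’s point mechanically: it parses RouterOS firewall log lines in the format pasted above, names the ICMP type/code instead of trusting the rule prefix, and flags destination-unreachable messages that a private address is sending to public hosts. It assumes the "ping" label in the lines is just the user’s rule prefix, and the echo-request sample line is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Regex for the RouterOS firewall log format in the thread. Assumption: the
# "ping" token is the user's log prefix on the rule, not the ICMP message type.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<topics>[\w,]+) (?P<prefix>\S+) -\s+"
    r"(?P<chain>\w+): in:(?P<in>\S+) out:(?P<out>\S+), proto ICMP "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<len>\d+)"
)

# RFC 792 names for the type/code pairs that matter when reading these logs.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (11, 0): "TTL exceeded in transit",
}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("type", "code", "len"):
        rec[k] = int(rec[k])
    rec["name"] = ICMP_NAMES.get((rec["type"], rec["code"]), "other")
    return rec

def summarize(lines):
    """Count messages by meaning; flag unreachables from a private source to
    public destinations (the pattern in the thread). Private-to-private
    unreachables, such as 10.1.22.2->10.1.22.5, are deliberately not flagged."""
    by_name, flagged = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_name[rec["name"]] += 1
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if rec["type"] == 3 and src.is_private and dst.is_global:
            flagged[rec["dst"]] += 1
    return {"by_name": dict(by_name), "unreachable_to_public": dict(flagged)}

# Three lines taken from the thread plus one constructed echo-request line.
SAMPLE = [
    "13:44:52 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->162.222.2.247, len 80",
    "13:44:52 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->99.251.229.171, len 76",
    "13:45:05 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 3, code 1), 10.1.22.2->10.1.22.5, len 101",
    "13:45:10 firewall,info ping -  output: in:(none) out:ether2, proto ICMP (type 8, code 0), 10.1.22.2->10.1.22.1, len 84",  # constructed
]
```

Feed it the full pasted log and the "by_name" counter shows no echo requests at all, only host-unreachable replies, while the flagged counter lists the public addresses that provoked them.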