Router may be hacked. Please help

Hello,

I'm new. I have had a MikroTik RB951Ui-2nD router for 1 year. I access it with WinBox.

Behind it (the router) I have Windows and an XAMPP server on which I host WordPress. A hacker attack started a month ago, and the hacker is using the server's local IP 192.168.88.100.

The attacker's real IP is not visible. I am asking for guidance on how to find out where the attack is coming from. The computer has a licensed Malwarebytes.

Is MikroTik hacked, or WinBox, or something else?

Here is an example from the server access log:

192.168.88.100 - - [15/Mar/2024:14:14:57 +0200] "POST /wp-cron.php?doing_wp_cron=1710504897.6459970474243164062500 HTTP/1.1" 200 -
192.168.88.100 - - [15/Mar/2024:14:15:02 +0200] "POST /wp-admin/admin-ajax.php?action=wp_1_wc_privacy_cleanup&nonce=8e5dc83129 HTTP/1.1" 200 -

Please guide me.

PS Admins please excuse me if I haven’t posted in the right place.

The “hack” is coming from the internet to your wordpress server. Why would the router be involved at all? The hacker can visit your wordpress site just like any other internet user.

Hello Normis.
Thank you for the reply. I have involved the router because, from my point of view, if the router is hacked, bad persons can send requests from an internal IP. For the first time I see a hacker attacking using an internal IP, and I cannot see the real IP or MAC inside the router. In the log (which I am monitoring continuously) I cannot find the "real path" of the hacker, nor in the access log. So how can they "visit me" without a trace in the log, access bridge, etc.?
All traffic passes through the router. It "looks like" I am trying to hack myself. I think (with all respect to you) your statement is strange to me.

In /ip/firewall/connections you can see all connections, just filter on Dst. Address 192.168.88.100 to get the list of Src. Addresses.
Still unclear what makes you think your router is part of the hack. Especially because the only log you provide is from the XAMPP server.

Can you provide your routers config?

/export file=anynameyoulike

Remove serial and post between code tags by using the </> button.

Hello Erlinden,
please accept my apologies for this inconvenience.
If I knew, I would not be asking you.
Attached please find configuration file named: forchecking.rsc

At your disposal with respect.

Maybe the file is not attached? I cannot see it in my post.
Please advise if the file has not been received by you.

Unplug the router from the internet.
Netinstall the latest stable firmware.
Put back the config WITHOUT any port forwarding.

a. Think about having ONLY a server with a secure login process.
b. Think about limiting, in a source address list, which public IPs can access the server.
c. Even better, use WireGuard and have people access the server after they WireGuard to the router.

Requests from the server itself to wp-cron.php. Nothing wrong with that. Nevertheless, I think you should make yourself familiar with WordPress. Keeping it updated and secure is crucial when exposing it to public internet.
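The distinction this reply draws (a source address equal to the server's own LAN IP means the server made the request itself) can be checked mechanically. WP-Cron and WooCommerce's Action Scheduler both fire by POSTing to the site's own URL, so those hits land in the access log with the host's own address as the source, while outside visitors and scanners appear with their public address. Below is an added illustration, not code from this thread or from WordPress: a small Python classifier run over constructed access-log lines. The first two sample lines are the ones quoted in the thread; the rest, the address set `SELF_ADDRESSES`, and the threshold in `suspicious_sources` are assumptions for the example.

```python
"""Classify Apache access-log lines from a WordPress host.

Added illustration (not code from the forum thread). A request whose source
is the server's own address and whose target is wp-cron.php or
admin-ajax.php was made by WordPress itself; anything else from the server's
own address, and any outside address hammering login endpoints, deserves a
closer look.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the XAMPP host's own addresses. 192.168.88.100 is the LAN IP
# named in the thread; the loopback addresses are added for completeness.
SELF_ADDRESSES = {"192.168.88.100", "127.0.0.1", "::1"}

# Endpoints WordPress legitimately calls on itself (WP-Cron, Action Scheduler).
SELF_CALL_PATHS = {"/wp-cron.php", "/wp-admin/admin-ajax.php"}

# Endpoints that outside scanners and credential-stuffing tools hit repeatedly.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Apache common log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. Lines 1-2 are the ones quoted in the thread; the
# remaining lines are invented for the example (203.0.113.0/24 is a
# documentation range, not a real attacker).
SAMPLE_LOG = """\
192.168.88.100 - - [15/Mar/2024:14:14:57 +0200] "POST /wp-cron.php?doing_wp_cron=1710504897.6459970474243164062500 HTTP/1.1" 200 -
192.168.88.100 - - [15/Mar/2024:14:15:02 +0200] "POST /wp-admin/admin-ajax.php?action=wp_1_wc_privacy_cleanup&nonce=8e5dc83129 HTTP/1.1" 200 -
203.0.113.7 - - [15/Mar/2024:14:16:10 +0200] "GET /wp-login.php HTTP/1.1" 200 -
203.0.113.7 - - [15/Mar/2024:14:16:11 +0200] "POST /wp-login.php HTTP/1.1" 200 -
203.0.113.7 - - [15/Mar/2024:14:16:12 +0200] "POST /xmlrpc.php HTTP/1.1" 200 -
192.168.88.100 - - [15/Mar/2024:14:17:00 +0200] "POST /wp-admin/admin-ajax.php?action=as_async_request_queue_runner HTTP/1.1" 200 -
192.168.88.100 - - [15/Mar/2024:14:18:30 +0200] "GET /index.php HTTP/1.1" 200 -
"""


def parse_line(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry["target"]).path  # drop the query string
    return entry


def classify(entry):
    """Label one parsed entry.

    self-call       : server talking to itself (WP-Cron, admin-ajax); expected
    self-unexpected : server-originated request to anything else; look at the
                      host itself, since something local made that request
    probe           : outside address hitting login / XML-RPC endpoints
    external        : ordinary outside visitor
    """
    if entry["ip"] in SELF_ADDRESSES:
        return "self-call" if entry["path"] in SELF_CALL_PATHS else "self-unexpected"
    if entry["path"] in PROBE_PATHS:
        return "probe"
    return "external"


def summarize(log_text):
    """Count (source ip, label) pairs over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        counts[(entry["ip"], classify(entry))] += 1
    return counts


def suspicious_sources(log_text, min_probe_hits=3):
    """Outside addresses with at least min_probe_hits probe requests (threshold is an assumption)."""
    counts = summarize(log_text)
    return sorted(ip for (ip, label), n in counts.items()
                  if label == "probe" and n >= min_probe_hits)


if __name__ == "__main__":
    for (ip, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {label:16} {n}")
    print("sources to block or rate-limit:", suspicious_sources(SAMPLE_LOG))
```

Run against the real access log by reading the file into `summarize`. The "self-call" bucket is what the two quoted lines fall into; a non-empty "self-unexpected" bucket is the case where looking at the Windows host (not the router) is warranted, and the "probe" bucket gives the public addresses that the address-list or WireGuard advice in the thread would keep out.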

From your logs, it seems like someone is exploiting WordPress scripts, which could indicate vulnerabilities in your WordPress setup or plugins. Start by updating all WordPress plugins, themes, and the core itself to their latest versions. Also, install a security plugin like Wordfence or Sucuri to scan for malware and block malicious requests.

For your MikroTik router, reset it to factory settings and update the firmware immediately. Disable unnecessary services like WinBox from being accessible publicly. It’s also good to change all passwords to something strong and unique.

I recently came across news from chaktty about hacking cases like this, and it emphasized how attackers often exploit outdated software or weak credentials. Following those tips helped me secure my network. Keep monitoring your logs after making changes to ensure no unauthorized access continues.