RouterOS suspicious activity

I’m using Mikrotik RouterOS 4.5 and recently received a number of complaints about malicious (scanning the RDP service port) traffic originating from one of the IP addresses on my router.

I enabled logging to monitor the origin of this traffic and received this:

05:22:34 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), my_ip:18543->some_random_ip:3389, len 20 
05:22:36 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), my_ip:18543->some_random_ip:3389, len 20 
06:03:31 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), my_ip:62990->some_random_ip:3389, len 20 
06:11:56 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), my_ip:19555->some_random_ip:3389, len 20

According to the manual, the output chain is for traffic that originates from the router itself. Could it be that my router was hacked, and what is my course of action if it was?
P.S. I never used default passwords, and all service ports were remapped to custom numbers, except winbox.

Hope you also use non-default user names…

I had to swap the compromised Mikrotik for a brand new one and manually move all configs. Let’s hope that will help.

Oh well, it started again. Not really sure what to do now. It was a clean router with the latest RouterOS, all passwords changed.

15:51:23 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40 
15:51:24 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40 
15:51:24 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40 
15:54:01 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40 
15:54:02 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40 
15:54:02 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), my_ip:43508->random_ip:3389, len 40

Any suggestions?

Please post:

/ip firewall export
/ip socks export

Firewall Export.

/ip firewall address-list
add address=192.168.2.145 disabled=no list=through_ekb
add address=192.168.2.64 disabled=no list=through_ekb
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no protocol=icmp
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=log chain=forward disabled=no dst-port=3389 log-prefix=rdp_out protocol=tcp
add action=log chain=output disabled=no dst-port=3389 log-prefix=rdp_out protocol=tcp
add action=log chain=input disabled=no dst-port=3389 log-prefix=rdp_out protocol=tcp
add action=reject chain=forward comment="deny default route" disabled=no out-interface=ether1-gw-RCom reject-with=icmp-network-unreachable src-address-list=through_ekb
add action=reject chain=forward comment="deny default route" disabled=no out-interface=ether3-gw-iZet reject-with=icmp-network-unreachable src-address-list=through_ekb
add action=drop chain=output comment="suspicious activity" disabled=no dst-address=!192.168.0.0/16 dst-port=3389 protocol=tcp
add action=drop chain=forward disabled=no dst-address=!192.168.0.0/16 dst-port=25 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address=!192.168.0.0/16 new-routing-mark=EKAT passthrough=no src-address-list=through_ekb
add action=mark-routing chain=prerouting disabled=yes dst-address=!192.168.0.0/16 new-routing-mark=EKAT passthrough=yes src-address=192.168.2.94
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pptp-to-ekat src-address=192.168.2.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether1-gw-RCom
add action=masquerade chain=srcnat disabled=no out-interface=ether3-gw-iZet
add action=masquerade chain=srcnat disabled=no out-interface=ether2-gw-Beeline
add action=dst-nat chain=dstnat disabled=no dst-address=my_ip dst-port=33899 protocol=tcp to-addresses=192.168.2.122 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=my_ip dst-port=33900 protocol=tcp to-addresses=192.168.2.66 to-ports=3389
add action=dst-nat chain=dstnat disabled=no dst-address=my_ip dst-port=22022 protocol=tcp to-addresses=192.168.2.94 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-address=my_ip dst-port=8080 protocol=tcp to-addresses=192.168.2.110 to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Socks export.

set connection-idle-timeout=2m enabled=no max-connections=200 port=1080

I don’t see anything suspicious there; all rules were added by me.

You don’t have an input drop; I would start by securing your router’s input chain.

The default action for the firewall is accept, so you need a default input drop at the end of your input rules.

chain=input action=reject reject-with=icmp-network-unreachable

Thanks for the advice, I added a reject rule like the one shown above. What should I do next?

Also, after enabling logging with

chain=input action=log protocol=tcp dst-port=!137 log-prefix=""

I noticed a huge amount of connections from random IPs to my IP on TCP port 43508, the same port
that was used as the outgoing port for the malicious RDP connections from my IP earlier.

09:42:37 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), random_ip:3845->my_ip:43508, len 48 
09:42:38 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), random_ip:22334->my_ip:43508, len 48 
09:42:42 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), random_ip:15900->my_ip:43508, len 52 
09:42:44 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), random_ip:22359->my_ip:43508, len 48 
09:42:45 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), random_ip:15914->my_ip:43508, len 52

According to /ip service print, I have nothing running on that port, and I can’t telnet to that port from other hosts.

Addition: I found a job in /system script job that I didn’t create.

/system script job print
 # SCRIPT  OWNER  STARTED
 0         admin  mar/05/2014 17:25:45
 1         admin  mar/06/2014 16:59:30

From winbox it shows only one job started as admin, but from the terminal it shows two.
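The two log excerpts in this thread (the output-chain hits towards port 3389 and the later input-chain SYNs to port 43508) can be triaged mechanically. The script below is an added example, not code from the thread or from MikroTik: it parses RouterOS firewall log lines in the format shown above, keeps only output-chain lines with in:(none) (traffic the router itself generated) towards TCP/3389 outside 192.168.0.0/16 (the same "internal" boundary the poster's own rules use), groups them by source port, and then checks whether anything from outside is sending SYNs to those source ports on the input chain. The sample lines are constructed in the thread's format with RFC 5737 documentation addresses standing in for my_ip and random_ip; the parser assumes real IP addresses rather than the placeholders used in the posts.

```python
"""Triage of RouterOS firewall log lines (added example; not from the thread or MikroTik).

Checks, following the thread's own reasoning:
  1. output chain + in:(none) = the router itself; such hits to TCP/3389 outside
     the LAN (dst not in 192.168.0.0/16) are the router scanning RDP, grouped by source port;
  2. inbound SYNs on the input chain to one of those source ports suggest
     something on the router is listening there.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One firewall log line, e.g.
# "05:22:34 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), 198.51.100.7:18543->203.0.113.50:3389, len 20"
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S*?)\s*(?P<chain>input|output|forward): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+),"
    r"(?: src-mac (?P<mac>[0-9a-f:]+),)?"
    r" proto (?P<proto>\S+) \((?P<flags>[^)]*)\), "
    r"(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+), len (?P<len>\d+)\s*$"
)
LAN = ip_network("192.168.0.0/16")  # the thread's notion of "internal"
RDP = 3389


def parse_line(line):
    """Fields of one firewall log line as a dict, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = set(rec["flags"].split(","))
    return rec


def router_originated_rdp(lines):
    """Map each local source port to the non-LAN hosts the router itself contacted on
    TCP/3389. Forward-chain lines are LAN hosts, not the router, and are ignored."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["chain"] != "output" or rec["in_if"] != "(none)":
            continue
        if rec["proto"] != "TCP" or rec["dport"] != RDP or ip_address(rec["dst"]) in LAN:
            continue
        targets[rec["sport"]].add(rec["dst"])
    return dict(targets)


def inbound_syn_sources(lines, ports):
    """Distinct sources that sent a SYN to the router (input chain) on each port in
    `ports`; ports with no hits are omitted."""
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["chain"] != "input" or rec["proto"] != "TCP":
            continue
        if "SYN" in rec["flags"] and rec["dport"] in ports:
            sources[rec["dport"]].add(rec["src"])
    return {port: len(srcs) for port, srcs in sources.items()}


def triage(lines):
    """(source port, #RDP targets, #inbound SYN sources), busiest port first. A non-zero
    third field is the thread's situation: the scan's source port is reachable from outside."""
    scans = router_originated_rdp(lines)
    listeners = inbound_syn_sources(lines, set(scans))
    rows = ((port, len(dsts), listeners.get(port, 0)) for port, dsts in scans.items())
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample in the thread's format (not real traffic); 198.51.100.7 plays my_ip.
SAMPLE_LOG = [
    "05:22:34 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (RST), 198.51.100.7:18543->203.0.113.50:3389, len 20",
    "15:51:23 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), 198.51.100.7:43508->203.0.113.10:3389, len 40",
    "15:51:24 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), 198.51.100.7:43508->203.0.113.11:3389, len 40",
    "15:54:01 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), 198.51.100.7:43508->203.0.113.12:3389, len 40",
    "15:54:02 firewall,info rdp_out output: in:(none) out:ether1-gw-RCom, proto TCP (ACK,RST), 198.51.100.7:43508->203.0.113.12:3389, len 40",
    # router talking RDP to a LAN host: inside 192.168.0.0/16, so not counted
    "15:55:00 firewall,info rdp_out output: in:(none) out:ether4-lan, proto TCP (SYN), 192.168.2.1:50001->192.168.2.122:3389, len 52",
    # a LAN workstation's own RDP session through the router: forward chain, not the router
    "15:56:00 firewall,info rdp_out forward: in:ether4-lan out:ether1-gw-RCom, proto TCP (SYN), 192.168.2.66:51000->203.0.113.90:3389, len 52",
    "09:42:37 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), 203.0.113.200:3845->198.51.100.7:43508, len 48",
    "09:42:38 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), 203.0.113.201:22334->198.51.100.7:43508, len 48",
    "09:42:42 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), 203.0.113.201:22335->198.51.100.7:43508, len 52",
    "09:42:44 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), 203.0.113.202:15900->198.51.100.7:43508, len 48",
    # winbox from a management host: expected, and not one of the scan ports anyway
    "09:43:00 firewall,info input: in:ether1-gw-RCom out:(none), src-mac 00:12:da:0d:34:1b, proto TCP (SYN), 203.0.113.5:40000->198.51.100.7:8291, len 52",
    "09:43:01 system,info log rule added by admin",  # not a firewall line; ignored
]

if __name__ == "__main__":
    for port, n_targets, n_sources in triage(SAMPLE_LOG):
        note = "  <- possible listener on the router" if n_sources else ""
        print(f"src port {port}: {n_targets} RDP target(s), {n_sources} inbound SYN source(s){note}")
```

Feed it the output of /log print (or a syslog export) instead of SAMPLE_LOG; a port that shows both router-originated RDP connections and inbound SYNs from several unrelated sources is the pattern the poster observed on 43508 and is worth comparing against /ip service print and the script jobs before trusting the box again.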