I have this question, maybe this is not the place for it, but anyway the doubt is killing me.
I have this MikroTik CRS125-24G as the main router with:
a CentOS server
40 desktop PCs
18 notebooks
~60 cellphones, mostly Android
I set up a lot of rules just to log activity in the MikroTik, and the logs are stored on the CentOS server. I check it from time to time. This log is just from the last month:
Some of my machines are port scanning my router on 192.168.0.1.
All IPs over 100 are from the wireless network; there it's mostly cellphones and some notebooks.
In the line the attack begins from the PC with the IP 192.168.0.47; it checks like 194 ports before the rules in the MikroTik blacklist it and block it.
Today I checked this PC .47: the user has a restricted account, the PC is inside the domain and has all kinds of restrictions from GPOs, so the user couldn't install something like a port scanner.
And sincerely, this girl is not like versed in knowledge to hack her way inside my router.
###############
Anyway, there is something in my network trying to hack my router and:
whatever it is, my antivirus is not detecting it
it gets under the Windows restrictions and security
it's not always active, it just shows up from time to time
for now it looks like it's doing nothing, maybe just spyware or a Trojan waiting for orders from headquarters
###############
By now I'm a little borderline paranoid, trying not to buy into the panic and get into madness and reinstall every machine in the factory,
'cos it could be anything:
ransomware that is inactive just because it couldn't connect to its clandestine server to create keys or something, and the router is the only thing saving our asses
or some Microsoft|NSA|Korean|Russian shit trying to retrieve info from our network secretly
###############
Have some of you been in the same predicament??
How could I identify what kind of threat I'm facing here??
Is this BYOD or a machine you control?
If BYOD, then I'd suggest that you harden layer 2 (peer isolation on wireless and in the switching).
Then for the switch's security on the input chain, drop everything that's not:
dhcp requests
dns (if you’re proxying DNS in the switch)
icmp echo request (so helpdesk can still have users ping the default GW as a troubleshooting step)
and disable neighbor discovery / MAC server on the interface.
Finally, have IP forwarding chain rules that only allow the BYOD network to go to/from the Internet and/or any specific internal services that they should have access to.
Make sure those offered services are hardened and up to date with their patches.
Then let it ride - don’t worry about what they’re trying to do because they’re isolated from each other and from the rest of your network except on specific required services.
Layer 2 client isolation stops all kinds of things like the dreaded netcut / rogue DHCP / ARP poisoning / etc. misbehavior that clients can do from the inside, as well as stopping them from offering unwanted services to other devices in the LAN (no file sharing, no UPnP, etc.).
EDIT: It appears that the PC in question is owned by your organization. Don’t dismiss the fact that users could access content which installs malware and it’s this malware you’re detecting and not something malicious on the part of the user herself. I’m not a computer expert by any stretch so I don’t have any advice to offer on digging through the PC itself to identify the source of the traffic, but that’s the step I recommend next, especially if the same PC does this even when nobody’s using it.
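The isolation and firewall layout described in the reply above, written out as a RouterOS script. This is an added example, not configuration from the thread, from the poster, or from MikroTik. It assumes RouterOS v6.41 or later (interface lists exist; the same commands work on v7), and the following names are assumptions: a BYOD bridge called byod-bridge carrying the wireless and guest switch ports, the WAN on ether1, a trusted management port ether2, a constructed BYOD subnet 192.168.100.0/24, and one hypothetical internal HTTPS service at 192.168.0.10 that BYOD clients are allowed to reach.

```routeros
# Added example (not from the thread or from MikroTik). Assumes RouterOS v6.41+.
# Assumed names: byod-bridge (BYOD side), ether1 (WAN), ether2 (trusted mgmt),
# wlan1 (wireless on the router), 192.168.100.0/24 (constructed BYOD subnet),
# 192.168.0.10:443 (hypothetical internal service BYOD may use).

# --- Layer 2: BYOD clients cannot talk to each other ---
# Wireless: do not forward frames between associated clients. If the wireless
# is on separate access points, set client isolation on the APs instead.
/interface wireless set wlan1 default-forwarding=no
# Bridge split horizon: ports that share a horizon value never forward frames
# to each other, so every BYOD-facing port gets the same value.
/interface bridge port set [find bridge=byod-bridge] horizon=1

# --- Management plane: only trusted interfaces see discovery / MAC services ---
/interface list add name=TRUSTED comment="interfaces allowed to discover/manage the router"
/interface list member add list=TRUSTED interface=ether2
/ip neighbor discovery-settings set discover-interface-list=TRUSTED
/tool mac-server set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox set allowed-interface-list=TRUSTED

# --- Input chain: what BYOD clients may send to the router itself ---
/ip firewall filter
add chain=input in-interface=byod-bridge protocol=udp dst-port=67 action=accept \
    comment="BYOD: DHCP requests"
add chain=input in-interface=byod-bridge protocol=udp dst-port=53 action=accept \
    comment="BYOD: DNS (only if the router proxies DNS for clients)"
add chain=input in-interface=byod-bridge protocol=tcp dst-port=53 action=accept \
    comment="BYOD: DNS over TCP for large answers"
add chain=input in-interface=byod-bridge protocol=icmp icmp-options=8:0 action=accept \
    comment="BYOD: ICMP echo request so users can still ping the gateway"
add chain=input in-interface=byod-bridge action=drop log=yes log-prefix="byod-input-drop" \
    comment="BYOD: everything else aimed at the router is dropped and logged"

# --- Forward chain: BYOD reaches the Internet and named services only ---
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections that were already allowed"
add chain=forward in-interface=byod-bridge out-interface=ether1 action=accept \
    comment="BYOD -> Internet"
add chain=forward in-interface=byod-bridge dst-address=192.168.0.10 protocol=tcp \
    dst-port=443 connection-state=new action=accept \
    comment="BYOD -> hypothetical internal HTTPS service (keep it patched)"
add chain=forward in-interface=byod-bridge action=drop log=yes log-prefix="byod-fwd-drop" \
    comment="BYOD -> the rest of the LAN is dropped and logged"
```

RouterOS evaluates filter rules top to bottom and `add` appends at the end of the chain, so on a router that already has a broad accept rule the new rules must be moved above it (`place-before=` on `add`, or drag them in WinBox) or they will never match. The two logged drops keep the syslog on the CentOS box useful: a client that keeps appearing under byod-fwd-drop while trying to reach the office subnet is exactly the behaviour the original post is worried about, and it is now contained as well as visible.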
In your case it mostly looks like software looking for certain vulnerabilities or services, but there are also some "legitimate" accesses to strange port numbers that I have identified on our network as well. We run a WiFi guest network where lots of phones and pads are active, and I notice at least the following:
TCP port 7 is apparently used by Android to do connectivity checks
TCP port 8013 is apparently used by some Fortigate software that people may have “at home” or “at their own company”
TCP port 15740 is used by Android for picture transfer
UDP ports 192 and 39999 are used as well
I saw these a lot in our logs when we still had a log option on the default drop on input to the router and made explicit drops with no log for them.
When you see those scans targeting SMB and other common ports, it usually is malware.
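The practice this reply describes (silent explicit drops for the known phone probes, so the logged default drop only shows what matters) combined with a way to answer the original poster's question of how to tell a scanner from background noise, as a RouterOS script. This is an added example, not configuration from the thread, from either poster, or from MikroTik. It assumes RouterOS v6 or v7 (the psd matcher and address lists have existed in both for years), an assumed BYOD interface name byod-bridge, and it reuses the office subnet 192.168.0.0/24 that appears in the original post; the port-scan detector uses the psd defaults rather than values tuned for this network.

```routeros
# Added example (not from the thread or from MikroTik). Assumed interface name:
# byod-bridge. Rule order matters: RouterOS evaluates filter rules top to bottom.
/ip firewall filter

# 1. Sources already identified as scanners are dropped first. The address list is
#    filled by rule 3 below, so the first scan is still logged there.
add chain=input src-address-list=port_scanners action=drop \
    comment="drop hosts already tagged as port scanners"

# 2. Known-benign probes from phones and apps (the ports listed in the reply above):
#    drop them silently so they do not pollute the logged default drop.
add chain=input in-interface=byod-bridge protocol=tcp dst-port=7,8013,15740 action=drop \
    comment="phone/app connectivity probes: drop without log"
add chain=input in-interface=byod-bridge protocol=udp dst-port=192,39999 action=drop \
    comment="phone/app probes: drop without log"

# 3. Port-scan detection. psd=21,3s,3,1 means: within a 3 second window, ports below
#    1024 count 3 and ports above count 1; once the sum reaches 21 the source is a
#    scanner. It is tagged for one day and the event is logged once per tag.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=1d log=yes log-prefix="portscan-tag" \
    comment="tag TCP port scanners (log the tagging event)"

# 4. New connections to SMB ports on the router from the office LAN are the pattern the
#    reply calls "usually malware": give them their own log prefix so they stand out
#    in the syslog on the CentOS box and are easy to grep per source address.
add chain=input protocol=tcp dst-port=139,445 connection-state=new \
    src-address=192.168.0.0/24 action=drop log=yes log-prefix="smb-probe" \
    comment="office LAN host probing SMB on the router: drop and log"

# 5. Logged default drop stays last; after rules 2 and 3 it only shows real surprises.
add chain=input action=drop log=yes log-prefix="input-drop" \
    comment="default drop on input, logged"
```

With this layout, `/ip firewall address-list print where list=port_scanners` lists every host that behaved like the 192.168.0.47 machine in the original post, and the three log prefixes (portscan-tag, smb-probe, input-drop) separate "a host swept many ports", "a host tried SMB on the router" and "something else unexpected" in the remote syslog without having to read every dropped packet. The psd thresholds are the RouterOS defaults; a host that legitimately opens many connections to the router in a burst (a monitoring system, for example) should be excluded with an accept rule placed above rule 3 rather than by loosening the weights.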