System self-hacking..?

I run a small WISP with three MTs, and when browsing through the log of one of them I saw the strangest entries:

Sep 22 17:57:04 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 22 17:57:04 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox

Sep 23 17:57:05 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 23 17:57:05 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox

Sep 24 17:57:06 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 24 17:57:06 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox

I have left out many ordinary log entries, but as you can see: every day at approx. 1800 hours ‘something’ tries to log on to the one MT from another (..5.1) and from a user (..5.99). I am positive that this is not caused by any humans.

This did not happen before I upgraded the BIOS on 21 Sept. I am running ver ROS 3.28 on all three MTs and upgraded BIOS to get up to date.

Has anyone seen anything like this?
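An added example, not part of the original thread: one way to check log lines like those in the post above for failures that recur at the same time of day on several days (a timer or script rather than a person) and for sources that fail in the same second. The function names, the thresholds and the year 2009 are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2009  # assumption: the log lines carry no year; SAMPLE is copied from the post
SAMPLE = """\
Sep 22 17:57:04 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 22 17:57:04 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox
Sep 23 17:57:05 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 23 17:57:05 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox
Sep 24 17:57:06 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.99 via winbox
Sep 24 17:57:06 192.168.5.2 system,error,critical MT_1: login failure for user admin from 192.168.5.1 via winbox
"""
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+\S+:\s+"
    r"login failure for user \S+ from (?P<src>\S+) via \S+$"
)

def parse_failures(text, year=ASSUMED_YEAR):
    """Yield (datetime, source) for every login-failure line; skip other lines."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["src"]

def scheduled_sources(text, min_days=3, max_drift_s=120):
    """Return {source: (days_seen, drift_s)} for sources that fail at the same
    time of day on min_days or more days: a timer or script, not a person.
    Clusters that straddle midnight are not handled."""
    by_src = defaultdict(dict)
    for when, src in parse_failures(text):
        secs = when.hour * 3600 + when.minute * 60 + when.second
        by_src[src].setdefault(when.date(), []).append(secs)
    result = {}
    for src, days in by_src.items():
        tod = [s for per_day in days.values() for s in per_day]
        drift = max(tod) - min(tod)  # spread of time-of-day across all days
        if len(days) >= min_days and drift <= max_drift_s:
            result[src] = (len(days), drift)
    return result

def same_second_groups(text):
    """Return {timestamp: sorted sources} where several sources failed together."""
    hits = defaultdict(set)
    for when, src in parse_failures(text):
        hits[when].add(src)
    return {t: sorted(s) for t, s in hits.items() if len(s) > 1}
```

Calling `scheduled_sources(SAMPLE)` flags both source addresses, and `same_second_groups(SAMPLE)` shows that they fail in the same second each day.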

try http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention_(FTP_%26_SSH)

just change the ports for winbox login 8219 by default?

Thank you, but I have changed the port a long time ago. And I really don’t think a hacker can try to hack at exactly the same time every day!

It’s a local network, isn’t this your network? Go find out what’s on the IP :)

The one IP (..5.1) is a MikroTik RB600 with 4 radios, and the other (..5.99) is my own station consisting of a Ubiquiti NS5 with a very simple network behind it. You are quite right in pointing out that this is my own network and I have a fairly good idea of what’s going on.

This is strange. Two different network components cooperating this way.

discovery protocol?

Is the network flat, or are there users behind those two devices being NAT’ed to those IP addresses?

The ..5.1 is the internet router. Behind ..5.99 (the UBNT NS5) is only my own PC. This happened again last night, exactly at the same time. Tonight I am going to close down the ..5.99 (my own network) and watch what happens.

is dude running?