Hello Community,
We have been working with MikroTik for a long time and we have had very satisfactory results. Recently, an ISP denounced one of our clients, assuming that the router in their network was altered and was performing some kind of backdoor attack on the 5G nodes of the provider. We requested an on-site inspection, and they reviewed the configuration of our MikroTik equipment (which is modified with filters, 18-character passwords, fixed MAC addresses for remote access, changed usernames and periodic password changes).
Hours later, the inspection indicated that the MikroTik was altered because the Active User Session table showed 4 sessions, among them Winbox and Telnet, all with the authenticated IP address (photos attached).
We have been looking for documentation because Winbox clearly opens these Telnet channels to take data from the router. Is this behavior of the MikroTik normal?
Thank you, and sorry about my English,
