I have a large guest network (Wi-Fi), that consists of Unifi APs and a Mikrotik Router as the gateway.

Recently I was alerted to winbox login attempts to the router from 3-4 Laptops on the network. Now I have the router setup to only accept logins from my IP on a management port, and have the firewall set to reject any attempts from the guest network, so I am not to worried about them getting in.

I got my hands on one of the laptops that has the virus(?), and after running several AV scans on it, I was unable to locating the program causing it.

I was able to see the logs roll in on the router while I had the laptop, and at that time I could hear the HDD in the laptop running, but by the time I got to resource monitor it had stopped.

Anyone know what is causing this? I tried searching, but maybe I was using the wrong terms. Let me know if you need more details.

Also if this is in the wrong section of the forum please let me know.

Start with this
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
If you want to block access to router from guest network, block in firewall input chain all from this interface or IP range, allowing only needed services, i.e. DHCP, DNS, etc.

Start with this
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
If you want to block access to router from guest network, block in firewall input chain all from this interface or IP range, allowing only needed services, i.e. DHCP, DNS, etc.

I don't think this is answer to OPs question (he wrote: "I am not to worried about them getting in."). He's interested in knowing what kind of malware can be running on laptops which tries to get into ROS.

Are you sure it was winbox login attempts and not some other service like webfig or SMB?
It is quite common for guest devices to do all kinds of attempts to connect services that they have available at home, and where the owner has installed software or has made configuration for it.
The best way is to just allow only what you need to allow (likely only TCP and UDP port 53) and just reject or drop everything else without log.

Sorry for the slow reply. It appears to be winbox/dude traffic, as they are using port 8291.

After my last post, I did set up a HoneyPot (T-Pot) on the network and opened it up to the network. The same laptops that attempt port 8291 on the router, attempts to access the honey pot via ssh and a couple other protocols.

I know that no one at the laptop is doing it, as I have one of them here with me.

Time to format it, clearly infected with malware.

What AV you used to scan?

Avast Premium was installed on it when it got infected, Scanning with that didn't yield any results. I uninstalled it and tried AVG and it found nothing. I also ran scans with Malwarebytes, CCleaner, and a Bot scanner from Avast.

Hi

As I know avast does a test for know if network is secure , And it tries to connect to the gateway , and does this attemps to.router (ssh,ftp...)try to uninstall avast and try onli.malwarebytes or eset for serveral days and see if the problem.persist

M.BP