TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Weird admin account login

Thu Jul 08, 2021 9:05 pm

I have a home network with a router, 7 access points and a couple switches. I am running v6.49beta54. Beta54 automatically installed at 1:00 AM on June 6. I noticed in my log that my admin account logged in via winbox at 1:18:42 AM that day from address 192.168.1.1, which is the local, NAT-ed address of my main bridge (I also have a guest bridge). I had previously created a unique admin ID and deleted the standard "admin". The login was by the unique and only admin account. The Users list still shows that login as active, along with normal logins by me later that morning. I recently started logging logins, so I have no history to say the login is unique, but it seems odd. Does anybody have an explanation? Is it anything to worry about?
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Weird admin account login

Fri Jul 09, 2021 10:57 am

Log in to the NATting bridge router and check the connections (ROS= Firewall connections) until you find the source of this still running session. You are most probably seeing your own shadow.
 
TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: Weird admin account login

Fri Jul 09, 2021 5:18 pm

The DHCP server allocates starting at 192.168.1.10 and there are no leases below that. I did discover connections from the router to all APs and to itself using port 8291 (the Winbox port). I logged into an AP and it has an active user logged in via Winbox on 7/6/2021 but at a different time. The router and all APs use the same administrator login credentials.

While looking into this, I observed probes from the router to service ports, like 80 and 21. These were to addresses not allocated by the DHCP server. I am thinking Dude might be the culprit, as it probes address ranges. Maybe the only weird thing is that Dude is actually logging in, rather than checking to see if there is anything responding at that port. That is just a guess.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Weird admin account login

Fri Jul 09, 2021 6:03 pm

Yes, DUDE is definitely logging in when you indicate a device as RouterOS, even without checking services or using SNMP on that device. DUDE is collecting a lot of information via 8291.
See in RouterOS via WinBox, menu tab DUDE, "RouterOS info": you see all Resources, Routerboard, Addresses, ARP, routes, interfaces, and the interesting overview of all "Wireless Registrations" on ALL APs combined.
 
TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: Weird admin account login

Fri Jul 09, 2021 6:21 pm

Wow, there is a ton of information there. I wish I would have known about that a long time ago; I could have used a lot of it. Interestingly, I have no Wireless Registration information. Could that be because I use CAPsMAN to manage the APs? CAPsMAN does have registration information.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Weird admin account login

Fri Jul 09, 2021 6:43 pm

Yes, maybe CAPsMAN is storing it differently. I don't use CAPsMAN, so for me this is very important as a monitoring and tuning tool.
 
TomSF
Member Candidate
Topic Author
Posts: 102
Joined: Tue Jun 27, 2017 2:12 am

Re: Weird admin account login

Fri Jul 09, 2021 6:48 pm

CAPsMAN has almost the same information.
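
Added example, not part of any post in this thread: a small triage script for the kind of login log discussed above. It labels each Winbox login by source (the router's own address, a DHCP client, or a host outside the DHCP pool) and lists sessions that never logged out. The log message shape, the user name `netadmin`, the pool end `192.168.1.254` and the sample lines are assumptions constructed for illustration; check them against your own log export.

```python
import ipaddress
import re

# Assumed RouterOS account-log message shape; verify against your own log export.
LOGIN_RE = re.compile(
    r"user (?P<user>\S+) logged (?P<dir>in|out) from (?P<src>\S+) via (?P<svc>\S+)"
)

def classify_logins(lines, router_addrs, dhcp_pool):
    """Return (findings, still_open) for winbox logins found in `lines`.

    router_addrs: addresses owned by the router itself.
    dhcp_pool: (first, last) addresses handed out by the DHCP server.
    """
    own = {ipaddress.ip_address(a) for a in router_addrs}
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    findings, open_sessions = [], {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m["svc"] != "winbox":
            continue
        key = (m["user"], m["src"])
        if m["dir"] == "out":
            open_sessions[key] = max(open_sessions.get(key, 0) - 1, 0)
            continue
        open_sessions[key] = open_sessions.get(key, 0) + 1
        src = ipaddress.ip_address(m["src"])
        if src in own:
            label = "router-local"       # a service on the router, e.g. The Dude
        elif lo <= src <= hi:
            label = "dhcp-client"
        else:
            label = "outside-dhcp-pool"  # static or unknown host: find its owner
        findings.append((m["user"], m["src"], label))
    still_open = sorted(k for k, n in open_sessions.items() if n > 0)
    return findings, still_open

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    "jun/06 01:18:42 system,info,account user netadmin logged in from 192.168.1.1 via winbox",
    "jun/06 08:02:10 system,info,account user netadmin logged in from 192.168.1.23 via winbox",
    "jun/06 08:40:55 system,info,account user netadmin logged out from 192.168.1.23 via winbox",
    "jun/06 09:15:00 system,info,account user netadmin logged in from 192.168.1.5 via winbox",
    "jun/06 09:15:30 system,info,account user netadmin logged in from 192.168.1.30 via ssh",
]

if __name__ == "__main__":
    found, still_open = classify_logins(SAMPLE, ["192.168.1.1"], ("192.168.1.10", "192.168.1.254"))
    for row in found:
        print(row)
    print("still open:", still_open)
```

A `router-local` login that lines up with Dude polling is the benign case described in the thread; an `outside-dhcp-pool` source is the one to trace through the firewall connection table.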
