antispam
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Apr 11, 2005 5:57 pm

FIREWALL Problem - Abuse from ISP - Hacking Virus Trojan

Fri Mar 08, 2013 11:51 pm

Hello,
I have a problem: I use a MT RB750GL 5.24, and today I got an email from my ISP which told me that someone in my LAN uses my I-Net connection for hacking attacks.

I cannot find anything on my devices, the androids and windows clients were scanned today, 100% no infection or something else.

Is there someone who can explain to me how to find out the infected client?

I found one connection in my connection-list which scares me a little...
[Attached screenshot: Unbenannt2.PNG]
and above see my firewall settings...
 2   ;;; Accept established connections
     chain=input action=accept connection-state=established 

 3   ;;; Accept related connections
     chain=input action=accept connection-state=related 

 4   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

 5   ;;; Allow limited pings
     chain=input action=accept protocol=icmp limit=50/5s,2 

 6   ;;; Drop excess pings
     chain=input action=drop protocol=icmp 

 7   ;;; From our LAN
     chain=input action=accept src-address=192.168.100.0/24 in-interface=ether2 

12   ;;; Log everything else
     chain=input action=log log-prefix="DROP INPUT" 

13   ;;; Drop everything else
     chain=input action=drop
Thanks for your help.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: FIREWALL Problem - Abuse from ISP - Hacking Virus Trojan

Sat Mar 09, 2013 1:23 am

If you suspect one of your localnet computers, you should be watching the forward chain also. If you know the ip of the victim, it should be easy to tell who it is.
 
antispam
Frequent Visitor
Topic Author
Posts: 63
Joined: Mon Apr 11, 2005 5:57 pm

Re: FIREWALL Problem - Abuse from ISP - Hacking Virus Trojan

Sat Mar 09, 2013 12:55 pm

Hi, thanks for your answer, it must be one client in the local network. Who else could it be, normally the fw should filter this?

Here we have 30 devices, Smartphones, Android, iPhone, Tablets, MediaCenter, Win7 and Ubuntu etc.

Is it possible to save the logs from the whole day automatically to a txt file?

thx
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: FIREWALL Problem - Abuse from ISP - Hacking Virus Trojan

Sat Mar 09, 2013 1:49 pm

That first entry indicates a connection from a Carrier NAT address to a Google server which might mean that somebody is relaying through you.

You could upload output from /export compact for a better interpretation. If you want a faster resolution drop me an email and I can have a live look at the router in question.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: FIREWALL Problem - Abuse from ISP - Hacking Virus Trojan

Sat Mar 09, 2013 3:25 pm

> Hi, thanks for your answer, it must be one client in the local network. Who else could it be, normally the fw should filter this?

It will if you add the rules to filter it. By default, there is no firewall filtering for forward chain. The input chain only blocks or allows connections to the router. You need to block the forward chain (in one interface and out another) to get the desired result. Something like this if 1.2.3.4 is the hacking victim IP:
/ip firewall filter
add chain=forward action=drop dst-address=1.2.3.4
You might want to add a log or address-list entry to that like your input rule.
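
Added example, not part of the original posts: once a forward-chain rule for the victim address also logs (assumed here to use the hypothetical log-prefix "ABUSE"), the log entries can be tallied per LAN source IP and MAC to single out the offending client among many devices. The log line layout is assumed to match RouterOS firewall log entries; the sample lines, addresses and the function name `tally_clients` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; the layout follows RouterOS firewall log entries (assumed).
# The "ABUSE" prefix, MACs and addresses are made up for illustration.
SAMPLE_LOG = """\
mar/09 15:40:01 firewall,info ABUSE forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.100.23:51234->1.2.3.4:22, len 60
mar/09 15:40:02 firewall,info ABUSE forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.100.23:51236->1.2.3.4:22, len 60
mar/09 15:40:02 firewall,info ABUSE forward: in:ether2 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.100.23:51240->1.2.3.4:80, len 60
mar/09 15:40:05 firewall,info ABUSE forward: in:ether2 out:ether1, src-mac 66:77:88:99:AA:BB, proto ICMP (type 8, code 0), 192.168.100.41->1.2.3.4, len 84
mar/09 15:40:06 firewall,info DROP INPUT input: in:ether1 out:(none), src-mac 02:00:00:00:00:01, proto TCP (SYN), 203.0.113.9:4444->198.51.100.2:23, len 40
"""

LINE_RE = re.compile(
    r"forward: in:(?P<inif>\S+) out:(?P<outif>[^,]+), "
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def tally_clients(log_text, victim_ip, prefix="ABUSE"):
    """Rank LAN clients by logged forward-chain packets sent to victim_ip."""
    hits = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        if f"{prefix} forward:" not in line:
            continue  # other rules and chains (e.g. the input-chain log rule)
        m = LINE_RE.search(line)
        if not m or m["dst"] != victim_ip:
            continue
        # Key on IP and MAC: a DHCP lease can move, the MAC pins the device.
        key = (m["src"], m["mac"].lower())
        hits[key] += 1
        if m["dport"]:  # ICMP entries carry no ports
            ports[key].add(int(m["dport"]))
    return [(ip, mac, n, sorted(ports[(ip, mac)]))
            for (ip, mac), n in hits.most_common()]

if __name__ == "__main__":
    for ip, mac, n, dports in tally_clients(SAMPLE_LOG, "1.2.3.4"):
        print(f"{ip} ({mac}): {n} packets, dst ports {dports}")
```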
