smhula
just joined
Topic Author
Posts: 23
Joined: Wed May 14, 2014 2:48 pm

hacking??

Tue Sep 16, 2014 1:06 pm

Good day all,
What do you think about this scenario on my network:

My LOG is reporting some login failures:
12:25:12 system,error,critical login failure for user root from 61.174.51.209 via ssh
12:25:13 system,error,critical login failure for user root from 61.174.51.209 via ssh


11:35:49 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh
11:35:56 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh
11:36:02 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh


The same IPs are showing different names for login attempts.

My connection tracking shows a lot of syn-sent; this is just an example:

1674 S tcp 222.186.21.43:65265 197.235.8.114:8080 syn-recv 2m36s
1675 udp 128.195.65.13:10503 197.235.8.114:53 2m28s
1676 SA udp 24.192.180.233:3414 197.235.8.114:53 22s
1677 tcp 111.74.238.172:11850 197.235.8.114:8080 syn-sent 2m33s
1678 udp 128.195.65.13:56387 197.235.8.114:53 2m28s
1679 SA tcp 111.73.45.56:55207 197.235.8.114:8080 established 23h57m26s
1680 SA udp 128.195.65.13:37582 197.235.8.114:53 25s
1681 tcp 61.160.212.165:36455 197.235.8.114:8080 syn-sent 2m30s
1682 tcp 58.218.199.67:50017 197.235.8.114:8080 syn-sent 2m29s
1683 S tcp 60.169.77.202:51534 197.235.8.114:8080 syn-recv 2m28s
1684 udp 128.195.65.13:14278 197.235.8.114:53 2m22s
1685 SA udp 84.118.240.21:44624 197.235.8.114:53 29s
1686 SA udp 186.223.47.27:55770 197.235.8.114:53 31s
1687 S tcp 115.239.231.76:14941 197.235.8.114:8080 syn-recv 2m24s
1688 tcp 222.186.21.43:6307 197.235.8.114:8080 syn-sent 2m22s
1689 tcp 197.235.8.114:43998 221.228.209.164:801 syn-sent 2m22s
1690 udp 128.195.65.13:24974 197.235.8.114:53 2m17s
1691 tcp 61.160.207.163:9003 197.235.8.114:8080 syn-sent 2m20s
1692 tcp 183.136.214.125:20905 197.235.8.114:8080 syn-sent 2m19s
1693 udp 128.195.65.13:46960 197.235.8.114:53 2m14s
1694 SA udp 84.118.240.21:2375 197.235.8.114:53 37s
1695 SA tcp 58.218.204.37:54974 197.235.8.114:8080 established 23h57m38s
1696 SA tcp 111.73.46.94:18844 197.235.8.114:8080 established 23h57m38s
1697 SA udp 77.181.125.194:19154 197.235.8.114:53 39s
1698 SA udp 128.195.65.13:30442 197.235.8.114:53 40s
1699 udp 24.192.180.233:26163 197.235.8.114:53 2m10s
1700 SA tcp 197.235.8.114:53515 2.20.49.194:443 established 23h57m26s
1701 S tcp 23.245.116.37:24003 197.235.8.114:8080 syn-recv 2m30s
1702 udp 128.195.65.13:50726 197.235.8.114:53 2m25s
1703 tcp 79.129.32.29:63507 197.235.8.114:8080 syn-sent 2m30s
1704 S tcp 108.46.235.84:55524 197.235.8.114:8080 syn-recv 2m29s


And I have a lot of data drops as invalid, as you can see on the screenshot.

Is this anything to worry about, or is it normal?
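As an added triage example (not from the thread and not MikroTik's own tooling): a Python script that parses the two RouterOS outputs quoted above, the login-failure log lines and the connection-tracking table, groups SSH failures by source and splits half-open TCP entries into those aimed at the router and those the router itself originated. The router address 197.235.8.114 is taken from the dump; the sample lines are constructed copies of the format shown in the post.

```python
import re
from collections import Counter, defaultdict
ROUTER_IP = "197.235.8.114"  # the router's WAN address as it appears in the thread's dump

# Constructed samples in the two RouterOS formats quoted in the thread.
LOG_LINES = [
    "12:25:12 system,error,critical login failure for user root from 61.174.51.209 via ssh",
    "12:25:13 system,error,critical login failure for user root from 61.174.51.209 via ssh",
    "11:35:49 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh",
    "11:35:56 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh",
    "11:36:02 system,error,critical login failure for user zabbix from 101.227.246.74 via ssh",
]
CONNTRACK_LINES = [
    "1674 S tcp 222.186.21.43:65265 197.235.8.114:8080 syn-recv 2m36s",
    "1675 udp 128.195.65.13:10503 197.235.8.114:53 2m28s",
    "1677 tcp 111.74.238.172:11850 197.235.8.114:8080 syn-sent 2m33s",
    "1689 tcp 197.235.8.114:43998 221.228.209.164:801 syn-sent 2m22s",
    "1700 SA tcp 197.235.8.114:53515 2.20.49.194:443 established 23h57m26s",
]

LOGIN_RE = re.compile(r"login failure for user (\S+) from ([\d.]+) via (\w+)")
# Conntrack row: id, optional flag column (S/SA), proto, src:port, dst:port, optional TCP state, timeout.
CT_RE = re.compile(r"^\d+\s+(?:[A-Z]+\s+)?(tcp|udp|icmp)\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(?:([a-z-]+)\s+)?\S+$")

def login_failures_by_source(lines):
    """Per source IP: failure count and the set of usernames tried (a guessing bot cycles both)."""
    out = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            out[m[2]]["count"] += 1
            out[m[2]]["users"].add(m[1])
    return dict(out)

def block_candidates(lines, threshold=3):
    """Sources at or above the failure threshold: what a staged address-list rule would end up blacklisting."""
    return sorted(src for src, e in login_failures_by_source(lines).items() if e["count"] >= threshold)

def half_open_tcp(lines, router_ip=ROUTER_IP):
    """Half-open TCP entries aimed at the router (per dst port) and those the router itself originated."""
    inbound, outbound = Counter(), []
    for m in (CT_RE.match(l.strip()) for l in lines):
        if not m or m[1] != "tcp" or m[6] not in ("syn-sent", "syn-recv"):
            continue
        if m[4] == router_ip:
            inbound[int(m[5])] += 1
        elif m[2] == router_ip:  # a router initiates few connections itself, so review each of these
            outbound.append(f"{m[4]}:{m[5]}")
    return dict(inbound), outbound
```

Run against the full log and `/ip firewall connection print` output; a source that appears in `block_candidates` is what the wiki's address-list rules would have dropped, and anything in the outbound list is worth explaining before the box goes back online.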
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: hacking??

Tue Sep 16, 2014 1:14 pm

If you have a non-default username and an uncommon password, chances are that this (probably) bot will give up after trying those out.

To be absolutely safe, you could employ bruteforce login prevention settings.
 
agehall
Frequent Visitor
Posts: 67
Joined: Fri Aug 15, 2014 8:47 pm

Re: hacking??

Tue Sep 16, 2014 5:23 pm

Just follow the instructions in http://wiki.mikrotik.com/wiki/Bruteforc ... P_%26_SSH) and forget about it. :)
 
smhula
just joined
Topic Author
Posts: 23
Joined: Wed May 14, 2014 2:48 pm

Re: hacking??

Wed Sep 17, 2014 8:23 pm

Thank you both for your attention,
I will implement this on the router and will post back the result.

Thank you for your support
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: hacking??

Fri Sep 19, 2014 10:13 am

Or simply this config: http://wiki.mikrotik.com/wiki/Drop_port_scanners
Generally, if you don't need much of your router to be personally accessible from outside (from WAN interfaces facing the Internet), you can simply drop non-essential ports in the "input" chain entirely, dropping/rejecting unsolicited/unwanted/redundant traffic to your router altogether.
If you still need management access from outside, whitelist the relevant networks/ISPs/hosters you operate from or through. Same for other services.
P.S.
There are a bunch of "dirty hosters" on all continents (but the majority are located in NA, Central and Eastern Europe, Turkey, and a few other countries) that are used, alongside botnets (in 1:5 proportions, sometimes even less), for such purposes (BF and so on). Funnily enough, some/most of them tend to ignore abuse reports or even send offensive/irrelevant replies, resulting in their being blocked by some ISPs entirely :)
Generally I don't use such, but folks tend to perma-drop a /24 if more than 5 hosts from such a range were detected in BF during a week or so.
 
smhula
just joined
Topic Author
Posts: 23
Joined: Wed May 14, 2014 2:48 pm

Re: hacking??

Fri Sep 19, 2014 11:05 pm

Thank you for help,
I have replaced the router with the old one (not MKT) and the links seem stable, which makes me believe that I was hacked.
Any specific measure you advise me to take besides the ones already presented?
I took the x86 box to our office to reconfigure it.

Looking forward to hearing from you.

Regards
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: hacking??

Sat Sep 20, 2014 3:06 am

Turn on SynCookies to be more SYN-flood proof, btw.
It strips extra options, yes, but it lets not-powerful-enough routers withstand a SYN flood.
