Mikrotik cpe is hacked?

Posted: Wed Jan 11, 2012 5:21 pm
by gcs
I have a customer whose CPE is sending out hundreds of port 1080 (SOCKS) connections to different IP addresses. I had them unplug or shut down their computers and it still shows up. It bogs down the link so much it is hard to connect to it. I finally was able to log in and disable the ethernet interface, and the traffic still came.

ANY idea what is going on and how to fix it?

Re: Mikrotik cpe is hacked?

Posted: Thu Jan 12, 2012 4:14 am
by che
You can start by doing a port scan targeting the customer's IP address to see if there are any non-standard services up on the CPE (unprotected proxy or similar). After that you can check what is going on by starting the torch utility on the client's CPE (Tools > Torch), select the WAN interface and check all boxes. That will give you a good idea of what is going on on the customer's MikroTik, since it will list all the connections in real time.

And what to do to prevent flooding: start by blocking the connections that cause such traffic so you have an easier time accessing the CPE. You mentioned port 1080, so you should combine the customer's IP address as source or destination IP and port 1080 as src or dst port (depending on the direction of the traffic) to create a rule in the forward chain and block what you need at your equipment.

Re: Mikrotik cpe is hacked?

Posted: Sat Jan 14, 2012 1:05 am
by gcs
I changed the IP address of the wlan interface and all is working fine now.

Re: Mikrotik cpe is hacked?

Posted: Tue Jan 31, 2012 12:15 am
by sten
SOCKS proxy may be enabled on the CPE.
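The checks che describes (look for services exposed on the CPE, torch the WAN interface, then drop the port 1080 traffic in the forward chain upstream) and sten's suggestion to look at the SOCKS service, as an added RouterOS CLI example that is not from any poster in this thread. It assumes the WAN interface is named ether1 and the customer CPE address is 10.0.0.2; both are constructed placeholders.

```routeros
# Added example, not from the thread. Placeholders: WAN interface "ether1",
# customer CPE address 10.0.0.2.

# 1. Is the built-in SOCKS proxy enabled on the CPE? (sten's suggestion)
/ip socks print
# If it reports enabled=yes and nobody turned it on deliberately, disable it
# and review who was allowed to use it.
/ip socks access print
/ip socks set enabled=no

# 2. Other services that may be reachable from the WAN side
/ip service print
/ip proxy print

# 3. Live view of port 1080 traffic crossing the WAN interface (che's torch step)
/tool torch interface=ether1 port=1080 src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 4. Containment on the upstream router: drop forwarded SOCKS traffic in both
#    directions for this customer until the CPE is cleaned up
/ip firewall filter add chain=forward protocol=tcp src-address=10.0.0.2 \
    dst-port=1080 action=drop comment="contain suspected SOCKS abuse (outbound)"
/ip firewall filter add chain=forward protocol=tcp dst-address=10.0.0.2 \
    dst-port=1080 action=drop comment="contain suspected SOCKS abuse (inbound)"

# 5. Confirm the rules are matching
/ip firewall filter print stats where comment~"SOCKS"
```

Step 4 belongs on the upstream equipment, as che says; on the CPE itself the equivalent protection is an input-chain rule plus disabling the service in step 1.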