sidex84
just joined
Topic Author
Posts: 5
Joined: Tue Aug 30, 2016 9:06 am

Attempt to hack my CCR1036-8G-2S+

Tue Aug 30, 2016 9:31 am

Hello colleagues. Today I found suspicious activity in the logs of my CCR1036-8G-2S+.

logs:
Aug/29/2016 22:24:23 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,ppp,debug <20>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <20>: LCP down event in initial state
Aug/29/2016 22:24:34 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:34 pptp,ppp,debug <21>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <21>: LCP down event in initial state
Aug/29/2016 22:24:34 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:34 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:34 pptp,ppp,debug <22>: LCP lowerdown
Aug/29/2016 22:24:34 pptp,ppp,debug <22>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:35 pptp,ppp,debug <23>: LCP lowerdown
Aug/29/2016 22:24:35 pptp,ppp,debug <23>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:35 pptp,ppp,debug <24>: LCP lowerdown
Aug/29/2016 22:24:35 pptp,ppp,debug <24>: LCP down event in initial state
Aug/29/2016 22:24:35 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:35 pptp,debug received non control message, ignoring
Aug/29/2016 22:24:40 pptp,ppp,debug <25>: LCP lowerdown
Aug/29/2016 22:24:40 pptp,ppp,debug <25>: LCP down event in initial state
Aug/29/2016 22:24:40 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:40 pptp,debug received non control message, ignoring
Aug/29/2016 22:24:45 pptp,ppp,debug <26>: LCP lowerdown
Aug/29/2016 22:24:45 pptp,ppp,debug <26>: LCP down event in initial state
Aug/29/2016 22:24:46 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,ppp,debug <27>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <27>: LCP down event in initial state
Aug/29/2016 22:24:53 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:53 pptp,ppp,debug <28>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <28>: LCP down event in initial state
Aug/29/2016 22:24:53 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:53 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:24:53 pptp,ppp,debug <29>: LCP lowerdown
Aug/29/2016 22:24:53 pptp,ppp,debug <29>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <30>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <30>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <31>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <31>: LCP down event in initial state
Aug/29/2016 22:24:54 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:24:54 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:24:54 pptp,ppp,debug <32>: LCP lowerdown
Aug/29/2016 22:24:54 pptp,ppp,debug <32>: LCP down event in initial state
Aug/29/2016 22:24:55 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,ppp,debug <33>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <33>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <34>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <34>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <35>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <35>: LCP down event in initial state
Aug/29/2016 22:25:00 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:00 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:00 pptp,ppp,debug <36>: LCP lowerdown
Aug/29/2016 22:25:00 pptp,ppp,debug <36>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <37>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <37>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <38>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <38>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:01 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:01 pptp,ppp,debug <39>: LCP lowerdown
Aug/29/2016 22:25:01 pptp,ppp,debug <39>: LCP down event in initial state
Aug/29/2016 22:25:01 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:06 pptp,ppp,debug <40>: LCP lowerdown
Aug/29/2016 22:25:06 pptp,ppp,debug <40>: LCP down event in initial state
Aug/29/2016 22:25:07 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:07 pptp,debug received non control message, ignoring
Aug/29/2016 22:25:12 pptp,ppp,debug <41>: LCP lowerdown
Aug/29/2016 22:25:12 pptp,ppp,debug <41>: LCP down event in initial state
Aug/29/2016 22:25:12 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:12 pptp,debug recveived too small control message, disconnecting
Aug/29/2016 22:25:12 pptp,ppp,debug <42>: LCP lowerdown
Aug/29/2016 22:25:12 pptp,ppp,debug <42>: LCP down event in initial state
Aug/29/2016 22:25:12 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:17 pptp,ppp,debug <43>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <43>: LCP down event in initial state
Aug/29/2016 22:25:17 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug received too big control message, disconnecting
Aug/29/2016 22:25:17 pptp,ppp,debug <44>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <44>: LCP down event in initial state
Aug/29/2016 22:25:17 pptp,info TCP connection established from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet rcvd Start-Control-Connection-Request from 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet     protocol-version=0x0100
Aug/29/2016 22:25:17 pptp,debug,packet     framing-capabilities=1
Aug/29/2016 22:25:17 pptp,debug,packet     bearer-capabilities=1
Aug/29/2016 22:25:17 pptp,debug,packet     maximum-channels=65535
Aug/29/2016 22:25:17 pptp,debug,packet     firmware-revision=1
Aug/29/2016 22:25:17 pptp,debug,packet     host-name=none
Aug/29/2016 22:25:17 pptp,debug,packet     vendor-name=nmap
Aug/29/2016 22:25:17 pptp,debug,packet sent Start-Control-Connection-Reply to 104.130.19.164
Aug/29/2016 22:25:17 pptp,debug,packet     protocol-version=0x0100
Aug/29/2016 22:25:17 pptp,debug,packet     result-code=1
Aug/29/2016 22:25:17 pptp,debug,packet     error-code=0
Aug/29/2016 22:25:17 pptp,debug,packet     framing-capabilities=2
Aug/29/2016 22:25:17 pptp,debug,packet     bearer-capabilities=0
Aug/29/2016 22:25:17 pptp,debug,packet     maximum-channels=0
Aug/29/2016 22:25:17 pptp,debug,packet     firmware-revision=1
Aug/29/2016 22:25:17 pptp,debug,packet     host-name=cfo-gw
Aug/29/2016 22:25:17 pptp,debug,packet     vendor-name=MikroTik
Aug/29/2016 22:25:17 pptp,ppp,debug <45>: LCP lowerdown
Aug/29/2016 22:25:17 pptp,ppp,debug <45>: LCP down event in initial state 
Aug/30/2016 00:48:51 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:49:21 pptp,ppp,debug <46>: LCP lowerdown
Aug/30/2016 00:49:21 pptp,ppp,debug <46>: LCP down event in initial state
Aug/30/2016 00:56:54 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:05 pptp,ppp,debug <47>: LCP lowerdown
Aug/30/2016 00:57:05 pptp,ppp,debug <47>: LCP down event in initial state
Aug/30/2016 00:57:05 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:05 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:05 pptp,ppp,debug <48>: LCP lowerdown
Aug/30/2016 00:57:05 pptp,ppp,debug <48>: LCP down event in initial state
Aug/30/2016 00:57:06 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:07 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:07 pptp,ppp,debug <49>: LCP lowerdown
Aug/30/2016 00:57:07 pptp,ppp,debug <49>: LCP down event in initial state
Aug/30/2016 00:57:09 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:09 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:09 pptp,ppp,debug <50>: LCP lowerdown
Aug/30/2016 00:57:09 pptp,ppp,debug <50>: LCP down event in initial state
Aug/30/2016 00:57:09 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:09 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:09 pptp,ppp,debug <51>: LCP lowerdown
Aug/30/2016 00:57:09 pptp,ppp,debug <51>: LCP down event in initial state
Aug/30/2016 00:57:10 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:10 pptp,debug received non control message, ignoring
Aug/30/2016 00:57:15 pptp,ppp,debug <52>: LCP lowerdown
Aug/30/2016 00:57:15 pptp,ppp,debug <52>: LCP down event in initial state
Aug/30/2016 00:57:16 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:16 pptp,debug received non control message, ignoring
Aug/30/2016 00:57:21 pptp,ppp,debug <53>: LCP lowerdown
Aug/30/2016 00:57:21 pptp,ppp,debug <53>: LCP down event in initial state
Aug/30/2016 00:57:21 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:29 pptp,ppp,debug <54>: LCP lowerdown
Aug/30/2016 00:57:29 pptp,ppp,debug <54>: LCP down event in initial state
Aug/30/2016 00:57:30 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:30 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:30 pptp,ppp,debug <55>: LCP lowerdown
Aug/30/2016 00:57:30 pptp,ppp,debug <55>: LCP down event in initial state
Aug/30/2016 00:57:30 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:30 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:57:30 pptp,ppp,debug <56>: LCP lowerdown
Aug/30/2016 00:57:30 pptp,ppp,debug <56>: LCP down event in initial state
Aug/30/2016 00:57:36 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:41 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <57>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <57>: LCP down event in initial state
Aug/30/2016 00:57:41 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:41 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <58>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <58>: LCP down event in initial state
Aug/30/2016 00:57:41 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:41 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:41 pptp,ppp,debug <59>: LCP lowerdown
Aug/30/2016 00:57:41 pptp,ppp,debug <59>: LCP down event in initial state
Aug/30/2016 00:57:42 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:47 pptp,ppp,debug <60>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <60>: LCP down event in initial state
Aug/30/2016 00:57:47 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 00:57:47 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:47 pptp,ppp,debug <61>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <61>: LCP down event in initial state
Aug/30/2016 00:57:47 pptp,info TCP connection established from 14.215.176.20
Aug/30/2016 00:57:47 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:47 pptp,ppp,debug <62>: LCP lowerdown
Aug/30/2016 00:57:47 pptp,ppp,debug <62>: LCP down event in initial state
Aug/30/2016 00:57:48 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:48 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:48 pptp,ppp,debug <63>: LCP lowerdown
Aug/30/2016 00:57:48 pptp,ppp,debug <63>: LCP down event in initial state
Aug/30/2016 00:57:52 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:57:53 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:53 pptp,ppp,debug <64>: LCP lowerdown
Aug/30/2016 00:57:53 pptp,ppp,debug <64>: LCP down event in initial state
Aug/30/2016 00:57:53 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:55 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:55 pptp,ppp,debug <65>: LCP lowerdown
Aug/30/2016 00:57:55 pptp,ppp,debug <65>: LCP down event in initial state
Aug/30/2016 00:57:55 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:57:55 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:57:55 pptp,ppp,debug <66>: LCP lowerdown
Aug/30/2016 00:57:55 pptp,ppp,debug <66>: LCP down event in initial state
Aug/30/2016 00:58:01 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:58:08 pptp,info TCP connection established from 14.215.176.21
Aug/30/2016 00:58:08 pptp,debug received non control message, ignoring
Aug/30/2016 00:58:13 pptp,ppp,debug <68>: LCP lowerdown
Aug/30/2016 00:58:13 pptp,ppp,debug <68>: LCP down event in initial state
Aug/30/2016 00:58:14 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:58:14 pptp,debug recveived too small control message, disconnecting
Aug/30/2016 00:58:14 pptp,ppp,debug <69>: LCP lowerdown
Aug/30/2016 00:58:14 pptp,ppp,debug <69>: LCP down event in initial state
Aug/30/2016 00:58:14 pptp,info TCP connection established from 14.215.176.149
Aug/30/2016 00:58:19 pptp,debug received too big control message, disconnecting
Aug/30/2016 00:58:19 pptp,ppp,debug <70>: LCP lowerdown
Aug/30/2016 00:58:19 pptp,ppp,debug <70>: LCP down event in initial state
Aug/30/2016 00:58:31 pptp,ppp,debug <67>: LCP lowerdown
Aug/30/2016 00:58:31 pptp,ppp,debug <67>: LCP down event in initial state
Aug/30/2016 01:11:38 pptp,info TCP connection established from 14.215.176.148
Aug/30/2016 01:11:39 pptp,debug received too big control message, disconnecting
Aug/30/2016 01:11:39 pptp,ppp,debug <71>: LCP lowerdown
Aug/30/2016 01:11:39 pptp,ppp,debug <71>: LCP down event in initial state 
My MikroTik is installed on the territory of the Russian Federation and the employees do not travel outside the country. The logs show that the connections come from:
104.130.19.164
14.215.176.20
14.215.176.21
14.215.176.149
14.215.176.148
These IPs are registered in China. Is this an attempt to hack my LAN? What actions should I take?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: Attempt to hack my CCR1036-8G-2S+

Tue Aug 30, 2016 10:26 am

You can drop all traffic from those IPs. Use an address list and the firewall raw table if you are running a recent version.
 
BlackVS
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm

Re: Attempt to hack my CCR1036-8G-2S+

Tue Aug 30, 2016 10:30 am

Capture and analyze a few packets (to check the protocol). I know of cases where some internal clients used BitTorrent with port 1723 open.
But it is better to block access to TCP port 1723 for everyone and enable it only for some.

PS: or use the port-knocking method, like http://mum.mikrotik.com/presentations/US10/discher.pdf
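A RouterOS configuration that puts jarda's and BlackVS's suggestions together: drop the probing sources in the raw table via an address list, expose TCP/1723 (and the GRE it needs) only to an allow list, and let a port-knock sequence add a source to that allow list. This is an added example, not from either post; it assumes RouterOS 6.36 or later for the raw table, and the list names, the 198.51.100.0/24 allowed network and the knock ports 1111/2222 are placeholders to adjust.

```routeros
# Added example, not from the thread. Source IPs are the ones seen in the
# thread's log; list names, 198.51.100.0/24 and the knock ports are assumptions.

# 1. Known probing sources: drop in the raw table, before connection tracking
#    (cheapest place to discard them; needs RouterOS 6.36+).
/ip firewall address-list
add list=pptp-scanners address=104.130.19.164 comment="nmap PPTP probe, Aug/29/2016"
add list=pptp-scanners address=14.215.176.20 comment="PPTP probe, Aug/30/2016"
add list=pptp-scanners address=14.215.176.21 comment="PPTP probe, Aug/30/2016"
add list=pptp-scanners address=14.215.176.148 comment="PPTP probe, Aug/30/2016"
add list=pptp-scanners address=14.215.176.149 comment="PPTP probe, Aug/30/2016"

/ip firewall raw
add chain=prerouting src-address-list=pptp-scanners action=drop \
    comment="drop known PPTP scanners before conntrack"

# 2. PPTP only from an allow list. PPTP uses TCP/1723 for control and GRE
#    (IP protocol 47) for the tunnel, so both must be accepted for clients.
/ip firewall address-list
add list=pptp-allowed address=198.51.100.0/24 comment="branch office (placeholder)"

/ip firewall filter
add chain=input protocol=tcp dst-port=1723 src-address-list=pptp-allowed \
    action=accept comment="PPTP control channel, allowed sources only"
add chain=input protocol=gre src-address-list=pptp-allowed action=accept \
    comment="GRE for PPTP tunnels, allowed sources only"
add chain=input protocol=tcp dst-port=1723 action=drop \
    comment="PPTP from everyone else: drop"

# 3. Port knocking: TCP/1111 then TCP/2222 from the same source within 15 s
#    adds that source to pptp-allowed for 30 minutes. add-src-to-address-list
#    is non-terminating, so the knock packets themselves still fall through
#    to whatever generic input rules follow.
/ip firewall filter
add chain=input protocol=tcp dst-port=1111 action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=15s comment="knock 1"
add chain=input protocol=tcp dst-port=2222 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=pptp-allowed \
    address-list-timeout=30m comment="knock 2: allowed for 30 min"
```

Filter rules are evaluated in order, so if the input chain already ends in a generic drop, move these rules above it (for example with `/ip firewall filter move`) or they will never match.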
 
sidex84
just joined
Topic Author
Posts: 5
Joined: Tue Aug 30, 2016 9:06 am

Re: Attempt to hack my CCR1036-8G-2S+

Tue Aug 30, 2016 10:50 am

Many thanks. I will try all of the options you proposed.