In the logs of my MikroTik devices (a router and 3 access points), I periodically (a few times a week) find the following:
login failure for user admin from 192.168.1.147 via ssh
login failure for user MikroTikSystem from 192.168.1.147 via ssh
login failure for user dircreate from 192.168.1.147 via ssh
login failure for user EServicios from 192.168.1.147 via ssh
I configured logging of ports 21, 22 and 23 on the MikroTik devices and can see the time and details of the connections from the hosts on the local network:
Oct/28/2021 22:39:01 firewall,info login telnet/ftp/ssh input: in:bridge out:(unknown 0), src-mac f8:0f:41:b5:0b:34, proto TCP (SYN), 192.168.1.147:61740->192.168.1.81:22, len 52
I scanned the last two hosts from which the brute-force attempts came with three different antivirus tools, and they did not find anything dangerous.
Perhaps the malicious code is spoofing the attacker's address?
Does anyone have any idea how to identify the malware?
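As an added example (not code from the original post or from MikroTik), here is a small Python script that correlates the two kinds of log lines shown above: it counts login failures per source IP, and pairs each source IP with the src-mac values the firewall rule logged for it. On a flat LAN the src-mac is the layer-2 address the SYN actually arrived with, so it is the field to use when asking the spoofing question: one IP seen with one constant MAC points at a real host, while one IP seen with several MACs (or one MAC seen with several IPs) is what IP spoofing would look like. The sample log is constructed for this example; the `system,error,critical` topic prefix on the login-failure lines and the second MAC address are assumptions.

```python
"""Correlate MikroTik login failures with the firewall log to attribute an
SSH brute force to a physical host (by MAC) rather than only an IP address.

Added example, not from the original post. The sample lines below are
constructed in the RouterOS log format; the 'system,error,critical' topic
prefix on login failures and the second MAC address are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (timestamps, addresses and the second MAC are invented).
SAMPLE_LOG = """\
Oct/28/2021 22:39:01 firewall,info login telnet/ftp/ssh input: in:bridge out:(unknown 0), src-mac f8:0f:41:b5:0b:34, proto TCP (SYN), 192.168.1.147:61740->192.168.1.81:22, len 52
Oct/28/2021 22:39:02 system,error,critical login failure for user admin from 192.168.1.147 via ssh
Oct/28/2021 22:39:03 system,error,critical login failure for user MikroTikSystem from 192.168.1.147 via ssh
Oct/28/2021 22:39:04 system,error,critical login failure for user dircreate from 192.168.1.147 via ssh
Oct/28/2021 22:39:05 system,error,critical login failure for user EServicios from 192.168.1.147 via ssh
Oct/28/2021 23:10:00 firewall,info login telnet/ftp/ssh input: in:bridge out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.1.147:51000->192.168.1.81:22, len 52
Oct/29/2021 08:00:00 system,error,critical login failure for user admin from 192.168.1.50 via ssh
"""

# Login failure as logged by RouterOS. The timestamp/topic prefix is optional so
# that lines pasted without it (as in the post) parse as well.
LOGIN_RE = re.compile(
    r"^(?:(?P<ts>\S+ \S+) (?P<topics>\S+) )?"
    r"login failure for user (?P<user>\S+) from (?P<src>[\d.]+) via (?P<service>\S+)$"
)

# Firewall 'log' action; the rule's log-prefix ('login telnet/ftp/ssh') comes
# right after the topic, the TCP flags in parentheses are optional.
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>.+?) input: in:(?P<iface>\S+) "
    r"out:\([^)]*\), src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"proto (?P<proto>\S+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


def parse_log(text):
    """Return one event dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOGIN_RE.match(line)
        if m:
            events.append({"kind": "login_failure", **m.groupdict()})
            continue
        m = FW_RE.match(line)
        if m:
            events.append({"kind": "firewall", **m.groupdict()})
    return events


def summarize(events, min_failures=3, min_users=2):
    """Per source IP: failure count, usernames tried, MACs seen, ports hit, and two flags.

    brute_force: enough failures or enough distinct usernames to be worth a look.
    mac_conflict: the same source IP arrived with more than one MAC address.
    """
    hosts = defaultdict(lambda: {"failures": 0, "users": set(), "services": set(),
                                 "macs": set(), "ports": set()})
    for ev in events:
        h = hosts[ev["src"]]
        if ev["kind"] == "login_failure":
            h["failures"] += 1
            h["users"].add(ev["user"])
            h["services"].add(ev["service"])
        else:
            h["macs"].add(ev["mac"])
            h["ports"].add(int(ev["dport"]))
    report = {}
    for src, h in hosts.items():
        report[src] = {
            "failures": h["failures"],
            "users": sorted(h["users"]),
            "services": sorted(h["services"]),
            "macs": sorted(h["macs"]),
            "ports": sorted(h["ports"]),
            "brute_force": h["failures"] >= min_failures or len(h["users"]) >= min_users,
            "mac_conflict": len(h["macs"]) > 1,
        }
    return report


def mac_to_ips(events):
    """The reverse view: which source IPs each MAC address has used."""
    seen = defaultdict(set)
    for ev in events:
        if ev["kind"] == "firewall":
            seen[ev["mac"]].add(ev["src"])
    return {mac: sorted(ips) for mac, ips in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, info in sorted(summarize(evs).items()):
        flags = ["BRUTE-FORCE"] if info["brute_force"] else []
        if info["mac_conflict"]:
            flags.append("IP SEEN WITH >1 MAC")
        print(f"{src}: {info['failures']} failures, users={info['users']}, "
              f"macs={info['macs']}, ports={info['ports']} {' '.join(flags)}")
    print("MAC -> IPs:", mac_to_ips(evs))
```

Feed it the router's log export (for example the output of `/log print` saved to a file) instead of `SAMPLE_LOG`. If a source IP is always paired with the same MAC and that MAC matches the NIC of the suspected host (compare with `/ip arp print` on the router and the adapter address on the host), the connections really originate from that machine and the search moves to the host side at the logged times; a changing MAC for one IP is the case where the address in the login-failure line should not be trusted.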