Login Attempt Failures from 172.18.150.93

Hi guys,

Around 8pm @Ogon informed me that there was suspicious activity originating from an RB located at my office, and obviously, being outside office hours, this seemed very abnormal.

Long story short, it seems like someone managed to brute-force my password from the internet, set up an L2TP tunnel which gave them local access, and then used that local access to attempt to gain access to other machines. It has all been locked down now thanks to some assistance from @spin.

If you do check your logs and see earlier attempts, just know it was not intentional from my side and I do apologize in advance for any stresses caused.

As a precaution, those with internet, or even those without, just check your Secrets (under PPP) in case he may have gotten into yours as well. The secret he used on mine was “ss”.

Cheers

7 Likes

Thanks @Toady

I spotted brute-forcing while checking the NMS syslogs. I did not notice the original issue as this was on a private RB, but once the hacker gained access to Toady’s RB he scanned wug routers.

The sure-fire way to see if your router is at risk for this sort of thing is if your logs look like this:

These are failures from internet IPs. It’s clear how they are trying various usernames and probably passwords too. So if one of your passwords has been used by someone else or your password was part of a password dump from some other website, you are at risk. Toady’s password was not great but not super simple either.

The other issue is leaving ports open to the internet. Usually we always NAT our internet (so our stuff behind the network is less at risk) but we often forget that our routers are on the internet. Mikrotiks come with a clean slate and therefore do not have the usual firewalls a consumer device might have.

I’d suggest that if you have internet on a Mikrotik or similar device that you drop all traffic on the input chain from the internet interface. Be careful when adding this rule as you can quite easily lock yourself out of your RB. Make sure you only block the internet interface (and not the LAN side you are connecting from).

Then only open ports that you require to be open (or NAT those that you need to the relevant PC inside your network).

This is also why your passwords should be secure both on and off the wug.

8 Likes
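The checks and hardening steps from the post above, written out as RouterOS terminal commands. This is an added example, not configuration from the original thread or from MikroTik. It assumes the internet-facing interface is called ether1 and uses 203.0.113.10 and 192.168.88.10 as placeholder addresses; change those to match your router, and press Ctrl-X (Safe Mode) in the terminal first so that an accidental lockout is rolled back when your session drops.

```routeros
# Assumption: ether1 carries the public IP. Run this from a LAN-side session,
# ideally in Safe Mode (Ctrl-X) so a lost session undoes the changes.

# 1. Does the PPP secret seen in the attack already exist on your router,
#    and is anything currently tunnelled in?
/ppp secret print where name="ss"
/ppp active print

# 2. Look for the failed logins described in the thread.
/log print where message~"login failure"

# 3. Input chain: keep your own session alive, then drop everything else
#    that arrives on the internet interface. LAN traffic is untouched
#    because the drop rule matches in-interface=ether1 only.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions (including the one you are configuring from)"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=icmp action=accept \
    comment="optional: still answer pings from the internet"
add chain=input in-interface=ether1 action=drop \
    comment="drop all other new connections from the internet"

# 4. Open only what you really need, placed ABOVE the drop rule.
#    Placeholder: Winbox from one trusted address only.
add chain=input in-interface=ether1 protocol=tcp dst-port=8291 \
    src-address=203.0.113.10 action=accept \
    place-before=[find comment="drop all other new connections from the internet"]

# 5. Services for inside hosts get NATed to that host instead of being
#    exposed on the router itself (placeholder inside host 192.168.88.10).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443

# 6. Switch off management services you do not use on this router.
/ip service disable telnet,ftp,www,api,api-ssl
```

After applying the rules, `/ip firewall filter print stats` shows packet counters on the drop rule, which is a quick way to confirm that internet-side attempts are now being discarded rather than reaching the login services.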

Was working on a router a colleague was building from scratch.
This already had a live public IP.
While I was live and logged in I saw the same ss login via pptp to start.
Then L2TP…
At least this was first contact according to the logs.
Nuked the router.
Turns out he set the admin password to 123 while building the config…

So yes, I’ve had this too.

2 Likes