A central syslog and firewalled 8291 ports with logging would be a better solution imho
:)
Grep seems less of a strain than tshark and would be quicker I imagine
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Rob Janssen
Sent: woensdag 28 maart 2018 18:44
To: 44net(a)mailman.ampr.org
Subject: [44net] MikroTik worm - please check your RouterOS version!
All these should be good now, I've checked the upgrade and it's on the
newest code. Please let me know if you see anything else.
I'll run another scan (actually: a trace) tonight.
It has to run for about 8-10 hours to catch everything, it appears.
I just trace for SYN to port 8291 and get the source addresses. Unfortunately it cannot
be done using a simple
tshark -i eth0 -f "tcp dst port 8291"
because tshark collects session state information and its memory use balloons under the
millions of session open attempts it sees.
So I use:
while true
do
    tshark -i eth0 -f "tcp dst port 8291" -c 20000 | fgrep '[SYN]' |
        sed -e 's/ ->.*//' -e 's/.* //' >>/tmp/syn8291
done
Of course it would also be possible to limit it to AMPRnet:
tshark -i eth0 -f "tcp dst port 8291 and src net 44.0.0.0/8"
Rob
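A post-processing helper for the capture loop described above, added here as an example; it is not part of Rob's message or of tshark. It assumes tshark's default one-line text output (frame number, time, source, arrow, destination, protocol, length, info) and accepts both the older "->" and the newer Unicode arrow between addresses, so the same filter keeps working across tshark versions. The sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original mail. Post-processes tshark's
# default one-line text output (No. Time Source Arrow Destination Proto
# Len Info) to list and count sources sending SYNs to tcp/8291.
# Assumes that column layout; accepts both "->" and the Unicode arrow.

# Constructed sample of tshark text output (not a real capture).
SAMPLE='  1 0.000000000 192.0.2.10 → 44.128.0.5 TCP 74 51234 → 8291 [SYN] Seq=0 Win=29200 Len=0 MSS=1460
  2 0.000120000 44.128.0.5 → 192.0.2.10 TCP 74 8291 → 51234 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
  3 0.000300000 198.51.100.7 -> 44.128.0.5 TCP 60 40001 -> 8291 [SYN] Seq=0 Win=1024 Len=0
  4 0.000450000 192.0.2.10 → 44.128.0.5 TCP 74 51235 → 8291 [SYN] Seq=0 Win=29200 Len=0 MSS=1460
  5 0.000600000 192.0.2.10 → 44.128.0.5 TCP 66 51234 → 8291 [ACK] Seq=1 Ack=1 Win=29312 Len=0
  6 0.000700000 203.0.113.9 → 44.128.0.5 TCP 74 52000 → 22 [SYN] Seq=0 Win=29200 Len=0'

# Keep only bare SYNs whose destination port is 8291 ("[SYN]" does not
# match "[SYN, ACK]", so the router's own replies are dropped), then
# print the source column. Reads tshark text output on stdin.
syn_sources() {
    grep -F '[SYN]' | grep -E ' (->|→) 8291 \[SYN\]' | awk '{ print $3 }'
}

# Count SYNs per source, most active first, as "<count> <source>".
syn_source_counts() {
    syn_sources | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print sources that sent at least $1 SYNs: the candidates worth
# reporting or firewalling, as opposed to one-off connection attempts.
flag_scanners() {
    threshold=$1
    syn_source_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | syn_source_counts
```

To use it on the file the loop above accumulates, feed the raw tshark lines instead of the sed-trimmed addresses (for example `tshark -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' | flag_scanners 50`); matching on the whole line rather than on the arrow text is what keeps the filter independent of the tshark version.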
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net