software,

Welcome to EH-Net.

As I run a system similar to the one you describe, I can offer very precise information for this kind of issue. Contact the Mikrotik technical divison and request their assistance. I'm sure that they will be just as keen to improve their security also, I always am.

Software,

looking at the port list, as I'm sure you're aware you've got FTP, Telnet, SSH, HTTP and DNS open to the source of your scan. I'm assuming the scan was actioned from an external source not local, if you performed the scan from the loca network then there may be false positives for services that are protected by firewalls etc.

Major advice would be to disable any services that you do not need. As you state that you are an ISP, all the services seem reasonable although I would question running all services from a single IP/server, although I know that this can be forced via budget/resource restraints etc.

First service that I would look at would be Telnet, as you are also running SSH then it is likely this service isn't needed for general administrative purposes. (Telnet transmits login/session details in cleartext whilst SSH is encrypted).

As your remote communication services (telnet/ssh) require valid credentials to access the server (I hope) then it is possible that an account on the server has been compromised, possibly through social engineering, or dictionary/bruteforce attempts. Only good staff awareness, training and policy can protect against the first, for the latter there are many tools designed to protect against brute-force attemtps, for example try breakinguard.

Next step would be to ensure that all software and services are up to date. I know it's a chore but keeping patch levels up to date can save you some big headaches.

You also stated that a third party hotspot service was the source of the unidentified individual using your network. As from your response they appear to be fairly unhelpful, I would recommend if possible and within your authority finding a different service provider. If this is not possible then you could try to segregate the wireless connection from the core of your network, on a DMZ for example. What evidence do you have that has lead you to believe that this is the entry point being used to access your network?

Once your server is locked down then you need to attempt to determine how the unknown party has gained access to your network and what damage has been done. For this you need to be looking at logs and any information you can get. How were you alerted to the individual bypassing your systems in the first place?

If incident response is new to you then the SANs Intrusion Detection FAQ can be a good place to start, HERE.

Hopefully this should set you on your way to both determining what has occured and improving your systems security. Knowing the industry I appreciate that some of this information you may not want it public view, this being the case feel free to PM me if necessary. Good luck...

Good question,

looks like EH-net-ers are friendlier than TechRepublic though

I do work for an ISP (I see tons of phishing calls for help to the Abuse@myisp.com) and I would like to see an e-mail address from the real domain before offering too much help as Yahoo e-mail addresses are free. If you truly need help with security you might want to post a real e-mail address you can post it like bob.smith (at) Mikrotik (dot) com to avoid spam. But till you show a way to prove you do work for the ISP it would be hard for most of the members here to help you ethically.

Brian

Well the long and the short of it is that you aren't going to get much more then general help from an open forum about an active security issue that you can't disclose details about (for obvious reasons).  If you do work for the ISP and need fix this security breach then your best bet is to tell management to pony up some cash and hire a security professional to take a look at your network.  Now if you need help finding a security professional you came to the right place!  Post your geographical location and ask for someone in your general area to send you a Private Message so you can make arrangements.  Good Luck! 

I tend to agree with Bill V on this and this does not seem like the kind of question an admin would be asking.   The only way to bypass the Mikrotic login is if you have admin access. Its actually a simple technique.   If someone is able to do this then it suggests they have owned the box and have admin access. If this is true then you have a serious issue that requires more immediate attention that trying to figure out how to bypass the login page remotely.