Security vulnerability exploitation

[DaveB-Opt 0]

We have a threat notification for the following.

However we have blocked all connections coming from 185.202.0.0/16 at the firewall level, and I'm unable to see any incoming traffic from that IP address in the last week (from the firewall logs also).

I'm not sure what triggers this alert in ESET but I'm also unsure as to how the firewall didn't pick up the connection attempt?

Can anyone shed some light on this detection.

 

Process name

System

Rule name

 

Rule ID

 

Source address

185.202.1.204

Source port

320

Target address

192.168.8.43

Target port

80

Protocol

TCP

Occurrences per minute

1

[Marcos 5,069]

Maybe it's a notebook which was attacked from that IP address when it was outside your company's network that is behind a firewall that blocks any communication from that IP address?

[DaveB-Opt 0]

Good point - silly me! Thanks Marcos

[DaveB-Opt 0]

30 minutes ago, Marcos said:

Maybe it's a notebook which was attacked from that IP address when it was outside your company's network that is behind a firewall that blocks any communication from that IP address?

Actually I spoke too soon.

The only affected machine is an internal server which always resides behind our firewall

Edited June 5, 2020 by DaveB-Opt

[Marcos 5,069]

I'd say that communication on port 80 is allowed by the firewall. It's unlikely to be a false positive, the IP is a known source of attacks:

https://www.abuseipdb.com/check/185.202.1.204

[itman 1,659]

Port 320 is used by the PTP protocol: https://wiki.wireshark.org/Protocols/ptp .

As noted in the article, PTP is used for time synchronization between clients and servers on the internal LAN. As such, this port should not be open on the WAN side of the network perimeter appliance/router. I would check your network perimeter appliance/router for a possible breach/misconfiguartion.  

Edited June 5, 2020 by itman