DaveB-Opt

Security vulnerability exploitation


We have a threat notification for the following.

However, we have blocked all connections coming from 185.202.0.0/16 at the firewall level, and I'm unable to see any incoming traffic from that IP address in the last week (from the firewall logs also).

I'm not sure what triggers this alert in ESET but I'm also unsure as to how the firewall didn't pick up the connection attempt?

Can anyone shed some light on this detection?

 

Process name: System
Rule name:
Rule ID:
Source address: 185.202.1.204
Source port: 320
Target address: 192.168.8.43
Target port: 80
Protocol: TCP
Occurrences per minute: 1


Maybe it's a notebook which was attacked from that IP address when it was outside your company's network that is behind a firewall that blocks any communication from that IP address?

30 minutes ago, Marcos said:

Maybe it's a notebook which was attacked from that IP address when it was outside your company's network that is behind a firewall that blocks any communication from that IP address?

Actually I spoke too soon.

The only affected machine is an internal server which always resides behind our firewall.

Edited by DaveB-Opt


Port 320 is used by the PTP protocol: https://wiki.wireshark.org/Protocols/ptp.

As noted in the article, PTP is used for time synchronization between clients and servers on the internal LAN. As such, this port should not be open on the WAN side of the network perimeter appliance/router. I would check your network perimeter appliance/router for a possible breach/misconfiguration.

Edited by itman
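
Added example, not part of any post in this thread: one way to run the firewall-log check the original poster describes, matching on the whole blocked range and separating dropped from accepted flows before comparing them with the ESET alert. The log format (iptables-style with FW-DROP/FW-ACCEPT prefixes), the interface names and the sample lines are constructed assumptions; the poster's firewall product is not stated.

```python
import ipaddress
import re

BLOCKED_NET = ipaddress.ip_network("185.202.0.0/16")  # range from the post
ALERT = {"src": "185.202.1.204", "spt": 320, "dst": "192.168.8.43", "dpt": 80}

# Constructed sample lines in an assumed iptables-style LOG format.
SAMPLE_LOG = """\
Jan 10 09:14:02 fw kernel: FW-DROP IN=wan0 SRC=185.202.1.204 DST=203.0.113.10 PROTO=TCP SPT=320 DPT=80
Jan 10 09:14:05 fw kernel: FW-ACCEPT IN=wan0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51514 DPT=443
Jan 10 09:15:41 fw kernel: FW-ACCEPT IN=wan1 SRC=185.202.1.204 DST=192.168.8.43 PROTO=TCP SPT=320 DPT=80
Jan 10 09:16:00 fw kernel: malformed line without fields
"""

LINE_RE = re.compile(
    r"(?P<action>FW-(?:DROP|ACCEPT)) IN=(?P<iface>\S*) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def flows_from_blocked_range(log_text, net=BLOCKED_NET):
    """Return parsed log entries whose source address falls inside `net`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log entry
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # SRC field is not a valid address
        if src in net:
            hits.append(m.groupdict())
    return hits

def accepted(hits):
    """Entries that were let through even though the range should be blocked."""
    return [h for h in hits if h["action"] == "FW-ACCEPT"]

def matches_alert(hit, alert=ALERT):
    """True when source address, source port and target port equal the alert's."""
    return (hit["src"] == alert["src"] and int(hit["spt"]) == alert["spt"]
            and int(hit["dpt"]) == alert["dpt"])

if __name__ == "__main__":
    for h in flows_from_blocked_range(SAMPLE_LOG):
        tag = "matches alert" if matches_alert(h) else ""
        print(h["action"], h["iface"], h["src"], "->", h["dst"], h["dpt"], tag)
```

An accepted entry from the blocked range identifies the interface and rule path to review on the perimeter device.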
