Security vulnerability exploitation


We have a threat notification for the following.

However we have blocked all connections coming from 185.202.0.0/16 at the firewall level, and I'm unable to see any incoming traffic from that IP address in the last week (from the firewall logs also).

I'm not sure what triggers this alert in ESET, and I'm also unsure how the firewall didn't pick up the connection attempt.

Can anyone shed some light on this detection?

 

Process name: System
Rule name: (blank)
Rule ID: (blank)
Source address: 185.202.1.204
Source port: 320
Target address: 192.168.8.43
Target port: 80
Protocol: TCP
Occurrences per minute: 1
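The question in the post above is really a correlation problem: does the perimeter firewall's own log show this flow, and is the alert's source address inside the range the firewall is supposed to drop? The script below is an added example written for this thread, not ESET code and not the poster's own tooling. It takes the alert fields as posted, checks the source against the blocked 185.202.0.0/16 range, and searches a set of firewall log lines for a matching ALLOW. The log format ("timestamp ACTION src:port -> dst:port proto") and the three log lines are constructed for the example; substitute a parser for your appliance's real export format. It also flags the unusual source port, since a TCP client normally connects from an ephemeral port rather than a service port such as 320.

```python
import ipaddress
from dataclasses import dataclass

# Range the poster says is blocked at the perimeter firewall.
BLOCKED_NETS = [ipaddress.ip_network("185.202.0.0/16")]

# Ports below 1024 are service ports; a client normally connects from an
# ephemeral port, so a low *source* port on an inbound probe is unusual.
EPHEMERAL_MIN = 1024

# Alert fields exactly as shown in the ESET notification above.
ALERT = {
    "src_ip": "185.202.1.204",
    "src_port": 320,
    "dst_ip": "192.168.8.43",
    "dst_port": 80,
    "proto": "TCP",
}

# Constructed firewall log lines (hypothetical format, not any vendor's):
# "<timestamp> <ACTION> <src>:<port> -> <dst>:<port> <proto>".
FW_LOG = """\
2023-05-01T10:00:01Z DROP 185.202.1.204:51234 -> 203.0.113.10:443 TCP
2023-05-01T10:00:05Z ALLOW 198.51.100.7:40512 -> 203.0.113.10:80 TCP
2023-05-01T10:01:12Z ALLOW 192.168.8.12:53111 -> 192.168.8.43:80 TCP
"""


@dataclass
class FwEntry:
    ts: str
    action: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_fw_log(text):
    """Parse the constructed log format into FwEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _arrow, dst, proto = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        entries.append(FwEntry(ts, action, s_ip, int(s_port), d_ip, int(d_port), proto))
    return entries


def in_blocked_range(ip):
    """True if the address falls inside any perimeter-blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)


def triage(alert, entries):
    """Cross-check an IDS alert against the block list and the firewall log."""
    src_hits = [e for e in entries if e.src_ip == alert["src_ip"]]
    allowed_to_target = [
        e for e in src_hits
        if e.action == "ALLOW"
        and e.dst_ip == alert["dst_ip"]
        and e.dst_port == alert["dst_port"]
        and e.proto == alert["proto"]
    ]
    findings = {
        "source_in_blocked_range": in_blocked_range(alert["src_ip"]),
        "target_is_private": ipaddress.ip_address(alert["dst_ip"]).is_private,
        "low_source_port": alert["src_port"] < EPHEMERAL_MIN,
        "fw_records_for_source": src_hits,
        "fw_allowed_to_target": allowed_to_target,
    }
    notes = []
    if findings["source_in_blocked_range"] and not allowed_to_target:
        notes.append(
            "source is in a blocked range and the firewall logged no ALLOW for "
            "this flow: the packet the host saw did not traverse that rule as "
            "logged (check other ingress paths, NAT/VPN, and the host's own "
            "view of the packet before trusting the block)"
        )
    if findings["low_source_port"]:
        notes.append(
            f"source port {alert['src_port']} is below {EPHEMERAL_MIN}; normal "
            "clients use ephemeral ports, so check for a scanner using a fixed "
            "source port or a spoofed packet"
        )
    findings["notes"] = notes
    return findings


if __name__ == "__main__":
    for key, value in triage(ALERT, parse_fw_log(FW_LOG)).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the script reports the source inside the blocked range, one DROP record for that source (to a different destination), no ALLOW for the alerted flow, and the low source port; that combination is the evidence to take to the firewall vendor or to a packet capture on the server itself.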


Maybe it's a notebook that was attacked from that IP address while it was outside your company's network, which is behind a firewall that blocks any communication from that IP address?


30 minutes ago, Marcos said:

Maybe it's a notebook that was attacked from that IP address while it was outside your company's network, which is behind a firewall that blocks any communication from that IP address?

Actually I spoke too soon.

The only affected machine is an internal server which always resides behind our firewall.

Edited by DaveB-Opt

Port 320 is used by the PTP protocol: https://wiki.wireshark.org/Protocols/ptp

As noted in the article, PTP is used for time synchronization between clients and servers on the internal LAN. As such, this port should not be open on the WAN side of the network perimeter appliance/router. I would check your network perimeter appliance/router for a possible breach/misconfiguration.

Edited by itman
