https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183632#M56421 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43490">@CTW1983</a>,</P><P>Important to remember that unless it's just someone running scripts, most people would run activity through a botnet. This would explain your wide range of IPs coming from different regions.</P><P>An additional step to take would be to block the IP for a set period of time.&nbsp;</P> Wed, 25 Oct 2017 13:29:32 GMT BPry 2017-10-25T13:29:32Z https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183531#M56399 <P>In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs coming from all over the world.<BR /><BR />- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(30426)<BR />- WebUI mainfile.php Arbitrary Command Injection Vulnerability(38836)<BR />- Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)<BR /><BR />We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats all within a few seconds, coming from the same source IP, and attacking the same destination IP. Then several hours later plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely different region), and attacking a different destination IP from the last time it occurred. Then it repeats.<BR /><BR />Our action for these attacks is "reset-both". Should we be doing some thing different?<BR /><BR />We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?<BR /><BR />Has anyone else also seen this same pattern?</P> Tue, 24 Oct 2017 22:32:58 GMT https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183531#M56399 CTW1983 2017-10-24T22:32:58Z https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183632#M56421 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43490">@CTW1983</a>,</P><P>Important to remember that unless it's just someone running scripts, most people would run activity through a botnet. This would explain your wide range of IPs coming from different regions.</P><P>An additional step to take would be to block the IP for a set period of time.&nbsp;</P> Wed, 25 Oct 2017 13:29:32 GMT https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183632#M56421 BPry 2017-10-25T13:29:32Z https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183739#M56436 <P>Hello,</P><P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>, definitly set the policy to block-ip. The max time is 3600 seconds (1 hour) so at least they would only be able to try once an hour. If they are comming from the smae source IP you could always just put in a rule to block those IP's.&nbsp;</P><P>&nbsp;</P><P>Just a thought.</P> Wed, 25 Oct 2017 21:25:27 GMT https://live.paloaltonetworks.com/t5/general-topics/pattern-of-network-vulnerability-scanning-coming-from-all-over/m-p/183739#M56436 OtakarKlier 2017-10-25T21:25:27Z