Pattern of network vulnerability scanning coming from all over the world

cancel
Showing results for 
Search instead for 
Did you mean: 

Pattern of network vulnerability scanning coming from all over the world

L2 Linker

In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs coming from all over the world.

- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(30426)
- WebUI mainfile.php Arbitrary Command Injection Vulnerability(38836)
- Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)

We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats all within a few seconds, coming from the same source IP, and attacking the same destination IP. Then several hours later plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely different region), and attacking a different destination IP from the last time it occurred. Then it repeats.

Our action for these attacks is "reset-both". Should we be doing some thing different?

We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?

Has anyone else also seen this same pattern?

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

@Curt_Wilson,

Important to remember that unless it's just someone running scripts, most people would run activity through a botnet. This would explain your wide range of IPs coming from different regions.

An additional step to take would be to block the IP for a set period of time. 

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

@Curt_Wilson,

Important to remember that unless it's just someone running scripts, most people would run activity through a botnet. This would explain your wide range of IPs coming from different regions.

An additional step to take would be to block the IP for a set period of time. 

Hello,

I agree with @BPry, definitly set the policy to block-ip. The max time is 3600 seconds (1 hour) so at least they would only be able to try once an hour. If they are comming from the smae source IP you could always just put in a rule to block those IP's. 

 

Just a thought.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!