Pattern of network vulnerability scanning coming from all over the world


L2 Linker

In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs coming from all over the world.

- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(30426)
- WebUI mainfile.php Arbitrary Command Injection Vulnerability(38836)
- Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)

We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats all within a few seconds, coming from the same source IP, and attacking the same destination IP. Then several hours later plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely different region), and attacking a different destination IP from the last time it occurred. Then it repeats.

Our action for these attacks is "reset-both". Should we be doing something different?

We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?

Has anyone else also seen this same pattern?

Accepted Solutions

Cyber Elite

@Curt_Wilson,

Important to remember that unless it's just someone running scripts, most people would run activity through a botnet. This would explain your wide range of IPs coming from different regions.

An additional step to take would be to block the IP for a set period of time. 

2 REPLIES

Hello,

I agree with @BPry, definitely set the policy to block-ip. The max time is 3600 seconds (1 hour) so at least they would only be able to try once an hour. If they are coming from the same source IP you could always just put in a rule to block those IPs.

Just a thought.
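
To check whether your own logs show the pattern described in the question (one source hitting one destination with all three Threat IDs within seconds, then a gap of hours before a different source appears), the following added example, which is not part of the original thread, groups threat-log rows into bursts and reports the time between them. The row layout (time,src,dst,threat_id), the addresses and the timestamps are constructed for illustration and are not a firewall export format.

```python
from datetime import datetime, timedelta
from collections import defaultdict

SCAN_IDS = {30426, 38836, 33556}  # the three Threat IDs named in the post

# Constructed sample rows (time,src,dst,threat_id); not a real export format.
SAMPLE_LOG = """\
2024-01-10 02:14:05,192.0.2.10,203.0.113.5,30426
2024-01-10 02:14:06,192.0.2.10,203.0.113.5,38836
2024-01-10 02:14:08,192.0.2.10,203.0.113.5,33556
2024-01-10 03:00:00,192.0.2.77,203.0.113.9,30426
2024-01-10 07:41:30,198.51.100.23,203.0.113.8,33556
2024-01-10 07:41:31,198.51.100.23,203.0.113.8,30426
2024-01-10 07:41:33,198.51.100.23,203.0.113.8,38836
"""

def parse(text):
    """Return (time, src, dst, threat_id) tuples sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, tid = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(tid)))
    return sorted(rows)

def find_bursts(events, ids=SCAN_IDS, window=timedelta(seconds=10)):
    """Flag (src, dst) pairs that triggered every ID in `ids` within `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, tid in events:
        if tid in ids:
            by_pair[(src, dst)].append((ts, tid))
    bursts = []
    for (src, dst), hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            if {tid for _, tid in hits[start:end + 1]} == set(ids):
                bursts.append({"src": src, "dst": dst, "start": hits[start][0]})
                break  # one burst is enough to flag the pair
    return sorted(bursts, key=lambda b: b["start"])

def gaps_between(bursts):
    """Time between consecutive bursts, to compare with the block-ip duration."""
    return [b["start"] - a["start"] for a, b in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    found = find_bursts(parse(SAMPLE_LOG))
    print([(str(b["start"]), b["src"], b["dst"]) for b in found])
    print("gaps:", gaps_between(found))
```

Comparing the gaps with the block duration discussed in the replies shows whether a timed block on the source address would ever intercept a repeat visit from that address.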
