Boy, that didn't take long

Hi everyone,
I could use some help with an issue I had today.
Looks like some script kiddies ran a script against my Alta Route10.
Info below:

The Intrusion Detection System on Alta-Access XXXXXXX has detected potentially malicious traffic.

Severity: High
Alert: ET INFO HTTP POST contains pass= in cleartext
Protocol: TCP
Source: 157.90.140.164:80
Destination: 192.168.1.11:56668

So I used the RIPE abuse page and found:

Reverse DNS Hostname (RIPEstat)

static.164.140.90.157.clients.your-server.de
157.90.140.164

So I guess we’ll see how long it takes for the abuse email to get back with me.

In the meantime, someone in Germany can see I have a box plugged in on one of the LAN ports and that it was assigned 192.168.1.11? That alone seems somewhat concerning. So I have some questions:

  1. What logs or verbosity can I turn on to get more information on events like this?
  2. The IDS/IPS is on, so how can I check if that kicked in and started blocking this attempt?
  3. iptables logging, from what I can see, isn't giving me any information to do forensics with after the fact. Can it be set up so I can see 1 day of block logs, for instance, or longer if I plug in a USB drive?
     ```
     root@Alta-Access:/tmp/log# iptables -L -v -n | grep -i drop
     Chain INPUT (policy DROP 0 packets, 0 bytes)
     Chain FORWARD (policy DROP 0 packets, 0 bytes)
     Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     3496  381K DROP  all  --  *  eth3  0.0.0.0/0  0.0.0.0/0  ctstate INVALID /* !fw3: Prevent NAT leakage */
        0     0 DROP  all  --  *  eth4  0.0.0.0/0  0.0.0.0/0  ctstate INVALID /* !fw3: Prevent NAT leakage */
     Chain zone_wan_dest_DROP (1 references)
        0     0 DROP  all  --  *  eth3  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
        0     0 DROP  all  --  *  eth4  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
        0     0 zone_wan_dest_DROP  all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
     1585  639K zone_wan_src_DROP   all  --  *  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
     Chain zone_wan_src_DROP (1 references)
     1585  639K DROP  all  --  eth3  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
        0     0 DROP  all  --  eth4  *  0.0.0.0/0  0.0.0.0/0  /* !fw3 */
     ```
  4. Can a controller be set to pull logs from a Route10? I believe I saw a syslog server setting… which would push the logs to a destination. Can you also do the reverse and pull logs? Say I have a syslog server and I want it to poll the Route10 every 5 minutes for new information.
  5. I do like the fact that I received emails. I may keep my account on the cloud for that reason, as I received information offline that I could get from my phone.

Anyway, if there is any other information I can check for things like this, that will be helpful.
Thanks for your support.

Hi. I read the email with the initial question. The answer is no. I don't have a controller appliance. I have purchased one and am waiting for that in the mail. I have a BSD box which is the only thing plugged into the LAN port. I didn't want the controller connected to the Route 10 due to the hacking issue. I would like to plug that in behind another layer of packet filtering and have the controller pull logs from the Route 10 instead.

I’ve seen this logged before with some test equipment I have, although in my case it was due to me logging into a device that didn’t utilize HTTPS on the login page.

In my case, I believe it logged the source as the remote device as it was communicating back to my device on the LAN that had requested the connection and that’s when it tripped the IDS rule.

So I guess I'm saying my concern in your case would be if the device on your LAN initiated that connection, rather than an unsolicited connection coming through from the Internet to the local device. But I'm certainly not an expert, so feel free to take that with a grain of salt!

Otherwise on the local controller I think there’s not much in the way of doing some kind of custom push/pull sort of thing.

1 Like
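An added example, not part of any post in this thread: a small Python helper that parses an alert in the format quoted above and applies the point made in the reply (a well-known port on one side and an ephemeral port on the other usually tells you which side opened the connection) to estimate whether the LAN host was the client. The sample alert text is constructed to mirror the one posted; the function and field names are my own.

```python
import ipaddress
import re

# Constructed sample, shaped like the IDS email quoted in the thread.
SAMPLE_ALERT = """\
Severity: High
Alert: ET INFO HTTP POST contains pass= in cleartext
Protocol: TCP
Source: 157.90.140.164:80
Destination: 192.168.1.11:56668
"""
# "Source: 1.2.3.4:80" -> label, IPv4 address, port (IPv4 only, as in the alert format)
ENDPOINT_RE = re.compile(r"^(Source|Destination):\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")

def parse_alert(text):
    """Parse the key: value lines; Source/Destination become (ip_address, port)."""
    fields = {}
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line.strip())
        if m:
            fields[m.group(1).lower()] = (ipaddress.ip_address(m.group(2)), int(m.group(3)))
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def likely_initiator(alert):
    """Port heuristic: well-known port (< 1024) = server side, ephemeral port = client side."""
    _, src_port = alert["source"]
    _, dst_port = alert["destination"]
    if src_port < 1024 <= dst_port:
        return "destination"  # packet is the server's reply; the destination host was the client
    if dst_port < 1024 <= src_port:
        return "source"
    return "unknown"  # both low or both high: ports alone do not tell

def triage(text):
    """Combine the initiator guess with which side sits on a private (LAN) address."""
    alert = parse_alert(text)
    (src_ip, _), (dst_ip, _) = alert["source"], alert["destination"]
    lan_side = "destination" if dst_ip.is_private else "source" if src_ip.is_private else "none"
    initiator = likely_initiator(alert)
    if initiator == "unknown" or lan_side == "none":
        verdict = "undetermined"
    elif initiator == lan_side:
        verdict = "lan-initiated"  # a LAN host made the request: check that host and the app that sent the cleartext credentials
    else:
        verdict = "inbound-unsolicited"  # remote side opened it: check whether the firewall/IPS actually blocked it
    return {"alert": alert.get("alert", ""), "initiator": initiator, "lan_side": lan_side, "verdict": verdict}
```

For the posted alert this returns `lan-initiated`, which is the case the reply above describes: the IDS reports the remote server as the source because it is inspecting the reply half of a connection a LAN host opened.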

Yep. Checking all my systems: phones, iPads, MacBook. I just bought a Windows 11 laptop back up and upgraded the OS using uupdump to the latest Windows 11 beta package. Those ISO build packages download files directly from Microsoft, so I have doubts that would be infected by some trojan or malware connecting to these RIPE addresses. It could be an app launched locally or in the background. So yes, checking everything. The Route 10 seems to have learned what applications I used from the packet inspection, so I'll also check there to see if the Route10 also saved destination addresses from those apps. But you are correct, I'll need to check everything for some sort of malware. I would go to something in that range, but apps are built with all sorts of "call home" functions these days, so checking that now.

1 Like