Netgate Discussion Forum
    Attack from aggrosoperations.ltd

    IDS/IPS
ASGR71:

      Hey Guys and Ladies...

      My 1100 picked up 2 attacks from 45.128.232.126 that is registered to aggrosoperations.ltd in Germany according to ripe.net. When I look at the netname and descr it says that it's Pfcloud. Are these netgate servers?

      These are the details of the attack:
      Class: Attempted Administrator Privilege Gain
      Description: ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394)

I have a feeling that the IP address may have been spoofed! My first reaction was to block the IP but, in hindsight, that may interfere with the device...

      Thanks in advance.

michmoor @ASGR71:

        @asgr71 I assume you are running IPS on your WAN? Default action is to block all incoming traffic.

Firewall: NetGate 6100/7100U, Palo Alto
Routing: Juniper MX204, Arista 7050X3
Switching: Juniper EX/QFX, Arista 7050SX
Wireless: Unifi, Aruba IAP

EdIlS0N LiMa:

Good afternoon.. I'm taking the IPs that snort alerts on and putting them in a block list.. but it changes all the time.. different destinations.. is there any way to do this blocking, or is the only way to end this attack to replace the network card?

EdIlS0N LiMa:

THE ONES I'VE CAUGHT SO FAR..

            ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound (CVE-2022-27255)

            151.106.38.215 45.95.55.155 151.106.40.7 36.111.131.176
            176.32.34.56 45.81.243.34 80.94.92.110 45.148.122.69
            138.128.247.175 45.93.16.15 45.128.232.158 45.128.232.126
            45.93.16.56 45.128.232.158

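The post above is a hand-collected list of alerting sources, with one address repeated. As an added example (not code from the thread or from Netgate), here is a small Python script that does that collection automatically from Snort's "fast" alert output: it parses each alert line, counts hits per source, de-duplicates, skips private and loopback ranges so a rule firing on LAN traffic can never put your own hosts in the block table, and emits a sorted list suitable for a pfSense URL-table alias. The alert lines, rule SIDs (9000001-9000003) and "ET SCAN Suspicious inbound probe" message are constructed for the example, and the addresses come from the RFC 5737 documentation ranges; only the two ET EXPLOIT rule names and CVE ids are taken from the thread.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Snort "alert_fast" output: one alert per line, e.g.
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# IPv4 only; Classification is optional, as it is in Snort's own output.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<class>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Ranges that must never land in a WAN block table (RFC 1918, loopback, link-local).
# Add your own WAN/VPN prefixes here before using the output for real.
NEVER_BLOCK = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log (SIDs and the SCAN rule are placeholders; IPs are RFC 5737 test addresses).
SAMPLE_ALERTS = """\
08/14-10:02:11.532001  [**] [1:9000001:1] ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.10:41234 -> 198.51.100.2:9034
08/14-10:02:15.118774  [**] [1:9000001:1] ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.10:41235 -> 198.51.100.2:9034
08/14-11:40:03.007312  [**] [1:9000002:1] ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound (CVE-2022-27255) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.77:5555 -> 198.51.100.2:5555
08/14-11:41:59.990004  [**] [1:9000003:1] ET SCAN Suspicious inbound probe (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:50012 -> 198.51.100.2:22
this line is not an alert and must be skipped
"""


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if a[key] is not None:
            a[key] = int(a[key])
    return a


def is_blockable(ip):
    """True unless the address falls in a range we refuse to block."""
    addr = ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)


def alerts_by_source(text):
    """Map each source IP to a Counter of rule messages it triggered (for review, not blocking)."""
    by_src = defaultdict(Counter)
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is not None:
            by_src[a["src"]][a["msg"]] += 1
    return by_src


def build_blocklist(text, min_hits=1, max_priority=1):
    """Unique, numerically sorted source IPs that raised at least min_hits alerts of
    priority <= max_priority and are outside NEVER_BLOCK. Repeats collapse to one entry."""
    hits = Counter()
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is None or a["prio"] > max_priority or not is_blockable(a["src"]):
            continue
        hits[a["src"]] += 1
    return sorted((ip for ip, n in hits.items() if n >= min_hits), key=ip_address)


if __name__ == "__main__":
    # One address per line is the format a pfSense URL-table alias expects.
    print("\n".join(build_blocklist(SAMPLE_ALERTS)))
```

On a real box the input would be Snort's `alert` file under its log directory rather than the embedded sample; raising `min_hits` filters out one-off scanners, and the priority cap keeps informational rules out of the table. As michmoor notes below, an inbound alert on WAN for traffic that no rule passes is already dropped by the firewall's default deny, so a list like this mainly earns its keep for ports you deliberately expose.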
michmoor @EdIlS0N LiMa:

@edils0n-lima

Do not enable Snort on the WAN. That is pointless to do as the default action of the firewall is to block. Place Snort on your LAN.
