Attack from aggrosoperations.ltd
Hey Guys and Ladies...
My 1100 picked up 2 attacks from 18.104.22.168 that is registered to aggrosoperations.ltd in Germany according to ripe.net. When I look at the netname and descr it says that it's Pfcloud. Are these Netgate servers?
These are the details of the attack:
Class: Attempted Administrator Privilege Gain
Description: ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394)
I have a feeling that the IP address may have been spoofed! My first reaction was to block the IP but, in hindsight, that may interfere with the device...
Thanks in advance.
@asgr71 I assume you are running IPS on your WAN? Default action is to block all incoming traffic.
EdIlS0N LiMa:
Good afternoon.. I'm taking the IPs that Snort alerts on and putting them in a block list.. but this changes all the time.. different destinations.. is there any way to do this blocking, or is the only way to end this attack to replace the network card?
EdIlS0N LiMa:
THE ONES I'VE CAUGHT SO FAR..
ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound (CVE-2022-27255)
Do not enable Snort on the WAN. That is pointless to do as the default action of the firewall is to block. Place Snort on your LAN.
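Added example, not code from this thread or from Netgate or Snort: a small Python triage script that parses constructed Snort fast-format alert lines carrying the ET EXPLOIT signatures quoted above, groups hits by signature and source address, and reports how quickly the sources churn, which is why a hand-kept block list "changes all the time". The SIDs, ports and addresses in the sample are placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format (placeholder SIDs, ports and
# documentation-range addresses; only the message text mirrors the thread's signatures).
SAMPLE_ALERTS = """\
08/14-10:01:02.000001  [**] [1:9000001:1] ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.10:40001 -> 198.51.100.5:9034
08/14-10:05:44.000002  [**] [1:9000001:1] ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35394) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.10:40002 -> 198.51.100.5:9034
08/14-11:17:09.000003  [**] [1:9000002:1] ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound (CVE-2022-27255) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.77:53011 -> 198.51.100.5:9034
08/14-11:18:30.000004  [**] [1:9000002:1] ET EXPLOIT Realtek eCos RSDK/MSDK Stack-based Buffer Overflow Attempt Inbound (CVE-2022-27255) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.78:53012 -> 198.51.100.5:9034
"""

# One fast-format line: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Parse fast-format lines into dicts and pull the CVE id out of the message; unmatched lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        cve = re.search(r"CVE-\d{4}-\d+", rec["msg"])
        rec["cve"] = cve.group(0) if cve else None
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Per signature: hit count, distinct source addresses and the destination ports probed."""
    by_msg = defaultdict(list)
    for a in alerts:
        by_msg[a["msg"]].append(a)
    return {
        msg: {
            "cve": rows[0]["cve"],
            "hits": len(rows),
            "sources": sorted({r["src"] for r in rows}),
            "dst_ports": sorted({r["dport"] for r in rows}),
        }
        for msg, rows in by_msg.items()
    }

def churn_ratio(alerts):
    """Distinct sources divided by hits; near 1.0 means almost every hit comes from a new address."""
    return len({a["src"] for a in alerts}) / len(alerts) if alerts else 0.0
```

A high churn ratio is the quantitative version of the advice above: chasing individual source addresses is futile when the firewall's default inbound deny already drops the traffic on the WAN.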