Solved

SonicWall - Gateway Antivirus Alert:  Phish_PayPal (Trojan) blocked

Posted on 2010-11-28
3,524 Views
Last Modified: 2012-05-10
I have a SonicWall installed on a small business network.  Today, I received the following alerts multiple times:

11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  24.143.205.187, 80, X1           Destination:  192.168.1.114, 1109, X0  

or

11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  192.168.1.114, 1107, X0                 Destination:  24.143.205.187, 80, X1    

I got multiple attempts from multiple IP addresses.  More than 20+ attempts in a short period.  I even got a TCP XMas Tree dropped Intrusion Prevention alert.

Most of these alerts came from the following IP addresses:

24.143.205.25
24.143.205.187
184.85.253.57
184.85.253.56
184.85.253.40
184.85.253.41
184.85.253.48
184.85.253.49
184.85.253.10
209.18.43.179
209.18.43.171
209.18.43.56
209.18.43.25
209.18.43.26
209.18.43.65

They were quite aggressive but the SonicWall said that they were blocked.  Is there anything I should be worried about?  My log filled up quickly and I got a ton of email notifications.

I did antivirus and spyware scans on the PCs but they came up negative.  All this occurred when I was upgrading the Norton Antivirus on some computers and upgrading some Dell support software.  Also, when I tried to update the Norton Internet Security 2011 with the LiveUpdate, one of the many patches failed to install.  It was a patch for anti-phishing.

Any advice would be appreciated.  Thanks in advance.
Question by:EE_User12
7 Comments
LVL 33

Expert Comment

by:digitap
ID: 34227203
you need to look more closely at 192.168.1.114.  appears the traffic was trying to come into that internal ip and going out from that ip.  if the alerts were of type ingress, then i'd say not to be concerned.  the sonicwall did its job and blocked the attacks.  however, the alerts indicating an internal host would make me concerned.

is 192.168.1.114 the ip of x0 on the sonicwall?

Author Comment

by:EE_User12
ID: 34227820
It is the address of one of the computers on the network.  I believe x0 is the LAN interface where I have a switch connected to the SonicWall and X1 is the WAN interface.  I'm actually using a different more unique address than the 192.168.1.x scheme.  I'm just using this as an example.  All the other addresses are valid though.  The attack is also not specific to one computer.  I may have 2 or 3 other computers giving out the same message but they are all functioning fine.  Most of the troubled computers were the ones I upgraded.  I'm not sure if their installation files were corrupted.  

The attack seems to come in pairs.  Like a remote user trying to call or install something and then the internal computer tries to do something.  The SonicWall says block but the attacks this afternoon were very persistent.  I have scanned the internal computers thoroughly with basic antivirus (Norton) and antispyware (Spybot S&D)  tools but have not found anything.  I'm not sure if I have to Combofix this.  Also this attack only occurs when connected to the Internet.  When I disconnect the WAN from the Internet, everything goes quiet.

I'm not sure if something is hiding internally or if someone is trying to break in.  I do once in a while get scans hitting on my SonicWall from the outside but I just ignore them.

I removed all the Dell software and may replace or reinstall the Norton software since the anti-phishing patch will not install.  Everything has been stable and fine for months until today.

Assisted Solution

by:digitap
digitap earned 600 total points
ID: 34227886
yes...on the sonicwall, X0 is typically the LAN zone and X1 is the WAN zone.  reviewing the public IP addresses, i see several of those public IP addresses appear as AKAMAITECHNOLOGIES.COM in a reverse DNS.  the last 209.18.43.x don't resolve to anything, but most of the 184.85.253.x resolve the domain i specified above.  to quote,

"Akamai provides many IT services like application hosting, content delivery, and streaming media services, but they are probably best known for their massive distributed computer infrastructure. In lay terms, they have upwards of 15,000+ servers positioned around the globe providing content (software downloads, etc) and media (like QuickTime, RealAudio, or Windows Media files) for their customers (the likes of Apple, GM, MTV, Department of Defense, IBM, Microsoft, Monster.com, Yahoo!, Adobe...)."

Ref: http://bit.ly/elOJAJ

At most, i'd perform a malwarebytes, but it seems you got it.  combofix seems a little aggressive, and i've stopped using spybot quite some time ago.

based on what you're seeing, what you've found in your scans and that the sonicwall is blocking things, i think you don't have anything to worry about.  seems the sonicwall may be interpreting the updates.  you may try to exclude the Phish_Paypal "filter" and try an update on one of the boxes where updates are failing.  if it succeeds, then you've got your answer.
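The two checks digitap walks through above (is the alert ingress or egress relative to X0/X1, and do the public addresses reverse-resolve to a CDN such as Akamai) can be scripted over the alert log instead of read by eye. The following is an added example for this thread, not SonicWall's, Norton's or either poster's code: it parses records in the four-line format quoted in the question, decides which side opened each session from the port pattern (a service port on the WAN side and an ephemeral port on the LAN side means the internal PC initiated it, which is what an updater looks like and not what an inbound attack looks like), counts the "pairs" the asker noticed as one session scanned in both directions, and tallies the external hosts with a PTR label. The log records and the PTR map are constructed samples; the X0 = LAN / X1 = WAN mapping and the Akamai association come from the thread.

```python
"""Triage of SonicWall Gateway Anti-Virus alert records (added example, not from the thread)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the four-line record format quoted in the question.
SAMPLE_LOG = """\
11/28/2010 16:22:19.944
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  24.143.205.187, 80, X1           Destination:  192.168.1.114, 1109, X0

11/28/2010 16:22:20.096
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  192.168.1.114, 1107, X0                 Destination:  24.143.205.187, 80, X1

11/28/2010 16:25:02.310
Alert Security Services
Gateway Anti-Virus Alert: Phish_Paypal (Trojan) blocked
Source:  184.85.253.57, 80, X1           Destination:  192.168.1.120, 1211, X0
"""

# Constructed PTR answers so the script runs offline (swap in socket.gethostbyaddr
# for live lookups).  The Akamai association for 184.85.253.x is what the thread
# reports; the hostname itself is a made-up placeholder.
SAMPLE_PTR = {"184.85.253.57": "constructed-example.deploy.akamaitechnologies.com",
              "24.143.205.187": None}

WAN_IF = "X1"   # as confirmed in the thread: X1 = WAN zone, X0 = LAN zone
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+$")
SIG_RE = re.compile(r"Gateway Anti-Virus Alert:\s*(?P<sig>\S+)\s*\([^)]*\)\s*(?P<action>\w+)")
EP_RE = re.compile(r"Source:\s*(?P<sip>[\d.]+),\s*(?P<sport>\d+),\s*(?P<sif>\w+)\s+"
                   r"Destination:\s*(?P<dip>[\d.]+),\s*(?P<dport>\d+),\s*(?P<dif>\w+)")


def parse_alerts(text):
    """Parse blank-line-separated records into dicts keyed by LAN/WAN side."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ts = next((ln for ln in lines if TS_RE.match(ln)), None)
        sig = next((m for m in map(SIG_RE.search, lines) if m), None)
        ep = next((m for m in map(EP_RE.search, lines) if m), None)
        if not (ts and sig and ep):
            continue  # not a GAV alert, or a truncated record
        inbound = ep["sif"] == WAN_IF
        ext_ip, ext_port, int_ip, int_port = (
            (ep["sip"], ep["sport"], ep["dip"], ep["dport"]) if inbound
            else (ep["dip"], ep["dport"], ep["sip"], ep["sport"]))
        ext_port, int_port = int(ext_port), int(int_port)
        # Service port on the WAN side plus an ephemeral port on the LAN side means
        # the internal PC opened the session (client behaviour, e.g. an updater).
        if ext_port < 1024 <= int_port:
            initiator = "internal"
        elif int_port < 1024 <= ext_port:
            initiator = "external"
        else:
            initiator = "unknown"
        records.append({"ts": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
                        "signature": sig["sig"], "action": sig["action"],
                        "direction": "inbound" if inbound else "outbound",
                        "internal_ip": int_ip, "external_ip": ext_ip,
                        "external_port": ext_port, "initiator": initiator})
    return records


def paired_events(records, window_seconds=2.0):
    """Count inbound/outbound alerts on the same host pair within the window: the
    'comes in pairs' pattern the asker saw, i.e. one HTTP session scanned in both
    directions rather than two separate attacks."""
    pairs, pending = 0, []
    for r in sorted(records, key=lambda x: x["ts"]):
        for p in pending:
            same_pair = (p["internal_ip"], p["external_ip"]) == (r["internal_ip"], r["external_ip"])
            if (same_pair and p["direction"] != r["direction"]
                    and (r["ts"] - p["ts"]).total_seconds() <= window_seconds):
                pairs += 1
                pending.remove(p)
                break
        else:
            pending.append(r)
    return pairs


def triage(records, ptr_map=SAMPLE_PTR, cdn_suffixes=("akamaitechnologies.com",)):
    """Summarise who initiated what and which external hosts look like a CDN."""
    externals = []
    for ip, n in Counter(r["external_ip"] for r in records).most_common():
        name = ptr_map.get(ip)
        externals.append({"ip": ip, "alerts": n, "ptr": name,
                          "cdn": bool(name and name.endswith(cdn_suffixes))})
    return {"total": len(records),
            "internal_hosts": sorted({r["internal_ip"] for r in records}),
            "internally_initiated": sum(r["initiator"] == "internal" for r in records),
            "paired": paired_events(records),
            "externals": externals}
```

Running `triage(parse_alerts(SAMPLE_LOG))` on the constructed sample reports three alerts, all initiated by LAN hosts towards port 80, one inbound/outbound pair, and the 184.85.253.x address labelled as CDN. That combination (LAN-initiated HTTP to a CDN, paired in both directions, clustered around an update run) is the false-positive shape the thread converges on; alerts where `initiator` comes out as `external`, or where the external hosts do not resolve to a known content provider, are the ones that still deserve a look at the internal host.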

Author Comment

by:EE_User12
ID: 34232611
I am beginning to think this may be a false positive.  I am able to replicate the SonicWall Phish_PayPal alerts every time I run the LiveUpdate in Norton.  It appears all my PCs with Norton have been affected.  For some reason, they cannot install an anti-phishing patch.

Error message:

Norton 2011 Web Protection Definitions Updates Antiphising to verify authentic websites failed to install.

All scans with Malwarebytes and SpyBotSD come up negative.  After removing the Norton, things went quiet.  Even after a fresh install of Norton, the patch still fails to install.  I have one test computer running Avast and it has no problems.  I'm assuming this is an issue between the Norton LiveUpdate and the SonicWall.  I had no problems with Norton until they recently released NIS 2011.  I have another group of computers that I take care of that are not protected by a SonicWall but their updates have been able to install successfully on Norton 2011.

Accepted Solution

by:digitap
digitap earned 600 total points
ID: 34232668
yes, I agree with you.  i believe it to be a sonicwall issue.  their signatures for Phish_PayPal are generating this and probably need to be updated...perhaps that has already happened.  you might check when the last time your sonicwall definitions were updated or even the firmware you are currently running on.  you could probably disable the filter for this item safely until a fix has been released by sonicwall...possibly even with Norton in the way they distributed updates.

Author Closing Comment

by:EE_User12
ID: 34273684
Digitap, thanks again for your help.

If any readers have a similar problem, look for automated processes.  When digitap mentioned Akamai, that rang a bell in my head.  Most of these automated processes go through this service.  In my situation, the SonicWall was creating a false positive when the NIS 2011 was looking for updates.  For some reason the anti-phishing update failed to install.  It might be related to the SpybotS&D or a bad upgrade on the NIS 2011.  I had varying results with my fix.  Some computers eventually were able to install the anti-phishing update after I did an uninstall of NIS 2011, updated the SpybotS&D, followed with a SpybotS&D immunization, and then reinstalled the NIS 2011.  It might or might not be related to the immunize process of the SpybotS&D not allowing the anti-phishing update to be installed.  Disabling any running programs during install made no difference.  If the update continues to fail, either disable the LiveUpdate (and do it manually) or change to another antivirus/firewall program like Avast.  I have some computers on Avast and they're doing great but I think Avast has a weak antispam feature especially for mail.  I also recommend that you update your signatures and firmware for the SonicWall like digitap mentioned.

Expert Comment

by:digitap
ID: 34273860
thanks for the points and the detailed information.