Solved

Microsoft Internet Explorer Security Bypass Caught on IPS

Posted on 2015-02-11
193 Views
Last Modified: 2015-02-12
There is a medium alert sent to me from our IPS box saying "Microsoft Internet Explorer Security Bypass", and the initiator of the attack is my webserver. Could you help me and give me some guidance?

I want to know if my webserver has been hacked or not. Thanks.


Event ID	6823991242468
Severity	medium
Host ID	LAC-ASA5525-IPS-8-1
Application Name	sensorApp
Event Time	02/11/2015 08:49:48
Sensor Local Time	02/11/2015 08:49:48
Signature ID	5009
Signature Sub-ID	0
Signature Name	Microsoft Internet Explorer Security Bypass
Signature Version	S851
Signature Details	CVE-2015-0069
Interface Group	vs0
VLAN ID	0
Interface	PortChannel0/0
Attacker IP	198.51.140.163
Protocol	tcp
Attacker Port	80
Attacker Locality	OUT
Target IP	63.241.135.78
Target Port	26936
Target Locality	OUT
Target OS	unknown unknown (unknown)
Actions	
Risk Rating	TVR=medium 
Risk Rating Value	63
Threat Rating	63
Reputation	
Context Data	From attacker: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 08:49:48.344 ---- Ether: Ether: dst = 35:38:35:37:37:27 Ether: src = 29:3b:a:20:20:2f Ether: proto = 0x2a20 Ether: Data: 0000 4c 54 52 20 2a 2f 0a 20 20 6c 69 73 74 2d 73 74 LTR */. list-st Data: 0010 79 6c 65 2d 74 79 70 65 3a 20 64 69 73 63 3b 0a yle-type: disc;. Data: 0020 7d 0a 2e 6d 65 6e 75 20 2e 6c 65 61 66 20 7b 0a }..menu .leaf {. Data: 0030 20 20 6c 69 73 74 2d 73 74 79 6c 65 2d 69 6d 61 list-style-ima Data: 0040 67 65 3a 20 75 72 6c 28 27 2e 2e 2f 2e 2e 2f 2e ge: url('../../. Data: 0050 2e 2f 69 6d 61 67 65 73 2f 6d 69 73 63 2f 6d 65 ./images/misc/me Data: 0060 6e 75 2d 6c 65 61 66 2e 70 6e 67 3f 31 33 37 39 nu-leaf.png?1379 Data: 0070 34 35 38 35 37 37 27 29 3b 0a 20 20 6c 69 73 74 458577');. list Data: 0080 2d 73 74 79 6c 65 2d 74 79 70 65 3a 20 73 71 75 -style-type: squ Data: 0090 61 72 65 3b 0a 7d 0a 0a 2f 2a 20 4d 65 6e 75 20 are;.}../* Menu Data: 00a0 53 74 61 74 65 20 4d 6f 64 69 66 69 65 72 73 20 State Modifiers Data: 00b0 2a 2f 0a 2e 61 63 74 69 76 65 20 7b 0a 20 20 63 */..active {. c Data: 00c0 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 7d 0a 0a 2e olor: #000;.}... Data: 00d0 6d 65 6e 75 2d 64 69 73 61 62 6c 65 64 20 7b 0a menu-disabled {. 
Data: 00e0 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 63 background: #c Data: 00f0 63 63 cc Data: From victim: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 08:49:48.344 ---- Ether: Ether: dst = 74:69:6f:6e:3a:20 Ether: src = 4b:65:65:70:2d:41 Ether: proto = 0x6c69 Ether: Data: 0000 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 ve..User-Agent: Data: 0010 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e Mozilla/5.0 (Win Data: 0020 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 dows NT 6.1; WOW Data: 0030 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 64) AppleWebKit/ Data: 0040 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 537.36 (KHTML, l Data: 0050 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d ike Gecko) Chrom Data: 0060 65 2f 34 30 2e 30 2e 32 32 31 34 2e 31 31 31 20 e/40.0.2214.111 Data: 0070 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 41 Safari/537.36..A Data: 0080 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 ccept-Language: Data: 0090 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 38 0d 0a en-US,en;q=0.8.. Data: 00a0 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f 72 3a X-Forwarded-For: Data: 00b0 20 31 37 32 2e 31 36 2e 38 32 2e 31 38 36 0d 0a 172.16.82.186.. Data: 00c0 58 2d 52 42 54 2d 4f 70 74 69 6d 69 7a 65 64 2d X-RBT-Optimized- Data: 00d0 42 79 3a 20 4e 59 2d 52 56 52 42 45 44 31 20 28 By: NY-RVRBED1 ( Data: 00e0 52 69 4f 53 20 33 2e 31 2e 32 29 20 53 43 0d 0a RiOS 3.1.2) SC.. Data: 00f0 0d 0a .. Data:
Packet Data	
Event Summary	0
Initial Alert	
Summary Type	
Final Alert	
Event Status	New
Event Notes	

Question by:Jason Yu
2 Comments
 
LVL 42

Accepted Solution

by:
Davis McCarn earned 500 total points
ID: 40605677
The attack is originating from L.A. CARE COMMUNITY HEALTH's IP address.
The target is in a range assigned by AT&T.
Nirsoft's Current Ports will let you inspect the processes using TCP and UDP ports to determine which process is triggering the alarm: http://www.nirsoft.net/utils/cports.html
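An added example (not from the thread or either poster) showing how to read what the sensor actually flagged: the alert is parsed from the tab-separated key/value layout shown above, the "Data: <offset> hex ascii" rows of Context Data are rebuilt into the two payloads, and the ports are used to work out which end of the TCP connection the IPS labelled "attacker". SAMPLE_ALERT is constructed; it reuses the alert's IPs and ports, but its hex rows are made up and are not the real alert's bytes.

```python
import re, itertools

# Constructed sample in the alert's key<TAB>value layout: the IPs/ports are the
# alert's, the Context Data hex rows are made up (not the real alert's bytes).
SAMPLE_ALERT = (
    "Attacker IP\t198.51.140.163\nAttacker Port\t80\n"
    "Target IP\t63.241.135.78\nTarget Port\t26936\n"
    "Context Data\tFrom attacker: Ether: ---- Ethernet2 OSI=2 Frame #1 ---- Ether: "
    "Data: 0000 2e 6d 65 6e 75 20 2e 6c 65 61 66 20 7b 0a 20 20 .menu .leaf {. "
    "Data: 0010 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 7d 0a 0a color: #ccc;.}.. "
    "Data: 0020 63 63 cc Data: From victim: Ether: ---- Ethernet2 OSI=2 ---- Ether: "
    "Data: 0000 47 45 54 20 2f 73 74 79 6c 65 2e 63 73 73 20 48 GET /style.css H "
    "Data: 0010 54 54 50 2f 31 2e 31 0d 0a 0d 0a TTP/1.1.... Data:\n")
HEX, OFF = re.compile(r"^[0-9a-f]{2}$"), re.compile(r"^[0-9a-f]{4}$")

def parse_fields(text):  # 'Key<TAB>Value' lines -> dict
    return dict(l.split("\t", 1) for l in text.splitlines() if "\t" in l)

def _render(bs):  # the sensor's ASCII column: non-printables shown as '.'
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bs)

def _row_bytes(tokens):
    """Bytes of one 'Data: <offset> hh .. hh <ascii>' row. A short final row is
    ambiguous because its ASCII column can itself look like hex (the real alert
    ends '63 63 cc'), so take the byte count whose rendering matches the rest."""
    cand = list(itertools.takewhile(HEX.match, tokens[:16]))
    for j in range(len(cand), 0, -1):
        bs = bytes(int(t, 16) for t in cand[:j])
        if _render(bs).replace(" ", "") == "".join(tokens[j:]):
            return bs
    return bytes(int(t, 16) for t in cand)

def decode_context(ctx):
    """Rebuild the 'From attacker' and 'From victim' payloads from Context Data."""
    out = {}
    for side, blob in zip(("attacker", "victim"), ctx.split("From victim:")):
        rows = [s.split() for s in blob.split("Data:")]
        out[side] = b"".join(_row_bytes(t[1:]) for t in rows
                             if t and OFF.match(t[0])).decode("latin-1")
    return out

def triage(alert_text):
    """Decode the alert and say which end of the TCP connection the IPS flagged."""
    f = parse_fields(alert_text)
    payload = decode_context(f["Context Data"])
    a_port, t_port = int(f["Attacker Port"]), int(f["Target Port"])
    # 'Attacker' on port 80 and an ephemeral 'Target' port: the flagged bytes
    # are the web server's reply; the client's request is under 'victim'.
    return {"server_side": "attacker" if a_port < 1024 <= t_port else "target",
            "payload": payload,
            "victim_is_http_request": payload["victim"].startswith(("GET ", "POST "))}
```

Running triage on the real record tells you whether the "attack" is a response your web server sent on port 80 to a client's request, which is the first thing to check before treating the server as compromised.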

Author Comment

by:Jason Yu
ID: 40606000
OK, this server in LA Care is a webserver managed by me. Can I install this tool on a Linux box? It is a RHEL box.

Or I can install it on my desktop and monitor the server's ports.

Thanks.