Solved

Microsoft Internet Explorer Security Bypass Caught on IPS

Posted on 2015-02-11
Last Modified: 2015-02-12
There is a medium alert sent to me from our IPS box saying "Microsoft Internet Explorer Security Bypass", and the initiator of the attack is my web server. Could you give me some guidance?

I want to know if my webserver has been hacked or not. Thanks.


Event ID	6823991242468
Severity	medium
Host ID	LAC-ASA5525-IPS-8-1
Application Name	sensorApp
Event Time	02/11/2015 08:49:48
Sensor Local Time	02/11/2015 08:49:48
Signature ID	5009
Signature Sub-ID	0
Signature Name	Microsoft Internet Explorer Security Bypass
Signature Version	S851
Signature Details	CVE-2015-0069
Interface Group	vs0
VLAN ID	0
Interface	PortChannel0/0
Attacker IP	198.51.140.163
Protocol	tcp
Attacker Port	80
Attacker Locality	OUT
Target IP	63.241.135.78
Target Port	26936
Target Locality	OUT
Target OS	unknown unknown (unknown)
Actions	
Risk Rating	TVR=medium 
Risk Rating Value	63
Threat Rating	63
Reputation	
Context Data	From attacker: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 08:49:48.344 ---- Ether: Ether: dst = 35:38:35:37:37:27 Ether: src = 29:3b:a:20:20:2f Ether: proto = 0x2a20 Ether: Data: 0000 4c 54 52 20 2a 2f 0a 20 20 6c 69 73 74 2d 73 74 LTR */. list-st Data: 0010 79 6c 65 2d 74 79 70 65 3a 20 64 69 73 63 3b 0a yle-type: disc;. Data: 0020 7d 0a 2e 6d 65 6e 75 20 2e 6c 65 61 66 20 7b 0a }..menu .leaf {. Data: 0030 20 20 6c 69 73 74 2d 73 74 79 6c 65 2d 69 6d 61 list-style-ima Data: 0040 67 65 3a 20 75 72 6c 28 27 2e 2e 2f 2e 2e 2f 2e ge: url('../../. Data: 0050 2e 2f 69 6d 61 67 65 73 2f 6d 69 73 63 2f 6d 65 ./images/misc/me Data: 0060 6e 75 2d 6c 65 61 66 2e 70 6e 67 3f 31 33 37 39 nu-leaf.png?1379 Data: 0070 34 35 38 35 37 37 27 29 3b 0a 20 20 6c 69 73 74 458577');. list Data: 0080 2d 73 74 79 6c 65 2d 74 79 70 65 3a 20 73 71 75 -style-type: squ Data: 0090 61 72 65 3b 0a 7d 0a 0a 2f 2a 20 4d 65 6e 75 20 are;.}../* Menu Data: 00a0 53 74 61 74 65 20 4d 6f 64 69 66 69 65 72 73 20 State Modifiers Data: 00b0 2a 2f 0a 2e 61 63 74 69 76 65 20 7b 0a 20 20 63 */..active {. c Data: 00c0 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 7d 0a 0a 2e olor: #000;.}... Data: 00d0 6d 65 6e 75 2d 64 69 73 61 62 6c 65 64 20 7b 0a menu-disabled {. 
Data: 00e0 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 63 background: #c Data: 00f0 63 63 cc Data: From victim: Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2015-02-11 08:49:48.344 ---- Ether: Ether: dst = 74:69:6f:6e:3a:20 Ether: src = 4b:65:65:70:2d:41 Ether: proto = 0x6c69 Ether: Data: 0000 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 ve..User-Agent: Data: 0010 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e Mozilla/5.0 (Win Data: 0020 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 4f 57 dows NT 6.1; WOW Data: 0030 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 64) AppleWebKit/ Data: 0040 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 537.36 (KHTML, l Data: 0050 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d ike Gecko) Chrom Data: 0060 65 2f 34 30 2e 30 2e 32 32 31 34 2e 31 31 31 20 e/40.0.2214.111 Data: 0070 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d 0a 41 Safari/537.36..A Data: 0080 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 ccept-Language: Data: 0090 65 6e 2d 55 53 2c 65 6e 3b 71 3d 30 2e 38 0d 0a en-US,en;q=0.8.. Data: 00a0 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f 72 3a X-Forwarded-For: Data: 00b0 20 31 37 32 2e 31 36 2e 38 32 2e 31 38 36 0d 0a 172.16.82.186.. Data: 00c0 58 2d 52 42 54 2d 4f 70 74 69 6d 69 7a 65 64 2d X-RBT-Optimized- Data: 00d0 42 79 3a 20 4e 59 2d 52 56 52 42 45 44 31 20 28 By: NY-RVRBED1 ( Data: 00e0 52 69 4f 53 20 33 2e 31 2e 32 29 20 53 43 0d 0a RiOS 3.1.2) SC.. Data: 00f0 0d 0a .. Data:
Packet Data	
Event Summary	0
Initial Alert	
Summary Type	
Final Alert	
Event Status	New
Event Notes	

Question by: Jason Yu
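The Context Data field is the part of this record that actually answers the question, since it holds a hex dump of what each side sent. The following is an added example, not code from the thread or from Cisco: it decodes that "Data: offset hex ascii" layout so the payloads can be read, and shows what a defender looks at here (the port-80 "attacker" is the web server sending CSS, and the client's X-Forwarded-For header names the real client behind the proxy). The sample dump is constructed, and the layout rules are assumed from the dump shown above.

```python
import re
from typing import Dict
HEXBYTE = re.compile(r"[0-9a-f]{2}")

def render(chunk: bytes) -> str:
    """ASCII column as the sensor prints it: printable bytes as-is, the rest as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)

def parse_dump(text: str) -> bytes:
    """Rebuild raw bytes from 'Data: <offset> <hex bytes> <ascii>' segments. A segment's
    byte count is the longest hex run whose rendering matches the trailing ASCII column,
    so a short last line such as '63 63 cc' decodes to b'cc', not three bytes."""
    out = bytearray()
    for seg in re.split(r"\bData:\s*", text)[1:]:
        toks = seg.split()
        if len(toks) < 2 or not re.fullmatch(r"[0-9a-f]{4}", toks[0]):
            continue                                  # empty trailing 'Data:' marker
        for n in range(min(16, len(toks) - 1), 0, -1):
            hexes = toks[1:1 + n]
            if all(HEXBYTE.fullmatch(t) for t in hexes):
                chunk = bytes(int(t, 16) for t in hexes)
                if render(chunk).split() == toks[1 + n:]:
                    out += chunk
                    break
    return bytes(out)

def split_context(context: str) -> Dict[str, bytes]:
    """Separate the 'From attacker:' and 'From victim:' captures of one alert."""
    parts = re.split(r"From (attacker|victim):", context)
    return {parts[i]: parse_dump(parts[i + 1]) for i in range(1, len(parts), 2)}

def http_headers(payload: bytes) -> Dict[str, str]:
    """Header lines of an HTTP fragment (the capture may start in the middle of one);
    X-Forwarded-For here names the real client behind a proxy, not the proxy."""
    headers = {}
    for line in payload.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and " " not in name:
            headers[name] = value.strip()
    return headers

# Constructed sample in the sensor's Context Data layout (made-up bytes): CSS from the port-80 "attacker", a proxied HTTP request from the "victim".
SAMPLE_CONTEXT = (
    "From attacker: Ether: proto = 0x0800 Ether: "
    "Data: 0000 2e 6d 65 6e 75 20 7b 0a 20 20 63 6f 6c 6f 72 3a .menu {.  color: "
    "Data: 0010 20 23 30 30 30 3b 0a 7d 0a  #000;.}. "
    "From victim: Ether: proto = 0x0800 Ether: "
    "Data: 0000 47 45 54 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a GET / HTTP/1.1.. "
    "Data: 0010 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f 72 3a X-Forwarded-For: "
    "Data: 0020 20 31 39 32 2e 30 2e 32 2e 34 34 0d 0a 0d 0a  192.0.2.44.... Data:"
)
```

Running `split_context` over the real Context Data above gives the same two payloads the sensor matched on: a CSS stylesheet from the server side and the client's request headers, which is the first thing to check before treating the web server as compromised.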
Accepted Solution

by: Davis McCarn
ID: 40605677
The attack is originating from L.A. CARE COMMUNITY HEALTH's IP address.
The target is in a range assigned by AT&T.
Nirsoft's CurrPorts will let you inspect the processes using TCP and UDP ports to determine which process is triggering the alarm: http://www.nirsoft.net/utils/cports.html

Author Comment

by: Jason Yu
ID: 40606000
OK, this server at L.A. Care is a web server managed by me. Can I install this tool on a Linux box? It is a RHEL box.

Or I can install it on my desktop and monitor the server's ports.

Thanks.