stkoontz
Symantec Reported Nuclear Exploit Kit Website Attack

I'm running Symantec Endpoint Protection 12.1.6 on a Windows 7 PC. It's joined to a Windows 2003 Server. (We're working on migrating away from Server 2003.)

This morning I got a Symantec popup with the message 'Nuclear Website Attack'. I checked the Symantec traffic log and do see incoming Ethernet traffic being blocked. The MAC addresses show, but no IP addresses. I ran arp -a and found MAC addresses, but they don't match the source MAC addresses being blocked. There are a few static IP addresses that come up in a totally different range than what I use. (I don't know if that's a problem or not.)

Any ideas on how to run down the source of the problem?

Thanks,

Steve
gheist

You need to find the network port which has the exploit kit active and attacking the rest of the machines using MAC addresses, and disconnect it ASAP. Assume your unpatched Windows server is hacked but dormant too.
btan

This is because Symantec's IPS is blocking an intrusion attempt on your system.
This alert can be caused when you visit any untrusted link. If you are getting this alert while browsing, then your system is safe up till now. As a precaution, you can delete your browser cookies to prevent repetition of this trigger.
http://www.symantec.com/connect/forums/sid-25701-web-attack-exploit-toolkit-website-4-detected-traffic-has-been-blocked-application

Also check the Intrusion Prevention or Network Threat Protection logs within the Endpoint Protection Manager (SEPM). These are separate from the antivirus logs and events. To view all of the Intrusion Prevention or Network Threat Protection events (you should be able to see "Remote Host IP"):
1. Log onto SEPM
2. Click on the “Monitors” button
3. Click on the “Logs” tab
4. Select the "Network Threat Protection" log type
5. Select the "Attacks" log content
6. Click the "View Log" button

Ref - Do see the IPS alert section
http://clientui-kb.symantec.com/resources/sites/BUSINESS/content/live/DOCUMENTATION/6000/DOC6404/en_US/Network%20Intrusion%20Prevention%20System%2011.x%20User%20Guide.pdf
You can sniff some colds browsing cookies - delete them and use a better browser in future....
ASKER CERTIFIED SOLUTION
btan
Flash Player is included in Windows 8.1 and you need to rip away all Internet Explorer features to get rid of that....
stkoontz
ASKER

Thanks to everyone for jumping in to help. How do I tell if the attacks are coming from another computer on the network or a website I visited? That seems to be the place to start.

I didn't have SEPM installed on the server.  I'm downloading and installing it now.

Steve
It is too late to install.
Your SEP logs can tell IF you browsed a bad website or someone sweep-scanned SEP management web servers and planted trojans there...
gheist,

Under "Network Threat Protection" the "Packet Log" comes up blank. The "Traffic Log" is showing the blocked ports.

Here's the info...

Protocol - Ethernet
Action - Blocked
Remote MAC - 10-BD...
Severity: 10
Direction: Incoming
Remote Host 0.0.0.0
Remote Port: 0
Local Host: 0.0.0.0
Local MAC: 01-00...
Local Port: 0
Application: blank
User: has my login name
User Domain:  has my domain name
Location: Default
Occurrences: 1
Begin Time: About every second a new one hits
Rule: Block All
Can you recover the first three octets of the remote MAC to look up in the IEEE list who made the network card, to help you troubleshoot?
What is "IEEE" list?
IANA of MAC addresses.
I'm a newbie with all of this. What is IANA?
Here you find the manufacturer of the offending network card (if that is your router, the attack comes from outside and Symantec saved your day; if it is another machine, prepare for a weekend reinstall session):
http://standards-oui.ieee.org/oui.txt
IANA is the organisation that deals IP addresses to continents; then the continental IP registries hand smaller pieces to providers in the continent.
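Steve's pasted Traffic Log record (Remote Host 0.0.0.0, only MAC addresses) and gheist's OUI-lookup suggestion, combined in an added example that is not from this thread: it parses a record in that field layout, looks the source prefix up in oui.txt-format text, and notes whether the destination MAC is a group (multicast/broadcast) address, which is set by the I/G bit of the first octet (a standard Ethernet fact, not stated in the thread). Both MAC addresses and every OUI entry except Cisco's real 00-00-0C prefix are constructed sample data.

```python
import re
# Constructed excerpt in the layout of the IEEE oui.txt file linked above;
# 00-00-0C is Cisco's real prefix, the 10-BD-18 vendor name is made up.
OUI_TXT = """\
00-00-0C   (hex)\t\tCisco Systems, Inc
00000C     (base 16)\t\tCisco Systems, Inc
10-BD-18   (hex)\t\tExample Switch Vendor (constructed)
10BD18     (base 16)\t\tExample Switch Vendor (constructed)
"""
# One SEP Traffic Log record in the field layout the asker pasted;
# both MAC addresses are constructed, not the thread's real ones.
SEP_RECORD = """\
Protocol - Ethernet
Action - Blocked
Remote MAC - 10-BD-18-01-02-03
Remote Host 0.0.0.0
Local MAC: 01-00-5E-00-00-FB
Rule: Block All
"""
OUI_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")

def parse_oui(text):
    """Map 'AA-BB-CC' prefixes to organisation names from oui.txt-style text."""
    return {m.group(1): m.group(2) for m in map(OUI_LINE.match, text.splitlines()) if m}

def parse_record(text):
    """Parse one pasted SEP record into {field: value}; separator is ' - ', ':' or none."""
    rec = {}
    for line in filter(str.strip, text.splitlines()):
        if " - " in line:
            k, v = line.split(" - ", 1)
        elif ":" in line:
            k, v = line.split(":", 1)
        else:  # e.g. "Remote Host 0.0.0.0" has no separator at all
            k, v = line.rsplit(" ", 1)
        rec[k.strip()] = v.strip()
    return rec

def triage(record, oui):
    """Facts a defender can act on from a layer-2 'Block All' record."""
    src, dst = record["Remote MAC"].upper(), record["Local MAC"].upper()
    l2_only = record.get("Remote Host") == "0.0.0.0"  # no IP header was logged
    # I/G bit (low bit of the first octet) set = group address; broadcast is the all-ones group
    group = bool(int(dst[:2], 16) & 1)
    return {
        "source_vendor": oui.get(src[:8], "unknown OUI"),
        "destination": "group (multicast/broadcast)" if group else "unicast to this host",
        "next_step": ("locate this source MAC in the switch MAC address table"
                      if l2_only else "correlate Remote Host with proxy/firewall logs"),
    }
```

Feed the real oui.txt contents to parse_oui and each pasted record to parse_record; a group destination means the frame went to every listener on the segment, not to this host specifically.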
I looked 2 of the Remote MAC addresses up. One is from Cisco Systems. The other 2 are from Apple. What does that tell me?
I also notice the protocol is Ethernet, which refers to the family of local-area network (LAN). It should be coming from some Cisco device in the LAN; it may be good to identify that device/system by searching out the device/system via its MAC address. That device may be doing some "default enabled" broadcast over IPv6 and over IPv4, and maybe using AppleTalk etc.
See this http://www.symantec.com/connect/forums/network-threat-protection-logs-show-blocked-incoming-0000
Regardless, I am suspecting the Cisco is just another proxy through from the remote host. Maybe logs from the Cisco can help to correlate the remote source..
We have 1 Cisco switch on the network, but the MAC address on the switch and the remote MAC address in SEP have different MAC addresses. Just the last 2 digits are different, though.

I logged into the Cisco switch and found the logs.  There's nothing in there dated past 2012.

Thanks for helping me with this.  I do appreciate it.

Steve
Set the clock on the Cisco ....
Sadly, with the crumbles you pass, it is hard to help with your incident.
The traffic logged and shown is not related to the incident at all.
Please take your time to review logs.
Symantec says you browsed nasty sites:
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23534
If you did so with old plugins without EMET, you will never get past the rootkits installed to see what really happened.
I don't understand 'set the clock on cisco....'  

Steve
When you power on a Cisco router it charges the clock supercapacitor and starts to count time from the first minute of an odd year UTC.
Given the clock is years off, it is of no value for analysis.
Please check *ALL* logs for any notice of the exploit kit. There should be one.
I looked carefully through all the menu options and looked through anything that looked like a log.

I'm way over my head.  I appreciate the help, but I'm going to have to call our network consultants to see if they can look at the system since I'm not able to give you the information you need to help me solve the problem.

Steve
SOLUTION
If you do have any other hardware device such as the internet router, web proxy or even firewall, do look at their logs and see if there is any recent alert. You can also check your client machine's event log to see any anomalous events that are worth a hint. Good to get those network and infra teams to chip in too..

Just to share also that it is recently reported that many WordPress-based sites are exploited to redirect users browsing the site to a Nuclear kit-laden server, infecting that same user. This may be an instance where your user has done that too and been victimised. The network logs from the proxy will tell of those visits.. Or browser history possibly..
https://blog.sucuri.net/2015/09/wordpress-malware-active-visitortracker-campaign.html
One of the most infamous exploit kits known as “Nuclear” has implemented an exploit in Adobe Flash Player that was patched just a week ago. The exploit in question is related to CVE-ID: CVE-2015-0336.

If you have not patched your Adobe Flash Player yet, you should do it as soon as possible. This exploit kit is able to deliver malicious code to Windows operating systems that lack the latest security patch from Adobe. The problem becomes so much more severe if we take into account that now this exploit kit is able to deliver not data stealing malware, but ransomware.
http://bit.ly/1NF4kOn
Thanks for the help.  I think it's under control now.