yodaa asked:
Botnet detection help me please
SOURCE and destination IP are your WAN address
ASKER
It was server IP address. This server has remote access role installed.
You have a website under construction there.
ASKER
Hi David,
Sorry David, but I don't understand that. What do you mean by that?
That IP address has been listed by several places for being known to serve malware, so I would take this as a true positive.
Here is a report from VirusTotal: https://www.virustotal.com/en/ip-address/173.254.236.43/information/
If you look, things were still getting picked up by AV scanners as of 2 days ago.
Here is another from Sucuri: https://sitecheck.sucuri.net/results/173.254.236.43
ASKER
Okay, so why did this domain try to initiate a botnet attack? Or does it mean that my server is the botnet?
If your server has the web address in the picture, then you are the source.
It could be a site that some system on your network was browsing that had an ad linking to that IP address and the Sonicwall blocked the communication. (Malicious ads are all over the place now, so it's not necessarily anything the user did).
ASKER
It's not my server IP or WAN.
Then most likely a scan from a botnet trying to identify targets. Hopefully you have remote administration of your SW turned off, and also that you did not enable the WAN interface to respond to ICMP traffic.
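The direction question running through this thread (is the flagged address connecting in to the WAN, or is a host behind the firewall connecting out to it?) is something a defender can settle from the blocked-connection log lines themselves. The following is an added example, not code from the thread or from Dell/SonicWALL: it parses syslog-style key=value lines in the general shape firewall appliances emit (the field names `msg`, `src`, `dst` and the `ip:port:interface` endpoint layout are assumptions), checks each end of the blocked connection against your own WAN address and LAN ranges, and labels the event inbound (a scan or probe stopped at the edge) or outbound (something on your network initiated it, which is what warrants a look at that host). The WAN address 203.0.113.10 and LAN range 192.168.1.0/24 are constructed placeholders; 173.254.236.43 is the address discussed in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log lines. Layout is syslog-style key=value, similar in shape to
# what firewall appliances emit; field names and the ip:port:interface format are assumptions.
SAMPLE_LOGS = [
    'id=firewall sn=PLACEHOLDER-SERIAL time="2015-09-01 10:15:02" pri=1 '
    'msg="Botnet Filter Blocked" src=173.254.236.43:40123:X1 dst=203.0.113.10:443:X0 proto=tcp/https',
    'id=firewall sn=PLACEHOLDER-SERIAL time="2015-09-01 10:16:45" pri=1 '
    'msg="Botnet Filter Blocked" src=192.168.1.25:51002:X0 dst=173.254.236.43:80:X1 proto=tcp/http',
    'id=firewall sn=PLACEHOLDER-SERIAL time="2015-09-01 10:17:10" pri=1 '
    'msg="Botnet Filter Blocked" src=198.51.100.7:44001:X1 dst=203.0.113.10:22:X0 proto=tcp/ssh',
    'id=firewall sn=PLACEHOLDER-SERIAL time="2015-09-01 10:18:00" pri=6 '
    'msg="Connection Opened" src=192.168.1.30:51010:X0 dst=198.51.100.20:443:X1 proto=tcp/https',
]

# Addresses that are "ours": the public WAN address plus the internal LAN range.
# Both values are constructed placeholders for this example.
LOCAL_NETWORKS = [
    ipaddress.ip_network("203.0.113.10/32"),   # placeholder WAN address
    ipaddress.ip_network("192.168.1.0/24"),    # placeholder LAN range (pre-NAT addresses)
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENDPOINT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(?::(\w+))?$')


@dataclass
class Verdict:
    direction: str    # "inbound", "outbound" or "unknown"
    remote_ip: str    # the non-local end of the blocked connection
    remote_port: str
    reason: str


def parse_kv(line):
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_endpoint(value):
    """Split 'ip:port:iface' into (ip, port); port may be absent."""
    m = ENDPOINT_RE.match(value)
    if not m:
        return None, None
    return m.group(1), m.group(2) or ""


def is_local(ip, networks=LOCAL_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(line, networks=LOCAL_NETWORKS):
    """Return a Verdict for a botnet-filter block, or None for unrelated log lines."""
    fields = parse_kv(line)
    if "botnet" not in fields.get("msg", "").lower():
        return None
    src_ip, src_port = parse_endpoint(fields.get("src", ""))
    dst_ip, dst_port = parse_endpoint(fields.get("dst", ""))
    if src_ip is None or dst_ip is None:
        return Verdict("unknown", "", "", "could not parse src/dst endpoints")
    src_local, dst_local = is_local(src_ip, networks), is_local(dst_ip, networks)
    if src_local and not dst_local:
        # A host on our side opened the connection: check that host (malware, or a
        # browser following a malicious ad, as the thread notes) rather than the edge.
        return Verdict("outbound", dst_ip, dst_port,
                       "initiated from inside; review host %s" % src_ip)
    if dst_local and not src_local:
        # The listed address came to us: consistent with a scan, stopped at the firewall.
        return Verdict("inbound", src_ip, src_port,
                       "initiated by remote toward our WAN; blocked at the edge")
    return Verdict("unknown", src_ip, src_port, "neither or both ends are local")


def summarize(lines, networks=LOCAL_NETWORKS):
    """Count blocked events by direction and collect the remote addresses involved."""
    counts = {"inbound": 0, "outbound": 0, "unknown": 0}
    remotes = set()
    for line in lines:
        verdict = triage(line, networks)
        if verdict is None:
            continue
        counts[verdict.direction] += 1
        remotes.add(verdict.remote_ip)
    return counts, remotes


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        v = triage(line)
        if v is not None:
            print(f"{v.direction:8} remote={v.remote_ip}:{v.remote_port}  {v.reason}")
    print(summarize(SAMPLE_LOGS))
```

Direction on its own does not prove an infection: an outbound block toward a listed address can be a user's browser loading an ad, exactly as described above, while repeated inbound blocks from many addresses look like scanning. The value of splitting the two is that only the outbound cases point at a specific internal host worth examining.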
ASKER
Masnrock
Sorry, but what do you mean by AD of my SW turned off?
SW = Sonicwall.
I was saying you hopefully do not have remote administration of it turned on. (The WAN interface does allow for one to turn on remote access to the administration page of the Sonicwall itself).
ASKER
Hi
No, I cannot access my Sonicwall remotely, only locally. Also, could you tell me where I can find the setting to check "WAN interface to respond to ICMP traffic"?
Sorry, it's just Ping that's listed.
I forget what model Sonicwall you have, however...
https://support.software.dell.com/kb/sw3785
Do NOT enable any of the administration or user login options.
ASKER
Main question.
Should I worry?
My firewall is updated, and the software too.
It is the first time I have seen a botnet connection.
You should worry if they actually get through. The good news is that it got detected. Think of this as a reason to make sure that you periodically review your security.
However, you don't have anything to worry about. Botnets are always out there. Even ones that aren't necessarily known by vendors yet. As long as the traffic is getting stopped, you're good.
ASKER
Hi Masnrock,
Okay, so the Sonicwall blocked this botnet connection?
Also, does it mean that someone was trying to use a botnet to serve malicious code onto the server?