Botnet detection help me please

yodaa asked:

Hi guys

I noticed today on my weekly firewall report a botnet initiator. It is one connection from yesterday, please see below.

Could you help me, what should I do? Is it a false positive?

Thank you for your help.

David Johnson, CD:

SOURCE and destination IP are your WAN address
yodaa (asker):

It was the server IP address. This server has the remote access role installed.
You have a web site under construction there.

yodaa (asker):

Hi David,

Sorry David, but I don't understand that. What do you mean by that?
That IP address has been listed by several places for being known to serve malware, so I would take this as a true positive.

Here is a report from VirusTotal: https://www.virustotal.com/en/ip-address/173.254.236.43/information/

If you look, things were still getting picked up by AV scanners as of 2 days ago.

Here is another from Sucuri: https://sitecheck.sucuri.net/results/173.254.236.43

yodaa (asker):

Okay, so why did this domain try to initiate a botnet attack? Or does it mean that my server is the botnet?
If your server has the web address in the picture, then you are the source.
It could be a site that some system on your network was browsing that had an ad linking to that IP address and the Sonicwall blocked the communication. (Malicious ads are all over the place now, so it's not necessarily anything the user did).
yodaa (asker):

It's not my server IP or WAN.
masnrock (ASKER CERTIFIED SOLUTION):

[solution text only available to members]
yodaa (asker):

I don't think that was a user website access block.

This botnet detection was at 12 am.
Then most likely a scan from a botnet trying to identify targets. Hopefully you have remote administration of your SW turned off, and also that you did not enable the WAN interface to respond to ICMP traffic.
yodaa (asker):

Masnrock,

Sorry, but what do you mean by AD of my SW turned off?
SW = Sonicwall.

I was saying you hopefully do not have remote administration of it turned on. (The WAN interface does allow for one to turn on remote access to the administration page of the Sonicwall itself).
yodaa (asker):

Hi,

No, I cannot access my SonicWall remotely, only locally. Also, could you tell me where I can find the setting to check "WAN interface to respond to ICMP traffic"?
Sorry, it's just Ping that's listed.

I forget what model Sonicwall you have, however...

https://support.software.dell.com/kb/sw3785

Do NOT enable any of the administration or user login options.
yodaa (asker):

Main question.

Should I worry?

My firewall is updated, and the software too.

It is the first time I have seen a botnet connection.
You should worry if they actually get through. The good news is that it got detected. Think of this as a reason to make sure that you periodically review your security.

However, you don't have anything to worry about. Botnets are always out there. Even ones that aren't necessarily known by vendors yet. As long as the traffic is getting stopped, you're good.
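As an added example (not from the thread or from any SonicWall tooling), a small Python triage of constructed botnet-category log lines in an assumed key=value syslog style: it tells inbound from outbound by comparing the destination with the WAN address, as David Johnson's replies do, notes whether the event was dropped, which masnrock's point above turns on, and matches the remote IP against the address the thread found listed. The WAN address, the log format and the sample lines are assumptions, not the asker's data.

```python
import re
from dataclasses import dataclass

# Assumed WAN address of the firewall (placeholder, not from the thread).
WAN_IP = "203.0.113.10"
# Address the thread found listed by VirusTotal and Sucuri at the time.
KNOWN_BAD = {"173.254.236.43"}

# Constructed sample lines in an assumed key=value syslog style; the real
# SonicWall export format differs, so adapt FIELD_RE to your own logs.
SAMPLE_LOG = """\
time="2016-03-02 00:00:14" cat=botnet src=173.254.236.43:44122:X1 dst=203.0.113.10:3389:X1 action=drop msg="Initiator from botnet command and control"
time="2016-03-02 09:15:03" cat=botnet src=192.168.1.25:51022:X0 dst=173.254.236.43:80:X1 action=drop msg="Responder from botnet command and control"
time="2016-03-02 11:40:51" cat=botnet src=198.51.100.7:40000:X1 dst=203.0.113.10:443:X1 action=allow msg="Initiator from botnet command and control"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Verdict:
    time: str
    remote_ip: str
    direction: str   # "inbound" or "outbound" relative to the WAN address
    blocked: bool
    listed: bool     # remote IP is on the known-bad list
    priority: str    # what a reviewer should do with the event

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def triage(line: str) -> Verdict:
    f = parse_line(line)
    src_ip = f["src"].split(":")[0]
    dst_ip = f["dst"].split(":")[0]
    # Destination equal to the WAN address: an outside host reached us (a scan).
    # Anything else: an inside host reached out (e.g. a malicious ad, as above).
    inbound = dst_ip == WAN_IP
    remote = src_ip if inbound else dst_ip
    blocked = f["action"] == "drop"
    if not blocked:
        priority = "investigate"        # it got through: the case that matters
    elif not inbound:
        priority = "check source host"  # dropped, but an internal host initiated
    else:
        priority = "monitor"            # dropped inbound probe: expected noise
    return Verdict(f["time"], remote, "inbound" if inbound else "outbound",
                   blocked, remote in KNOWN_BAD, priority)

def triage_log(text: str) -> list[Verdict]:
    return [triage(l) for l in text.splitlines() if l.strip()]
```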
yodaa (asker):

Hi Masnrock,

Okay, so the SonicWall blocked this botnet connection?
Also, does it mean that someone was trying to use a botnet method to serve malicious code onto the server?
SOLUTION:

[solution text only available to members]