Ali_Jassim
New Member
December 15, 2016
Question

What are Intrusion Victims?


Greetings to you

Dears Security team

Today I generated a Threats Report. I saw many things, but I really don't understand what is going on.

For example, part of the report shows:

Malware Detected
#  Malware Name          Malware Type
1  JS/FakeJQuery.16F!tr  Virus
2  JS/FBJack.A!tr        Virus
3  JS/Agent.9E8!tr       Virus

Is this real?


and

Malware Victims
#  Victim Name (or IP)
1  10.111.0.5
2  10.91.5.97
3  10.111.0.17
4  guest
5  10.91.150.234

All these computers have FortiClient, up to date! Is this a false report?


And it also shows Malware Source:

Malware Source
#  Malware Source  Hostname (or IP)
1  10.111.0.5      arabianventureforum.org
2  10.91.5.97      www.tecnoqaisi.com
3  10.91.150.234
4  10.110.2.48     arabianventureforum.org
5  10.111.0.17     arabianventureforum.org

Could you tell me what Malware Source means? Is this really a true alarm? As I told you, all computers have FortiClient.


And what about these?

Intrusions Detected
#   Attack Name                                                    Severity
1   udp_flood                                                      Critical
2   Bash.Function.Definitions.Remote.Code.Execution                Critical
3   SSLv2.Openssl.Get.Shared.Ciphers.Overflow.Attempt              high
4   Novell.ZENworks.Desktop.Management.TFTPD.Buffer.Overflow       high
5   TLS.Cross.Protocol.Attack.SSL2.DROWN                           high
6   Multiple.CCTV.DVR.Vendors.Remote.Code.Execution                high
7   TCP.Split.Handshake                                            medium
8   Obfuscated.JavaScript.Access                                   medium
9   Squid.Proxy.String.Processing.NULL.Pointer.Dereference.DoS     medium
10  DLink.Devices.Unauthenticated.Remote.Command.Execution         medium


Could you explain to me how these attacks work? I mean, could you provide me any video explaining any of these kinds of attack?


And what about Intrusion Victims? All the IPs below do not belong to my network! They are public IPs of companies on the internet!

What does this mean? Is there a DDoS inside my network? So in my local network there are worms performing attacks on outside websites? Please, I want more explanation on this point!


Intrusion Victims
#   Attack Victim
1   104.40.210.32
2   103.243.221.87
3   103.243.221.112
4   40.127.142.76
5   103.243.220.231
6   103.243.221.109
7   172.16.80.132
8   52.51.125.107
9   103.243.221.75
10  54.229.33.74


And these are my local IPs:


Intrusion Sources
#   Attack Source
1   10.203.0.62
2   10.91.5.144
3   10.93.205.253
4   10.203.2.93
5   10.91.5.38
6   10.110.2.12
7   10.203.1.44
8   10.91.5.182
9   10.91.4.62
10  10.191.5.20

I need an explanation.


    Ali_Jassim
    New Member
    December 17, 2016

    Hmmm. Not possible? No security expert here? Or did I post in the wrong section?

    Please, could you explain it to me?

    ede_pfau
    SuperUser
    December 18, 2016

    hi,


    first, this is a user forum - we all use Fortinet equipment, either as end users or partners, but we do not offer professional service here. Think of "best effort". We share experiences, problems and solutions on a voluntary basis. Close to the Christmas holidays it's no wonder there's little response, as everybody is busier than at other times.


    Now to your questions:

    1- I cannot foresee in what state your network is. Based only on the reported messages I would think there are some problems. Generally, false positives are less common than true positives, that is, I would first assume the threats are real, and try to prove they are not.

    2-

    'Malware detected' is serious - some trojans were recognized. This doesn't mean they have infected your hosts, only that they tried to enter your network (tried to traverse the firewall).

    3-

    'MW victims' denotes the destination IP address of traffic that contained malware.

    'MW sources' denotes the source IP address of traffic that contained malware.

    Both addresses come from the session in which malware occurred. This can happen even if you have FortiClient installed - no software is 100% perfect. Without further investigation, it's only speculation why this happened. It might even be that anti-malware is not active in the Fclient, or the signatures are old, or ... You will have to examine this closely, directly on the host, preferably with a second anti-malware diagnostic software (e.g. Kaspersky, Malwarebytes).

    4-

    IPS detection is somewhat less precise, there might be some false positives. In your case, all alerts sound reasonable though. Have you enabled ALL IPS signatures? If yes, this doesn't make sense. Select only signatures (or categories) which apply to your network. For instance, if you don't use D-Link switches you don't have to scan for D-Link specific attacks. This will reduce the chances for false positives and reduce the CPU load on your Fortigate.

    Split your policies into server-specific and client-specific, and use corresponding categories in several IPS profiles.

    5-

    You find explanations for these attacks on fortiguard.com, although sometimes they are not very elaborate. Then you hopefully find some more info via Google.


    Hope this helps,
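    As an added illustration (not from this thread, and not a Fortinet tool), the Python below applies the distinction in points 3 and 4 above to the two flattened "Intrusion Sources" and "Intrusion Victims" tables from the question: it pulls the addresses out of the report export, sorts each one by which side of the network edge it sits on, and names the traffic direction that implies. The table strings are copied from the question; the `outbound`/`inbound`/`mixed` labels are this example's own convention.

```python
import ipaddress
import re

# Constructed sample input: the two flattened tables exactly as they appear
# in the question (the report export runs every row onto one line).
INTRUSION_SOURCES = (
    "Intrusion Sources # Attack Source 1 10.203.0.62 2 10.91.5.144 "
    "3 10.93.205.253 4 10.203.2.93 5 10.91.5.38 6 10.110.2.12 7 10.203.1.44 "
    "8 10.91.5.182 9 10.91.4.62 10 10.191.5.20"
)
INTRUSION_VICTIMS = (
    "Intrusion Victims # Attack Victim 1 104.40.210.32 2 103.243.221.87 "
    "3 103.243.221.112 4 40.127.142.76 5 103.243.220.231 6 103.243.221.109 "
    "7 172.16.80.132 8 52.51.125.107 9 103.243.221.75 10 54.229.33.74"
)

# Row numbers are bare integers, so only dotted quads match here.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(table_text):
    """Return the IPv4 addresses of a flattened report table, in row order."""
    return IPV4.findall(table_text)

def is_internal(ip_text):
    """True for RFC 1918 and other non-routable ranges (10/8, 172.16/12, ...)."""
    return ipaddress.ip_address(ip_text).is_private

def triage(sources_text, victims_text):
    """Split both tables by network side and name the traffic direction.

    'outbound': every attack source is internal and some victim is external,
    i.e. the IPS matched traffic leaving the network, so the internal
    sources are the hosts to examine first. 'inbound' is the mirror case.
    """
    sources, victims = extract_ips(sources_text), extract_ips(victims_text)
    result = {
        "internal_sources": [ip for ip in sources if is_internal(ip)],
        "external_sources": [ip for ip in sources if not is_internal(ip)],
        "internal_victims": [ip for ip in victims if is_internal(ip)],
        "external_victims": [ip for ip in victims if not is_internal(ip)],
    }
    if sources and not result["external_sources"] and result["external_victims"]:
        result["direction"] = "outbound"
    elif victims and not result["external_victims"] and result["external_sources"]:
        result["direction"] = "inbound"
    else:
        result["direction"] = "mixed"
    return result
```

    Running `triage(INTRUSION_SOURCES, INTRUSION_VICTIMS)` on the question's tables gives direction `outbound`, and it also shows that one "victim", 172.16.80.132, is itself an RFC 1918 address rather than a public one.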

    SCSIraidGURU
    New Member
    December 19, 2016

    I would look in the logs and find those threats and the devices on your network they seem to have attacked and infected. Even if the Fortinet said blocked, I would still run Malwarebytes and a virus scan on those devices to verify they are clean. I use my 800C to find outbound threats too: devices like workstations that are infected trying to send outbound to the source of the infection.

    SCSIraidGURU
    New Member
    January 3, 2017

    Fortinet is great at some things and average at others. My Cisco ASA and IPS modules never stopped anything serious. I still use a good anti-virus, watch the Fortinet logs for outbound traffic from my workstations and outbound detections, and run Malwarebytes on them. Most malware is layered with 8-10 levels of threats. Usually Fortinet gets 2-3 of them and the rest hit the workstation. When you see these types of notifications, run Malwarebytes on that workstation or server.

    NeilG
    New Member
    January 6, 2017

    If you have important Windows computers running an older OS (Windows 7), you should look at Microsoft's free EMET toolkit. Here is a slightly old video that gives an overview.

    https://technet.microsoft.com/en-us/security/ff859539.aspx


    If you aren't technical then you might want to find a good consultant/advisor to help you with this stuff.

    -N