Ali_Jassim
New Contributor III

What is Intrusion Victims !

Greetings to you

Dears Security team

Today I generated a Threats Report. I saw many things, but really I don't understand what is going on.

For example, part of the report shows:

Malware Detected

#   Malware Name            Malware Type
1   JS/FakeJQuery.16F!tr    Virus
2   JS/FBJack.A!tr          Virus
3   JS/Agent.9E8!tr         Virus

Is this real?

 

and

Malware Victims

#   Victim Name (or IP)
1   10.111.0.5
2   10.91.5.97
3   10.111.0.17
4   guest
5   10.91.150.234

All these computers have FortiClient, up to date! Is this a false report?

 

And it also shows Malware Source:

Malware Source

#   Malware Source     Hostname (or IP)
1   10.111.0.5         arabianventureforum.org
2   10.91.5.97         www.tecnoqaisi.com
3   10.91.150.234
4   10.110.2.48        arabianventureforum.org
5   10.111.0.17        arabianventureforum.org

Could you tell me what Malware Source means? Is this really a true alarm? As I told you, all computers have FortiClient.

And what about these?

Intrusions Detected

#   Attack Name                                                   Severity
1   udp_flood                                                     Critical
2   Bash.Function.Definitions.Remote.Code.Execution               Critical
3   SSLv2.Openssl.Get.Shared.Ciphers.Overflow.Attempt             high
4   Novell.ZENworks.Desktop.Management.TFTPD.Buffer.Overflow      high
5   TLS.Cross.Protocol.Attack.SSL2.DROWN                          high
6   Multiple.CCTV.DVR.Vendors.Remote.Code.Execution               high
7   TCP.Split.Handshake                                           medium
8   Obfuscated.JavaScript.Access                                  medium
9   Squid.Proxy.String.Processing.NULL.Pointer.Dereference.DoS    medium
10  DLink.Devices.Unauthenticated.Remote.Command.Execution        medium

 

Could you explain to me how these attacks work? I mean, could you provide me any video explaining any of these kinds of attack?

And what about Intrusion Victims? All the IPs below do not belong to my network! They are public IPs of companies on the internet!

What does this mean? Is there a DDoS inside my network? So in my local network there are worms performing attacks on outside websites? Please, I want more explanation on this point!

 

Intrusion Victims

#   Attack Victim
1   104.40.210.32
2   103.243.221.87
3   103.243.221.112
4   40.127.142.76
5   103.243.220.231
6   103.243.221.109
7   172.16.80.132
8   52.51.125.107
9   103.243.221.75
10  54.229.33.74

 

And these are my local IPs:

 

Intrusion Sources

#   Attack Source
1   10.203.0.62
2   10.91.5.144
3   10.93.205.253
4   10.203.2.93
5   10.91.5.38
6   10.110.2.12
7   10.203.1.44
8   10.91.5.182
9   10.91.4.62
10  10.191.5.20

Need an explanation.

8 REPLIES
Ali_Jassim
New Contributor III

Hmmm. Not possible, no security expert here? Or did I post in the wrong section?

Please, could you explain it to me?

ede_pfau

hi,

 

First, this is a user forum - we all use Fortinet equipment, either as end users or partners, but we do not offer professional service here. Think of "best effort". We share experiences, problems and solutions on a voluntary basis. Close to the Christmas holidays I do not wonder why there's little resonance, as everybody is busier than at other times.

 

Now to your questions:

1- I cannot foresee in what state your network is. Based only on the reported messages I would think there are some problems. Generally, false positives are less common than true positives, that is, I would first assume the threats are real, and try to prove they are not.

2-

'Malware detected' is serious - some trojans were recognized. This doesn't mean they have infected your hosts, only that they tried to enter your network (tried to traverse the firewall).

3-

'MW victims' denotes the destination IP address of traffic that contained malware.

'MW sources' denotes the source IP address of traffic that contained malware.

Both addresses come from the session in which malware occurred. This can happen even if you have FortiClient installed - no software is 100% perfect. Without further investigation, it's only speculation why this happened. It might even be that anti-malware is not active in the Fclient, or the signatures are old, or ... You will have to examine this closely, directly on the host, preferably with a second anti-malware diagnostic software (e.g. Kaspersky, Malwarebytes).

4-

IPS detection is somewhat less precise, there might be some false positives. In your case, all alerts sound reasonable though. Have you enabled ALL IPS signatures? If yes, this doesn't make sense. Select only signatures (or categories) which apply to your network. For instance, if you don't use D-Link switches you don't have to scan for D-Link specific attacks. This will reduce the chances for false positives and reduce the CPU load on your FortiGate.

Split your policies into server-specific and client-specific, and use corresponding categories in several IPS profiles.

5-

You find explanations for these attacks on fortiguard.com, although sometimes they are not very elaborate. Then you hopefully find some more info via Google.

 

Hope this helps,


Ede

"Kernel panic: Aiee, killing interrupt handler!"
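To make the victim/source definitions in points 3 and 4 concrete, here is an added example (not from this thread and not Fortinet's own code) that rebuilds the report's Malware Victims / Malware Source tables from FortiGate-style key=value UTM log lines and flags IPS events whose source is a local address and whose victim is a public one, the pattern in the original question. Assumed: the field names srcip, dstip, subtype, virus, attack and hostname, and RFC 1918 space as the local LAN; the log lines are constructed.

```python
"""Summarise FortiGate UTM log lines the way a Threats Report table does.
Assumed (not from the thread): lines use FortiGate's key=value log format with
srcip, dstip, subtype, virus, attack and hostname fields; RFC 1918 space is the
local LAN. The sample lines below are constructed for this example."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOGS = [  # constructed; local IPs and hostnames come from the report in the question
    'type="utm" subtype="virus" srcip=203.0.113.10 dstip=10.111.0.5 hostname="arabianventureforum.org" virus="JS/FakeJQuery.16F!tr" action="blocked"',
    'type="utm" subtype="virus" srcip=203.0.113.10 dstip=10.91.5.97 hostname="www.tecnoqaisi.com" virus="JS/FBJack.A!tr" action="blocked"',
    'type="utm" subtype="ips" srcip=10.203.0.62 dstip=104.40.210.32 attack="udp_flood" severity="critical"',
    'type="utm" subtype="ips" srcip=52.51.125.107 dstip=10.91.5.144 attack="TCP.Split.Handshake" severity="medium"',
    'type="utm" subtype="ips" srcip=10.91.5.144 dstip=103.243.221.87 attack="Obfuscated.JavaScript.Access" severity="medium"',
]

def parse_line(line):
    """One key=value log line -> dict with the surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)

def malware_tables(records):
    """'Malware Victims' = destination IPs and 'Malware Source' = source IP plus
    hostname of the sessions in which malware was detected (the definitions above)."""
    av = [r for r in records if r.get("subtype") == "virus"]
    victims = Counter(r["dstip"] for r in av)
    sources = Counter((r["srcip"], r.get("hostname", "")) for r in av)
    return victims, sources

def outbound_ips_hits(records):
    """IPS events with a local source and a public victim: traffic leaving the LAN
    matched an attack signature, so the local host (not the public 'victim') is the
    one to examine, or the signature is a false positive to tune out of the profile."""
    return [(r["srcip"], r["dstip"], r["attack"]) for r in records
            if r.get("subtype") == "ips" and is_local(r["srcip"]) and not is_local(r["dstip"])]

def summarise(lines):
    records = [parse_line(l) for l in lines]
    victims, sources = malware_tables(records)
    return {"malware_victims": dict(victims), "malware_sources": dict(sources),
            "outbound_ips": outbound_ips_hits(records)}

if __name__ == "__main__":
    for table, rows in summarise(SAMPLE_LOGS).items():
        print(table, rows)
```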
SCSIraidGURU

I would look in the logs and find those threats and the devices on your network they seem to have attacked and infected, even if the Fortinet said blocked. I would still run Malwarebytes and a virus scan on those devices to verify they are clean. I use my 800C to find outbound threats too: devices like workstations that are infected trying to send outbound to the source of the infection.

Ali_Jassim

Thank you guys, really you gave me new info + saved in my mind.

I used Malwarebytes and it detected malware inside some computers! But I'm wondering why FortiClient did not detect that malware, as the Fortinet guys say FortiClient is efficient and updates every day!

 

 

boneyard
Valued Contributor

Ali_Jassim wrote:

I used Malwarebytes and it detected malware inside some computers! But I'm wondering why FortiClient did not detect that malware, as the Fortinet guys say FortiClient is efficient and updates every day!

If you do some research on malware detection / prevention you will find that no single tool will give you 100% security. Even using several tools, different types of tools, ... won't give you 100% security.

 

First you can contact Fortinet support and let them look at your setup; perhaps the client can be set up stricter (which might also cause issues with people not being able to do what they want; this is always a two-sided decision, security vs usability), perhaps the updating doesn't work correctly. But even with everything set up correctly you won't be 100% secure and something can slip through.

 

If it is in your budget you might look at talking with some IT security companies that can help with having a look at your environment and determining if there are other measures to take. They should certainly be able to help you better explain such a report.

SCSIraidGURU

I run a data center. From what I read about the newest malware, once it gets on Windows 8.x or 10, you can only get it off with a complete factory reinstall. Microsoft made it impossible to run Malwarebytes or other tools to remove it. My brother's Windows 8 laptop was infected. After 6 hours of trying to remove it, I backed up and reinstalled. I don't recommend either 8 or 10 for any business customers. I found it funny that a friend's company bought computers in December. Dell said to get 7 x64 business and don't run 10.

SCSIraidGURU
Contributor

Fortinet is great at some things and average at other things. My Cisco ASA and IPS modules never stopped anything serious. I still use a good anti-virus and watch the Fortinet logs for outbound traffic from my workstations and outbound detections, and run Malwarebytes on them. Most malware is layered with 8-10 levels of threats. Usually Fortinet gets 2-3 of them and the rest hit the workstation. When you see these types of notifications, run Malwarebytes on that workstation or server.

NeilG

If you have important Windows computers running older OS (windows 7), you should look at Microsoft's free EMET toolkit. Here is a slightly old video that gives an overview.

https://technet.microsoft.com/en-us/security/ff859539.aspx

 

If you aren't technical then you might want to find a good consultant/advisor to help you with this stuff.

-N
