I've recently set up the new Shodan Monitoring service from Shodan for all the world-routable IPs that the organisation I work for owns. I'm getting some strange results that are potentially false positives but are concerning me slightly. The results I keep getting are for IP addresses that aren't currently in use and always reference ports 8008 and 8010, which are the web filter bypass ports for our FortiGate firewall. Here is an example of the result I'm getting.

// Trigger: uncommon
// Port: 8008 / tcp
// Hostname(s):
// Timestamp: 2019-04-02T05:59:49.229479
// Alert ID: ###.###.###.* (################)

Banner (http-simple-new)
HTTP/1.1 302 Found
Location: https://###.###.###.188:8010/
Connection: close
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors

My concerns are that I can't seem to replicate this result in a normal Shodan query (this is often run at least 15 minutes after the report) and that the detection rate of these seems to increase during "out of hours" (notably between midnight and 7am local time, as well as Sundays).

Is anyone else using Shodan Monitoring and a FortiGate seeing similar results?