09-30-2014 08:07 AM - edited 03-10-2019 06:15 AM
Hi
Working with an ASA 5505, the BotNet Filter shows all Mac devices, servers, clients, and iPhones as infected; all connections logged, threat level Very High, all dropped. Service ports: 443, tcp 5000, tcp 8192, udp 8192, tcp 80.
IPs: 199.16.156.230, 199.16.156.0/22, 192.168.1.10, 93.184.216.146, 199.96.57.6, 199.16.156.73.
Showing that they are heading to Twitter:
platform.twitter.com
s.twitter.com
I have Wiresharked the packets that the BotNet Filter is filtering from the Mac devices. I have wiped/erased an iPhone, and the ASA BNF still reports it as infected. I have ClamXav running with no detection; there is no use of Twitter on any devices. There are no plugins on the browsers, and the browsers are FIPS Firefox. I am using Yosemite and OS X Server 3.5.7; iPhone iOS v8.0.2.
Java is up to date; XProtect is the built-in with the latest. I have checked for Flashback on all Mac devices. I am trying to determine if this is a valid threat; I am collecting lsof -a and Wireshark reports and have SPAN switch recordings.
Lastly, the Linux boxes are not affected; only Macs are in the affected client list.
So is there any more information that I can get from Cisco's BotNet Filter as to what is being blocked by the IP addresses provided above?
Thank you
Chris
09-30-2014 09:08 AM
Did find Firefox calling for a sync:
$ lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox 6842 blade 165u IPv4 0x16d1bc097204d5ff 0t0 TCP 172.16.222.4:61725->199.16.156.52:https (SYN_SENT)
firefox 6842 blade 170u IPv4 0x16d1bc0972f5d20f 0t0 TCP 172.16.222.4:61747->199.16.156.52:https (SYN_SENT)
Sync sent, no return because the ASA BNF is blocking, but this does not explain the iPhone and other devices; removing Firefox. Port 8192 belongs to Sophos Remote Management System (unofficial); no management software installed. Sophos manages encryption on BitLocker and FileVault.
Recording lsof -i:8192 and lsof -i:443.
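A small triage helper for the lsof collection described above, added here as an example and not part of the original post or any Cisco tool: it parses `lsof -i` output and reports which local processes are talking to the addresses the ASA Botnet Filter flagged, so a process name can be tied to each blocked flow. The sample lsof lines are constructed (the first two copy the Firefox lines from the post; the rest are made up) and the flagged networks are taken from the post.

```python
import ipaddress
import re

# Addresses/ranges the ASA Botnet Filter reported in the post (hosts as /32).
FLAGGED = [ipaddress.ip_network(n) for n in (
    "199.16.156.0/22", "93.184.216.146/32", "199.96.57.6/32", "192.168.1.10/32")]

# NAME column of `lsof -i`: local->remote:port (STATE); remote may be [v6].
CONN_RE = re.compile(
    r"^(?P<local>\S+)->(?P<rhost>\[[^\]]+\]|[^:\s]+):(?P<rport>\S+)"
    r"(?:\s+\((?P<state>[^)]+)\))?$")

# Constructed sample output in the same column layout as the post's lsof.
SAMPLE = """COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firefox 6842 blade 165u IPv4 0x16d1bc097204d5ff 0t0 TCP 172.16.222.4:61725->199.16.156.52:https (SYN_SENT)
firefox 6842 blade 170u IPv4 0x16d1bc0972f5d20f 0t0 TCP 172.16.222.4:61747->199.16.156.52:https (SYN_SENT)
sshd 512 root 3u IPv4 0x0 0t0 TCP *:ssh (LISTEN)
curl 7001 blade 5u IPv4 0x1 0t0 TCP 172.16.222.4:50001->93.184.216.146:http (ESTABLISHED)
python 7100 blade 4u IPv4 0x2 0t0 TCP 172.16.222.4:50002->8.8.8.8:https (ESTABLISHED)
"""

def parse_lsof(text):
    """Yield one dict per `lsof -i` line that has a remote peer (skips LISTEN/header)."""
    for line in text.splitlines():
        parts = line.split(None, 8)  # 9 columns; NAME may contain spaces
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        m = CONN_RE.match(parts[8])
        if not m:
            continue
        yield {"command": parts[0], "pid": int(parts[1]), "user": parts[2],
               "local": m["local"], "remote": m["rhost"].strip("[]"),
               "port": m["rport"], "state": m["state"] or ""}

def flagged_connections(text, networks=FLAGGED):
    """Return connections whose remote address falls inside a flagged network."""
    hits = []
    for conn in parse_lsof(text):
        try:
            addr = ipaddress.ip_address(conn["remote"])
        except ValueError:
            continue  # lsof resolved a hostname (run with -n to avoid this)
        net = next((n for n in networks if addr in n), None)
        if net is not None:
            hits.append({**conn, "network": str(net)})
    return hits

if __name__ == "__main__":
    for h in flagged_connections(SAMPLE):
        print(f'{h["command"]}[{h["pid"]}] {h["local"]} -> {h["remote"]}:{h["port"]} '
              f'{h["state"]} (flagged: {h["network"]})')
```

Run `lsof -n -i` (numeric addresses) and pipe the output through `flagged_connections` to see which processes, not just which hosts, are behind each blocked flow.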