Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
1
Replies

ASA Botnet Filter, how do I work with the infected hosts, that is remove the Malware, its not showing up in Xprotect, or ClamXav,

chgallup
Level 1
Level 1

‎09-30-2014 08:07 AM - edited ‎03-10-2019 06:15 AM

Hi

Working with a ASA 5505, BotNet Filter shows all Mac Devices, Server, Clients, and Iphones as infected, all connections logged, threat level Very High, all Dropped. Service Port 443, tcp 5000, Tcp 8192, udp 8192, tcp 80.

IP's: 199.16.156.230, 199.16.156.0/22, 192.168.1.10, 93.184.216.146, 199.96.57.6, 199.16.156.73.

Showing that they are heading to Twitter:

platform.twitter.com

s.twitter.com

I have wiresharked the packets, that the BotNet Filter is filtering from the Mac devices. I have  wiped/erased a iphone, and the ASA BNF still reports its infected. I have ClamXav running with no detection, there is no use of Twitter on any devices. There are no plugins on the browsers, and browsers are using FIPS Firefox. I am using Yosemite, and OS X server 3.5.7, iphone IOS v 8.0.2. 

Java is up to date, XProtect is the built-in with the latest. I have checked for Flash Back on all Mac devices. I am trying to determine if this is a valid threat, I am collecting lsof -a and wireshark reports and have span switch recordings.

Lastly the Linux box's are not effected, only Mac is in effected client list.

So is there any more information that i can get from Cisco's BotNet Filter as to what is being blocked by the IP address's provided above?

Thank you

Chris

 

 

Labels:
0 Helpful
1 Reply 1

chgallup
Level 1
Level 1

‎09-30-2014 09:08 AM

Did find firefox calling for a sync:

$ lsof -i:443
COMMAND  PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
firefox 6842 blade  165u  IPv4 0x16d1bc097204d5ff      0t0  TCP 172.16.222.4:61725->199.16.156.52:https (SYN_SENT)
firefox 6842 blade  170u  IPv4 0x16d1bc0972f5d20f      0t0  TCP 172.16.222.4:61747->199.16.156.52:https (SYN_SENT)

Sync sent no return because ASA BNF is blocking, But this does not explain the iPhone and other devices, removing FireFox. Port 8192 belongs to Sophos Remote Management System (Unofficial), no management software installed. Sophos manages encryption on BitLocker and FileVault.

Recording lsof -i:8192 and lsof -i:443  

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card