04-20-2023 08:01 AM
Hi Folks,
In our data center vulnerability scanning from outside, we are getting these two infections. We have two FWSMs, one at the internet gateway and the other an internal FWSM. Now the management wants me to trace the source of this infection and stop them. But as we can see in the image below, we have not enabled ports 9817 and 3077 anywhere in the FWSM, but still connections are established via these ports. I am also not able to trace the endpoints from where these connections are created. Please help me with how to stop these. I have denied connections to these IPs in the FWSM rules also, but still these connections are happening. Please suggest a way to get rid of these.
04-20-2023 11:01 AM
It appears those are source ports on the affected hosts. They are communicating outbound to the suspicious server on tcp 55507. It is that destination address or port that you need to block.
04-21-2023 02:58 AM
I would like to clarify two points: in the FWSM we have already blocked these IPs, but it is not stopping. In the FWSM, by default, everything is denied, and we have not permitted any such port; plus the port number is also changing daily. But we don't see these IPs anywhere in the translations, so we could not locate the source.
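To illustrate the point made in the reply above (the changing ports 9817/3077 are client-side ephemeral ports, while the server's destination ip/port stays fixed), here is an added Python example that is not from this thread: it parses FWSM-style "Built ... TCP connection" syslog lines and picks out the endpoints whose port stays constant across many peers with varying ports. The syslog layout and the sample lines are assumed and constructed, so check the regex against your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the FWSM/ASA "Built ... TCP connection"
# syslog message (assumed layout). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
%FWSM-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/55507 (203.0.113.5/55507) to inside:10.1.1.20/9817 (198.51.100.20/9817)
%FWSM-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.5/55507 (203.0.113.5/55507) to inside:10.1.1.21/3077 (198.51.100.21/3077)
%FWSM-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.5/55507 (203.0.113.5/55507) to inside:10.1.1.20/41022 (198.51.100.20/41022)
%FWSM-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.200/443 (198.51.100.200/443) to inside:10.1.1.30/52311 (198.51.100.30/52311)
%FWSM-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.200/443 (198.51.100.200/443) to inside:10.1.1.31/52312 (198.51.100.31/52312)
"""

# One endpoint: interface:real-ip/real-port (mapped-ip/mapped-port)
ENDPOINT = r"(\w+):([\d.]+)/(\d+) \([\d.]+/\d+\)"
CONN_RE = re.compile(r"Built (?:inbound|outbound) TCP connection \d+ for " + ENDPOINT + " to " + ENDPOINT)

def parse_connections(log_text):
    """Return a list of (endpoint_a, endpoint_b); each endpoint is (iface, ip, port)."""
    conns = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.append(((m.group(1), m.group(2), int(m.group(3))),
                          (m.group(4), m.group(5), int(m.group(6)))))
    return conns

def find_services(conns, min_peers=2):
    """Identify the service side of each flow by port stability.

    A fixed ip/port seen with several distinct peer hosts AND several distinct
    peer ports is the server; the peers are clients whose ports (e.g. 9817, 3077)
    are ephemeral and change on every connection, so they are not what to block.
    Returns {(server_ip, server_port): [client_ip, ...]}.
    """
    peers = defaultdict(set)
    for a, b in conns:
        peers[(a[1], a[2])].add((b[1], b[2]))
        peers[(b[1], b[2])].add((a[1], a[2]))
    services = {}
    for (ip, port), peer_set in peers.items():
        hosts = {p[0] for p in peer_set}
        ports = {p[1] for p in peer_set}
        if len(hosts) >= min_peers and len(ports) >= min_peers:
            services[(ip, port)] = sorted(hosts)
    return services

def unexpected_services(services, allowed_ports=frozenset({80, 443})):
    """Services reached on ports outside the expected set: block by destination
    ip/port on the FWSM and investigate the listed client hosts."""
    return {k: v for k, v in services.items() if k[1] not in allowed_ports}

if __name__ == "__main__":
    for (ip, port), clients in unexpected_services(find_services(parse_connections(SAMPLE_LOG))).items():
        print(f"block destination {ip}/{port}; investigate clients: {', '.join(clients)}")
```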