Many Access Rules to non-existent Local IP

michaelTSD
Level 1

Hi All,

My First post so bear with me.

I recently took over the IT Manager position for a small internet company.

I have setup centralized management and monitoring and have been digging into things as I go.

I found some suspicious log entries in the Cisco RV042 firewall router, like this:

Mar 28 08:12:57 2015 ACCESS_RULE UDP 112.90.82.194:53->192.168.0.181:1495 on eth1
Mar 28 08:13:58 2015 ACCESS_RULE UDP 50.132.20.147:53->192.168.0.215:1495 on eth1
Mar 28 08:14:10 2015 ACCESS_RULE UDP 112.90.82.194:53->192.168.0.181:1495 on eth1

So I checked, and there is no .181 on my network that I can find with any network tools, HMMM.

Then I look at the FW access rules, and there is no such rule; in fact there is an exclusive deny rule for any WAN address to .181, which I created.

Now it is getting bizarre, I look at the logs and there are scores of access rules to various ports on .181 from various Ext. IPs.

Do I have to consider that this router is compromised?

Is there a CLI where I could look at the ACLs and rules as they are on the router, or not?

Any help is appreciated.
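
As an added example, not part of the original thread or of any Cisco tooling: a short Python script that parses ACCESS_RULE lines in the RV042 syslog format quoted above, groups the inbound hits by internal destination, compares each destination against a host inventory, and counts how many of the hits come from UDP source port 53 (the DNS service port, so such packets are shaped like DNS replies to queries that left the network from that internal address and port). The log lines, the LAN prefix and the host inventory are constructed for the example; the hypothetical `KNOWN_HOSTS` set stands in for whatever the network scan found.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format quoted in the post (not real traffic).
SAMPLE_LOG = """\
Mar 28 08:12:57 2015 ACCESS_RULE UDP 112.90.82.194:53->192.168.0.181:1495 on eth1
Mar 28 08:13:58 2015 ACCESS_RULE UDP 50.132.20.147:53->192.168.0.215:1495 on eth1
Mar 28 08:14:10 2015 ACCESS_RULE UDP 112.90.82.194:53->192.168.0.181:1495 on eth1
Mar 28 08:15:02 2015 ACCESS_RULE TCP 203.0.113.7:443->192.168.0.181:52110 on eth1
"""

# Assumptions for the example: the LAN prefix and the hosts a network scan found.
LAN = ip_network("192.168.0.0/24")
KNOWN_HOSTS = {"192.168.0.215"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) ACCESS_RULE (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)$"
)


def parse_line(line):
    """Parse one ACCESS_RULE line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def parse_log(text):
    """Parse every matching line of a log blob, skipping lines of other formats."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries, known_hosts=KNOWN_HOSTS, lan=LAN):
    """Group hits destined for the LAN by destination address.

    For each destination: total hits, distinct external sources, whether the
    address is in the inventory, and how many hits are UDP from source port 53
    (DNS-reply shaped traffic, i.e. an answer to a query that used that port).
    """
    report = defaultdict(lambda: {"hits": 0, "sources": set(),
                                  "known": False, "udp_from_53": 0})
    for e in entries:
        dst = ip_address(e["dst"])
        if dst not in lan:
            continue
        r = report[str(dst)]
        r["hits"] += 1
        r["sources"].add(e["src"])
        r["known"] = str(dst) in known_hosts
        if e["proto"] == "UDP" and e["sport"] == 53:
            r["udp_from_53"] += 1
    return dict(report)


def unknown_destinations(report):
    """Internal addresses that receive traffic but are not in the inventory."""
    return sorted(dst for dst, r in report.items() if not r["known"])


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG))
    for dst, r in sorted(rep.items()):
        print(f"{dst}: {r['hits']} hits from {len(r['sources'])} sources, "
              f"{r['udp_from_53']} UDP-from-53, known={r['known']}")
    print("not in inventory:", unknown_destinations(rep))
```

Run against a real export of the router log instead of `SAMPLE_LOG` and replace `KNOWN_HOSTS` with the addresses the scan actually found; a destination that shows up only in the log and never on the wire is exactly the case the post describes, and the UDP-from-53 count tells you how much of that traffic is reply-shaped rather than unsolicited.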

1 Reply

davidsudjiman
Level 1

I would check the NAT table; your internal network might be NAT-ed to the x.181 address.


HTH

David Sudjiman