Why/How was this allowed? Help to resolve please - IDS Alert - Allowed - BO_CLIENT_TRAFFIC_DETECT

Zac
Conversationalist


Hello, this is my first time posting on a forum ever, but the issue is serious enough for me to do so. Any help to unpack this issue is appreciated.


A bit of my background: I have been doing IT for 10+ years. I am not a security/network expert by any means, but I am competent enough to figure most things out with broad talent.


Overview:

- We have multiple sites that have seen the event below. Not every site has seen this alert.

- The destination is always the MX, and it is this single event only.

- The threat is in reference to "Back Orifice", a Remote Access Tool ("RAT"). The use of port 80 is a hint that confirms this. I have read up on "Back Orifice" and have some knowledge of how it works, to a degree, in avoiding detection.

- All source IPs are in China, and those IP ranges are now blocked in addition to the country block that was previously established.

- We have an enterprise endpoint security system in place on all clients and servers. We cannot find anything in the logs to indicate an issue (partly because we don't know what we are digging for).

- We have begun contact with Meraki and our enterprise security system.


We have taken some security steps, but would like input on how to proceed. My main concern is an endpoint that has become compromised, allowing the attacker to move laterally through the network. I don't feel our servers are at an immediate risk at the moment, as we have implemented new security practices since I started that should make it *difficult* to gain control of them. (Though nothing is impossible.)


I appreciate you taking your time to read all of this!


2 Replies
BrechtSchamp
Kind of a big deal

Do you have any port forwarding set up for port 80? Because if you don't and the destination was the MX's IP, then whether they see anything will depend on this setting: https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M....

By default it's off and they will not see anything, so you haven't got much to worry about.

Zac
Conversationalist

Thanks for reaching out. I'll do my best to organize my response here:

1. No, we do not have port forwarding set up for port 80 at any location.

2. You can view the MXs remotely. We'll need to get that restricted here, as we do view them remotely when we have service issues at those locations. The good news is that sensitive info is password protected. And aside from MAC info there isn't anything else to gain, since you have to know the IP address to get to the portal anyway.

3. I discovered one of the hits was to an old decommissioned server NAT address. The address is no longer in use and all of the config was removed from Meraki. So it "Allowed" a connection to something that isn't there anymore... which is odd.

If they all hit at the same time I would be less worried, but it happened over the course of 5 days, 1-3 sites each, all at different times. Then it went quiet, and a week later I saw it at a new site. I thought about it being a traveling employee, but that much ground (multiple states) couldn't have been covered, nor the times of the alerts.
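The triage the two posts above walk through (was there a port forward on that port, was the destination a live 1:1 NAT address, or was it the MX WAN address itself with nothing behind it, and how the events are spread over sites and days) can be done mechanically once the IDS events and the current edge configuration are exported side by side. The script below is an added example and not code from the thread or from Meraki: the alert records, WAN addresses, port-forward and 1:1 NAT rules and blocked ranges are all constructed placeholder data (RFC 5737 documentation addresses), and the classification labels are my own.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample "Allowed" IDS events. Sites, timestamps and addresses are
# placeholders, not values from the original thread.
ALERTS = [
    {"site": "Site-A", "ts": "2020-03-02T03:14:00", "src": "203.0.113.7",
     "dst": "198.51.100.10", "dport": 80, "sig": "BO_CLIENT_TRAFFIC_DETECT"},
    {"site": "Site-B", "ts": "2020-03-04T17:40:00", "src": "203.0.113.41",
     "dst": "198.51.100.20", "dport": 80, "sig": "BO_CLIENT_TRAFFIC_DETECT"},
    {"site": "Site-C", "ts": "2020-03-06T22:05:00", "src": "192.0.2.9",
     "dst": "198.51.100.32", "dport": 80, "sig": "BO_CLIENT_TRAFFIC_DETECT"},
]

# Constructed snapshot of the *current* per-site edge configuration, as an admin
# would copy it out of the dashboard: MX WAN addresses, port forwards, 1:1 NAT.
WAN_IPS = {"Site-A": {"198.51.100.10"}, "Site-B": {"198.51.100.20"},
           "Site-C": {"198.51.100.30"}}
PORT_FORWARDS = {"Site-B": [{"public_port": 80, "lan_ip": "10.2.0.5"}]}
NAT_1TO1 = {"Site-C": [{"public_ip": "198.51.100.31", "lan_ip": "10.3.0.9"}]}
# 198.51.100.32 is deliberately absent above: it models the decommissioned NAT.
# Source ranges already blocked at the edge (placeholder range).
BLOCKED_NETS = [ip_network("203.0.113.0/24")]


def classify(alert):
    """Return (priority, reason) for one allowed inbound IDS event by asking
    whether anything behind the edge could actually have received the packet."""
    site, dst, dport = alert["site"], alert["dst"], alert["dport"]
    wan = WAN_IPS.get(site, set())
    # A port forward on the hit port means an internal host saw the traffic.
    for rule in PORT_FORWARDS.get(site, []):
        if dst in wan and rule["public_port"] == dport:
            return ("investigate",
                    f"port {dport} forwarded to {rule['lan_ip']}; check that host")
    # A live 1:1 NAT address likewise maps straight to an internal host.
    for rule in NAT_1TO1.get(site, []):
        if rule["public_ip"] == dst:
            return ("investigate", f"1:1 NAT to {rule['lan_ip']}; check that host")
    # The MX WAN address with no rule: nothing listens unless remote access
    # to the MX's own status page over the WAN is enabled, so review that.
    if dst in wan:
        return ("low", "MX WAN address, no rule for this port; "
                       "confirm remote access to the MX status page is off")
    # Destination is not in the current config at all (stale/decommissioned).
    return ("verify", "destination not in current config; confirm nothing "
                      "upstream still answers for this address")


def source_already_blocked(src):
    """True when the source falls inside a range already blocked at the edge."""
    return any(ip_address(src) in net for net in BLOCKED_NETS)


def summarize(alerts):
    """Spread of the events: how many sites, over how many days, and which
    sources are not yet covered by an existing block."""
    times = sorted(datetime.fromisoformat(a["ts"]) for a in alerts)
    return {
        "events": len(alerts),
        "sites": sorted({a["site"] for a in alerts}),
        "span_days": (times[-1] - times[0]).days,
        "unblocked_sources": sorted({a["src"] for a in alerts
                                     if not source_already_blocked(a["src"])}),
    }


if __name__ == "__main__":
    for a in ALERTS:
        prio, why = classify(a)
        print(f"{a['site']} {a['ts']} {a['src']}->{a['dst']}:{a['dport']} "
              f"[{prio}] {why}")
    print(summarize(ALERTS))
```

The point of the three outcomes is the one BrechtSchamp makes: an "Allowed" verdict from the IDS only matters if a rule delivered the packet to a host, so the port-forward and 1:1 NAT tables are the first thing to join against. The "verify" bucket is the decommissioned-NAT case from Zac's third point; the right follow-up there is to confirm that nothing upstream still answers for the old address, not to hunt for a compromised host on the LAN.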
