Endpoint Protection


[SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

  • 1.  [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 10, 2017 04:27 PM

    Afternoon All,

    After searching all over the place, I am totally scratching my head with this issue. Over the last week, Endpoint has been reporting Critical "Intrusion Prevention" events with the following message:

    [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked. Traffic has been blocked for this application: SYSTEM

    What is puzzling me is the Direction of the events are "outgoing" and are being reported as if they came from our web server port which is 80.  

    Protocol: TCP
    Direction: Outgoing

    Remote host: xxx.xxx.xxx.xxx (external net address)
    Remote Port: 24252  (random really)
    Remote MAC N/A

    Local host 192.168.4.2 (NAT)
    Local Port: 80
    Local Mac: N/A

    Application: SYSTEM
    Signature Id: 28665
    Signature SubID: 72438
    Signature Name: System Infected: Trojan.Backdoor Activity 179

    Intrusion-URL: yyy.yyy.yyy.yyy/admin/  (our external IP address - i.e. yyy.yyy.yyy.yyy maps to 192.168.4.2)
    Server: Microsoft 2016


    I've done all of the usual checks and done multiple full scans and I cannot find anything. I am beginning to believe that "outgoing" means the outgoing packet response has been blocked and not the in-bound request.

    Does Endpoint do this type of confusing reporting? Should I actually be REALLY worried? What else can I look for? I would really appreciate some help on this one.

    Thanks in advance,
    M




  • 2.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 10, 2017 06:34 PM

    Did you look up the remote IP to see who it belongs to? I've seen this lately with scans coming from IPs belonging to Shodan when they do their scans. Exact same behavior in terms of the response.



  • 3.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 11, 2017 12:10 AM

    You might want to perform a threat analysis with SymDiag to check if there are any undetected binaries present in the system.



  • 4.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 11, 2017 03:29 AM

    Same here, I'm finding that "Direction: Outbound" a little confusing.
    For example, the report below shows clients attacked by my webmail server since yesterday!? Log details for one of the attacks to the predominant IP address, at the bottom, show the intrusion URL [my public IP address]/phpmyadmin3/ which, of course, does not exist (the application mentioned for the webmail server in question is WorldClient.exe).

    I've done same as you, checked everything, found nothing.
    So, I've decided to treat them as incoming attacks, exploit attempts (as they are only happening at webmail server). Solution, for the time being at least, block offending IP addresses.



  • 5.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 11, 2017 07:12 AM

    The addresses are random every time and vary from countries across the globe. I am seeing very similar requests to your screenshot. What I have been able to do is match some incoming requests before the servers that match the external IP address and remote port as incoming source traffic.

    After finding this, I am now more convinced this originated externally.  Has anybody else managed to see this as well?



  • 6.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 11, 2017 07:45 AM

    I think what's happening is these remote IPs are doing some sort of scanning and are able to elicit a response from your servers which SEP flags as malicious.

    I had this issue a few months back from Ghostnet Activity and this is how Symantec explained it to me.




  • 7.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 11, 2017 05:43 PM

    I'm getting a couple of "sessions" (50+ hits in a minute or so) of these once or twice a day...each time with a different IP address.

    The details show a little differently in SEP SBE (SEP Small Business Edition), showing that the "Attacker" is external and the "Attacked" is internal (the Attack URL in the image is my public IP):

    And since I'm getting 50+ of these at a time, all targeting URLs for admin apps (/phpmanager, /phpmyadmin2018, /phpmyadmin2017, /db/dbweb, etc.), I'm with the rest of you in thinking that these are external attacks... I'm guessing from some compromised computer or device since the IP address changes each time.




  • 8.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 19, 2017 11:21 PM

    Yes, I can corroborate your findings with my own analysis, which indicates that there is an external scan over port 80 immediately prior to SEP blocking the outgoing response to the rogue entity.



  • 9.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 20, 2017 04:51 AM

    Hello MarcoCarlo and other followers of this thread,

    Thanks for the query. There have been many detections seen on this signature worldwide in the past many weeks. Brian is correct in comparing this to the Ghostnet IPS detections triggered by Shodan's scan traffic. Though certain malware triggers the IPS signature 28665 "System Infected: Trojan.Backdoor Activity 179", it is also triggered by the traffic of the Jorgee vulnerability scanner. (This is not a False Positive: the traffic that the scanner is sending matches what certain malware does.)


    Jorgee has been very active lately, as noted by other bloggers, and thus the many IPS SID 28665 events seen. 

    https://blog.paranoidpenguin.net/2017/04/jorgee-goes-on-a-rampage/


    I recommend scanning any computer which is showing any "System Infected" IPS event. A full system scan by SEP should suffice, or a Threat Analysis Scan from SymHelp. If there is actual malware on the computer, those scans should bring it to light.


    Using Today's SymDiag to Combat Today's Threats
    https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

    If the scan comes back clean, then the most likely explanation for the IPS SID 28665 events is that a vulnerability scan triggered the events.

    The following article may help to clear up some confusion, too:

    “SEP and Norton Network Threat Protection/IPS Signature Naming Improvements”
    http://www.symantec.com/docs/TECH152794

    Please do update this thread with any additional queries, or mark it solved if this has answered your question!




  • 10.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 24, 2017 08:08 AM

    Hello MarcoCarlo,

    Just a ping to see if the question has been answered?  This thread is still marked "needs solution."



  • 11.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Jul 31, 2017 10:35 AM

    Since last week, these are now being reported as Web Attack: Jorgee Vulnerability Scanner, which seems to be a more accurate description than the "backdoor activity 179".

    The attack parameters are the same, so my guess would be that Symantec has updated their Jorgee matching or updated the naming, and this is correct now.



  • 12.  RE: [SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked.

    Posted Aug 01, 2017 04:16 AM

    Well spotted, Mark! That is accurate. These IPS signatures are constantly monitored and tweaked for precision and effectiveness.