
Hotfix Link Leads back to Blocked IP

Very interesting, well likely I'm not understanding something...

These two IP were blocked by Admin, not sure when... note: Serv-U sometimes adds the http probably on a DNS lookup

"120.245.64.189","Admin "0"">www.labs.greynoise.io/.../","0"
"221.4.215.215","Admin "0"">www.labs.greynoise.io/.../","0"

However, SW email notice... 
https://launch.solarwinds.com/index.php/email/emailWebview?email=NTY0LVZGUi0wMDgAAAGUGQF7JGUSYv8JGuiQlsgp4tkWVZheT6sH45qJQVvGA6tgFIjYdBWXWnhbOhA89SJXyh8TJJLiWxRkVNIE9O3W9xJ65esPh1tzosI

Contains a link to CVE-2024-28995, which is here... same server as the one attempting to logon to our mFTP server
https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/

How is it that the SW Vulnerability notice contains a Link for an IP that's Attempting to Log into our mFTP Server?


Regards, JeffP...

  • Hello Jeff,

    neither 120.245.64.189 nor 221.4.215.215 belongs to www.labs.greynoise.io in public DNS. If Serv-U did a reverse DNS lookup, it wouldn't get the complete URL (https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/), but only the domain (www.labs.greynoise.io), so this doesn't seem to be a reverse DNS lookup. Where are these two lines from? The Serv-U log?
    To me, it looks like the two URLs are HTTP referers, but without background info on where these two lines come from, it's only a blind shot.

    best regards,
    Markus

  • first off thanks... these are in the Domain Details IP tab, normally set to Allow or Deny

    So, the moniker isn't correct, but here's the first one... before & after updating

    After... [screenshot not included]

    ...the other after [screenshot not included]

    Here are others that are normal, well expected from manually scanning logs (I hate the task but when I find suspects I block'm)

    The bot work-around is an example of how the One Rule fails; IMHO there's a bug in the logic.
    If the rule is 4 attempts in 8 seconds, the user is allowed 6 attempts in 7 seconds, exceeding the 4 attempts but within the 8 seconds. If anyone is asking who would/could "try" to login more than 4 times in 8 seconds, ans. a Bot. SW should really allow more rules to effectively thwart BFAs.
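The "6 attempts in 7 seconds slips past a 4-in-8 rule" behaviour described above is exactly what a fixed-window (bucket-aligned) counter produces, while a sliding-window counter catches it. The block below is an added illustration, not Serv-U's own code, and it only assumes, as a hypothesis, that the product counts attempts per fixed time bucket; the IP and timestamps are constructed.

```python
from collections import deque


class FixedWindowLimiter:
    """Counts attempts per fixed bucket aligned to window boundaries.
    A burst straddling a boundary is split across two buckets, so it can
    exceed the limit without ever tripping the rule."""

    def __init__(self, max_attempts, window_s):
        self.max, self.win, self.buckets = max_attempts, window_s, {}

    def attempt(self, ip, t):
        key = (ip, int(t // self.win))
        self.buckets[key] = self.buckets.get(key, 0) + 1
        return self.buckets[key] > self.max  # True means "block"


class SlidingWindowLimiter:
    """Keeps per-IP timestamps and counts those inside the last window_s
    seconds relative to the current attempt, so alignment does not matter."""

    def __init__(self, max_attempts, window_s):
        self.max, self.win, self.hist = max_attempts, window_s, {}

    def attempt(self, ip, t):
        q = self.hist.setdefault(ip, deque())
        q.append(t)
        while q and q[0] <= t - self.win:  # drop attempts older than the window
            q.popleft()
        return len(q) > self.max


def replay(limiter, attempts):
    """Feed (ip, seconds) pairs in order; return the index of the first blocked
    attempt, or None if the limiter never trips."""
    for i, (ip, t) in enumerate(attempts):
        if limiter.attempt(ip, t):
            return i
    return None


# Constructed samples (documentation-range IP, not a real client).
# BURST: six attempts in 7 s, three on each side of the 8 s bucket boundary.
BURST = [("203.0.113.7", t) for t in (5.0, 6.0, 7.0, 9.0, 10.0, 12.0)]
# NORMAL: a human mistyping a password a few times, well under 4 in 8 s.
NORMAL = [("203.0.113.7", t) for t in (0.0, 3.0, 6.0, 20.0)]

if __name__ == "__main__":
    print("fixed window blocks at:", replay(FixedWindowLimiter(4, 8), BURST))   # None
    print("sliding window blocks at:", replay(SlidingWindowLimiter(4, 8), BURST))  # 4
```

With the rule set to 4 attempts in 8 seconds, the fixed-window counter never blocks the burst, whereas the sliding window blocks the fifth attempt (index 4, at t=10) and still lets the normal sequence through.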