Hotfix Link Leads back to Blocked IP

Very interesting, well likely I'm not understanding something...

These two IPs were blocked by Admin, not sure when... Note: Serv-U sometimes adds the http, probably on a DNS lookup

"120.245.64.189","Admin "0"">www.labs.greynoise.io/.../","0"
"221.4.215.215","Admin "0"">www.labs.greynoise.io/.../","0"

However, SW email notice... 
https://launch.solarwinds.com/index.php/email/emailWebview?email=NTY0LVZGUi0wMDgAAAGUGQF7JGUSYv8JGuiQlsgp4tkWVZheT6sH45qJQVvGA6tgFIjYdBWXWnhbOhA89SJXyh8TJJLiWxRkVNIE9O3W9xJ65esPh1tzosI

Contains a link to CVE-2024-28995, which is here... the same server as the one attempting to log on to our mFTP server
https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/

How is it that the SW Vulnerability notice contains a Link for an IP that's Attempting to Log into our mFTP Server?


Regards, JeffP...

  • Hello Jeff,

    neither 120.245.64.189 nor 221.4.215.215 belongs to www.labs.greynoise.io at public DNS. If Serv-U did a reverse DNS lookup, it wouldn't get the complete URL (https://www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/), but only the domain (www.labs.greynoise.io), so this doesn't seem to be a reverse DNS lookup. Where are these two lines from? Serv-U log?
    For me, it looks like the two URLs are HTTP referers, but without background info on where these two lines are from, it's only a blind shot.

    best regards,
    Markus

  • first off thanks... these are in the Domain Details IP tab, normally set to Allow or Deny

    So, the moniker isn't correct, but here's the first one... before & after updating

    After...


    ...the other after



    Here are others that are normal, well, expected from manually scanning logs (I hate the task, but when I find suspects I block 'em)

    The bot work-around is an example of how the One Rule fails; IMHO there's a bug in the logic.
    If the rule is 4 attempts in 8 seconds, the user is allowed 6 attempts in 7 seconds, exceeding the 4 attempts but within the 8 seconds. If anyone is asking who would/could "try" to log in more than 4 times in 8 seconds, the answer is a bot. SW should really allow more rules to effectively thwart BFAs.
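To make the "4 attempts in 8 seconds" rule concrete, here is an added example (not Serv-U code, and not a statement of how SolarWinds implements its rule) that evaluates a constructed burst of failed logons under two readings of the same rule: a sliding window and a fixed, boundary-aligned window. The log line format, the "more than limit triggers a block" semantics and the sample IP are all assumptions made for the example.

```python
from collections import deque
from datetime import datetime

# Constructed sample (not a real Serv-U log): one source IP, six failed
# logons in seven seconds, the kind of burst the post above describes.
SAMPLE_LOG = """\
2024-06-12 10:00:05 Login failed for user "admin" from 203.0.113.7
2024-06-12 10:00:06 Login failed for user "admin" from 203.0.113.7
2024-06-12 10:00:07 Login failed for user "test" from 203.0.113.7
2024-06-12 10:00:08 Login failed for user "ftp" from 203.0.113.7
2024-06-12 10:00:09 Login failed for user "admin" from 203.0.113.7
2024-06-12 10:00:12 Login failed for user "root" from 203.0.113.7
"""

def parse_attempts(log_text):
    """Return (timestamp, ip) for each failed-logon line (assumed format)."""
    out = []
    for line in log_text.splitlines():
        if "Login failed" not in line:
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        out.append((ts, parts[-1]))
    return out

def sliding_window_block(attempts, limit=4, window_s=8):
    """Block on the first failure that makes more than `limit` failures from
    one IP fall inside the `window_s` seconds ending at that failure.
    Returns {ip: 1-based index of the attempt that triggered the block}."""
    recent, blocked = {}, {}
    for n, (ts, ip) in enumerate(attempts, 1):
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop failures older than the window
        if len(q) > limit:
            blocked.setdefault(ip, n)
    return blocked

def fixed_window_block(attempts, limit=4, window_s=8):
    """Same rule, but the counter lives in fixed buckets aligned to midnight
    and resets at every bucket boundary, so a burst that straddles a
    boundary is split across two counters and may never reach the limit."""
    counts, blocked = {}, {}
    for n, (ts, ip) in enumerate(attempts, 1):
        secs = ts.hour * 3600 + ts.minute * 60 + ts.second
        key = (ip, secs // window_s)
        counts[key] = counts.get(key, 0) + 1
        if counts[key] > limit:
            blocked.setdefault(ip, n)
    return blocked
```

With the sample above, the sliding window blocks the IP on its 5th failure, while the fixed window never does because attempts 1-3 and 4-6 land in different 8-second buckets; when checking which behaviour a product shows, feed it a burst that straddles a window boundary and compare.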
