Astaro User Bulletin Board
Go Back   Astaro User Bulletin Board > Astaro Gateway Products > Network Security: Firewall, NAT, QoS, IPS and more
Reload this Page ATTACK-RESPONSES Microsoft cmd.exe banner
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Welcome to the Astaro User Bulletin Board.
If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 01-28-2010, 06:23 PM
Junior Member
  
Join Date: Jan 2010
Posts: 2
Default ATTACK-RESPONSES Microsoft cmd.exe banner
I am receiving the below Intrusion Prevention Alert message every 5 minutes or so.

-- background info --

172.20.1.1 (AstaroDevice01) is my Internet-facing ASG320
Destination IP address: 172.20.1.210 (ExhangeServer01) is my internal Exhange server

AstaroDevice01 is permitted to relay inbound e-mail to ExhangeServer01. Any idea what this message means? There are messages sitting in the Spool, quarantine, etc.

------------------------------
Message Below
------------------------------

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: ATTACK-RESPONSES Microsoft cmd.exe banner
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=2123
Time...........: 2010:01:28-14:11:00
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Successful Administrator Privilege Gain IP protocol....: 6 (TCP)

Source IP address: 172.20.1.1 (AstaroDevice01)
Source port: 39842

Destination IP address: 172.20.1.210 (ExhangeServer01)
Destination port: 25 (smtp)


--
HA Status : HA MASTER (node id: 1)
System Uptime : 19 days 1 hours 38 minutes
System Load : 0.40
System Version : Astaro Security Gateway Appliance 7.502

Please refer to the manual for detailed instructions.
------------------------------


Thanks!
Reply With Quote
  #2 (permalink)  
Old 01-28-2010, 09:04 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 7,014
Default
Make sure that the Exchange server is in 'SMTP Servers' on the 'Advanced' tab of 'Network Security >> Intrusion Prevention'.

If that's already done, then try a 'Source network' exclusion for 'Internal (Address)'.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #3 (permalink)  
Old 01-29-2010, 03:33 PM
Junior Member
  
Join Date: Jan 2010
Posts: 2
Default
Yeah, I was thinking to do that -- adding the Exchange server in 'SMTP Servers' on the 'Advanced' tab of 'Network Security >> Intrusion Prevention'. However, prior to squashing the noise, I'd like to figure out why this issue is happening.
Last edited by MoneyMovers; 01-29-2010 at 03:34 PM. Reason: typo
Reply With Quote
  #4 (permalink)  
Old 01-29-2010, 04:36 PM
BAlfson's Avatar
Moderator
  
Join Date: Mar 2007
Location: Oklahoma City
Posts: 7,014
Default
Quote:
Yeah, I was thinking to do that -- adding the Exchange server in 'SMTP Servers' on the 'Advanced' tab of 'Network Security >> Intrusion Prevention'.
That's why the issue is occuring - you don't have IPS configured correctly! ;-)

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!
Reply With Quote
  #5 (permalink)  
Old 01-29-2010, 05:30 PM
Billybob's Avatar
Wizard
  
Join Date: Jul 2006
Location: United States
Posts: 898
Default
I don't know if you have owa (outlook web access) open via astaro. The cmd.exe is a probe for the old nimda worm. Some of us old folks still remember that disaster
Reply With Quote
Reply

Tags
ips, smtp

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT. The time now is 07:39 AM.

 
Contact Us - Astaro User Bulletin Board - Archive - Top

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases. issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.