Botnet Security Alert on Sonicwall
-
So just had an odd thing happen. I'm on my computer logging in to my bank's website to pay my mortgage when I start getting hammered with emails from Sonicwall about "Suspected Botnet responder blocked, Responder IP: 208.91.197.46" and my local IP address. I quickly search and see that this IP has been linked to Locky Ransomware so I immediately shut my computer down so I could research further.
I check the file server first to see if I can find anything that has been modified or changed. I check the FSRM logs, since I've set up some blocks for known ransomware extensions, to see if there were any hits, but there was nothing. I start my computer back in Safe Mode and run some scans which come up clean.
I then decide to fire it back up in normal mode and see if it was a particular site. I open back up my Chrome windows and keep watching my logs... no issue. I navigate to my mortgage site again and login. BOOM. Flooded with Sonicwall logs again. Log out and close the window and they immediately disappear. I tried to open it with Edge (which I rarely use) as well as Chrome which has uBlock Origin running in case there were any scripts it might block, but same result both times. I then tried a different machine just to see how it would react, and same issue.
How would you proceed from here? Is there reason to believe their site is truly compromised in some way, or potentially a false positive? I've logged into this site many times over the last few years without issues. My antivirus doesn't flag anything, only the Sonicwall botnet filter. I'm basically trying to decide if I have enough info or justification to alert them to this issue, or if it's a false positive from some CDN or hosting that was malicious at one time but may not be anymore, yet the IP address is still getting flagged.
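An added example of how a defender might triage an alert burst like the one described in this post (this is not code from the thread or from SonicWall). It parses constructed alert lines modelled on the message text quoted above, groups hits by responder IP, counts how many internal hosts produced them, and checks whether the hits fall inside a known browsing session rather than firing on their own. The timestamp and "Source IP" field layout is an assumption, not a documented SonicWall export format.

```python
"""Triage helper for 'Suspected Botnet responder blocked' style alerts.

Added example, not from the thread. Reads alert lines, groups them by
responder IP, and checks whether the hits cluster inside a known browsing
session (the poster's login/logout window) rather than firing on their own.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The message text follows the post's quote
# ("Suspected Botnet responder blocked, Responder IP: ..."); the timestamp
# and "Source IP" layout is an assumption, not a documented SonicWall format.
SAMPLE_ALERTS = """\
2018-03-01 09:02:10 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.20
2018-03-01 09:02:12 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.20
2018-03-01 09:02:15 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.20
2018-03-01 09:05:40 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.20
2018-03-01 11:30:01 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.31
2018-03-01 11:30:04 Suspected Botnet responder blocked, Responder IP: 208.91.197.46, Source IP: 192.168.1.31
2018-03-01 13:00:00 Some unrelated log line that must not match
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Suspected Botnet responder blocked, "
    r"Responder IP: (?P<responder>\d{1,3}(?:\.\d{1,3}){3}), "
    r"Source IP: (?P<source>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_alerts(text):
    """Return one dict per matching line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "responder": m.group("responder"),
            "source": m.group("source"),
        })
    return alerts


def responder_summary(alerts):
    """Map responder IP -> (hit count, set of internal source IPs).

    Several distinct internal hosts hitting one responder points at something
    those hosts have in common (a site they all visit) rather than at one
    infected machine.
    """
    hits = Counter()
    sources = defaultdict(set)
    for a in alerts:
        hits[a["responder"]] += 1
        sources[a["responder"]].add(a["source"])
    return {r: (hits[r], sources[r]) for r in hits}


def session_correlation(alerts, login, logout, responder):
    """Count hits on `responder` inside vs outside a browsing session window."""
    inside = sum(1 for a in alerts
                 if a["responder"] == responder and login <= a["ts"] <= logout)
    total = sum(1 for a in alerts if a["responder"] == responder)
    return inside, total - inside


def bursts(alerts, responder, gap=timedelta(seconds=60)):
    """Cluster hits on `responder` into bursts separated by more than `gap`."""
    times = sorted(a["ts"] for a in alerts if a["responder"] == responder)
    clusters = []
    for t in times:
        if clusters and t - clusters[-1][-1] <= gap:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return [(c[0], c[-1], len(c)) for c in clusters]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for responder, (n, srcs) in responder_summary(alerts).items():
        print(f"{responder}: {n} hits from {len(srcs)} internal host(s): {sorted(srcs)}")
    # Assumed session window for the constructed data: logged in 09:02, out 09:06.
    login = datetime(2018, 3, 1, 9, 2, 0)
    logout = datetime(2018, 3, 1, 9, 6, 0)
    inside, outside = session_correlation(alerts, login, logout, "208.91.197.46")
    print(f"hits during session: {inside}, outside: {outside}")
    for start, end, n in bursts(alerts, "208.91.197.46"):
        print(f"burst {start:%H:%M:%S}-{end:%H:%M:%S}: {n} hits")
```

If every hit lands inside the session window and the same responder is hit from more than one internal host, the evidence points at a resource the site loads rather than at a persistent infection on one machine, which is the distinction the post is trying to make; hits outside any known session from a single host would argue the other way.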
-
@zachary715 I'd go ahead and report it. It could well not be anything, but if it is, then they need to know yesterday.
-
Is it calling the IP of that website a botmaster?
I'm risking the thrashing of JB.
But I'm just curious.. does it maybe think your PC is infected because you're going to a banking like site? I mean I would hope not.. but WTFK?
-
@dashrender said in Botnet Security Alert on Sonicwall:
Is it calling the IP of that website a botmaster?
I'm risking the thrashing of JB.
But I'm just curious.. does it maybe think your PC is infected because you're going to a banking like site? I mean I would hope not.. but WTFK?
I'm not totally sure what you're asking. Does what think my PC is infected? The Sonicwall? And I'm not sure why going to a "banking-like site" would make it scream infection. I log in to Mint almost daily and my other bank accounts from time to time, no issues.
Like I said I tried on different computers with same result. As soon as I would login to my account, my phone would start going off with email alerts constantly until I logged back out. The IP of the site (23.something) is not the same IP that it says is triggering the alert, so I don't know if it's some behind the scenes CDN or analytics or what. I was just looking to see if anyone had any suggestions on what to do beyond what I've done.
-
Did you notify your bank?
-
Sounds like your mortgage website was infected with malware, or it's running ads that are. Does your CPU jump when visiting that site more than others? It may not but still may be infected.
-
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
-
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
Mining line to?
-
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
-
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
-
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
I had thought of that, but that seemed so unlikely.
-
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
I had thought of that, but that seemed so unlikely.
Not really. I mean you know how good Windows people patch right?
-
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
I had thought of that, but that seemed so unlikely.
Not really. I mean you know how good Windows people patch right?
That's true. But it seems like a worthless target. How many of these can there be yet?
-
@danp said in Botnet Security Alert on Sonicwall:
Did you notify your bank?
Yes I did. It was forwarded to the mortgage department. Who knows what they'll do with it.
-
@scottalanmiller said in Botnet Security Alert on Sonicwall:
What's a Linux SQL server?
Meaning an SQL server running on a Linux OS. I don't know if it's MySQL specific or not, so I didn't say it specifically. (yes I know MySQL can run on Windows too... I wish I didn't have to add so much detail all the time and risk everyone firing bullets as if I'm clueless)
I couldn't imagine his mortgage company running on Windows... so that's why I mentioned Linux, even though the botnet targets Windows too.
-
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
I had thought of that, but that seemed so unlikely.
Not really. I mean you know how good Windows people patch right?
That's true. But it seems like a worthless target. How many of these can there be yet?
Probably nothing outside of labs / testing.
Why would you run MS SQL on Linux when an MS SQL license includes an OS license?
Why would you run MS SQL on Linux when there are better options to run on Linux?
-
@tim_g said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
What's a Linux SQL server?
Meaning an SQL server running on a Linux OS. I don't know if it's MySQL specific or not, so I didn't say it specifically. (yes I know MySQL can run on Windows too... I wish I didn't have to add so much detail all the time and risk everyone firing bullets as if I'm clueless)
I couldn't imagine his mortgage company running on Windows... so that's why I mentioned Linux, even though the botnet targets Windows too.
It's just that those things aren't generic. The only thing that makes them similar is that they use relational math in the storing of the data. SQL is the query language, but not the protocol for accessing them. So SQL servers aren't a group of things in any meaningful way.
-
@tim_g said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@jaredbusch said in Botnet Security Alert on Sonicwall:
@scottalanmiller said in Botnet Security Alert on Sonicwall:
@tim_g said in Botnet Security Alert on Sonicwall:
Latest news is saying a half million sized botnet is mining line to, and one of the targets are Linux SQL servers.
What's a Linux SQL server? Anything running a relational database? How do they target them?
I assumed that one meant Linux servers running MS SQL.
I had thought of that, but that seemed so unlikely.
Not really. I mean you know how good Windows people patch right?
That's true. But it seems like a worthless target. How many of these can there be yet?
Probably nothing outside of labs / testing.
Why would you run MS SQL on Linux when an MS SQL license includes an OS license?
Why would you run MS SQL on Linux when there are better options to run on Linux?
MS SQL licenses include an OS license?
-
At some point they had a Locky infection as below:
https://www.abuseipdb.com/check/208.91.197.46
-