Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Botnet Filter, how do I work with the infected hosts, that is remove the Malware, its not showing up in Xprotect, or ClamXav,

Hi

Working with a ASA 5505, BotNet Filter shows all Mac Devices, Server, Clients, and Iphones as infected, all connections logged, threat level Very High, all Dropped. Service Port 443, tcp 5000, Tcp 8192, udp 8192, tcp 80.

IP's: 199.16.156.230, 199.16.156.0/22, 192.168.1.10, 93.184.216.146, 199.96.57.6, 199.16.156.73.

Showing that they are heading to Twitter:

platform.twitter.com

s.twitter.com

I have wiresharked the packets, that the BotNet Filter is filtering from the Mac devices. I have  wiped/erased a iphone, and the ASA BNF still reports its infected. I have ClamXav running with no detection, there is no use of Twitter on any devices. There are no plugins on the browsers, and browsers are using FIPS Firefox. I am using Yosemite, and OS X server 3.5.7, iphone IOS v 8.0.2. 

Java is up to date, XProtect is the built-in with the latest. I have checked for Flash Back on all Mac devices. I am trying to determine if this is a valid threat, I am collecting lsof -a and wireshark reports and have span switch recordings.

Lastly the Linux box's are not effected, only Mac is in effected client list.

So is there any more information that i can get from Cisco's BotNet Filter as to what is being blocked by the IP address's provided above?

Thank you

Chris

 

 

Everyone's tags (1)
1 REPLY
New Member

Did find firefox calling for

Did find firefox calling for a sync:

$ lsof -i:443
COMMAND  PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
firefox 6842 blade  165u  IPv4 0x16d1bc097204d5ff      0t0  TCP 172.16.222.4:61725->199.16.156.52:https (SYN_SENT)
firefox 6842 blade  170u  IPv4 0x16d1bc0972f5d20f      0t0  TCP 172.16.222.4:61747->199.16.156.52:https (SYN_SENT)

Sync sent no return because ASA BNF is blocking, But this does not explain the iPhone and other devices, removing FireFox. Port 8192 belongs to Sophos Remote Management System (Unofficial), no management software installed. Sophos manages encryption on BitLocker and FileVault.

Recording lsof -i:8192 and lsof -i:443  

 

107
Views
0
Helpful
1
Replies
CreatePlease login to create content