Hi, this is my first message on this list. I noticed a strange behavior in the audit logs for SmartUpdate. It is removing the licenses and modifying the object, but using a client IP that is so strange and different.
The client IP is always changing, and they are from several places in the world: from HP and the University of California to the Philippines and Croatia. Here are some logs.

Number: 359621
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: aap4FPKc5xkUyAVt4nErumXFzzBi2dSn7SfA
Changes: sku: added 'CPMP-EVR-1-NGX' ;sku: added 'CPMP-EVR-1-NGX' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 176-8-191-35-pmsk.broadband.kyivstar.net (176.8.191.35)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {32123F79-41F5-4DA8-96AC-3892A3130EE5}

Number: 359622
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: aY7y5YeUa587x2Mic3PWC2w4pgb55QLvNYhr
Changes: sku: added 'CPSG-C-8-U' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 112.202.163.14.pldt.net (112.202.163.14)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {ED334410-2B17-4646-B7CE-98E57763B529}

Number: 359623
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: di89LY564bYrME5ixKHGAVZvEUgGbtSdrRhd
Changes: sku: added 'CPSG-C-8-U' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 112.142.24.43.dynamic-range.ttt.co.th (112.142.24.43)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {FDFDF472-3155-11E2-A437-000000005656}

Could someone help me with that? Did my firewall suffer a hacker attack? Thank you.