Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Charles-Etienne Prévost
Felipe, 

First of all, is your SmartCenter completely exposed and reachable from 
everywhere on the internet? What is your inbound firewall rule like? Only 
CPMI and SSH? What did you set up as GUI clients?

Do you see corresponding logs in the Tracker from these IP addresses as well? 
What else do you see?

How do you authenticate to your SmartCenter? I would definitely consider 
changing every password / cert that is used by your firewall admins, and also 
the OS-level credentials if SSH is also exposed.

I am not aware of any regular activity that would generate this kind of 
behavior, and I also can't imagine any form of evil attack that would start 
with a firewall license change on your gear :)

Hope this helps. I would personally not reply to any of the questions above on 
this list, and would try to deal with the incident directly with your response team.

Cheers,
Charles

Charles-Etienne Prévost
Analyste principal, sécurité de l'information / Chef d'équipe
Senior Information Security Analyst / Team Lead
GoSecure Inc.

T 514-287-7427 ext. 242 | F 514-287-9734 | E  cprev...@gosecure.ca
105, rue Saint-Paul O., bureau 400, Montréal (Québec), H2Y 1Z5
www.gosecure.ca

-Original Message-
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Felipe Almeida MRS
Sent: June-07-13 10:02 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] SmartUpdate Strange Behavior

Hi, this is my first message on this list.

I noticed a strange behavior in the audit logs for SmartUpdate. It is 
removing the licenses and modifying the object, but using a client IP that is 
very strange and different.

The client IP is always changing, and they are from several places in the world, 
from HP and the University of California to the Philippines and Croatia.

Here are some logs.

Number:             359621
Date:               6Jun2013
Time:               22:14:04
Application:        SmartUpdate
Subject:            Object Manipulation
Operation:          Modify Object
Type:               Log
Object Type:        cp_license
Performed On:       aap4FPKc5xkUyAVt4nErumXFzzBi2dSn7SfA
Changes:            sku: added 'CPMP-EVR-1-NGX' ;sku: added 'CPMP-EVR-1-NGX' ;
Administrator:      SmartUpdate
Client:             localhost
Client IP:          176-8-191-35-pmsk.broadband.kyivstar.net (176.8.191.35)
Object Table:       licenses
Operation Number:   1
Origin:             smartcenter-frwjf01
Uid:                {32123F79-41F5-4DA8-96AC-3892A3130EE5}

Number:             359622
Date:               6Jun2013
Time:               22:14:04
Application:        SmartUpdate
Subject:            Object Manipulation
Operation:          Modify Object
Type:               Log
Object Type:        cp_license
Performed On:       aY7y5YeUa587x2Mic3PWC2w4pgb55QLvNYhr
Changes:            sku: added 'CPSG-C-8-U' ;
Administrator:      SmartUpdate
Client:             localhost
Client IP:          112.202.163.14.pldt.net (112.202.163.14)
Object Table:       licenses
Operation Number:   1
Origin:             smartcenter-frwjf01
Uid:                {ED334410-2B17-4646-B7CE-98E57763B529}

Number:             359623
Date:               6Jun2013
Time:               22:14:04
Application:        SmartUpdate
Subject:            Object Manipulation
Operation:          Modify Object
Type:               Log
Object Type:        cp_license
Performed On:       di89LY564bYrME5ixKHGAVZvEUgGbtSdrRhd
Changes:            sku: added 'CPSG-C-8-U' ;
Administrator:      SmartUpdate
Client:             localhost
Client IP:          112.142.24.43.dynamic-range.ttt.co.th (112.142.24.43)
Object Table:       licenses
Operation Number:   1
Origin:             smartcenter-frwjf01
Uid:                {FDFDF472-3155-11E2-A437-5656}



Could someone help me with that? Did my firewall suffer a hacker attack?

Thank you.

=
To set vacation, Out-Of-Office, or away messages, send an email to 
lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your subscription options, email 
fw-1-ow...@ts.checkpoint.com =
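As an added example (not code from the thread or from Check Point), here is one way to triage audit records in the layout Felipe posted: parse each record, pull the bare address out of the "Client IP" field, and flag entries where Client is "localhost" but the recorded source address is public, which yields the list of IPs to look up in the Tracker as Charles suggests. The sample records are constructed; the first two reuse values from the posted logs, and the third (SmartDashboard / fwadmin / 10.20.30.40) is made up as a benign contrast.

```python
import ipaddress
import re
# Constructed sample in the record layout shown in the thread: the first two
# records reuse values from the posted logs, the third is a made-up benign entry.
SAMPLE_AUDIT = """\
Number: 359621
Application:    SmartUpdate
Operation:  Modify Object
Administrator:  SmartUpdate
Client: localhost
Client IP:  176-8-191-35-pmsk.broadband.kyivstar.net (176.8.191.35)

Number: 359622
Application:    SmartUpdate
Operation:  Modify Object
Administrator:  SmartUpdate
Client: localhost
Client IP:  112.202.163.14.pldt.net (112.202.163.14)

Number: 359623
Application:    SmartDashboard
Operation:  Modify Object
Administrator:  fwadmin
Client: admin-pc
Client IP:  admin-pc.corp.example (10.20.30.40)
"""
IP_IN_PARENS = re.compile(r"\(([\d.]+)\)\s*$")


def parse_records(text):
    """Split the audit text into records, each a dict of 'Field': value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def client_ip(rec):
    """Return the bare address from 'Client IP: host (a.b.c.d)', or None."""
    m = IP_IN_PARENS.search(rec.get("Client IP", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def is_suspicious(rec):
    """Flag a 'localhost' client whose recorded source is a public address."""
    ip = client_ip(rec)
    return rec.get("Client") == "localhost" and ip is not None and ip.is_global


def triage(text):
    """Return the Numbers and source IPs of suspicious records for Tracker lookup."""
    hits = [r for r in parse_records(text) if is_suspicious(r)]
    return [r["Number"] for r in hits], sorted({str(client_ip(r)) for r in hits})
```

Whether those source IPs also appear in the Tracker as real connections to the management server, or only in the SmartUpdate audit records, is what separates a compromise from a logging quirk of the product.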


Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Tom Louis

Funny ass shit there


-Original Message- 
From: Charles-Etienne Prévost

Sent: Friday, June 07, 2013 3:47 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SmartUpdate Strange Behavior


Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Felipe Almeida
Hi Charles. Thank you for your answer. I'll check on those issues you mentioned. 

I forgot to check the tracker logs.

Tks, 
 
---
Felipe Almeida
felipe.alme...@mrs.com.br
 
-Charles-Etienne Prévost cprev...@gosecure.ca wrote: -

 ===
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 From: Charles-Etienne Prévost cprev...@gosecure.ca
 Date: 07-06-2013 08:02PM 
 Subject: Re: [FW-1] SmartUpdate Strange Behavior
 ===

Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Ray
What version are you using? We're seeing the same continual license delete and 
add nonsense on R76 Gaia, and it was not there on R75.20. I'll have to look and 
see what the client IP is on Monday. We noticed it because of the syslog alerts.

Ray

 Date: Fri, 7 Jun 2013 07:02:00 -0700
 From: felipe.alme...@mrs.com.br
 Subject: [FW-1] SmartUpdate Strange Behavior
 To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
 


Re: [FW-1] SmartUpdate Strange Behavior

2013-06-07 Thread Felipe Almeida
I am using version R75.40.

---
Felipe Almeida
felipe.alme...@mrs.com.br




From:   Ray sixsigm...@hotmail.com
To:     FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date:   07/06/2013 22:24
Subject:    Re: [FW-1] SmartUpdate Strange Behavior
Sent by:    Mailing list for discussion of Firewall-1 
FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM


