Re: [FW-1] SmartUpdate Strange Behavior
Felipe,

First of all, is your SmartCenter completely exposed and reachable from everywhere on the internet? What is your inbound firewall rule like? Only CPMI and SSH? What did you set up as GUI clients? Do you see corresponding logs in the Tracker from these IP addresses as well? What else do you see? How do you authenticate to your SmartCenter?

I would definitely consider changing every password / cert that is used by your firewall admins, and also OS-level credentials if SSH is also exposed.

I am not aware of any regular activity that would generate this kind of behavior, and I also can't imagine any form of evil attack that would start with a firewall license change on your gear :)

Hope this helps. I would personally not reply to any of the questions above on this list and try to deal with the incident directly with your response team.

Cheers,
Charles

Charles-Etienne Prévost
Senior Information Security Analyst / Team Lead
GoSecure Inc.
T 514-287-7427 ext. 242 | F 514-287-9734 | E cprev...@gosecure.ca
105, rue Saint-Paul O., bureau 400, Montréal (Québec), H2Y 1Z5
www.gosecure.ca

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Felipe Almeida MRS
Sent: June-07-13 10:02 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] SmartUpdate Strange Behavior

Hi, this is my first message on this list.

I noticed a strange behavior in the audit logs for SmartUpdate. It is removing the licenses and modifying the object, but using a client IP that is strange and different. The client IP is always changing, and they are from several places in the world, from HP and the University of California to the Philippines and Croatia. Here are some logs.

Number: 359621
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: aap4FPKc5xkUyAVt4nErumXFzzBi2dSn7SfA
Changes: sku: added 'CPMP-EVR-1-NGX' ;sku: added 'CPMP-EVR-1-NGX' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 176-8-191-35-pmsk.broadband.kyivstar.net (176.8.191.35)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {32123F79-41F5-4DA8-96AC-3892A3130EE5}

Number: 359622
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: aY7y5YeUa587x2Mic3PWC2w4pgb55QLvNYhr
Changes: sku: added 'CPSG-C-8-U' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 112.202.163.14.pldt.net (112.202.163.14)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {ED334410-2B17-4646-B7CE-98E57763B529}

Number: 359623
Date: 6Jun2013
Time: 22:14:04
Application: SmartUpdate
Subject: Object Manipulation
Operation: Modify Object
Type: Log
Object Type: cp_license
Performed On: di89LY564bYrME5ixKHGAVZvEUgGbtSdrRhd
Changes: sku: added 'CPSG-C-8-U' ;
Administrator: SmartUpdate
Client: localhost
Client IP: 112.142.24.43.dynamic-range.ttt.co.th (112.142.24.43)
Object Table: licenses
Operation Number: 1
Origin: smartcenter-frwjf01
Uid: {FDFDF472-3155-11E2-A437-5656}

Could someone help me with that? Did my firewall suffer a hacker attack?

Thank you.

=
To set vacation, Out-Of-Office, or away messages, send an email to lists...@amadeus.us.checkpoint.com; in the BODY of the email add: set fw-1-mailinglist nomail
=
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=
If you have any questions on how to change your subscription options, email fw-1-ow...@ts.checkpoint.com
=
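As an added example (not code from the thread or from Check Point), a small Python parser for the audit record format quoted above that flags SmartUpdate license changes logged with Client: localhost but a public Client IP, and tallies the sources and SKUs they touched. The sample records are re-typed from the thread with placeholder Performed On and Uid values, plus one constructed record from a private management host (10.1.2.3) for contrast.

```python
"""Flag SmartUpdate audit records logged as 'Client: localhost' but carrying a public Client IP."""
import ipaddress
import re
from collections import Counter

# Field order exactly as in the SmartView Tracker audit records quoted in the thread. Each value
# is captured lazily up to the next label in this fixed order, so the collapsed
# "Operation: Modify Object Type: Log Object Type: cp_license" still splits correctly.
FIELDS = ["Number", "Date", "Time", "Application", "Subject", "Operation", "Type",
          "Object Type", "Performed On", "Changes", "Administrator", "Client",
          "Client IP", "Object Table", "Operation Number", "Origin", "Uid"]
RECORD_RE = re.compile(
    "".join(rf"{re.escape(f)}\s*:\s*(?P<{f.lower().replace(' ', '_')}>.*?)\s*" for f in FIELDS)
    + r"(?=Number\s*:|\Z)", re.S)

def _rec(n, changes, client_ip):
    # Constructed record in the thread's layout; 'Performed On' and 'Uid' are placeholders.
    return (f"Number: {n} Date: 6Jun2013 Time: 22:14:04 Application: SmartUpdate "
            f"Subject: Object Manipulation Operation: Modify Object Type: Log "
            f"Object Type: cp_license Performed On: PLACEHOLDER Changes: {changes} "
            f"Administrator: SmartUpdate Client: localhost Client IP: {client_ip} "
            f"Object Table: licenses Operation Number: 1 Origin: smartcenter-frwjf01 "
            f"Uid: {{00000000-0000-0000-0000-{n}}} ")

# Three records re-typed from the thread plus one constructed record from a private
# management host (10.1.2.3) to show what a legitimate local client looks like.
SAMPLE = "".join([
    _rec(359621, "sku: added 'CPMP-EVR-1-NGX' ;sku: added 'CPMP-EVR-1-NGX' ;",
         "176-8-191-35-pmsk.broadband.kyivstar.net (176.8.191.35)"),
    _rec(359622, "sku: added 'CPSG-C-8-U' ;", "112.202.163.14.pldt.net (112.202.163.14)"),
    _rec(359623, "sku: added 'CPSG-C-8-U' ;", "112.142.24.43.dynamic-range.ttt.co.th (112.142.24.43)"),
    _rec(359624, "sku: added 'CPSG-C-8-U' ;", "mgmt-pc.example.internal (10.1.2.3)"),
])

def parse_records(text):
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def client_ip(record):
    """Dotted-quad from 'reverse-name (a.b.c.d)', or the bare field value."""
    m = re.search(r"\(([\d.]+)\)\s*$", record["client_ip"])
    return m.group(1) if m else record["client_ip"].strip()

def suspicious(record):
    """True when the change was logged as a localhost client but from a public address."""
    try:
        ip = ipaddress.ip_address(client_ip(record))
    except ValueError:
        return True  # unparseable source address: surface it rather than silently drop it
    return record["client"].strip() == "localhost" and ip.is_global

def summarise(text):
    """Count records, flagged records, distinct public sources and the SKUs they touched."""
    recs = parse_records(text)
    flagged = [r for r in recs if suspicious(r)]
    return {"records": len(recs), "flagged": len(flagged), "sources": Counter(client_ip(r) for r in flagged),
            "skus": Counter(s.strip() for r in flagged for s in r["changes"].split(";") if s.strip())}
```

Run it over a SmartView Tracker audit export pasted into a string; a non-empty "sources" counter lists the distinct public addresses to cross-check against the Tracker and GUI-client list, as the reply above suggests.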
Re: [FW-1] SmartUpdate Strange Behavior
Funny ass shit there

-----Original Message-----
From: Charles-Etienne Prévost
Sent: Friday, June 07, 2013 3:47 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] SmartUpdate Strange Behavior
Re: [FW-1] SmartUpdate Strange Behavior
Hi Charles.

Thank you for your answer. I'll check on those issues you said. I forgot to check the Tracker logs.

Tks,
---
Felipe Almeida
felipe.alme...@mrs.com.br

-----Charles-Etienne Prévost cprev...@gosecure.ca wrote: -----
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
From: Charles-Etienne Prévost cprev...@gosecure.ca
Date: 07-06-2013 08:02PM
Subject: Re: [FW-1] SmartUpdate Strange Behavior
Re: [FW-1] SmartUpdate Strange Behavior
What version are you using? We're seeing the same continual license delete and add nonsense on R76 Gaia, and it was not there on R75.20. I'll have to look and see what the client IP is on Monday. We noticed it because of the syslog alerts.

Ray

Date: Fri, 7 Jun 2013 07:02:00 -0700
From: felipe.alme...@mrs.com.br
Subject: [FW-1] SmartUpdate Strange Behavior
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Re: [FW-1] SmartUpdate Strange Behavior
I am using version R75.40.

---
Felipe Almeida
felipe.alme...@mrs.com.br

From: Ray sixsigm...@hotmail.com
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Date: 07/06/2013 22:24
Subject: Re: [FW-1] SmartUpdate Strange Behavior
Sent by: Mailing list for discussion of Firewall-1 FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM