
Apache Struts CVE-2017-5638

Apache Struts attack. I have my port 80 open for a reason but am not running Apache. The main issue is that the threat specifies that it is originating from my computer to a destination address on a non-80 port: 222.186.21.154:3562.

Replies


Re: Apache Struts CVE-2017-5638

Hi @Michael J Robinson

Could you please paste the exact log from Security --> History?

Based on the information provided, it seems that the attack was targeted to your destination and IPS blocked the response packet (sourcing from port 80 to the random port).


Re: Apache Struts CVE-2017-5638

Hi,

Here is the entry. I do not believe that my system is the attacking computer, but that is what Norton is telling me.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
10/04/2017 12:03:08 PM,High,An intrusion attempt by SIMTOUCH-WS01 was blocked.,Blocked,No Action Required,Attack: Apache Struts CVE-2017-5638,No Action Required,No Action Required,"SIMTOUCH-WS01 (10.5.5.133, 80)",203.59.127.86/,"122.225.98.178, 42657",SIMTOUCH-WS01 (10.5.5.133),"TCP, www-http"
Network traffic from <b>203.59.127.86/</b> matches the signature of a known attack.  The attack was resulted from SYSTEM.  To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.


Obviously SIMTOUCH-WS01 (10.5.5.133) is my computer and 203.59.127.86 is my router address. The history implies to me that my computer originated the attack pointed to 122.225.98.178 on port 42657.

regards

Michael Robinson


Re: Apache Struts CVE-2017-5638

It appears that your PC is blocking traffic originated from 122.225.98.178 (I assume you have port forwarding on your router for port 80 pointing to your PC). This is based on the source/destination port information provided. You can have Wireshark running and try to replicate this in order to understand what the pattern is that Norton is triggering on, but since you do not have Struts running, I wouldn't worry too much.
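The port-based reading given in the replies can be checked mechanically. The Python below is an added example, not part of the original thread or of Norton's tooling; it parses the history row posted above and applies a heuristic in which the 1023 service-port cutoff and all function names are assumptions.

```python
import csv
import io
import re

# Header and row copied from the Norton history export posted in this thread.
HISTORY_CSV = (
    "Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,"
    "Default Action,Action Taken,Attacking Computer,Attacker URL,"
    "Destination Address,Source Address,Traffic Description\n"
    "10/04/2017 12:03:08 PM,High,An intrusion attempt by SIMTOUCH-WS01 was blocked.,"
    "Blocked,No Action Required,Attack: Apache Struts CVE-2017-5638,"
    "No Action Required,No Action Required,"
    '"SIMTOUCH-WS01 (10.5.5.133, 80)",203.59.127.86/,'
    '"122.225.98.178, 42657",SIMTOUCH-WS01 (10.5.5.133),"TCP, www-http"\n'
)

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*,\s*(\d+)")
SERVICE_PORT_MAX = 1023  # assumption: ports up to 1023 are listening services


def endpoint(field):
    """Return (ip, port) from 'NAME (ip, port)' or 'ip, port'."""
    match = ENDPOINT.search(field)
    if not match:
        raise ValueError(f"no ip/port pair in {field!r}")
    return match.group(1), int(match.group(2))


def classify(row):
    """Infer which side opened the TCP connection from the two port numbers."""
    local = endpoint(row["Attacking Computer"])    # host Norton labels as attacker
    remote = endpoint(row["Destination Address"])  # peer the packet was sent to
    if local[1] <= SERVICE_PORT_MAX < remote[1]:
        # Service port -> ephemeral port: a server answering a client.
        direction = "reply from local service to remote client"
    elif remote[1] <= SERVICE_PORT_MAX < local[1]:
        direction = "request from local client to remote service"
    else:
        direction = "undetermined"
    return {"direction": direction, "local": local, "remote": remote}


def classify_history(text=HISTORY_CSV):
    return [classify(row) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    print(classify_history())
```

The result is a hint about direction only; a packet capture of the same exchange is what confirms which side sent the first SYN.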
