
Incident Notification

Ticket No.: 180508-1    Ticket opened: 2018/05/08

Event name: (SIEM) Suspicious ip 174.127.99.220 has been detected!

Source hostname: (blank)
Source IP address: 140.92.66.16 (production-zone host)
Source port: 443
Destination hostname: (blank)
Destination IP address: 174.127.99.220
Destination port: 55367

Event description: In this event a computer in the production-zone host network segment connected to a relay (C2) host tracked by ICST, showing behavioural characteristics of suspected malware activity.

Recommended actions:
1. The Security Operations Center found a production-zone host making an abnormal connection to a suspicious relay (C2) IP. We recommend first blocking connections to the external IP at the firewall, then inspecting the computer that triggered the event.
2. Check whether the host has abnormal connections from unknown programs, abnormal running processes, abnormal services, or programs that start automatically at boot; if any are found, stop the program and delete the unknown program files from the system.
3. Check the logs of the firewall, IDS and similar devices for abnormal internal connections outbound to a large number of different destination IPs.
4. Verify that security policy management tasks such as security patching, account control, password management, antivirus signature updates and firewall rule review are properly implemented.

References: attachment

If you have questions about this notice or suggestions regarding this event, do not reply directly to this email; contact us using the information below.

Cybersecurity Technology Institute, Technology R&D Center (http://ctti.iii.org.tw/)
Institute for Information Industry (III), Cybersecurity Technology Institute, Security Operations Center (SOC)
Address: 2F, No. 133, Sec. 4, Minsheng E. Rd., Songshan Dist., Taipei City
Tel: 02-66072057
Fax: 02-66072026
Email: smfwgroup@iii.org.tw


Attachment

Event trend chart

RawData
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:34.015247 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4656
IpLen:20 DgmLen:40 DF ***A**** Seq: 0x479238B2 Ack: 0x3C8F55E Win: 0x400 TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:34.015247 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4656
IpLen:20 DgmLen:40 DF ***A**** Seq: 0x479238B2 Ack: 0x3C8F55E Win: 0x400 TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.767012 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4655
IpLen:20 DgmLen:301 DF ***AP*** Seq: 0x479237AD Ack: 0x3C8EBBA Win: 0x3FE TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.767012 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4655
IpLen:20 DgmLen:301 DF ***AP*** Seq: 0x479237AD Ack: 0x3C8EBBA Win: 0x3FE TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.767012 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4655
IpLen:20 DgmLen:301 DF ***AP*** Seq: 0x479237AD Ack: 0x3C8EBBA Win: 0x3FE TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.767012 174.127.99.220:55387 -> 140.92.66.16:443 TCP TTL:107 TOS:0x0 ID:4655
IpLen:20 DgmLen:301 DF ***AP*** Seq: 0x479237AD Ack: 0x3C8EBBA Win: 0x3FE TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.522524 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20003
IpLen:20 DgmLen:322 DF ***AP*** Seq: 0x3C8EAA0 Ack: 0x479237AD Win: 0x3F TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.522524 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20003
IpLen:20 DgmLen:322 DF ***AP*** Seq: 0x3C8EAA0 Ack: 0x479237AD Win: 0x3F TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.522524 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20003
IpLen:20 DgmLen:322 DF ***AP*** Seq: 0x3C8EAA0 Ack: 0x479237AD Win: 0x3F TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.522524 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20003
IpLen:20 DgmLen:322 DF ***AP*** Seq: 0x3C8EAA0 Ack: 0x479237AD Win: 0x3F TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.245651 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20000
IpLen:20 DgmLen:40 DF ***A**** Seq: 0x3C8E2DE Ack: 0x47923727 Win: 0x36 TcpLen: 20
[**] [1:9703248:1] Suspicious ip 174.127.99.220 has been detected! [**] [Classification: suspicious IP connection]
[Priority: 1] 05/08-01:21:33.245651 140.92.66.16:443 -> 174.127.99.220:55387 TCP TTL:62 TOS:0x0 ID:20000
IpLen:20 DgmLen:40 DF ***A**** Seq: 0x3C8E2DE Ack: 0x47923727 Win: 0x36 TcpLen: 20