We observed this incident between 1 Oct 2018 16:56:40 and 1 Oct 2018 16:58:40 (Indonesian time, GMT+7).
The Source Zone Name is 179.0.0.0-179.255.255.255 (IANA) and the Destination Zone Name is JTrust Bank Fall Back Zone 10.
Asset criticality: unknown (0)
The source address is located in the Dominican Republic. We have obtained the following whois information:
IP Location Dominican Republic Santo Domingo Mercado Electronico Dominicano
ASN AS52471 Columbus Networks Dominicana, DO (registered May 10, 2013)
Whois Server whois.lacnic.net
IP Address 179.51.66.45
inetnum: 179.51.66.40/29
status: reallocated
owner: Mercado Electrónico Dominicano
ownerid: DO-MEDO6-LACNIC
responsible: Ignacio Zanotto
address: Av. John F. Kennedy, 14,
address: - Santo Domingo - DN
We have also investigated the source reputation; per NTT Security threat intelligence, it has a malicious reputation.
The following signature was triggered upon detection of this event:
HTTP: ZmEu Exploit Scanner (Device action: Unknown)
The device action specified for this signature is "Unknown", so the attempt was not dropped.
The sample alert detail is given below:
Name : HTTP: ZmEu Exploit Scanner
Manager Receipt Time : 1 Oct 2018 16:58:38 PM
Application Protocol : HOPOPT
Customer Name : JTrust Bank
Category Technique : /Exploit/Vulnerability
Category Outcome : /Attempt
Device Severity : Medium
Device Action : Unknown
Device Direction : Outbound
Device Host Name : IPS-IB02
Device Address : 10.87.1.15
Device Vendor : McAfee
Device Product : Network Security Manager
Device Inbound Interface : Vlan_15_Data
Source Address : 179.51.66.45
Source Zone Name : 179.0.0.0-179.255.255.255 (IANA)
Source Dns Domain : smtp2.med.com.do.
Source Geo Country Name : Dominican Republic
Destination Address : 10.100.1.6
Destination Zone Name : JTrust Bank Fall Back Zone 10
ACTION_CODE : 200
IV_ADMIN_DOMAIN : My Company
Note that the traffic is currently being allowed by the IPS IPS-IB02 (10.87.1.15); however, we have not seen any reverse traffic towards the attacker IP.
Two fields in the alert above should be verified against the sensor's zone and interface configuration before the event is escalated: Device Direction is reported as Outbound although the source is an external address and the destination is an internal one, and Application Protocol is reported as HOPOPT (IANA protocol number 0), which for an HTTP signature most likely means the field was not populated by the sensor rather than that hop-by-hop option traffic was seen.
SOC has also observed multiple malware alerts on the Fortinet Email Gateway, device address 192.168.118.100.
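The consistency checks a SOC analyst would run on the alert fields before escalating can be scripted. The Python below is an added example written for this page, not part of the NTT notification or of any McAfee tooling; it carries a constructed copy of the relevant alert fields and the LACNIC inetnum quoted above, and the list of action names it treats as "blocking" is an assumption that must be matched against the product's own vocabulary. It confirms the whois netblock contains the source, derives the direction the addresses imply and compares it with the sensor's Device Direction field, and flags a non-blocking Device Action.

```python
import ipaddress

# Constructed copy of the fields from the sample alert that the checks below
# use; the real alert carries more fields than these.
ALERT_TEXT = """\
Name : HTTP: ZmEu Exploit Scanner
Device Action : Unknown
Device Direction : Outbound
Device Host Name : IPS-IB02
Device Address : 10.87.1.15
Source Address : 179.51.66.45
Destination Address : 10.100.1.6
"""

# inetnum from the LACNIC whois record quoted in the notification.
WHOIS_INETNUM = "179.51.66.40/29"

# Assumed action names that mean the sensor actually stopped the request.
# Check the product's own action vocabulary before relying on this set.
BLOCKING_ACTIONS = {"block", "blocked", "drop", "dropped", "deny", "denied", "reset"}


def parse_alert(text):
    """Turn the 'Key : Value' lines of the notification into a dict."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def expected_direction(src, dst):
    """Direction implied by the endpoints: an external source hitting an
    RFC 1918 destination is Inbound, the reverse is Outbound."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not s.is_private and d.is_private:
        return "Inbound"
    if s.is_private and not d.is_private:
        return "Outbound"
    return "Internal" if s.is_private else "External"


def triage(fields, inetnum):
    """Return the points an analyst should verify before escalating."""
    findings = []
    src, dst = fields["Source Address"], fields["Destination Address"]

    # 1. The whois netblock must actually contain the source, otherwise the
    #    attribution (owner, ASN, country) belongs to someone else.
    if ipaddress.ip_address(src) not in ipaddress.ip_network(inetnum, strict=False):
        findings.append(f"source {src} not in whois inetnum {inetnum}")

    # 2. The sensor's direction field should agree with the addresses.
    implied = expected_direction(src, dst)
    reported = fields.get("Device Direction", "")
    if reported and reported != implied:
        findings.append(
            f"Device Direction '{reported}' contradicts addresses "
            f"({src} -> {dst} implies {implied}); check zone/interface mapping "
            f"on {fields.get('Device Host Name', 'the sensor')}"
        )

    # 3. Anything other than a blocking action means the request reached the host.
    action = fields.get("Device Action", "").lower()
    if action not in BLOCKING_ACTIONS:
        findings.append(
            f"Device Action '{fields.get('Device Action')}' is not a block: attempt was allowed"
        )

    return findings


if __name__ == "__main__":
    for finding in triage(parse_alert(ALERT_TEXT), WHOIS_INETNUM):
        print("-", finding)
```

Run against the alert on this page, the script reports two findings (the direction mismatch and the non-blocking action) and no inetnum mismatch, which is exactly the short list to settle with the IPS owner before the signature is switched to block mode.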
Analysis

ZmEu is a vulnerability scanner which searches for web servers that are open to attack through the phpMyAdmin program. The attack is harmless if phpMyAdmin is not used on the target web server.
- The attacker is targeting multiple internal users of JTrust Bank.
- The attacker username belongs to Yikang Marine Services Co. Ltd. However, we have not observed evidence suggesting Poss

Impact

We are considering this activity as moderate severity since the traffic is currently being allowed. However, we have not seen any reverse traffic towards the attacker IP.
Successful infection may cause loss of confidentiality, integrity, or availability.

Recommendation

1- Place the signature "HTTP: ZmEu Exploit Scanner" in block mode to avoid future attempts.
2- Please consider using anti-virus software and registry inspection tools to diagnose and clean the infection. If after scanning malware has been identified, please let the SOC know so we can assist you further.
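Whether the ZmEu activity was harmless can be settled from the target's own web server log rather than from the IPS alert alone. The Python below is an added example written for this page, not part of the SOC notification or of any vendor product; the Apache combined-log lines are constructed to resemble the probing described above (reusing the source address from this alert) and are not taken from any real server, and the set of phpMyAdmin paths it matches is an assumption based on the setup.php locations ZmEu is commonly reported to request. It counts ZmEu-style probes per source and applies the "harmless if phpMyAdmin is not used" test as a check: a scanner that only ever receives 404s found nothing, whereas any 2xx on a phpMyAdmin path means the target exists on that server.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not a real server log). The first
# three lines model ZmEu probing from the address in this alert; the last line
# shows an internal user reaching a live phpMyAdmin instance.
SAMPLE_LOG = """\
179.51.66.45 - - [01/Oct/2018:16:56:40 +0700] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 292 "-" "ZmEu"
179.51.66.45 - - [01/Oct/2018:16:56:41 +0700] "GET /pma/scripts/setup.php HTTP/1.1" 404 292 "-" "ZmEu"
179.51.66.45 - - [01/Oct/2018:16:56:41 +0700] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 292 "-" "ZmEu"
10.100.1.50 - - [01/Oct/2018:16:57:02 +0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.100.1.51 - - [01/Oct/2018:16:57:30 +0700] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed probe pattern: the phpMyAdmin aliases ZmEu is known to try, ending in setup.php.
PMA_PROBE_RE = re.compile(r'/(phpmyadmin|pma|myadmin|mysqladmin)\S*/setup\.php', re.I)
# Any request under a phpMyAdmin alias, used for the exposure check.
PMA_ANY_RE = re.compile(r'^/(phpmyadmin|pma|myadmin|mysqladmin)(/|$)', re.I)


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_zmeu(log_text):
    """Per source IP: number of ZmEu-style requests (by User-Agent or by probe
    path), how many carried the ZmEu User-Agent, and which phpMyAdmin paths the
    server answered with 2xx to that source (i.e. the scan found something)."""
    report = defaultdict(lambda: {"probes": 0, "zmeu_ua": 0, "answered": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        is_ua = "zmeu" in rec["ua"].lower()
        is_probe = bool(PMA_PROBE_RE.search(rec["path"]))
        if is_ua or is_probe:
            entry = report[rec["ip"]]
            entry["probes"] += 1
            entry["zmeu_ua"] += int(is_ua)
            if rec["status"].startswith("2") and PMA_ANY_RE.match(rec["path"]):
                entry["answered"].append(rec["path"])
    return dict(report)


def phpmyadmin_exposed(log_text):
    """True if any client, scanner or not, got a 2xx on a phpMyAdmin path.
    This is the check behind 'harmless if phpMyAdmin is not used': the scan is
    only harmless when there is nothing for it to find."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"].startswith("2") and PMA_ANY_RE.match(rec["path"]):
            return True
    return False


if __name__ == "__main__":
    for ip, summary in detect_zmeu(SAMPLE_LOG).items():
        print(ip, summary)
    print("phpMyAdmin reachable on this server:", phpmyadmin_exposed(SAMPLE_LOG))
```

On the constructed sample the scanner's three probes all received 404, so the scan itself found nothing; but the last line shows phpMyAdmin is reachable on the host, which is why the exposure check is reported separately from the per-source probe count.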