Endpoint Protection


Traffic blocked for application : SYSTEM

  • 1.  Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 07:46 AM

    Hi, 

    I am constantly receiving alerts in Outbound attacks logs with [SID: 28127] System Infected: Ghostnet Backdoor Activity 4 attack blocked. Traffic has been blocked for this application: SYSTEM.

    Can someone please help me out?



  • 2.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 07:49 AM

    This started for me yesterday, and I have been reviewing a few machines but am not finding anything out of the ordinary. I would suggest running the Threat Analysis Scan included within SymDiag. I would also suggest kicking off a SEP full scan with up-to-date content. See what that all returns.



  • 3.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 07:54 AM

    Actually, I have done full scan but it did not return anything.

    As it is on one of the servers, threat analysis will result in a reboot of the server.



  • 4.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 07:56 AM

    Didn't for me. I ran the 5 minute TA scan. It does file reputation checking. No reboot needed or necessary.



  • 5.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 08:05 AM

    Threat analysis will result in a reboot only if you choose to do a rootkit scan, which is not necessary for the issue you are facing. Just do a general threat analysis scan; it should give you some more insight.



  • 6.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 09:00 AM

    Thanks! I will run Threat Analysis. Hopefully I will get more results.



  • 7.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 09:34 AM

    Do let us know how it goes and if you need more assistance.



  • 8.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 12:16 PM

    Has anyone opened a case on this and by chance do you have an FTP service running on the affected machine(s)? Also, are your affected machines external facing?



  • 9.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 12:17 PM

    I just wanted to add I am seeing the same alert, same IP with no results from scanning using the AV or the Threat Assessment tool.

    David



  • 10.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 12:19 PM

    Exchange server with OWA (port 443) open to the internet.

    No FTP services are running on the server.



  • 11.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 13, 2016 12:19 PM

    Linking a similar thread:

    https://www-secure.symantec.com/connect/forums/sid-28127-system-infected-ghostnet-backdoor-activity-4



  • 12.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 14, 2016 12:38 PM

    Hi abcd26,

    Please do ensure that you check thoroughly for threats.  The IPS signature corresponds to:

    Backdoor.Ghostnet
    https://www.symantec.com/security_response/writeup.jsp?docid=2009-033015-5616-99

    Ghostnet Toolset—Back Door at the Click of a Button
    https://www-secure.symantec.com/connect/blogs/ghostnet-toolset-back-door-click-button

    There may be undetected malware which has injected itself into a legitimate process and is attempting to communicate with that remote IP.

    Please do keep this thread up-to-date with your progress!

    With thanks and best regards,

    Mick



  • 13.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 15, 2016 10:57 AM

    Thought I would mention I just noticed this threat yesterday on my SBS 2011/Exchange server.  Outbound to 61.216.2.13 port 443, which is open for Exchange/OWA.  I am in the process of running scans but so far I have found nothing else to indicate an active threat so I am a little baffled as to what really caused this. 



  • 14.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 15, 2016 11:25 AM

    Does anyone have an update on this?  We also received a warning and have been unable to detect anything wrong with the affected server.



  • 15.  RE: Traffic blocked for application : SYSTEM

    Posted Apr 15, 2016 12:25 PM

    Not much to update and in the same boat here as everyone else.

    I have logs in my gateway firewall to indicate 61.216.2.13 as the source attempting to scan our external IPs. SEP IPS obviously blocked it so there was nothing going back. I still feel this was initiated from 61.216.2.13 (and is a false positive as the system is not truly infected IMO) but without seeing how the IPS rule is written, I don't have a solid answer.
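The last two posts raise the check that settles this kind of alert: the IPS text says "outbound" and names SYSTEM, but the question is who opened the connection. If the local side of the blocked flow holds the service port the server exposes (443 for OWA) and the remote side holds an ephemeral port, the Windows TCP stack (which runs as SYSTEM) was answering a connection that 61.216.2.13 initiated, consistent with the gateway firewall showing that IP scanning the external range. If the local side holds the ephemeral port and the remote side is 443, something on the host really did call out and the hunt for an injected process should continue. The script below is an added example, not Symantec code or anything from this thread; it parses constructed key=value sensor lines (the field names, the `dir=` label, and the sample IPs in the log are assumptions for the example) and classifies each blocked outbound flow by which side holds the service port, corroborating it against any inbound event with the mirror-image 4-tuple.

```python
"""Triage helper for IPS alerts of the form
"Traffic blocked for this application: SYSTEM" toward a remote IP.

Added example, not Symantec code. From the full 4-tuple of each blocked flow it
decides whether the local host initiated the connection (a process really
called out, worth a deeper hunt) or whether the local TCP stack was only
answering an unsolicited inbound connection from the remote IP (explaining the
SYSTEM attribution). Field names and the log layout are assumptions for the
example; adapt parse_line() to the real export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import re

# Constructed sample events (not real SEP or firewall output): one sensor line
# per blocked packet, key=value fields after an ISO timestamp.
SAMPLE_LOG = """\
2016-04-13T07:40:01 action=block dir=out src=192.168.1.10 spt=443 dst=61.216.2.13 dpt=52113 proc=SYSTEM sig=28127
2016-04-13T07:40:01 action=block dir=in src=61.216.2.13 spt=52113 dst=192.168.1.10 dpt=443
2016-04-13T07:41:17 action=block dir=out src=192.168.1.10 spt=49712 dst=61.216.2.13 dpt=443 proc=SYSTEM sig=28127
"""

# Start of the dynamic port range on Windows Vista/2008 and later (IANA range).
# Older Windows (XP/2003) used 1025-5000; adjust if the host is that old.
EPHEMERAL_START = 49152


@dataclass(frozen=True)
class Flow:
    ts: str
    direction: str        # "in" / "out" as the sensor labelled it
    src: str
    spt: int
    dst: str
    dpt: int
    proc: Optional[str]   # owning process, when the sensor records one
    sig: Optional[str]    # IPS signature id, when present


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Flow:
    """Parse one constructed 'timestamp key=value ...' sensor line."""
    ts, _, rest = line.partition(" ")
    kv = dict(_KV.findall(rest))
    return Flow(ts, kv["dir"], kv["src"], int(kv["spt"]),
                kv["dst"], int(kv["dpt"]), kv.get("proc"), kv.get("sig"))


def parse_log(text: str) -> List[Flow]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify(flow: Flow, local_services: Set[int]) -> str:
    """Decide who initiated an 'out' flow from which side holds the service port.

    - local port is a service we expose (e.g. 443 for OWA) and the remote port
      is ephemeral: our stack is replying to a connection the remote opened.
    - local port is ephemeral: something on this host opened the connection.
    """
    if flow.spt in local_services and flow.dpt >= EPHEMERAL_START:
        return "reply-to-inbound"
    if flow.spt >= EPHEMERAL_START:
        return "locally-initiated"
    return "ambiguous"


def triage(text: str, local_services: Set[int]) -> List[Dict[str, object]]:
    """One finding per blocked outbound flow, corroborated against any inbound
    event whose 4-tuple is the mirror image (i.e. the remote's own connection)."""
    flows = parse_log(text)
    inbound = {(f.src, f.spt, f.dst, f.dpt) for f in flows if f.direction == "in"}
    findings: List[Dict[str, object]] = []
    for f in flows:
        if f.direction != "out":
            continue
        mirror = (f.dst, f.dpt, f.src, f.spt)
        findings.append({
            "ts": f.ts,
            "remote": f"{f.dst}:{f.dpt}",
            "local_port": f.spt,
            "process": f.proc,
            "verdict": classify(f, local_services),
            "corroborated": mirror in inbound,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {443}):
        print(finding)
```

Run against the sample, the first blocked flow (local 443, remote 52113, with a matching inbound record) comes back as a reply to an inbound connection, which is the scan-answered-by-the-kernel case; the second (local 49712, remote 443) comes back as locally initiated and is the one that would justify the deeper process-injection hunt Mick describes. A reply-to-inbound verdict only explains that one block; it does not by itself prove the host is clean, so the full scan and Threat Analysis results still matter.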