Endpoint SWAT: Protect the Endpoint Community

  • 1.  SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 23, 2014 02:15 PM

    This appears to be an inbound attack of some kind, yet the IPS alert says it is Outbound.  Any thoughts?  Also, what's with the timestamps?  Notice there is about 3 months' time between the event time and the begin/end time.

    Edited:  Sorry, completely forgot to mention but this internal IP is our Exchange 2010 server which has Outlook Web App set up for external access via port 443.  Technically port 80 is open, but just goes to the IIS (or Exchange) error page since we do not have redirection enabled. 

     

    IP Address 
    Current: 192.168.5.5
    When event occurred: 192.168.5.5
    Local MAC: N/A
    User Name: USER
    Operating system: Windows Server 2008 R2 Enterprise Edition
    Location Name: Location
    Domain Name: SEP Domain 1
    Group Name: My Company\SERVERS\2008 R2
    Server Name: SERVERNAME
    Site Name: SITENAME
     

    Risk Detected
    Event Time: 09/19/2014 05:36:49
    Begin Time: 06/11/2014 18:08:59
    End Time: 06/11/2014 18:08:59
    Occurrence: 1
    Signature Name: Web Attack: PHP CGI CVE-2012-1823 2
    Signature ID: 27798
    Signature Sub ID: 71150
    Intrusion URL: OUREXTERNALIP/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
    Intrusion Payload URL: N/A
    Event Description: [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
    Event Type: Intrusion Prevention
    Hack Type: 0
    Severity: Critical
    Application Name: SYSTEM
    Network Protocol: TCP
    Traffic Direction: Outbound
    Remote IP: SOME IP IN BRAZIL
    Remote MAC: N/A
    Remote Host Name: N/A
    Alert: 1
    Local Port: 80
    Remote Port: 50198
     
     


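As an added example (not part of the original post or of Symantec's IPS), the following Python decodes the Intrusion URL from the log above and checks it for the php-cgi argument-injection pattern that signature 27798 covers. The external IP is replaced with a placeholder host, an assumption; the sample string is otherwise the one from the log.

```python
from urllib.parse import unquote_plus

# Constructed sample: the Intrusion URL from the SEP log above, with the
# obfuscated external IP replaced by a placeholder host (an assumption).
SAMPLE_URL = (
    "http://EXTERNAL-IP-PLACEHOLDER/cgi-bin/php?"
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)

# php.ini settings whose override via "-d" is the hallmark of this attack class.
RISKY_INI = {"allow_url_include", "auto_prepend_file", "disable_functions",
             "open_basedir", "safe_mode", "suhosin.simulation"}


def decode_query(url: str) -> str:
    """Percent-decode the query string the way a CGI would ('+' becomes space)."""
    raw = url.split("?", 1)[1] if "?" in url else ""
    return unquote_plus(raw)


def analyze_php_cgi_request(url: str) -> dict:
    """Triage one request URL for the CVE-2012-1823 php-cgi argument injection.

    Vulnerable php-cgi builds handed the query string to PHP as command-line
    arguments whenever it held no literal '='; encoding '=' as %3D slipped past
    that check while still decoding to '-d key=value' overrides.
    """
    raw = url.split("?", 1)[1] if "?" in url else ""
    decoded = decode_query(url)
    tokens = decoded.split()
    argv_injection = "=" not in raw and decoded.startswith("-")
    # Collect every 'key=value' that follows a '-d' switch.
    directives = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-d"]
    risky = sorted({d.split("=", 1)[0] for d in directives
                    if d.split("=", 1)[0] in RISKY_INI})
    return {"decoded_query": decoded, "argv_injection": argv_injection,
            "directives": directives, "risky_directives": risky}
```

The same check runs unchanged over IIS or proxy access logs, so the request string can be confirmed at the web tier even when, as here, no php-cgi exists on the host to act on it.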

  • 2.  RE: SEP 12.1.4: Why does IPS alert say Outbound?
    Best Answer

    Posted Sep 24, 2014 01:30 AM

    Hi MIXIT,

    In this instance I would not pay much heed to the direction of the attack; the important thing is that IPS raised a red flag when it encountered traffic that matches the attack signature associated with that vulnerability.

    Just a quick recommendation: ensure that your PHP on that Exchange server is updated to a version not vulnerable to CVE-2012-1823.  IPS is a great defense, but IPS and patching are even better.  More news: http://www.cvedetails.com/cve/CVE-2012-1823/    

    Hope this helps!  Please do continue to remain this vigilant about activity on your systems and continue looking into potential security incidents like this.  If everyone did, the world would be a safer place.

    Mick



  • 3.  RE: SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 24, 2014 08:21 AM

    Thanks Mick, I appreciate it.  Question: do you think Exchange 2010 uses PHP or CGI by default?  I could Google it but thought I'd ask here.  To my knowledge I'm not running anything like MySQL or Apache or anything like that, so when I saw this attack I thought it maybe wasn't a concern anyway, despite the IPS block, since you can't get Joe to respond by calling out his name as Fred, right?  A CGI can't work if there's no CGI (I assume, but in IT you never know; sometimes the way a system doesn't respond tells you as much as if it does respond).



  • 4.  RE: SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 24, 2014 11:35 PM

    Most people aren't aware, but IPS will also detect and block outbound connections from infected machines using network protection technology, so it's possible there's something nasty hiding that only shows itself very periodically.

    Note this technology doesn't rely on a list of blacklisted, known bad hosts, as that is not reliable.  C&Cs have too many tricks to hide and will pop up for an hour and then go dormant for weeks, only to come back up with a different IP, country, etc.

    Lists don't work very well.  It's like relying on URL filtering for your web security: impossible to build and maintain an accurate list, just too much flux out there.  To be at all reliable, which is a prereq to protection, you need to look at the payload, which is one of the things IPS does in this scenario.

    I'd recommend opening a case to have the alert looked at just to be safe given those log details, unless there's a good reason why your mail servers should be reaching out to a host in Brazil.



  • 5.  RE: SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 25, 2014 12:03 PM

    Definitely no cause.  I obfuscated the details just in case the dummy who initiated the attack knows what IPs he/she's attacking from and Googles it to find my little Symantec Connect article, thus knowing who he/she is attacking :) Buggers, all of them.

     

    So in opening a case, would support look at my system (Exchange server) for me to see what they can learn?  I'd very much like to let that occur for certain; the more eyes on an issue the better, usually, and I don't know IPS nearly as well as I should.  Who do I call to open a ticket?  Since I am SMB Specialist for SEP, I think I have something called the SOS team, but for issues like this does it trace back to the same team supporting NTP?



  • 6.  RE: SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 26, 2014 01:10 AM

    I assume you have a support contract?  Either Basic (daytime hours only), Essential (24x7), or Business Critical; you'd know, as you'd have a direct connect to the same person for every case.

    Call the support number (found on support.symantec.com) and give them your support ID, and you'll reach a SEP tech who can give you more detail on the unobfuscated logs and likely run a log collection on that box to see if there are any signs of nefarious activity.

     



  • 7.  RE: SEP 12.1.4: Why does IPS alert say Outbound?

    Posted Sep 26, 2014 07:07 AM

    Ok, will do.  I don't mind sharing real data with tech support, just don't want actual data posted here in the searchable archives :) My customer has a contract, yep.