The question is simple: these log entries show up on our SonicWall every day, and I have never seen anything like this before. My initial thought is that it is just another bot looking for vulnerabilities. Any insight you can offer would be appreciated, in particular what they might be trying to exploit.
SonicWall firmware: SonicOS Enhanced 6.5.4.9-92n
Log in CSV format:
AuditID Transaction_Id Time Audit_Path group Index Description Old New Status UUID User Session Mode Source Dest Interface
0 1 18:24:42 Jan 05 2022 Download file /scripts/cgi-bin/cbag/ag.exe Failed 146.70.38.12 (36825) <our external address> (700) X1
1 2 18:24:48 Jan 05 2022 Download file grn.exe Failed 146.70.38.12 (44723) <our external address> (700) X1
2 3 18:24:50 Jan 05 2022 Download file ag.exe Failed 146.70.38.12 (50973) <our external address> (700) X1
3 4 18:24:54 Jan 05 2022 Download file /cgi-bin/cbag/ag.exe Failed 146.70.38.12 (55745) <our external address> (700) X1
4 5 18:24:56 Jan 05 2022 Download file db.exe Failed 146.70.38.12 (39315) <our external address> (700) X1
5 6 18:24:58 Jan 05 2022 Download file mw.exe Failed 146.70.38.12 (37489) <our external address> (700) X1
6 7 18:25:20 Jan 05 2022 Download file /scripts/cgi-bin/cbag/ag.exe Failed 146.70.38.12 (60097) <our external address> (85) X1
7 8 18:25:22 Jan 05 2022 Download file grn.exe Failed 146.70.38.12 (44205) <our external address> (85) X1
8 9 18:25:23 Jan 05 2022 Download file ag.exe Failed 146.70.38.12 (59829) <our external address> (85) X1
9 10 18:25:25 Jan 05 2022 Download file /cgi-bin/cbag/ag.exe Failed 146.70.38.12 (51061) <our external address> (85) X1
10 11 18:25:25 Jan 05 2022 Download file db.exe Failed 146.70.38.12 (35567) <our external address> (85) X1
11 12 18:25:26 Jan 05 2022 Download file mw.exe Failed 146.70.38.12 (39315) <our external address> (85) X1
Answer 1
I am seeing the same entries too, from 10Jan22, but from IP 45.133.173.12. This is on a TZ370. Opened a case with SonicWall to try to get more information. No explanation so far.
Edit - I also raised this on Twitter. See the reply from @SonicWallTech:
"We spoke with the PSIRT team. The traffic appears consistent with automated scanner queries to identify known vulnerabilities. The 'URI' strings shown in the screenshot are related to a known vulnerability in Cybozu, https://exploit-db.com/exploits/2266, but the IP can be blocked."
https://twitter.com/SonicWallTech/status/1485714306951958533
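Since the answer identifies this as automated scanner noise, a practical follow-up is to flag such bursts in the exported audit log rather than reading them by hand. The script below is an added example (not from the question, the answer, or SonicWall) that parses the flattened "Download file" lines in the layout posted above and reports any source IP that requests several of the posted scanner filenames within a short window. The sample log is constructed from the posted entries, with 203.0.113.10 standing in for <our external address>; the filename set and the 60-second/3-hit thresholds are assumptions you can tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the flattened SonicOS audit-log layout from the question; the
# source IP and filenames are those posted, 203.0.113.10 stands in for <our external address>.
SAMPLE_LOG = """\
0 1 18:24:42 Jan 05 2022 Download file /scripts/cgi-bin/cbag/ag.exe Failed 146.70.38.12 (36825) 203.0.113.10 (700) X1
1 2 18:24:48 Jan 05 2022 Download file grn.exe Failed 146.70.38.12 (44723) 203.0.113.10 (700) X1
2 3 18:24:50 Jan 05 2022 Download file ag.exe Failed 146.70.38.12 (50973) 203.0.113.10 (700) X1
3 4 18:24:54 Jan 05 2022 Download file /cgi-bin/cbag/ag.exe Failed 146.70.38.12 (55745) 203.0.113.10 (700) X1
4 5 09:12:00 Jan 05 2022 Download file report.pdf Failed 198.51.100.7 (41000) 203.0.113.10 (443) X1
"""

LINE_RE = re.compile(
    r"^(?P<audit>\d+) (?P<tx>\d+) (?P<time>\d{2}:\d{2}:\d{2}) (?P<date>\w{3} \d{2} \d{4}) "
    r"Download file (?P<file>\S+) (?P<status>\w+) (?P<src>[\d.]+) \((?P<sport>\d+)\) "
    r"(?P<dst>\S+) \((?P<dport>\d+)\) (?P<iface>\S+)$"
)

# Filenames from the posted log (the Cybozu 'cbag' scanner pattern named in the answer); assumed list.
SCANNER_FILES = {"ag.exe", "grn.exe", "db.exe", "mw.exe"}

def parse_line(line):
    """Parse one 'Download file' audit line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%b %d %Y %H:%M:%S")
    rec["basename"] = rec["file"].rsplit("/", 1)[-1]
    return rec

def find_scan_bursts(log_text, min_hits=3, window=timedelta(seconds=60)):
    """Return {src_ip: (hits, sorted paths)} for sources with >= min_hits scanner-file failures in `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "Failed" and rec["basename"] in SCANNER_FILES:
            by_src[rec["src"]].append(rec)
    bursts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):          # sliding window anchored at each hit
            inside = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            if len(inside) >= min_hits:
                bursts[src] = (len(inside), sorted({r["file"] for r in inside}))
                break
    return bursts
```

Feed it the exported CSV (one entry per line) and use the flagged sources as candidates for the address block the vendor suggested, after checking they are not yours.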