BI server initiated intrusion attempt?!

Joined Feb 23, 2017
I'm running BI 4.5.7.0 on an Optiplex 5040 that was purchased new and has only ever been used for BI. It's headless, and has never even been used to browse the internet. I'm running Symantec Endpoint Protection, and following the WannaCry scare, added Malwarebytes just for a little additional peace of mind.

Last night, I got the following email alert from SEP:


A high-risk intrusion was detected on Blue Iris within group Default Group on 5/24/2017 7:12:32 PM.
IPS Alert Name
Attack: Apache Struts CVE-2017-5638
Status
Blocked
Attack Signature
N/A
Targeted Application
N/A
Targeted IP
222.186.34.148
Targeted Port Number
1694
Targeted Host Name
N/A

When I first saw the email, I thought it had detected and blocked an incoming attack, but upon further inspection, it indicated that my BI server was the source of the attack, and that it attempted to attack the target IP through the target port. My network sits behind a Ubiquiti USG and only port 90 is forwarded to the BI PC, so that's why I initially thought it was strange for an incoming attack to have been detected.

Researching this attack, it seems to stem from a vulnerability with Apache Struts that was patched back in March. I'm curious if BI uses Struts and if it is or will be patched in an upcoming version. On the other hand, the current version was only released yesterday, and my system auto updated. I'm also wondering if it has a compromised version of Struts as part of it, and the attack was initiated after the upgrade.

Incidentally, running full system scans with both SEP and Malwarebytes revealed no detected threats on the system.
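As an added example (not code from any poster in this thread or from Blue Iris), here is a small Python triage helper that parses an SEP IPS alert in the format shown above and decides from the "Targeted IP" field which way the blocked connection was going: a public targeted address means the monitored host initiated the connection, exactly the situation described in the post. The sample alert text is reconstructed from the thread, and the local network range (192.168.0.0/16) and the follow-up checklist are assumptions.

```python
import ipaddress
import re

# Constructed sample: the SEP IPS alert text as quoted in the thread.
SAMPLE_ALERT = """A high-risk intrusion was detected on Blue Iris within group Default Group on 5/24/2017 7:12:32 PM.
IPS Alert Name
Attack: Apache Struts CVE-2017-5638
Status
Blocked
Attack Signature
N/A
Targeted Application
N/A
Targeted IP
222.186.34.148
Targeted Port Number
1694
Targeted Host Name
N/A
"""

# Field labels that SEP prints on one line with the value on the next line.
FIELDS = ("IPS Alert Name", "Status", "Attack Signature", "Targeted Application",
          "Targeted IP", "Targeted Port Number", "Targeted Host Name")

# Assumed local address space; adjust to your own LAN.
LOCAL_NETS = (ipaddress.ip_network("192.168.0.0/16"),)


def parse_alert(text):
    """Turn the label/value alert layout into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    rec = {"summary": lines[0]}
    m = re.search(r"detected on (.+?) within group (.+?) on (.+)\.$", lines[0])
    if m:
        rec["host"], rec["group"], rec["time"] = m.groups()
    i = 1
    while i + 1 < len(lines):
        if lines[i] in FIELDS:
            rec[lines[i]] = lines[i + 1]
            i += 2
        else:
            i += 1
    return rec


def classify_direction(rec, local_nets=LOCAL_NETS):
    """'inbound' if the targeted address is local (the host was attacked),
    'outbound' if it is a public address (the host was the source)."""
    ip = ipaddress.ip_address(rec["Targeted IP"])
    if ip.is_private or any(ip in net for net in local_nets):
        return "inbound"
    return "outbound"


def follow_up(rec):
    """Defender checklist (assumed guidance) keyed on the alert direction."""
    if rec["direction"] == "outbound":
        return [
            "treat the host as possibly compromised until the owning process is identified",
            "pull the SEP IPS log for the connection and note the process and parent",
            "review egress firewall logs for the same destination and port",
            "confirm the host only needs port 90 inbound and restrict its egress",
        ]
    return ["verify the inbound path (forwarded ports) and that the block held"]


def triage(text, local_nets=LOCAL_NETS):
    rec = parse_alert(text)
    rec["direction"] = classify_direction(rec, local_nets)
    rec["blocked"] = rec.get("Status") == "Blocked"
    rec["actions"] = follow_up(rec)
    return rec


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print(result["host"], result["direction"], result["Targeted IP"],
          result["Targeted Port Number"], "blocked" if result["blocked"] else "NOT blocked")
    for step in result["actions"]:
        print(" -", step)
```

Run it against the alert above and the direction comes out as "outbound", which is why the poster's reading of the email is the right one: SEP is reporting that the Blue Iris machine tried to reach the remote address, not that something reached it.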
 

Jareds (Young grasshopper, joined May 11, 2017)
A stretch, but have you blocked your cameras from accessing the internet completely? If not, you should. Only allow the BI server access to the WAN. That is the safest bet.
 

Jareds (Young grasshopper, joined May 11, 2017)
It seems odd, but who knows. I don't think I would worry too much. It was blocked, so that's a good thing.
 
Joined Feb 23, 2017
> A stretch, but have you blocked your cameras from accessing the internet completely? If not, you should. Only allow the BI server access to the WAN. That is the safest bet.

Yes, the cameras are not accessible from the outside.
 

jkthomas3480 (Young grasshopper, joined Jun 8, 2016)
> [quoting the original post in full]

I'm getting the same alert from Norton. When I do an IP whois lookup for the destination address, it is in China. That always concerns me.