
Attack on WebAdmin-port: many failed logins

Does anyone else experience attacks on the WebAdmin-port with many failed logins? [WARN-005]

This evening I received from all of the Sophos UTMs from my clients (15 in the Netherlands) notifications of failed logins. All with username "admin" and all from 65.21.141.30 (Germany) [edit: correction: Finland].

I can block this of course, but I don't understand who could find out all the IP addresses. Only Sophos can know those from the update servers. So I would like to know if others are experiencing the same.
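The pattern described in this post (many failed logins, one username, one source address, within minutes) is the classic signature of a password-guessing attempt, and it is the kind of thing a small log check can raise an alert on before an admin reads the notification e-mails. The script below is an added example and is not from this thread or from Sophos: the log line format, the timestamps and the addresses (documentation ranges) are constructed for illustration and do not reflect the real Sophos UTM log format. It parses failed-login events and flags any source that produces at least a threshold of failures inside a sliding time window, also reporting which usernames were tried.

```python
"""Flag brute-force login attempts against an admin interface from log lines.

Added example, not from the forum thread or from Sophos. The log format,
sample lines and IP addresses below are constructed for illustration; they
are not the Sophos UTM log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, result, user, source).
SAMPLE_LOG = """\
2021-06-12T21:02:11Z webadmin: login failed user="admin" src="203.0.113.10"
2021-06-12T21:02:14Z webadmin: login failed user="admin" src="203.0.113.10"
2021-06-12T21:02:19Z webadmin: login failed user="admin" src="203.0.113.10"
2021-06-12T21:02:23Z webadmin: login failed user="admin" src="203.0.113.10"
2021-06-12T21:02:30Z webadmin: login failed user="admin" src="203.0.113.10"
2021-06-12T21:05:02Z webadmin: login failed user="jdoe" src="198.51.100.7"
2021-06-12T21:05:40Z webadmin: login ok user="jdoe" src="198.51.100.7"
"""

# Regex matching the constructed line format above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) webadmin: login (?P<result>failed|ok) '
    r'user="(?P<user>[^"]*)" src="(?P<src>[^"]+)"$'
)


def parse_lines(text):
    """Turn log text into (timestamp, result, user, src) tuples.

    Lines that do not match the expected format are skipped rather than
    raising, so one odd line cannot stop the whole check.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src: (failed_count, sorted_usernames)} for every source that
    has at least `threshold` failed logins inside any `window`-long span."""
    failed_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "failed":
            failed_by_src[src].append((ts, user))

    hits = {}
    for src, attempts in failed_by_src.items():
        attempts.sort()
        start = 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                hits[src] = (count, users)
    return hits


def main():
    events = parse_lines(SAMPLE_LOG)
    for src, (count, users) in find_bruteforce(events).items():
        print(f"ALERT: {count} failed logins from {src} (users tried: {users})")


if __name__ == "__main__":
    main()
```

Run against a real log export, the useful tuning knobs are `threshold` and `window`; a single source failing five times in ten minutes against a privileged account is worth an alert even when the password never succeeds, and the output gives you the address to block and the account to review.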

  • We had exactly this attack with this IP address for more than 2 hours (in Germany).

    I simply blocked public access and enabled two-factor authentication.

    I heard in Germany that this happened to many companies that have a Sophos Firewall. I think there is a SOPHOS data leak (IP leak)!? I'm not sure, but I called a friend's company, and they had the attack at the exact same time. To me that means they have all Sophos customer IP addresses; they wouldn't randomly check the IP ports!

  • Please note this does not mean that customer IP data has leaked from Sophos. There are plenty of easier ways an attacker could create a list of IP addresses to target - they would not need to randomly check IP ports/addresses to find devices. As I mentioned in my original reply, websites like Shodan provide a really easy way to get a list of IPv4 addresses that are listening on a specific port, and they even provide further search criteria to narrow things down. I'm not going to link to them here, but if you're curious, go take a look.
