Attack on WebAdmin-port: many failed logins

Does anyone else experience attacks on the WebAdmin port with many failed logins? [WARN-005]

This evening I received notifications of failed logins from all of the Sophos UTMs of my clients (15 in The Netherlands). All with username "admin" and all from 65.21.141.30 (Germany) [edit: correction: Finland].

I can block this of course, but I don't understand who could find out all the IP addresses. Only Sophos can know those from the update servers. So I would like to know if others are experiencing the same.



  • Same here, attacks on two devices/two different IP addresses from:

    65.21.141.30

    since a few days.

    I followed BAlfson's advice with removing "any" Networks.

    I am located in Austria.

  • I would challenge the "extra security" by changing the port. 

    Shodan and all the other scanners will scan the header. So therefore, you can easily find all UTMs on the internet.


  • Here also 2 totally different IP ranges, almost at the same time, from 65.21.141.30? Could it be that the scanned URLs are from the LastPass hack? I read that those URLs were not encrypted. I'm from the Netherlands.

  • The original poster thinks that there was a leak of IP addresses of Sophos users. This doesn't have to happen. All that has to happen is someone scanning IP addresses on port 4444 to find any that are open. Then this would indicate that it is probably a Sophos firewall, and then they use tools to try to log in using the default admin account.

    If the port was random, but open, could an attacker know that it is a Sophos firewall? If not, then it would make it even harder to try a brute force attack. I don't know what Shodan is, but at least a different port would provide obscurity and security, as the IPS should be blocking port scans anyway.

    Elaborate on what Shodan does and how they know the IP addresses of everyone using Sophos UTM...even if the Webadmin port was changed.

    Edit: I went to the site and it looked pretty shady to me. $69 a month. Wow....

    A web filtering policy scan of the site listed it as "Information Security" but it seems more like a hacking / criminal activities site.

  • Essentially Shodan is a platform which has scanners and keeps track, like a database, of which IP has which ports open and what is being used.

    See: https://en.wikipedia.org/wiki/Shodan_(website)

    Shodan also tracks the HTML content and what the website is offering. Therefore you can scan the entire internet and get the IPs of all UTM users, if they have an open WebAdmin (regardless of the port).

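As an added example (not code from this thread or from Sophos), the following Python script shows the defender's side of the pattern the posters describe: it counts failed WebAdmin logins per source address over a sliding window to flag a burst of "admin" failures from a single IP, and checks whether that source lies outside the administrator networks WebAdmin should be restricted to (the "remove any" advice above). The log line format and the addresses are constructed for this example and do not reproduce the real UTM log layout.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical format (not the real
# Sophos UTM log layout): "<ISO time> webadmin login <result> user=<name> src=<ip>".
SAMPLE_LOG = """\
2023-01-05T20:12:01 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:12:03 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:12:05 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:12:06 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:12:09 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:14:30 webadmin login failed user=jdoe src=198.51.100.7
2023-01-05T20:25:00 webadmin login failed user=admin src=203.0.113.45
2023-01-05T20:30:00 webadmin login ok user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) webadmin login failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_failures(text):
    """Yield (timestamp, user, src_ip) for every failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def find_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (count, users)} for sources reaching `threshold`
    failed logins inside any sliding `window`; count is the largest seen."""
    per_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        per_src[src].append((ts, user))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0, []))[0]:
                alerts[src] = (count, sorted({u for _, u in events[start:end + 1]}))
    return alerts

def from_unexpected_source(src, allowed_networks):
    """True if `src` is outside the networks WebAdmin should be limited to."""
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(n) for n in allowed_networks)
```

Feeding the burst sources into `from_unexpected_source` with your real management networks separates noisy but legitimate admins from the scanning addresses the thread reports.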