
Security alerts from ios device

Hello,

For some time now I have been getting messages from my UTM9 like the two following:

2018:05:09-07:53:21 lyra snort[17243]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT-KIT Rig Exploit Kit redirection attempt" group="500" srcip="88.208.20.24" dstip="172.16.28.11" proto="6" srcport="80" dstport="53601" sid="43217" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

2018:05:09-08:26:01 lyra ulogd[8476]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="wlan0" srcmac="80:ce:05:7b:74:57" dstmac="00:1a:9c:0a:a5:00" srcip="172.16.28.11" dstip="172.16.28.1" proto="1" length="1376" tos="0x00" prec="0x00" ttl="64" type="8" code="0"

The alerts only come up when I use Safari (any site) on my iPhone or iPad.

The IP 172.16.28.11 is my iPhone.

With the first alert comes the information that it is coming from IP 88.208.20.24, which is a company in the Netherlands. Some internet sites are hosted on this IP, all with pornographic content. That much I have found out so far.
 
I would appreciate some advice here.
Regards
Patrick
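As an added example (not part of the original post or of Sophos's own tooling), here is a small Python parser for the UTM9 `key="value"` log format quoted above. It splits the syslog header from the key/value pairs, then triages IPS events by whether the local device is the source or the destination, which makes the two alerts easier to read side by side: the first is an inbound drop from a remote host, the second is ICMP echo traffic from the phone towards the gateway. The sample input is the two lines from the post; the local prefix `172.16.28.` is taken from those lines.

```python
import re

# Sample input: the two UTM9 lines quoted in the post above.
SAMPLE_LOG = """\
2018:05:09-07:53:21 lyra snort[17243]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT-KIT Rig Exploit Kit redirection attempt" group="500" srcip="88.208.20.24" dstip="172.16.28.11" proto="6" srcport="80" dstport="53601" sid="43217" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2018:05:09-08:26:01 lyra ulogd[8476]: id="2104" severity="info" sys="SecureNet" sub="ips" name="ICMP flood detected" action="ICMP flood" fwrule="60014" initf="wlan0" srcmac="80:ce:05:7b:74:57" dstmac="00:1a:9c:0a:a5:00" srcip="172.16.28.11" dstip="172.16.28.1" proto="1" length="1376" tos="0x00" prec="0x00" ttl="64" type="8" code="0"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Only the ICMP types that matter for reading the second alert.
ICMP_TYPES = {"8": "echo request", "0": "echo reply"}


def parse_line(line):
    """Return a dict of header fields plus every key="value" pair, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(dict(KV_RE.findall(m["rest"])))
    return rec


def parse_log(text):
    """Parse every non-empty line; lines that do not match the format are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records, local_net="172.16.28."):
    """Summarise IPS events relative to the local network (assumed prefix)."""
    out = []
    for r in records:
        if r.get("sub") != "ips":
            continue
        src_local = r["srcip"].startswith(local_net)
        dst_local = r["dstip"].startswith(local_net)
        if src_local and not dst_local:
            direction = "outbound"
        elif dst_local and not src_local:
            direction = "inbound"
        else:
            direction = "internal"      # both ends on the local network
        detail = r.get("reason") or r["name"]
        if r.get("proto") == "1":       # ICMP: decode the type field
            detail += " (ICMP %s)" % ICMP_TYPES.get(r.get("type"), "type " + r.get("type", "?"))
        out.append({
            "ts": r["ts"],
            "id": r["id"],
            "direction": direction,
            "local_host": r["srcip"] if src_local else r["dstip"],
            "remote_host": r["dstip"] if src_local else r["srcip"],
            "blocked": r["action"] == "drop",
            "detail": detail,
        })
    return out


if __name__ == "__main__":
    for ev in triage(parse_log(SAMPLE_LOG)):
        print("%(ts)s id=%(id)s %(direction)s local=%(local_host)s "
              "remote=%(remote_host)s blocked=%(blocked)s: %(detail)s" % ev)
```

The point of separating direction from action is that the two alerts have different shapes: the Rig Exploit Kit signature fired on a web response coming in from 88.208.20.24 and was dropped, whereas the ICMP flood entry is echo requests the phone itself sent to the UTM, which is why wiping the device rather than tuning the IPS was the right first move for the second one.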


This thread was automatically locked due to age.
  • Hi,

    Looking at the log lines, the UTM is simply dropping malicious traffic and an ICMP flood attempt. If your observation tells you that this occurs during the time you use Safari, then you must get the devices scanned. Alongside, make sure the UTM's patterns are up to date.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hey,

    thank you for your reply.

    I wiped the devices and hopefully got rid of the Rig Exploit Kit alert.

    Now I have to deal with the ICMP flood.

    Kind regards
    Patrick

  • Hello,

    short notice on the intrusion alert issue.

    After I contacted Apple support (very helpful by the way), I went the hard way and reinstalled both devices using DFU or Recovery mode.

    At first everything looked all right, but after a day the same problem started again. Only with the Safari browser. I installed Firefox as an alternative and I don't get any alerts from the Sophos.

    So, I'm still on the job. Any advice would be helpful

    Regards Patrick
