SQL Injection - Admin Portal IP Restricted - How?

Hi,

what port are you using for your access?

an

Not the standard 443.

Hi Flo

Thanks for the detailed article - very informative and nicely put together.

However, it still doesn't address exactly how they targeted the devices with SQL Injection if the device is not accessible from anywhere except for a trusted IP source..?

If you cannot get to the login form, how can you inject the malicious SQL Commands?

Hello,

I also don't have port 8443 or 443 open for WAN settings. I have admin services on for WAN on HTTPS but i am using a different port.

So, I dont understand how the firewall was compromised. Is it a False Positive?

Port scanning your WAN connection will reveal ports that have services running on them. They can then just launch the attack against whatever ports you have open.

Changing the default ports won't stop an attack like this if they scan for open ports.

Hello,

Was the User Portal accessible from WAN without filtering the source IPs ?

Because the issue is both on the Admin Portal and the User Portal.

Hi Viken

User Portal completely disabled on all interfaces, including WAN. We've never used it.

Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

IT-Support-247 said:

Hi Viken

User Portal completely disabled on all interfaces, including WAN. We've never used it.

Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

 

Hello,

How did you configure your Geo-IP filtering on the WAN Admin Portal? Did you allow directly countries in the ACL Exceptions?

My bad, I don't have any Geo-IP filtering enabled on Admin Portal, only on the Firewall rules.

The admin portal rule only allows trusted IPs. Everything that doesn't match, gets dropped.

Oh ok.

But are you really sure that your User Portal is closed from WAN, and that your Admin Portal is only accessible by trusted IPs ?

Could you please send a screenshot of your "Device Access" Tab ?

Yes I am sure. I’ve been working with these devices for over 2 years now.

I’ll find a screenshot soon when I’m back at my computer.

Yes I am sure. I’ve been working with these devices for over 2 years now.

I’ll find a screenshot soon when I’m back at my computer.