Support #5477

[SCP ID :##2783##] : Incident Notification (Ref: 1EB9832F).

Added by Zahir Abd Latif about 9 years ago. Updated about 9 years ago.

Status: Closed - End of life cycle
Priority: High
Assignee: Zahir Abd Latif
Category: RIB
Target version: -
Start date: September 07, 2015
Due date: -
% Done: 100%
Spent time: -

Description

Hi,
Kindly attend to the request below:

E-corp has reported the incident below. Kindly advise.

_____________________________________________________________________________________________________________
From: GCC MASTER [mailto:]
Sent: Sunday, September 06, 2015 5:45 PM
To: IT OERATOR2; Service Desk; Darren Shei; HISHAMMUDDIN MUHAMED; MAHAZAN BIN ABDUL MANAN; MOHD FIKRIEZUDIN BIN MOHD FAUZI; NOORSHAFIDA RASIDI; ROFADIAH BINTI MOHAMAD; SHAIFUL AZWAN ADNAN BIN ABD. RAHMAN; SIMON TOH BOO GUAN
Subject: Incident Notification (Ref: 1EB9832F)

Dear Customer,

This is an incident notification from the e-Cop 24x7 Global Command Center. e-Cop has detected the following incident on your network. Please take note of the following, which has occurred:

Incident alert was detected by IIS Server: agronet.com.my (Leboh Pasar Besar, MY) (172.16.50.21).

On 06 September 2015, source IP 203.106.156.209 attempted

GET /bib/bib114/administrationUser.do?nId=78e129c0ff615e16aa12a9715a34d01016f233cf79f7c3676b769b66b3
GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a 200
GET /bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c4
GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=e0897546dd752a6d585955b64cc9390d 200
GET /bib/bib114/dashboard.css 404

towards target IP: 172.16.50.22

Occurrences: 11
Event Classification: Suspicious Activity
Severity: Medium

____________________________________________________________________________________________________________________
Incident Descriptions:

This event indicates that a scanning attempt toward the webpages above has been made. Since all requested pages resulted in 404 (Not Found), the source was unable to obtain a valid page.

Note: Please check the application for any abnormality. Kindly ensure the system is using an up-to-date version of the software and has had all vendor-supplied patches applied.

Please verify whether the source is attempting legitimate traffic. If the traffic is not legitimate and has no impact on your business, please block the source IP at the router level.

______________________________________________________________________________________________________________
Excerpts of Log:

172.16.50.22<182>Sep 06 16:39:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:39:43 +0800] "GET /bib/bib114/administrationUser.do?nId=78e129c0ff615e16aa12a9715a34d01016f233cf79f7c3676b769b66b3a13229&SECONDARY_TOKEN=0c4d18bc2d1afbed26fb7e65d45f9df2 200 39347 "https://www.agronet.com.my/bib/common/ibChannel.do?nId=fe62a09461cabb89ef5a8861177fe74346f48871d04203d52c490d18ca10e893&SECONDARY_TOKEN=50bbbefc37ac92ebdb7f697775263e75" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 00008vEOrphOAYa0CWbT_xqIg-4:app1bibsrv1 IBAPPSVR1:9082

172.16.50.22<182>Sep 06 16:48:56 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:48:55 +0800] "GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a 200 37531 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082

172.16.50.22<182>Sep 06 16:48:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:48:44 +0800] "GET /bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a 200 39347 "https://www.agronet.com.my/bib/common/ibChannel.do?nId=53eaa14001e0acb5ea7921a532f7ef7da80b831c876bc1e39cf3aeaff54210a5&SECONDARY_TOKEN=89713e12ead31b952bf23c929a057970" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082

172.16.50.22<182>Sep 06 16:50:40 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:50:38 +0800] "GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=e0897546dd752a6d585955b64cc9390d 200 37531 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=e0897546dd752a6d585955b64cc9390d" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082

172.16.50.22<182>Sep 06 16:39:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:39:44 +0800] "GET /bib/bib114/dashboard.css 404 3781 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=78e129c0ff615e16aa12a9715a34d01016f233cf79f7c3676b769b66b3a13229&SECONDARY_TOKEN=0c4d18bc2d1afbed26fb7e65d45f9df2" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 00008vEOrphOAYa0CWbT_xqIg-4:app1bibsrv1 IBAPPSVR1:9082

________________________________________________________________________________________________________
WhoIs Lookup of the Source IP: 203.106.156.209

inetnum: 203.106.144.0 - 203.106.159.255
netname: INFRA-TMNET
descr: TMNET
country: MY

_________________________________________________________________________________________________________
Note: Source has been notified via e-mail.

For more information please call e-Cop's hotline @ +603-89961045.

Regards
GCC Master – Zharifah
Global Command Center

Managing Risk. Securing Enterprise.
Hotline SG : (65) 6590 3266
Hotline MY : (60) 3 8996 1045
Hotline HK : (852)2100 0111
E-Mail :
Homepage: www.e-Cop.net
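An added example, written for this ticket rather than taken from e-Cop or the SCP, that parses the five log excerpts quoted in the notification and tallies them per source IP. The notification's description says every requested page resulted in 404, yet four of the five quoted lines carry status 200 and the only 404 is the stylesheet dashboard.css, requested one second after the administrationUser.do page named in its Referer; a tally like this is the first check to run before acting on the block-the-IP advice. The log layout (a syslog relay prefix, then an Apache-style access line whose request field is quoted only at the front, then trailing LocalAddr/LocalPort/Host fields) is inferred from the excerpts themselves; reading the last two trailing tokens as "session id:application server" and "backend host:port" is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the five log excerpts quoted in the e-Cop notification above,
# copied verbatim (including the request field that has no closing quote after the path).
SAMPLE_LOG = """\
172.16.50.22<182>Sep 06 16:39:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:39:43 +0800] "GET /bib/bib114/administrationUser.do?nId=78e129c0ff615e16aa12a9715a34d01016f233cf79f7c3676b769b66b3a13229&SECONDARY_TOKEN=0c4d18bc2d1afbed26fb7e65d45f9df2 200 39347 "https://www.agronet.com.my/bib/common/ibChannel.do?nId=fe62a09461cabb89ef5a8861177fe74346f48871d04203d52c490d18ca10e893&SECONDARY_TOKEN=50bbbefc37ac92ebdb7f697775263e75" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 00008vEOrphOAYa0CWbT_xqIg-4:app1bibsrv1 IBAPPSVR1:9082
172.16.50.22<182>Sep 06 16:48:56 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:48:55 +0800] "GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a 200 37531 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082
172.16.50.22<182>Sep 06 16:48:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:48:44 +0800] "GET /bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=c8497ebea72e38d6796dfd022fd9002a 200 39347 "https://www.agronet.com.my/bib/common/ibChannel.do?nId=53eaa14001e0acb5ea7921a532f7ef7da80b831c876bc1e39cf3aeaff54210a5&SECONDARY_TOKEN=89713e12ead31b952bf23c929a057970" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082
172.16.50.22<182>Sep 06 16:50:40 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:50:38 +0800] "GET /bib/bib101/ibWelcome.do?SECONDARY_TOKEN=e0897546dd752a6d585955b64cc9390d 200 37531 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=a82a368945989e4a20d33068a7a41beae3246d4f6650137a9682c429c47d0595&SECONDARY_TOKEN=e0897546dd752a6d585955b64cc9390d" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 0000XP6SjgNB_YPL2yxRLS_pZnI:app1bibsrv1 IBAPPSVR1:9082
172.16.50.22<182>Sep 06 16:39:46 ibwebsvr2 HTTP[info] 203.106.156.209 - - [06/Sep/2015:16:39:44 +0800] "GET /bib/bib114/dashboard.css 404 3781 "https://www.agronet.com.my/bib/bib114/administrationUser.do?nId=78e129c0ff615e16aa12a9715a34d01016f233cf79f7c3676b769b66b3a13229&SECONDARY_TOKEN=0c4d18bc2d1afbed26fb7e65d45f9df2" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 0 LocalAddr=172.16.50.22 LocalPort=80 Host=www.agronet.com.my - 00008vEOrphOAYa0CWbT_xqIg-4:app1bibsrv1 IBAPPSVR1:9082
"""

# Layout inferred from the excerpts: relay IP and syslog priority, syslog timestamp and
# web host, "HTTP[level]", then an Apache-style access line. The request field opens
# with a quote but has none after the path, so the status and size follow directly.
LOG_RE = re.compile(
    r'^(?P<relay>[\d.]+)<(?P<pri>\d+)>'
    r'(?P<sysdate>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<web>\S+) HTTP\[(?P<level>\w+)\] '
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?P<rest>.*)$'
)


def parse_line(line):
    """Parse one relayed access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req = urlsplit(rec["path"])
    rec["route"] = req.path
    rec["query"] = {k: v[0] for k, v in parse_qs(req.query).items()}
    ref = urlsplit(rec["referer"])
    rec["referer_host"] = ref.netloc
    rec["referer_query"] = {k: v[0] for k, v in parse_qs(ref.query).items()}
    trailer = rec["rest"].split()
    rec["vhost"] = next((t.split("=", 1)[1] for t in trailer if t.startswith("Host=")), "")
    # Assumption: the last two trailer tokens are "<session id>:<app server>" and "<backend>:<port>".
    rec["backend"] = trailer[-1] if trailer else ""
    rec["session"] = trailer[-2].split(":", 1)[0] if len(trailer) >= 2 else ""
    return rec


def summarize(log_text):
    """Group parsed lines by client IP and report what the notification should have said."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    report = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["when"])  # the quoted excerpt is not in time order
        report[client] = {
            "requests": len(recs),
            "status_counts": dict(Counter(r["status"] for r in recs)),
            "all_not_found": all(r["status"] == 404 for r in recs),
            # Referer on the site's own vhost: the browser arrived from a page it had already loaded.
            "in_app_referer": sum(1 for r in recs if r["referer_host"] == r["vhost"]),
            "sessions": sorted({r["session"] for r in recs}),
            "timeline": [(r["when"].strftime("%H:%M:%S"), r["route"], r["status"]) for r in recs],
        }
    return report


def tokens_exposed(log_text):
    """Distinct SECONDARY_TOKEN values readable from the request line or the Referer."""
    found = set()
    for r in (parse_line(l) for l in log_text.splitlines()):
        if r:
            found.update(q["SECONDARY_TOKEN"] for q in (r["query"], r["referer_query"]) if "SECONDARY_TOKEN" in q)
    return found


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info["status_counts"], "all 404:", info["all_not_found"], "sessions:", len(info["sessions"]))
        for when, route, status in info["timeline"]:
            print(f"  {when} {status} {route}")
    print("SECONDARY_TOKEN values visible in this log:", len(tokens_exposed(SAMPLE_LOG)))
```

Run as is, it prints the per-client status counts (four 200s, one 404), the two session ids the five lines belong to, and the requests in time order, which the quoted excerpt does not preserve. Every line also carries a Referer on www.agronet.com.my, so each request was issued from a page the same browser had already loaded. A separate point worth noting from the same parse: nId and SECONDARY_TOKEN travel in GET query strings, so they are written into this access log and into the Referer of every follow-on request, and anyone who can read the log (the MSSP included) holds them.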

History

#1 Updated by Zahir Abd Latif about 9 years ago

  • Status changed from New - Begin Life Cycle to Pending Customer Feedback

Update from Lee Yong, Sep 7, 2015 03:05 PM:-

The report says there is access from IP 203.106.156.209, which tried 11 times to access IP 172.16.50.22; this is suspicious because
it is not a proper way to access the Agronet link. If 203.106.156.209 is not a legitimate source IP that the bank uses, the recommendation from eCorp is to block the IP.

#2 Updated by Zahir Abd Latif about 9 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • Assignee changed from Ngoh Chee Ping to Zahir Abd Latif
  • % Done changed from 0 to 100

Issue closed in SCP.
