rbecker
Level 7
Message 1 of 17

Rogue Sensor calling external IPs

Has anyone else experienced rogue sensors calling out to external IPs over TCP ports 22 and 443 or UDP port 65534? Had this issue yesterday where a rogue sensor updated and then called out to an external IP 198.84.127.238, which is a web hosting domain in Washington state. I saw one posting from 2015 that seems similar but it went cold. Anyone else experience anything like this?

16 Replies
cdinet
McAfee Employee
Message 2 of 17

Re: Rogue Sensor calling external IPs

If you identify the system belonging to that sensor that reported that IP, is it a system that sometimes connects outside your network or does that system have a need to connect to that external server for anything?  A sensor listens to the traffic that is on its network card, so it would seem feasible that the system could see traffic from it under some slight circumstances.  The sensor basically does a type of port scan on everything it finds on its network, so you will see it scanning on a wide variety of ports.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

rbecker
Level 7
Message 3 of 17

Re: Rogue Sensor calling external IPs

I can confirm through netstat that the system the offending sensor is on does not have any active connections to the external IP address, nor is it a vendor that we use for anything. I had another sensor the other day call out to an external IP in Helsinki, Finland as well over the same ports. I've only seen this happen on two sensors.

cdinet
McAfee Employee
Message 4 of 17

Re: Rogue Sensor calling external IPs

What version are you running?  Are you sure it is the sensor making the connection and not some malware?  How are you determining it is the sensor itself?


rbecker
Level 7
Message 5 of 17

Re: Rogue Sensor calling external IPs

Sensor version is 5.0.6.125.  I'm thinking it's the sensor because it's occurring over the UDP port for the sensor.  McAfee VirusScan Enterprise hasn't picked up anything on the machine after a comprehensive system scan.

cdinet
McAfee Employee
Message 6 of 17

Re: Rogue Sensor calling external IPs

How frequently is it connecting? If you can run TCPView from sysinternals.com when it is trying to connect, that will tell you the exact process that is generating the traffic.


rbecker
Level 7
Message 7 of 17

Re: Rogue Sensor calling external IPs

It's not connecting frequently at all. I'm certainly hoping that it's an issue with the rogue sensor and not part of a C2-type botnet. Again, McAfee VirusScan Enterprise didn't pick anything up.

cdinet
McAfee Employee
Message 8 of 17

Re: Rogue Sensor calling external IPs

That is going to be hard to track down. When it connects, does it connect in just one attempt or multiple times? Do you have ENS on that system? If so, I would suggest making sure the ENS firewall is installed, then set up a rule to log any traffic to one or all of the external IPs you are trying to track. Not block, but log. That should show you the process that initiated the traffic.

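Editor's note, added to the thread: the ENS firewall logging rule above, and TCPView in message 6, both answer the question the perimeter firewall cannot, namely which process on the host opened the socket. Where ENS is not deployed, Windows itself can record the same fact: the Filtering Platform Connection audit subcategory writes Security event 5156 for every permitted connection, with the owning process path, direction, protocol and destination. The script below is an added example, not code from cdinet or from McAfee; it assumes an elevated PowerShell session on the host carrying the sensor, uses the IP and ports quoted in this thread as its watch list, and writes to an arbitrary path under C:\Temp. Unlike netstat polling it also catches the UDP 65534 probe and connections that last only milliseconds.

```powershell
# Added example (not from the thread or McAfee): attribute outbound connections to
# the owning process using Windows Filtering Platform connection auditing (event 5156).
# Assumptions: run elevated; IPs/ports are the ones quoted in the thread; the CSV path
# is arbitrary. Enabling this audit is noisy, so disable it again when finished.
$Targets = @('198.84.127.238')          # external IPs from the thread; add the Helsinki one when known
$Ports   = @(22, 443, 65534)            # TCP 22/443 and UDP 65534 as reported
$Since   = (Get-Date).AddDays(-1)       # how far back to read the Security log

# 1. Turn on success auditing for connection decisions (produces Security event 5156).
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null

# 2. Read 5156 events and decode the EventData fields we care about.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if (($Targets -contains $d.DestAddress) -and ($Ports -contains [int]$d.DestPort)) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Protocol    = $(switch ([int]$d.Protocol) { 6 { 'TCP' } 17 { 'UDP' } default { $d.Protocol } })
            Direction   = $(if ($d.Direction -eq '%%14593') { 'Outbound' } else { 'Inbound' })
            Destination = "$($d.DestAddress):$($d.DestPort)"
            ProcessId   = [int]$d.ProcessID
            Application = $d.Application   # NT device path of the binary that owned the socket
        }
    }
}

# 3. Show the matches and keep a copy; the Application column answers "sensor or malware?".
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Export-Csv -Path 'C:\Temp\sensor-egress.csv' -NoTypeInformation

# 4. Clean up once the call-out has been caught (the log fills quickly with this on).
# auditpol /set /subcategory:"Filtering Platform Connection" /success:disable
```

Leave the audit enabled across at least one of the infrequent call-outs seen in the perimeter firewall log, then re-run steps 2 and 3. Because the Application field is the path of the process that owned the socket, a hit pointing at the RSD sensor binary and one pointing at some other executable are the two outcomes the thread is trying to tell apart. Raise the Security log size first (wevtutil sl Security /ms:...) if the host is busy, since 5156 is generated for every connection on the box.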

rbecker
Level 7
Message 9 of 17

Re: Rogue Sensor calling external IPs

We currently do not have ENS on any workstations.  I was under the impression that McAfee VirusScan Enterprise also scans for rootkits.  I have my enterprise firewall logs to confirm when the traffic called out. 

cdinet
McAfee Employee
Message 10 of 17

Re: Rogue Sensor calling external IPs

Yes, it does scan for rootkits.  Your network firewall, however, won't tell you the process on the system that initiated the traffic.  If it was a malware issue, I would assume it would be more frequent.  Can they capture the network trace of that traffic to see the actual packets being sent?  That would be most helpful.

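Editor's note, added to the thread: the packet capture cdinet asks for above is the only way to see whether the traffic to 198.84.127.238 is a sensor-style probe (a bare SYN to 22 and 443 and a small UDP datagram to 65534) or something that completes a handshake and carries a payload. The script below is an added example, not code from the thread or from McAfee; it assumes an elevated PowerShell session on the host carrying the sensor, uses the IP quoted in the thread, and picks an arbitrary file path and timings. It uses the built-in netsh trace capture with an address filter, so the trace only contains the traffic of interest, and stops itself when a TCP connection to the address appears or when the time limit runs out.

```powershell
# Added example (not from the thread or McAfee): capture only the packets exchanged
# with the suspect external IP so the actual probe can be inspected, stopping
# automatically once a TCP connection to it has been seen or after a time limit.
# Assumptions: run elevated on the sensor host; the IP is the one quoted in the thread;
# the file path, size cap and timings are arbitrary.
$Suspect   = '198.84.127.238'
$TraceFile = 'C:\Temp\sensor-egress.etl'
$MaxWait   = New-TimeSpan -Hours 8       # call-outs are infrequent, so allow a long window

# Rolling 100 MB capture, filtered by the capture driver to traffic to/from the suspect address.
netsh trace start capture=yes "tracefile=$TraceFile" maxsize=100 overwrite=yes "IPv4.Address=$Suspect"

$deadline = (Get-Date) + $MaxWait
$seen     = $false
while ((Get-Date) -lt $deadline) {
    # Any TCP state towards the suspect (SynSent, Established, TimeWait ...) is enough to stop.
    $c = Get-NetTCPConnection -RemoteAddress $Suspect -ErrorAction SilentlyContinue
    if ($c) {
        $seen = $true
        "$(Get-Date -Format s) connection observed, state $($c | Select-Object -First 1 -ExpandProperty State)"
        Start-Sleep -Seconds 30          # let any follow-on traffic land in the trace
        break
    }
    Start-Sleep -Seconds 2
}

# UDP probes (the 65534 one) have no connection-table entry, so they only end the capture
# via the deadline; they are still recorded because the filter is by address, not protocol.
netsh trace stop
if (-not $seen) { "No TCP connection to $Suspect observed before the deadline; inspect the trace for UDP." }

# The .etl converts to pcapng with Microsoft's etl2pcapng (github.com/microsoft/etl2pcapng)
# and then opens in Wireshark:
#   etl2pcapng.exe C:\Temp\sensor-egress.etl C:\Temp\sensor-egress.pcapng
```

In the resulting capture, a port scan of the kind cdinet describes in message 2 shows up as single SYNs with no completed handshake and a one-packet UDP probe; a completed TCP handshake on 443 followed by TLS data is what would need the malware explanation instead.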
