Strange activity on network.. assistance appreciated!

I have been getting hits like the one below, as reported by Bitdefender, on my network. It appears to be coming from my network gateway; I am not sure if it is just the network scanner, but the events have been escalating lately and happening on all of the networks. I made a port group (554, 445, 137, 138, 139) and blocked it on WAN in, local LAN, and LAN in, but I am still getting the hits. I have blocked all networks from gateways (tested all networks and no connectivity to GWs, and blocked pings), and also have blocked all RFC1918 traffic between LANs. I know this group does not like UniFi firewalls… but I have not had an issue with them; reminds me of the old school rule sets back in the days of dialup. 😜 Any thoughts would be greatly appreciated…

Detection name: Exploit.PentestingTool.HTTP.3
Attack Technique: Lateral Movement
Attacker’s IP: 192.168.5.1
Targeted IP: 192.168.5.50
Port: 445

Scott

Problem solved. Thank you.


How did you solve it, as I am having the same issue?

I blocked the SMB ports on WAN out, which worked. Then I went into the HP printer settings and turned those ports off except 1900, and it resolved the issue. To check, I then disabled the firewall rule, and the traffic alerts stopped. So it was not incoming traffic; it was traffic being generated by the printer. By turning off those ports manually on the printer, it resolved the issue. If your clients need those ports to connect to your printer, then leave the firewall rule in place.

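An added example, not part of the thread: a small Python triage script that parses alerts in the layout quoted in the first post and counts them per source and port, marking whether the reported source is an RFC1918 address. A source inside the LAN, as in the alert above, points to traffic generated on the network rather than arriving from the WAN. The sample alerts are constructed, and 203.0.113.7 is a documentation address used as a stand-in for an external source.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges, the same ones the original poster blocked between LANs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts, built in the field layout quoted in the thread.
TEMPLATE = ("Detection name: Exploit.PentestingTool.HTTP.3\n"
            "Attack Technique: Lateral Movement\n"
            "Attacker's IP: {src}\nTargeted IP: {dst}\nPort: {port}\n")
SAMPLE = "\n".join(TEMPLATE.format(src=s, dst=d, port=p) for s, d, p in [
    ("192.168.5.1", "192.168.5.50", 445),
    ("192.168.5.1", "192.168.5.51", 445),
    ("203.0.113.7", "192.168.5.50", 139),
])

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")

def parse_alerts(text):
    """Split blank-line separated alert blocks into dicts keyed by lower-cased field name."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.replace("\u2019", "'"))  # normalise curly apostrophe
            if m:
                rec[m.group(1).lower()] = m.group(2)
        if rec:
            alerts.append(rec)
    return alerts

def is_rfc1918(addr):
    """True when addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def summarise(alerts):
    """Count alerts per (source, port), most frequent first, tagging the source origin."""
    counts = Counter((a["attacker's ip"], int(a["port"])) for a in alerts
                     if "attacker's ip" in a and "port" in a)
    return [{"source": src, "port": port, "hits": n,
             "origin": "internal" if is_rfc1918(src) else "external"}
            for (src, port), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarise(parse_alerts(SAMPLE)):
        print(row)
```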