Forum Discussion

Mohanish_169493
Nov 28, 2015

Suspicious traffic over GTM

Hi,

We are seeing some suspicious traffic over GTM. We are seeing its listener IP address making multiple connections to some IP addresses over the internet over port 22.

This is generating traffic over the GTM to the amount of TB. We are seeing close to 3 lakh connections in the connection table.

What can be the cause of this? How to prevent this? We have GTM directly exposed to the internet and no FW in between.

3 Replies

  • What is 3 lakh connections? Are you sure the traffic is outgoing? What kind of IPs are involved, do they make sense for your company or ...? If you are unsure I would call support directly and let them investigate; if the box is compromised you want that fixed asap.
  • Hi, I can see multiple IP addresses from my public segment making connections to some unknown random IPs over the internet on port 80. Can it be possible that my GTM is compromised, or could it be that some servers sitting behind it are compromised?
  • a lakh = 1 hundred thousand.

    I would suggest the box has probably been compromised. You should reinstall the OS and restore the config from a UCS, and open a support case to check there aren't unexpected files in the UCS. Make sure that your port lockdown settings are appropriate and do not allow connections to public facing self-ips (allow none), allowing tcp/4353 where appropriate for iQuery.
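As an added example (not from this thread and not F5 tooling), a small Python triage helper for the symptom the original poster describes: it reads connection-table lines, treats a flow whose client side is one of the device's own self IPs and whose server side is outside the internal ranges as outbound, and counts those flows per destination port. The column layout (client, server, protocol, idle seconds), the self IPs, the internal-range list and the sample lines are all constructed assumptions; adapt `parse_line` to the real `tmsh show sys connection` output before use.

```python
import ipaddress
from collections import Counter

# Assumed: the self IPs of this device (constructed values, replace with yours).
SELF_IPS = {"203.0.113.10", "10.0.0.10"}

# Assumed: what counts as "internal"; anything else is treated as internet-facing.
# Documentation ranges (198.51.100.x, 192.0.2.x) stand in for internet addresses
# in the sample below, so they are deliberately not listed here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines in the assumed layout:
# <client ip:port> <server ip:port> <proto> <idle seconds>
SAMPLE_LINES = """
203.0.113.10:51000 198.51.100.7:22 tcp 3
203.0.113.10:51001 198.51.100.8:22 tcp 5
203.0.113.10:51002 198.51.100.9:22 tcp 1
198.51.100.20:44000 203.0.113.10:53 udp 2
10.0.0.10:40000 10.0.0.55:4353 tcp 10
203.0.113.10:51003 192.0.2.5:80 tcp 2
""".strip().splitlines()


def parse_line(line):
    """Split one connection-table line into (client_ip, client_port, server_ip, server_port, proto)."""
    client, server, proto = line.split()[:3]
    c_ip, c_port = client.rsplit(":", 1)
    s_ip, s_port = server.rsplit(":", 1)
    return c_ip, int(c_port), s_ip, int(s_port), proto


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_outbound_from_self(c_ip, s_ip):
    """A self IP or listener should normally receive flows, not initiate them
    towards external addresses; such flows are what the thread describes."""
    return c_ip in SELF_IPS and not is_internal(s_ip)


def outbound_by_port(lines, threshold=1):
    """Count outbound flows per (proto, dest port) and keep those at or above threshold."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        c_ip, _, s_ip, s_port, proto = parse_line(line)
        if is_outbound_from_self(c_ip, s_ip):
            counts[(proto, s_port)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (proto, port), n in sorted(outbound_by_port(SAMPLE_LINES).items()):
        print(f"{n} outbound {proto} flow(s) from a self IP to port {port}")
```

Inbound flows to the listener (the DNS line) and internal iQuery traffic on tcp/4353 are left out of the count, so only the unexpected self-IP-initiated flows surface.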