Wondering if anyone has done this,

Status
Not open for further replies.

wpetilli

Technical User
May 17, 2011
1,877
US
Wondering if anyone has done this, but our security folks flagged our Utility server as trying to make an outbound connection to a malicious IP address. They want to install a security agent on it. Is that permitted w/o violating support?
 
Do you have root access? Usually Avaya charges for root access. If you do not have root, then they won't be able to install the agent.
 
Avaya typically voids support if you have 3rd party software installed with their servers.
 
Can they give you any more details about the malicious IP address?

I had to argue with Avaya for a bit because I couldn't download Workplace for a bit. Because they package ZIP files with the app and there's Outlook add-ins bundled in there and they're lazy about it, Google can consider the web page malicious. I'd be interested in what IP they said did it and then do some ARIN lookup of who owns that IP. Maybe it was just reaching out to Avaya.

I can't see why it would necessarily need to reach out to Avaya, but it's just a guess about why it might have shown up on security's radar.

 
The alert came from the Utility server, which is internal. It tried to connect outbound to some known malicious IP. Other than SAL, the SBC should be the only thing able to hit that via reverse proxy.
 
What port was the connection trying to use, as that may give you an idea of what it was trying to do.

You should be blocking any outbound connections that don't match an ACL on your firewall, so I'd ask them why it was being permitted outbound and tell them to block external traffic for the util server.
 
Problem was legit. The utility server was compromised via the SBC. The phonebackup directory had malicious entries of PHP files that called back out. In case anyone uses the Utility server, be aware of the vulnerability.
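A defender-side check for the finding above, added here as an example rather than anything posted in the thread: it walks a phone backup directory (constructed under a temporary path) and flags files that carry a PHP extension or contain a PHP open tag, since nothing PHP-executable belongs among phone backups. The extension list and the sample settings lines are assumptions.

```python
import os
import re
import tempfile

# Extensions a PHP interpreter commonly executes; none belong in a phone backup directory.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# PHP open tags; a web shell can hide behind an innocent name, so contents are checked too.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify(path):
    """Return a reason string if the file looks like PHP, else None."""
    if os.path.splitext(path)[1].lower() in PHP_EXTS:
        return "php extension"
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # only the start of each file is inspected
    except OSError:
        return None
    return "php open tag in content" if PHP_TAG.search(head) else None


def scan_backup_dir(root):
    """Walk root and return sorted (relative path, reason) pairs for suspect files."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify(path)
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                suspects.append((rel, reason))
    return sorted(suspects)


def make_demo_dir():
    """Create a constructed phonebackup directory: one clean backup and two suspect files."""
    root = tempfile.mkdtemp(prefix="phonebackup_")
    os.makedirs(os.path.join(root, "sets"))
    samples = {
        "sets/1001.txt": b"SET SNTPSRVR 10.0.0.5\nSET TLSSRVR 10.0.0.6\n",  # legitimate-looking backup
        "sets/upload.php": b"<?php echo 'placeholder'; ?>",                  # wrong file type entirely
        "sets/1002.txt": b"SET DHCPSTD 1\n<?php echo 'placeholder'; ?>\n",   # PHP hidden behind .txt
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Point `scan_backup_dir` at the real backup directory on the server; any result is a file to quarantine and examine, not something the phone backup process would write.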
 
Yes Avaya SBC via reverse proxy. We are on the latest version of utility server. This vulnerability was addressed in AADS but there’s no patch for the utility server. Trying to get someone in support to opine on if the AADS patch can be applied to the utility server.
 
For the filexfer we have in the reverse proxy B1 HTTPS --> A1 to host 10.x.x.x port 80 - Avaya produced a fix for this exact vulnerability for the AADS server, but not the Utility Server. Prob cause it's not being updated going forward. We are trying to find out if the fix that was applied to AADS can be installed on the Utility server. The documented vulnerability is pretty much the same thing.
 
Starting with 8.0 the utility server went away. Since 7.x is no longer supported, Avaya probably won't be creating any patches. Assuming this was a log4j issue?
 