
Simple question: these log entries have started appearing daily on our Sonicwall, and I have never seen anything like them before. My initial thought is that it's yet another bot out there searching for vulnerabilities; any insight you might have is appreciated, specifically what it is that they might be trying to exploit.

Sonicwall Firmware: SonicOS Enhanced 6.5.4.9-92n

Logs in CSV:

AuditID Transaction_Id  Time                            Audit_Path                              group                   Index                   Description                             Old                             New                             Status          UUID                            User    Session Mode    Source                          Dest                            Interface
0       1       18:24:42 Jan 05 2022                            Download file           /scripts/cgi-bin/cbag/ag.exe    Failed                            146.70.38.12 (36825)    <our external address> (700)     X1
1       2       18:24:48 Jan 05 2022                            Download file           grn.exe Failed                            146.70.38.12 (44723)    <our external address> (700)     X1
2       3       18:24:50 Jan 05 2022                            Download file           ag.exe  Failed                            146.70.38.12 (50973)    <our external address> (700)     X1
3       4       18:24:54 Jan 05 2022                            Download file           /cgi-bin/cbag/ag.exe    Failed                            146.70.38.12 (55745)    <our external address> (700)     X1
4       5       18:24:56 Jan 05 2022                            Download file           db.exe  Failed                            146.70.38.12 (39315)    <our external address> (700)     X1
5       6       18:24:58 Jan 05 2022                            Download file           mw.exe  Failed                            146.70.38.12 (37489)    <our external address> (700)     X1
6       7       18:25:20 Jan 05 2022                            Download file           /scripts/cgi-bin/cbag/ag.exe    Failed                            146.70.38.12 (60097)    <our external address> (85)      X1
7       8       18:25:22 Jan 05 2022                            Download file           grn.exe Failed                            146.70.38.12 (44205)    <our external address> (85)      X1
8       9       18:25:23 Jan 05 2022                            Download file           ag.exe  Failed                            146.70.38.12 (59829)    <our external address> (85)      X1
9       10      18:25:25 Jan 05 2022                            Download file           /cgi-bin/cbag/ag.exe    Failed                            146.70.38.12 (51061)    <our external address> (85)      X1
10      11      18:25:25 Jan 05 2022                            Download file           db.exe  Failed                            146.70.38.12 (35567)    <our external address> (85)      X1
11      12      18:25:26 Jan 05 2022                            Download file           mw.exe  Failed                            146.70.38.12 (39315)    <our external address> (85)      X1
Stillkill

1 Answer

I'm also seeing these same entries from 10 Jan 22, but from IP 45.133.173.12. This is on a TZ370. I opened a case with Sonicwall trying to get more information. No explanation so far.

EDIT - I posed the question on Twitter as well. See the response from @Sonicwalltech:

"We spoke with our PSIRT team. The traffic appears to be consistent with automated scanner queries to identify known vulnerabilities. The ‘URI’ strings shown in the screenshot are tied to a known Exploit for Cybozu, https://exploit-db.com/exploits/2266, but the IP can be blocked."

https://twitter.com/SonicWallTech/status/1485714306951958533
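The answer identifies the pattern as an automated scanner probing several URIs in quick succession and suggests blocking the source. As an added illustration (not code from the question, the answer, or SonicWall), the script below parses an audit export in the same shape as the one posted, groups failed "Download file" events by source IP, and flags sources that hit several distinct paths within a short window, so the result can feed a block list or a SIEM alert. The column layout is reduced to the populated fields, the destination address is a documentation-range placeholder, and the thresholds (five failures, three distinct paths, 120 seconds) are assumptions to tune for your own traffic.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the SonicOS audit export in the question.
# Columns are reduced to the populated fields (tab-separated); 203.0.113.10 is
# a placeholder for the firewall's external address, as in the post.
SAMPLE_LOG = """AuditID\tTime\tDescription\tPath\tStatus\tSource\tDest\tInterface
0\t18:24:42 Jan 05 2022\tDownload file\t/scripts/cgi-bin/cbag/ag.exe\tFailed\t146.70.38.12 (36825)\t203.0.113.10 (700)\tX1
1\t18:24:48 Jan 05 2022\tDownload file\tgrn.exe\tFailed\t146.70.38.12 (44723)\t203.0.113.10 (700)\tX1
2\t18:24:50 Jan 05 2022\tDownload file\tag.exe\tFailed\t146.70.38.12 (50973)\t203.0.113.10 (700)\tX1
3\t18:24:54 Jan 05 2022\tDownload file\t/cgi-bin/cbag/ag.exe\tFailed\t146.70.38.12 (55745)\t203.0.113.10 (700)\tX1
4\t18:24:56 Jan 05 2022\tDownload file\tdb.exe\tFailed\t146.70.38.12 (39315)\t203.0.113.10 (700)\tX1
5\t18:24:58 Jan 05 2022\tDownload file\tmw.exe\tFailed\t146.70.38.12 (37489)\t203.0.113.10 (700)\tX1
6\t18:25:20 Jan 05 2022\tDownload file\t/scripts/cgi-bin/cbag/ag.exe\tFailed\t146.70.38.12 (60097)\t203.0.113.10 (85)\tX1
7\t18:25:22 Jan 05 2022\tDownload file\tgrn.exe\tFailed\t146.70.38.12 (44205)\t203.0.113.10 (85)\tX1
8\t18:25:23 Jan 05 2022\tDownload file\tag.exe\tFailed\t146.70.38.12 (59829)\t203.0.113.10 (85)\tX1
9\t18:25:25 Jan 05 2022\tDownload file\t/cgi-bin/cbag/ag.exe\tFailed\t146.70.38.12 (51061)\t203.0.113.10 (85)\tX1
10\t18:25:25 Jan 05 2022\tDownload file\tdb.exe\tFailed\t146.70.38.12 (35567)\t203.0.113.10 (85)\tX1
11\t18:25:26 Jan 05 2022\tDownload file\tmw.exe\tFailed\t146.70.38.12 (39315)\t203.0.113.10 (85)\tX1
12\t18:40:01 Jan 05 2022\tDownload file\t/favicon.ico\tFailed\t198.51.100.7 (51000)\t203.0.113.10 (443)\tX1
"""

# SonicOS writes endpoints as "address (port)"; pull both apart.
ADDR_RE = re.compile(r"^(?P<ip>[\d.]+) \((?P<port>\d+)\)$")


def parse_entries(text):
    """Parse the tab-separated audit export into a list of event dicts."""
    entries = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        src = ADDR_RE.match(row["Source"].strip())
        dst = ADDR_RE.match(row["Dest"].strip())
        if not (src and dst):
            continue  # skip rows whose endpoints cannot be parsed
        entries.append({
            "time": datetime.strptime(row["Time"].strip(), "%H:%M:%S %b %d %Y"),
            "path": row["Path"].strip(),
            "status": row["Status"].strip(),
            "src_ip": src["ip"],
            "dst_port": int(dst["port"]),
        })
    return entries


def find_scanners(entries, min_failures=5, min_distinct_paths=3, window_seconds=120):
    """Flag source IPs whose failed file requests hit several distinct paths
    inside a short window. Thresholds are assumptions, not SonicWall defaults."""
    by_src = defaultdict(list)
    for e in entries:
        if e["status"] == "Failed" and e["path"]:
            by_src[e["src_ip"]].append(e)

    flagged = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        # Sliding window: for each start event, collect everything within the window
        # and keep the densest burst that clears both thresholds.
        for i in range(len(evs)):
            j = i
            while j < len(evs) and (evs[j]["time"] - evs[i]["time"]).total_seconds() <= window_seconds:
                j += 1
            burst = evs[i:j]
            if len(burst) >= min_failures and len({e["path"] for e in burst}) >= min_distinct_paths:
                if best is None or len(burst) > len(best):
                    best = burst
        if best:
            flagged[ip] = {
                "failures": len(best),
                "paths": sorted({e["path"] for e in best}),
                "dst_ports": sorted({e["dst_port"] for e in best}),
                "first": best[0]["time"],
                "last": best[-1]["time"],
            }
    return flagged


def block_list_lines(flagged):
    """Render flagged sources as commented lines suitable for an address-object import."""
    return [
        f"{ip}  # {info['failures']} failed requests, {len(info['paths'])} paths, "
        f"ports {','.join(map(str, info['dst_ports']))}, "
        f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}"
        for ip, info in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in block_list_lines(find_scanners(parse_entries(SAMPLE_LOG))):
        print(line)
```

On the sample, only 146.70.38.12 is flagged (twelve failures across six distinct paths against two destination ports in 44 seconds); the single failed request from 198.51.100.7 stays below the thresholds, which is the point of requiring both volume and path diversity before treating a source as a scanner rather than a user who mistyped a URL.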