Tuesday, December 8, 2020

Unusual login names and attempts.

Recently noticed an unusual login name attempting to access AirWave in our ISE TACACS logs. At least once a day, username XOEL3G attempts to log in to AirWave, never at exactly the same time but around the same time daily, +/- an hour.

QRadar logs show source and destination IP as our ISE server. Which is a little strange.

ISE logs show source IP as 127.0.0.1 (also strange) to AirWave; each attempt is sourcing a different unassigned port or some uncommon port. Each attempt is hitting port 49 (TACACS).

Someone with our Telecom team says the name sounds like a carrier device, as in XO Telecom, which is a part of Verizon, who happens to be one of our ISPs.

The attempts are being more closely monitored now.

Has anyone seen or heard of something like this? Especially with the source IP being a 127 address?

Thanks for any advice :)
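As an added example (not part of the original post, and not ISE's or AirWave's own tooling), the script below shows how the three observations in the post can be turned into a repeatable triage check over exported TACACS authentication logs: attempts whose source address is loopback, a username recurring once a day within a +/- 1 hour window, and each attempt arriving from a different source port. The log lines and their key=value layout are constructed for this example; a real ISE export would need its own regex, and the 24h/1h thresholds are assumptions taken from the post's description.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines in a simplified key=value layout (NOT real ISE output).
# XOEL3G fails from 127.0.0.1 once per day at roughly the same time, each time
# from a different source port; jdoe is an ordinary user for contrast.
SAMPLE_LOGS = """\
2020-12-04T09:12:31 TACACS+ Authentication result=FAIL user=XOEL3G src=127.0.0.1 sport=51234 dst=10.0.0.5 dport=49 device=AirWave
2020-12-05T10:02:10 TACACS+ Authentication result=FAIL user=XOEL3G src=127.0.0.1 sport=39871 dst=10.0.0.5 dport=49 device=AirWave
2020-12-05T11:45:00 TACACS+ Authentication result=PASS user=jdoe src=10.1.2.3 sport=52000 dst=10.0.0.5 dport=49 device=AirWave
2020-12-06T09:20:55 TACACS+ Authentication result=FAIL user=XOEL3G src=127.0.0.1 sport=60211 dst=10.0.0.5 dport=49 device=AirWave
2020-12-07T09:30:02 TACACS+ Authentication result=FAIL user=XOEL3G src=127.0.0.1 sport=44109 dst=10.0.0.5 dport=49 device=AirWave
2020-12-07T14:00:00 TACACS+ Authentication result=FAIL user=jdoe src=10.1.2.3 sport=52001 dst=10.0.0.5 dport=49 device=AirWave
"""

# Regex for the constructed layout above; adapt the field names to the real export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) TACACS\+ Authentication result=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"device=(?P<device>\S+)$"
)


def parse_logs(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def loopback_failures(events):
    """Count failed authentications per user whose source address is 127.0.0.0/8 or ::1."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL" and ipaddress.ip_address(ev["src"]).is_loopback:
            counts[ev["user"]] += 1
    return dict(counts)


def daily_cadence_users(events, window=timedelta(hours=1), min_days=3):
    """Users seen on at least `min_days` distinct days whose time-of-day stays within
    +/- `window` of each other (i.e. total spread <= 2 * window). Attempts that
    straddle midnight are not handled by this simple seconds-since-midnight check."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["ts"])
    flagged = []
    for user, times in by_user.items():
        if len({t.date() for t in times}) < min_days:
            continue
        secs = [t.hour * 3600 + t.minute * 60 + t.second for t in times]
        if timedelta(seconds=max(secs) - min(secs)) <= 2 * window:
            flagged.append(user)
    return sorted(flagged)


def distinct_source_ports(events):
    """Number of distinct source ports per user; one new port per attempt is a
    normal TCP client ephemeral-port pattern, which is worth knowing when reading
    the 'uncommon port' observation."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["user"]].add(ev["sport"])
    return {user: len(p) for user, p in ports.items()}


def summarize(text):
    """Run all three checks over raw log text and return one summary dict."""
    events = parse_logs(text)
    return {
        "events": len(events),
        "loopback_failures": loopback_failures(events),
        "daily_cadence_users": daily_cadence_users(events),
        "distinct_sports": distinct_source_ports(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

A loopback source in an ISE TACACS record usually means the request reached the ISE process via its own host, so a hit on `loopback_failures` is a prompt to look at what runs on the ISE box itself (scheduled jobs, management agents, local test configurations) rather than at the network edge, which is consistent with QRadar showing ISE as both source and destination. The cadence check separates a scheduled job from a person at a keyboard.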


