Intrusion Detection Import Question

Under Firewall->Intrusion Detection, where do the IPs pull from when selecting one of the Import options (Trusted Zone, Local Zone, etc.)?

I had a recent issue with unwanted external IPs registering with the server and making calls. They were whitelisted as they provided the correct credentials. I’ve since changed credentials and some provisioning settings and they are no longer accessing the server, but I found one other issue.

The external IPs they were using don’t show under Firewall->Networks as Local Zone, but if I Import the Local Zone under Firewall->Intrusion Detection, they show up in the whitelist. Where are these IPs for Local Zone coming from if not the Networks tab and how can I delete them?

It looks like the other spot that import can pull from is a registered extension IP on top of the Networks tab.

Have you tried doing the Clear All and then re-importing by selecting the categories that you’d want imported?

Yes, if I Clear All, and then Import the Registered Extension IPs, it imports all of the expected endpoints (currently connected ones, all on my local network). If I Import Local Zone, a bunch of external IPs show up in addition to those. These external IPs aren’t showing in Firewall->Networks tab, so I’m trying to figure out where they’re stored. There’s even one external IP in the Trusted Zone if I use Import, but it also does not show in the Networks tab.

Sorry, I don’t actually know of any other alternative locations for the import function. It’s possible that this function has been modified somehow by whoever compromised the system in the first place.

I realized that these whitelisted IPs are related to Acrobits Push: