Juan 0 Posted July 9, 2019 Share Posted July 9, 2019 Hi Team, could you plesase help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, when I perform a deep scan on one of the computers, no virus is registered. At the moment I have the ESMC console installed and the ESET Endpoint Security version 7.1 on the computers. and the possible viruses registered in the fortinet are: - tcp.split.handskshaked.pakets - php.malicious.shell - smb.login.brute.force These elements announced. Questions: Are updates or patches of windows, some application or are false postives. Thanks for your help Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 9, 2019 Share Posted July 9, 2019 (edited) These are all Fortinet IPS detections: https://fortiguard.com/encyclopedia/ips/26339 https://fortiguard.com/encyclopedia/ips/44580 https://fortiguard.com/encyclopedia/ips/12090 The possible malware is php.malicious.shell. Per the Fortinet description indicates a malicious php script running on a php server. Do you have a php/web server installed? Edited July 9, 2019 by itman Link to comment Share on other sites More sharing options...
Administrators Marcos 5,088 Posted July 9, 2019 Administrators Share Posted July 9, 2019 The best would be to get a pcap log with such detections and provide it also to the maker of the firewall who should be able to confirm or deny if it was false positives. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 205 Posted July 9, 2019 Most Valued Members Share Posted July 9, 2019 1 hour ago, Juan said: Hi Team, could you plesase help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, when I perform a deep scan on one of the computers, no virus is registered. At the moment I have the ESMC console installed and the ESET Endpoint Security version 7.1 on the computers. and the possible viruses registered in the fortinet are: - tcp.split.handskshaked.pakets - php.malicious.shell - smb.login.brute.force These elements announced. Questions: Are updates or patches of windows, some application or are false postives. Thanks for your help The Brute Force means that someone is trying to bruteforce your SMB folders , make sure you don't use SMB v1 ,as per ITmans' link Fortinet says that it will be logged once there is 500 failed attempts. TCP Split Hand shakes it happens sometimes as false positive but you could double check it And about the malicious you should double check the code, even if ESET finds nothing or atleast try to know in which file it's originating. Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 9, 2019 Share Posted July 9, 2019 (edited) A few comments about php server use. It was designed for internal development usage and definitely should not be allowed access to the external network: Quote Built-in web server ¶ Warning This web server was designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network. https://www.php.net/manual/en/features.commandline.webserver.php Edited July 9, 2019 by itman Link to comment Share on other sites More sharing options...
jdashn 12 Posted July 9, 2019 Share Posted July 9, 2019 @itman thats only for the webserver built into PHP (that is designed for app dev, and shouldn't be forwarded to the net), not PHP it's self, right? Link to comment Share on other sites More sharing options...
itman 1,667 Posted July 9, 2019 Share Posted July 9, 2019 18 minutes ago, jdashn said: @itman thats only for the webserver built into PHP (that is designed for app dev, and shouldn't be forwarded to the net), not PHP it's self, right? I believe that is correct. But in this case, it appears the php server was not locked down; was hacked to deploy a malicious script; and that script is now attacking the internal network. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,088 Posted July 10, 2019 Administrators Share Posted July 10, 2019 Ideally pcap logs should be analyzed by the firewall maker Fortinet, otherwise it's more just speculations as to what happened and if there was a malicious activity or if the detection was a result of some non-standard communication that was detected by the firewall, maybe correctly or incorrectly as a false positive. Link to comment Share on other sites More sharing options...
zafirkalvin 0 Posted July 17, 2019 Share Posted July 17, 2019 (edited) On 7/9/2019 at 3:16 PM, Juan said: Hi Team, could you plesase help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, when I perform a deep scan on one of the computers, no virus is registered. At the moment I have the Nox Vidmate VLC console installed and the ESET Endpoint Security version 7.1 on the computers. and the possible viruses registered in the fortinet are: - tcp.split.handskshaked.pakets - php.malicious.shell - smb.login.brute.force These elements announced. Questions: Are updates or patches of windows, some application or are false postives. Thanks for your help shouldn't be forwarded to the net), not PHP it's self, right? Edited July 17, 2019 by zafirkalvin Link to comment Share on other sites More sharing options...
Recommended Posts