
Gregecslo

Members
  • Posts: 60
About Gregecslo

  • Rank
    Newbie

Profile Information

  • Location
    Slovenia


  1. Hi. We have the same issue but with Firefox. Error 0xc0000005. After pre-release updates all is fine again. When can we expect this to be released to prod?
  2. Today (or yesterday) new policy settings for WAP appeared in policy manager. Disabled it, all good.
  3. I downgraded to 10.0.328.0 which works OK. No need to downgrade to V9 for me.
  4. Hi. We have ERA on prem and deployed the new Linux version on our webservers. Thing is that the "wapd" process is consuming CPU and eventually the webserver stops working. How can we disable Web Access protection or unload it forever? In policy I can't see the option at all... On Linux we just need on-demand scan and RTP and nothing else. Also pages were loading really slowly (those hosted on our webserver)... It seems like a half-baked solution for now, had to go to the older version.
  5. Something like this: https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
  6. If somebody does a POST request with a malicious file inside the POST request, PHP will process it (execution is done in the PHP TMP folder) and that is where the detection comes from. This also happens to me on a server where nothing is installed but apache + php... Deleted ESET, the SAME post request came, no files were dropped (but the file was naturally in PHP). The problem would be if you find an XXXX.php file which was dropped in the webserver folder...
  7. This I don't know. For me, the detection came from this: 95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG And it seems that the exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload Again, I have NO wordpress site installed (but ESET did detect it anyway in PHP TEMP which IS NORMAL), the server returns 404 or 500... That's why I said that OP should check POST requests on the server...
  8. Yes you did, I also found it. URLSCAN.IO shows multiple scans for this domain with different webshells hosted on it. @FTL We also got this detection, but it's OK because at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host wordpress at all). So basically this is an automated script that tries to exploit some wordpress vulnerability and if successful, curl downloads a webshell. Example: 95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG And yes, the detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request. So in my opinion nothing happened with your server, but check where that post request was made and make sure WP and plugins are up to date.
  9. Hi. I did contact them, waiting for a response. But I think (have limited info here) that 2.2.2.2 does not belong to the actual organisation that owns the hotspot. I believe that they just used/abused this IP address (and addressing) in their INTERNAL network... Because this IP is owned by Orange and it's located in Egypt, faaar from the country where our people had problems...
  10. Hi! Today we had to connect to a guest WiFi hotspot and we encountered this: Uniform Resource Identifier (URI): hXXp://2.2.2.2/fs/customwebauth/login.html?switch_url=hxxp://2.2.2.2/login.html&ap_mac=00:44:33:04:5d:41&client_mac=00:22:33:ea:c2:41&wlan=COM-Guest&redirect=www.msftconnecttest.com/redirect Process name: C:\Program Files\Google\Chrome\Application\chrome.exe Event: An attempt to connect to URL Rule: Blocked by internal IP blacklist Scanner: HTTP filter Target address: 2.2.2.2 As a result, people were unable to attend the meeting on time. Can you please explain why this is blocked and how to prevent connectivity issues in the future? Thanks!
  11. OK great, will files be placed back to the original location? Or do we have to do it manually? Thanks.
  12. I will start a new topic... We have at least 30 detections on 2 files from the Eset ML engine: https://www.virustotal.com/gui/file/4e94404222b0c7c4a901c1b105deb1edde9ed7d8ea6fc7604cde04a907ac6c8a https://www.virustotal.com/gui/file/557980d06f68e4116683ac2e203b1dcbed78ea07352aa9481a807e9077f5a5ef Both are from Lenovo and both are circa 9-10 months old. FP? Thanks!
  13. Can I open it directly with you guys? It's rather high priority as this server must be online...
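Posts 7 and 8 above recommend checking the webserver's POST requests to decide whether an automated WordPress upload attempt actually landed. The following is an added example, not code from the poster or from ESET: it parses Apache combined-format lines (with the optional vhost field seen in the quoted line), keeps only POSTs to /wp-admin/admin-ajax.php, and classifies each by HTTP status. The sample log is constructed; the first line is the one quoted in the post, the 198.51.100.x / 203.0.113.x addresses are documentation ranges.

```python
import re

# Apache combined log format, with an optional extra vhost token between the
# referer and the user agent (as in the line quoted in the post above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"(?: (?P<vhost>\S+))? "(?P<ua>[^"]*)"\s*$'
)

# The only endpoint the posts mention; extend the tuple for other upload paths.
WP_ENDPOINTS = ("/wp-admin/admin-ajax.php",)

# Constructed sample: the first line is quoted from the post, the rest are made up.
SAMPLE_LOG = [
    '95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '198.51.100.7 - - [23/Oct/2023:05:41:02 +0200] "POST /wp-admin/admin-ajax.php?action=test HTTP/1.1" '
    '200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [23/Oct/2023:05:41:03 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Oct/2023:06:02:11 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '403 199 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """List (ip, path, status, verdict) for every POST to a WordPress upload endpoint.

    404/500 means the endpoint is absent or the request failed (the posts' case);
    2xx means the server accepted the request and upload directories need a look.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in WP_ENDPOINTS:
            continue
        status = int(rec["status"])
        if status in (404, 500):
            verdict = "not_landed"
        elif 200 <= status < 300:
            verdict = "possible_success"
        else:
            verdict = "review"
        findings.append((rec["ip"], rec["path"], status, verdict))
    return findings
```

Run `triage(open("/var/log/apache2/access.log"))` on a real log and start with the `possible_success` rows.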