Gregecslo
Members
Posts: 60
Rank: Newbie
Location: Slovenia
Eset linux security - web protection
Gregecslo replied to Gregecslo's topic in ESET Endpoint Products for Linux
Today (or yesterday) new policy settings for WAP appeared in the policy manager. Disabled it, all good.
Eset linux security - web protection
Gregecslo replied to Gregecslo's topic in ESET Endpoint Products for Linux
I downgraded to 10.0.328.0, which works OK. No need to downgrade to V9 for me.
Eset linux security - web protection
Hi. We have ERA on prem and deployed the new Linux version on our web servers. The thing is that the "wapd" process is consuming CPU and eventually the web server stops working. How can we disable Web Access protection or unload it forever? In the policy I can't see the option at all... On Linux we just need on-demand scan and RTP and nothing else. Also pages were loading really slowly (those hosted on our web server).... It seems like a half-baked solution for now; had to go to the older version.
Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Gregecslo replied to FTL's topic in Malware Finding and Cleaning
Something like this: https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Gregecslo replied to FTL's topic in Malware Finding and Cleaning
If somebody makes a POST request with a malicious file inside the POST request, PHP will process it (execution is done in the PHP TMP folder) and that is where the detection comes from. This also happens to me on a server where nothing is installed but Apache + PHP... Deleted ESET, the SAME POST request came, no files were dropped (but the file was naturally in PHP). The problem would be if you find an XXXX.php file which was dropped in the web server folder...
Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Gregecslo replied to FTL's topic in Malware Finding and Cleaning
This I don't know. For me, the detection came from this (Apache log):
95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
And it seems that the exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload
Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500.... That's why I said that the OP should check POST requests on the server...
Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Gregecslo replied to FTL's topic in Malware Finding and Cleaning
Yes you did, I also found it. URLSCAN.IO shows multiple scans for this domain with different webshells hosted on it. @FTL We also got this detection, but it's OK because, at least for us, the web server returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads a webshell. Example (Apache log):
95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
And yes, the detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request. So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
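As an added example (not code from the thread), this Python snippet applies the triage described in the post above to constructed Apache log lines laid out like the one quoted: it counts POSTs to /wp-admin/admin-ajax.php per client and flags only those the server answered with 2xx, since a 404/500 means the upload never reached the webroot. The host name, client IPs and user agents are constructed; the `host_runs_wordpress` switch is an assumption for hosts that do run WordPress.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the one quoted in the thread:
# client - - [time] "request" status bytes "referer" vhost "user-agent". Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" example.test "Mozilla/5.0 (constructed)"
203.0.113.5 - - [23/Oct/2023:05:39:31 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 196 "-" example.test "Mozilla/5.0 (constructed)"
198.51.100.7 - - [23/Oct/2023:06:02:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" example.test "Mozilla/5.0 (constructed)"
198.51.100.9 - - [23/Oct/2023:06:10:42 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" example.test "curl/8.0.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" (?P<vhost>\S+) "(?P<ua>[^"]*)"$'
)

# The WordPress endpoint the thread's automated uploader was hitting.
WP_UPLOAD_PATHS = ("/wp-admin/admin-ajax.php",)


def parse_line(line):
    """Split one log line into named fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, host_runs_wordpress=False):
    """Return (by_ip, needs_review): POSTs to the upload endpoint per client, and the
    entries worth a closer look (server answered 2xx, or the host really runs WordPress)."""
    by_ip = Counter()
    needs_review = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0] not in WP_UPLOAD_PATHS:
            continue
        by_ip[rec["ip"]] += 1
        status = int(rec["status"])
        # 404/500 on a host without WordPress: the request failed and PHP only saw the
        # upload in its tmp dir (the detection location from the thread). A 2xx means the
        # endpoint accepted the POST, so the webroot should be checked for new .php files.
        if 200 <= status < 300 or host_runs_wordpress:
            needs_review.append((rec["ip"], status, rec["path"]))
    return by_ip, needs_review
```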
HotSpot login wrongly detected
Gregecslo replied to Gregecslo's topic in Malware Finding and Cleaning
Hi. I did contact them, waiting for a response. But I think (I have limited info here) that 2.2.2.2 does not belong to the actual organisation that owns the hotspot; I believe that they just used/abused this IP address (and addressing) in their INTERNAL network... Because this IP is owned by Orange and it's located in Egypt, faaar from the country where our people had problems...
Hi! Today we had to connect to a guest WiFi hotspot and we encountered this:
Uniform Resource Identifier (URI): hXXp://2.2.2.2/fs/customwebauth/login.html?switch_url=hxxp://2.2.2.2/login.html&ap_mac=00:44:33:04:5d:41&client_mac=00:22:33:ea:c2:41&wlan=COM-Guest&redirect=www.msftconnecttest.com/redirect
Process name: C:\Program Files\Google\Chrome\Application\chrome.exe
Event: An attempt to connect to URL
Rule: Blocked by internal IP blacklist
Scanner: HTTP filter
Target address: 2.2.2.2
As a result, people were unable to attend the meeting on time. Can you please explain why this is blocked and how to prevent connectivity issues in the future? Thanks!
Augur detecting Lenovo software
Gregecslo replied to Gregecslo's topic in Malware Finding and Cleaning
OK great, will the files be placed back in their original location? Or do we have to do it manually? Thanks.
I will start a new topic.... We have at least 30 detections on 2 files from the ESET ML engine:
https://www.virustotal.com/gui/file/4e94404222b0c7c4a901c1b105deb1edde9ed7d8ea6fc7604cde04a907ac6c8a
https://www.virustotal.com/gui/file/557980d06f68e4116683ac2e203b1dcbed78ea07352aa9481a807e9077f5a5ef
Both are from Lenovo and both are cca 9-10 months old. FP? Thanks!
Exchange Server Exclusions
Gregecslo replied to Trooper's topic in ESET Products for Windows Servers
Hello. Do we have more info on this one?
CAS-03808-C3Q7Y8
Can I open it directly with you guys? It's rather high priority, as this server must be online...