Gregecslo (60 posts)
Gregecslo received kudos from FranceBB in Eset linux security - web protection
Hi.
We have ERA on prem and deployed new linux version on our webservers.
The thing is that the "wapd" process is consuming CPU and eventually the webserver stops working.
How can we disable Web Access Protection or unload it forever?
In the policy I can't see the option at all...
On Linux we just need on-demand scan and RTP and nothing else.
Also pages were loading really slowly (those hosted on our webserver)...
It seems like a half-baked solution for now, had to go to the older version.
-
Gregecslo received kudos from FTL in Malicious file PHP/TrojanDownloader.Agent.CZ was detected
If somebody does a POST request with a malicious file inside the POST request, PHP will process it (execution is done in the PHP TMP folder) and that is where the detection comes from.
This also happens to me on a server where nothing is installed but Apache + PHP...
Deleted ESET, SAME post request came, no files were dropped (but file was naturally in PHP).
Problem would be if you find XXXX.php file which was dropped in webserver folder...
-
Gregecslo received kudos from FTL in Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Something like this:
https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
-
Gregecslo received kudos from itman in Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Yes you did, I also found it.
URLSCAN.IO shows multiple scans for this domain with different Webshells hosted on it.
@FTL
We also got this detection, but it's OK because at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads a webshell.
Example:
95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
And yes, the detection occurred on: file:///tmp/phpMjc32fg, which is normal, because PHP processed this POST request.
So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
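A defender-side check for the pattern described in this post, added here as an example that is not from the forum thread: it scans Apache access-log lines for POSTs to common WordPress entry points and separates the 4xx/5xx responses the author saw (harmless on a non-WordPress host) from 2xx responses that deserve a closer look. The log lines, IPs and host name below are constructed; the vhost token between referer and user agent mirrors the layout of the line quoted above.

```python
import re
from dataclasses import dataclass

# Apache access-log line; the optional vhost token between referer and UA
# matches the layout of the line quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)")?'
    r'(?: (?P<vhost>[^" ]+))?'
    r'(?: "(?P<ua>[^"]*)")?'
)

# Endpoints that automated WordPress exploit scripts commonly POST to.
WP_POST_PATHS = ("/wp-admin/admin-ajax.php", "/xmlrpc.php", "/wp-login.php")

@dataclass
class Attempt:
    ip: str
    path: str
    status: int
    host: str
    outcome: str  # "blocked" (4xx/5xx) or "review" (2xx/3xx: look closer)

def classify_status(status: int) -> str:
    return "blocked" if status >= 400 else "review"

def find_wp_post_attempts(lines):
    """Return every POST to a WordPress entry point with its status outcome."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if not path.startswith(WP_POST_PATHS):
            continue
        status = int(m.group("status"))
        hits.append(Attempt(m.group("ip"), path, status,
                            m.group("vhost") or "-", classify_status(status)))
    return hits

def summarize_by_source(hits):
    """Count blocked vs review-worthy attempts per source IP."""
    summary = {}
    for h in hits:
        summary.setdefault(h.ip, {"blocked": 0, "review": 0})[h.outcome] += 1
    return summary

# Constructed sample log (documentation IP ranges, fake host); not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" example.test "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2023:05:39:31 +0200] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" example.test "Mozilla/5.0"',
    '198.51.100.9 - - [23/Oct/2023:06:01:02 +0200] "POST /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [23/Oct/2023:06:01:03 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Run `find_wp_post_attempts` over a real access log and pay attention only to sources in the "review" column; on a host that does not run WordPress at all, everything should land in "blocked".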
-
Gregecslo received kudos from stevenv in Exchange server exclusions - clarification
Huh, so basically with this enabled ESET doesn't scan common webshell folders and they can run almost unrestricted, since you also don't scan the w3wp process.
MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs?
Thanks!
-
Gregecslo received kudos from Gonzalo Alvarez in Endpoint Security can't connect to Push Notification Service
This 100% works, thanks guys!
-
Gregecslo received kudos from Peter Randziak in Endpoint Security can't connect to Push Notification Service
This 100% works, thanks guys!
-
Gregecslo received kudos from EmilioVS in Endpoint Security can't connect to Push Notification Service
This 100% works, thanks guys!