
Gregecslo

Members, 60 posts

Kudos

  1. Upvote
    Gregecslo received kudos from FranceBB in Eset linux security - web protection   
    Hi.
    We have ERA on prem and deployed the new Linux version on our webservers.
    Thing is, that "wapd" process is consuming CPU and eventually the webserver stops working.
    How can we disable Web Access protection or unload it forever?
    In policy I can't see the option at all...
    On Linux we just need on-demand scan and RTP and nothing else.
    Also pages were loading really slow (those hosted on our webserver)....
    It seems like a half-baked solution for now, had to go to the older version.
     
  2. Upvote
    Gregecslo received kudos from FTL in Malicious file PHP/TrojanDownloader.Agent.CZ was detected   
    If somebody does POST request with malicious file inside POST request PHP will process it (execution is done in PHP TMP folder) and that is where detection comes from.
    This also happens to me on server where nothing is installed but apache + php...
    Deleted ESET, SAME post request came, no files were dropped (but file was naturally in PHP).
    Problem would be if you find XXXX.php file which was dropped in webserver folder...
  3. Upvote
    Gregecslo received kudos from FTL in Malicious file PHP/TrojanDownloader.Agent.CZ was detected   
    Something like this:
    https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
     
  4. Upvote
    Gregecslo received kudos from itman in Malicious file PHP/TrojanDownloader.Agent.CZ was detected   
    Yes you did I also found it.
    URLSCAN.IO shows multiple scans for this domain with different Webshells hosted on it.
    @FTL
    We also got this detection, but it's OK because at least for us, the webserver returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads a webshell.
    Example:
     
    95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG
    And yes, detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request.
    So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
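An added, defender-side illustration of the triage described in this post (my own example, not code from the post or from ESET): it parses access-log lines in the layout quoted above, flags POSTs to WordPress entry points, and separates rejected probes on non-WordPress vhosts from requests that actually reached a WordPress site. The vhost field position, the list of probed paths and the example.com hostnames are assumptions.

```python
import re
from collections import Counter

# Layout as in the line quoted in the post: the vhost name sits between the
# referer and the user agent (this field order is assumed from that one line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" (?P<vhost>\S+) "(?P<ua>[^"]*)"$'
)
# WordPress entry points that automated exploit scripts POST to (assumed list).
WP_PATHS = ("/wp-admin/admin-ajax.php", "/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec, wordpress_hosts):
    """Verdict for one parsed record; None if the request is not a WP POST."""
    if rec["method"] != "POST" or not rec["path"].startswith(WP_PATHS):
        return None
    rejected = int(rec["status"]) >= 400
    if rec["vhost"] not in wordpress_hosts:
        # No WordPress here, so the payload never reached a WP handler. PHP still
        # buffers the POST body in its upload temp dir (/tmp/phpXXXXXX), which is
        # what an on-access scanner flags; a 2xx on such a host deserves a look.
        return "probe-rejected" if rejected else "probe-needs-review"
    return "wp-rejected" if rejected else "wp-succeeded-investigate"

def scan(lines, wordpress_hosts):
    """Return (list of (ip, vhost, path, status, verdict), Counter of verdicts)."""
    hits, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec, wordpress_hosts)
        if verdict:
            hits.append((rec["ip"], rec["vhost"], rec["path"], int(rec["status"]), verdict))
            counts[verdict] += 1
    return hits, counts

# Constructed sample lines (TEST-NET addresses, example.com hosts), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" static.example.com "Mozilla/5.0"',
    '203.0.113.7 - - [23/Oct/2023:05:39:31 +0200] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" static.example.com "Mozilla/5.0"',
    '198.51.100.9 - - [23/Oct/2023:06:01:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" blog.example.com "Mozilla/5.0"',
    '198.51.100.9 - - [23/Oct/2023:06:01:03 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" blog.example.com "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, {"blog.example.com"})[0]:
        print(*hit)
```

Only the "wp-succeeded-investigate" and "probe-needs-review" verdicts call for follow-up on the server; a "probe-rejected" line paired with a detection on a /tmp/php* file is the benign case the post describes.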
  5. Upvote
    Gregecslo received kudos from stevenv in Exchange server exclusions - clarification   
    Huh, so basically with this enabled ESET doesn't scan common webshell folders and they can run almost unrestricted since you also don't scan the w3wp process.
    MS wording has changed dramatically since last year's ProxyLogon and ProxyShell, have you adopted any of their recommendations from their official blogs?
    Thanks!
  6. Upvote
    Gregecslo received kudos from Gonzalo Alvarez in Endpoint Security can't connect to Push Notification Service   
    This 100% works, thanks guys!
     
  7. Upvote
    Gregecslo received kudos from Peter Randziak in Endpoint Security can't connect to Push Notification Service   
    This 100% works, thanks guys!
     
  8. Upvote
    Gregecslo received kudos from EmilioVS in Endpoint Security can't connect to Push Notification Service   
    This 100% works, thanks guys!
     