JamesR (ESET Staff)
Content Count: 47
Days Won: 3 (last won the day on June 26 2018)
Rank: ESET North America
Location: USA
I agree with Marcos, this looks like a WMI persistent threat. Manually telling ESET to update its detection engine should correct the issue of the threat continually being detected. Although, there is a good chance you may already have the update (ESET checks for these updates once per hour). If this does not fix the issue, definitely generate an Autoruns log. Lastly, it's not uncommon for servers to have been infected due to unexpected ports being exposed to the internet. I highly recommend you audit your public IP addresses with some simple nmap scans to verify what ports are ex
tons of emails showing infected, no active threats
JamesR replied to Ziceman's topic in Malware Finding and Cleaning
Just so you are aware, Emotet uses an email phishing technique where it uses legitimate stolen emails and then spoofs the sender to make it look like a continued email communication. It sounds like these trojan downloaders are appearing via that tactic. Do not exclude them or you risk getting a very dangerous worm like Emotet on your network. "One of Emotet's most devious methods of self-propagation centers around its use of socially engineered spam emails. Emotet's reuse of stolen email content is extremely effective. Once they have swiped a victim's email, Emotet constructs new attack
Network attack exploitation+application vulnerability attack
JamesR replied to kevroc's topic in Malware Finding and Cleaning
It sounds like you have purchased 2 internet lines: one where you have a Wi-Fi router, and one where you are directly connected to the internet. You should put a router between your computer and the internet. You can easily purchase a router that uses a physical network cable instead of using Wi-Fi. Your Wi-Fi router may even have extra Ethernet ports as well. But the key thing is, a router is what hides your computer from others being able to directly see and attack your computer. In short, you need some form of physical hardware that will assign your computer a private IP address, thus st
Network attack exploitation+application vulnerability attack
JamesR replied to kevroc's topic in Malware Finding and Cleaning
The ESET Log Collector log you supplied shows you have a public IP address directly on your computer. This means you are not behind a router. This is very insecure and you will continue to see these attacks until you place your computer behind a router. If you contact your Internet Service Provider (ISP), they may refer to a router as a gateway, residential gateway, 2-in-1 modem, etc. If my talk of router/gateway and public IP address is a new concept for you, I recommend working with your ISP or a local computer technician who can assist in setting up a router to hide your computer
I do not believe the process path of VNC is a problem; it's likely that you utilized a custom path for the install. However, if you have not installed VNC or do not allow it, remove it. The root of the problem is that the computer triggering these detections is exposed to the internet (directly or via port forwarding). I highly recommend you perform an audit of your public IP addresses. If needed, contact your ISP to get a list of IPs you own/use from them, or use Google to search for "what's my IP address" on different segments of your network. Next, from a computer which is not
One other thing. If you are using Services.msc to start the service, it is not uncommon that the Services.msc GUI cannot handle a service that takes a long time to start. Instead, can you do the following after you get an error in Services.msc? Open the properties of your MySQL service and copy the highlighted "Service Name:" at the top of the properties window. This will likely be mysql57 or mysql8. Open an administrative command prompt and issue the following command: sc query ServiceName. Replace ServiceName with the name you identified in step one. Like: sc quer
"firefox.VisualElementsManifest.xml" (Generik.HBKPFTF trojan)
JamesR replied to cmit's topic in Malware Finding and Cleaning
Hello, please update the detection engine in ESET and the detection method should now be corrected, and the .xml no longer detected.
Win64.Vools.L Can not be cleaned
JamesR replied to kamiran.asia's topic in Malware Finding and Cleaning
Which version of ESET is installed? If not on v7.x, you will want to upgrade to v7.x ASAP as it has Network Attack Protection which can block EternalBlue (MS17-010) and help prevent reinfection and assist in identifying IP addresses that are attacking computers on your network. This will also help you verify if this infection is spreading via a network exploit or not. From everything you have posted so far, I see no hard evidence of exploitation via MS17-010. Also, if you can provide logs using ELC (https://support.eset.com/kb3466/?locale=en_US&viewlocale=en_US) this can help ident
Malicious Powershell Script, Persistent WMI 2019
JamesR replied to dandodds's topic in Malware Finding and Cleaning
I have replied directly to dandodds. I have been sick lately, but am feeling much better now.
8 replies. Tagged with: powershell, eternalblue (and 1 more)
@itman - Screenshot should be there now. Thanks.
If an issue like this ever returns, I recommend using ESET's Firewall to log or block the activity. To do this, simply make a firewall rule similar to the following: Then you should be able to see the offending exe in the Firewall Log for ESET.
@mayowa or others in similar situations. Reasons files on a server get encrypted, regardless of security solution: RDP Brute Force succeeded and security solution was removed, then encryption of files began. If Admin rights are gained to a network and an attacker logs in just like an Admin would, then nothing can protect you against any actions they would like to take (Install/uninstall applications, creation of new user accounts, password scrambling of accounts, encryption, stolen data, crypto-currency mining, etc). To mitigate this, either implement 2FA for RD
Infection Alert - Log Results Are not Clear
JamesR replied to AndyfromIMPACT's topic in Malware Finding and Cleaning
Using Notepad++ and regex I was able to strip down all the irrelevant errors and attached the filtered log to this post. All the "archive damaged" and other errors can be ignored, as they happen on all computers because ESET will try to treat each file it scans as an archive and will log when it fails to treat it as an archive. The only threat found was this: name="C:\Users\dcombs\Downloads\10.23_request.doc » ZIP » word/vbaProject.bin", threat="VBA/TrojanDownloader.Agent.EVX trojan", action="unable to clean", info="" It might be a good idea to turn on strict cleaning for your
Patch the server and the threat detections will stop. Or disconnect the server from the network and the detections will stop. ESET is cleaning the threats off and a hacker is placing them back due to the fact that the server (or another server) is exploitable from the outside world. I strongly advise that you seek help from a penetration testing team to locate the holes in your network which are being exploited. Not patching the server and all software on the server will lead to detections continuing while the server is connected to the network. In short, the only way to fix this i
The threats Win32/Rozena and Win32/RiskWare.Meterpreter are both clear indicators that someone is exploiting this server from the outside. You need to update all software on the server and secure any ports on your perimeter firewall to stop this from happening. If you believe all software is already updated on the server, then I would suggest you invest in a pentest where the pentester could tell you what services are exploitable from outside your network. If the holes in the network are not located, isolated, and corrected, you will continue to have security breaches reoccur and ESET will c