kamiran.asia

Members
  • Posts: 256
  • Joined
  • Last visited
  • Days Won: 1

kamiran.asia last won the day on January 7

kamiran.asia had the most liked content!

About kamiran.asia

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    United Arab Emirates
  • Interests
    ESET Softwares

Recent Profile Visitors

3,815 profile views
  1. Thank you dear @Marcos. As we mentioned, we block all incoming TCP and UDP ports in the Windows Server firewall. So in this case the ESET firewall scans traffic before the Windows firewall. So we are waiting for any update to enable IDS again.
  2. Yes, we agree with you. In many other projects and servers, when we block an incoming port (i.e. 445), ESET did not report any attack from those blocked ports. But in this case we are confused! How is this traffic received by the ESET firewall driver? Or maybe these attacks are not TCP/UDP that cause the IDS performance issue! (Because we just block TCP/UDP inbound protocols in WF.) But while ESET IDS does not report any target port, we cannot figure out how these blacklisted IPs are accessing the server.
  3. Nothing changed. We still saw these attacks while no ports were open, and the performance issue still occurs. It seems that the ESET firewall driver works before the Windows firewall and still analyzes inbound packets!
  4. The exploitation attempts that dear @Marcos mentioned occurred before we configured Windows Firewall to block all inbound TCP and UDP. So we have no open port right now, just limited secure RDP from specific IPs. ekrn still uses high CPU in this situation. Yes, we think that something is going wrong and IDS must not be involved like this in such attacks. We temporarily disabled IDS so the server works properly, and we are waiting for the analysis report and any updates. While there is no open inbound port, there is no worry about temporarily disabling IDS.
  5. Dear friends, thank you all for your useful information. 🤩 Our customer just rents a VPS in OVH (exactly, a cloud server as a VPS); he has no access to the virtualization firewall or similar. Their support said: "These UDP attacks are general and normal on many servers!!" They advised him to block such traffic with Windows Firewall (as we do). Right now we are not sure that the IDS high CPU usage is related to these UDP packets. Right now we block all inbound UDP and TCP ports with Windows Firewall, and we must disable IDS and Botnet protection permanently (because they cannot work with the server due to CPU usage over 70%). We are waiting for dear @Marcos to see if he finds anything in the advanced OS logging that can help: https://we.tl/t-MRdRdaMqvF
  6. Hi dear @itman, this server is our customer's VPS in an OVH data center, and we do not have any access to the gateway/router. We know that something is wrong here, that ESET IDS is involved. We are working on it and waiting for @Marcos to check the ESET Log Collector.
  7. Here is your requested log, dear Marcos: https://we.tl/t-MRdRdaMqvF
  8. Windows Firewall dropped log is attached, also uploaded to https://we.tl/t-rU7u763VGL. We find many UDP dropped logs, all from OVH SAS, as this server is a VPS in OVH. But these UDP ports are blocked. We cannot find yet why ESET IDS is involved with CPU usage of 70%. pfirewall.log
  9. We are confused: if ports are dropped, why will ESET IDS be involved?! Are ESET network drivers working before the Windows firewall? We will check the Windows Firewall dropped log.
  10. No, as you can see in the screenshots, Destination Port and any other info is N/A! All inbound TCP and UDP are blocked by Windows Firewall, but ESET IDS is still involved with attacks.
  11. Thank you dear @Marcos for the rapid reply as always, the Number 1 Man of ESET Forum Administrators 😍 ESET Log Collector: https://we.tl/t-gEPyQZyBeK
  12. Hi dear ESET Admins, in these 2-3 days we have a problem on many VPS on which FS v7.3 or 8.0 is installed. Over 70-90% of CPU is used by ekrn. When IDS and Botnet Protection are disabled there is no problem (ekrn CPU usage will be less than 1%). Our support team disabled all firewall policies, blocked all inbound UDP and all inbound TCP in Windows Firewall (and limited RDP with an IP whitelist in Windows Firewall). Still we see many attacks in the IDS log and many blocked IPs! Ekrn dump and EpfwLog.pcapng are uploaded here: https://we.tl/t-raMXXS0y2n What is the cause of this attack while all TCP and UDP ports are closed by Windows Firewall!?
  13. Dear ESET Admins, did you check the problem? Our customers have a problem using v8.1 in an offline environment.
  14. In our tests ESET will detect an attack with any DLL file, even with an empty file! It does not depend on detection of the DLL file. We will also check that.
  15. Thank you dear, do you have that exploit code to test?