Jump to content


Most Valued Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Posts posted by itman

  1. Quote

    Microsoft has released a PowerShell script that admins can use to check whether the recently disclosed ProxyLogon vulnerabilities have hacked a Microsoft Exchange server.

    Microsoft releases script to check for ProxyLogin hacks

    When disclosing these vulnerabilities, Microsoft provided a list of commands that Exchange administrators could use to check if a server was hacked.

    These commands would need to be executed manually to check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.

    Yesterday, Microsoft released a PowerShell script on the Microsoft Exchange support engineer's GitHub repository named Test-ProxyLogon.ps1 to automate these tasks for the administrator.


  2. I just accessed the web site again. Eset is still showing the same threat detection.

    Using the URL from the Eset detection log entry, I submitted it to VT for a scan. Since Quttera is detecting it, I would say the web site is hacked. You might want to inform the web site owner of this status:


  3. Also of note:


    At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity.


    But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by those security updates.

    “We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.


  4. As far as NDIS Virtual Network Adapter Enumerator, it would be installed when Hyper-V was installed:


    Virtual network adapters typically accompany VMMs such as VMWare Workstation, Virtualbox, and Microsoft Hyper-V. If you installed one of those during the release preview it may have not been uninstalled properly. You can probably safely remove the device.


    I really don't see anything wrong with what is shown in your device manager screen shot.

    Are you connect to a public wi-fi network or to a wi-fi connection on your router?

  5. 3 hours ago, cyberhash said:


    I duplicated the Eset detection when I selected the same lens you did. Appears to be malicious re-direct activity:


    -EDIT- Of note is no one at VT is detecting the hash, DDD0318AB432F659AFB556A62B98BF950A3E7512, Eset shows in the Detection log entry.



  6. To begin, you didn't state you have an Eset security product installed? Remember this is a forum to support Eset software issues.

    Interesting in the TechNet posting linked, no one in a Microsoft capacity denied this type of activity occuring.

    All I will state is persistent external intrusions into a local network is a clear sign that perimeter devices; router, gateway, etc.. have been compromised. This can happen for a number of reasons with mis- configuration being at the top of the list. Another reason is one network device was infected with a worm which allowed the rest of the network to be infected.

  7. Eset is well aware of this situation as noted by their blog posting on it: https://www.welivesecurity.com/2021/03/04/microsoft-fixes-four-exchange-server-zero-day-vulnerabilities/ .

    The problem here is the Hafnium APT group whose exploiting is detailed in the Microsoft article you linked is only one of multiple ATP actors exploiting this vulnerability. You need to patch your Exchange servers ASAP.

    Ref.: https://www.bleepingcomputer.com/news/security/dhs-orders-agencies-to-urgently-patch-or-disconnect-exchange-servers/

    -EDIT- Also of note is:


    Active exploitation of these Microsoft Exchange zero-days began "as early as January 6, 2021," as incident response firm Volexity revealed.

    The Volexity article has a number of Indicators of Compromise methods that can be utilized.

  8. I forgot to mention this.

    Referring to the anyrun.com detailed analysis of Remcos RAT sample, the first process spawned from winword.exe is eqnedt32.exe. This would indicate the attacker is exploiting a known vulnerability detailed here: https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/ .

    Again your primary security mechanism against crud like this is to ensure your OS and application software has all available security patches applied.


  9. update.PNG

    The two Win 7 updates that need to be installed for Eset to continue to function w/o issue are KB4474419 and KB4490628. It appears you have already installed these updates based on your screen shot. As such, nothing more is needed on your part.

    Is this the Eset LiveGrid alert you are receiving?


    If not, post a screen shot of the Eset alert message you are receiving in regards to LiveGrid.

    Also post your Eset license Public ID to allow @Marcos to check its status.

  10. Since the linked youtube video is about the Remcos RAT, anyrun.com has an excellent animated analysis of one sample of it here: https://any.run/malware-trends/remcos

    Remcos is usually associated with a phishing e-mail; for example, one containing a MS Word attachment. The easiest way to stop crud like this is to block process startup from any MS Office executable's. In this case, any process startup from winword.exe. Or better yet, permanently disable macro use in winword.exe:


    Once downloaded, the files would prompt the users to activate macros which are required for the execution of Ramcos to start.


  11. 3 hours ago, Marcos said:

    Try sending a plain text email to yourself and see if a tag message is appended.

    I have two e-mail providers setup up in Thunderbird. One is AOL and the other is my ISP provided e-mail.

    AOL e-mail which is IMAPS port 993 never has Eset generated message appended. ISP e-mail which is POPS port 995 does have Eset generated message appended. Now the AOL e-mail uses OAuth2, so maybe that's a factor. Or, there is an issue with this feature for IMAPS e-mail. It does make one wonder if Eset is actually scanning IMAPS e-mail.

  12. You also need to employ a bit of "deductive logic" in situations like this.

    You are using cracked high valued software normally used in commercial environments. Malware development these days is  monetary based. Therefore, malware developers will target software sources used by commercial environments where the possibility of monetary gain is greatest. Bottom line - cracked commercially used software fulfills this objective.

  13. 1 minute ago, Duhan Orhan said:

    Sorry, my main question is, even if the crack we downloaded is clean, is there a possibility that the Trojan will settle here when the computer gets infected

    It's impossible to determine that.

    For example, the cracked download can contain a unknown backdoor. The backdoor can lie dormant for days, weeks, and months and then activated by an attacker. They have been backdoors that have been discovered that have laid dormant on devices for years.

    When Eset detects cracker software as a PUA it is warning you there is a chance that something else malicious may exist in the download although it presently has not detected anything. Also, refer to my posting here: https://forum.eset.com/topic/24825-if-you-use-licensing-cracking-software-you-need-to-read-this/ . The gist of the current situation in regards to cracked software is it is actively being deployed by malware developers as a stealth method to infect devices.

  14. 16 minutes ago, Duhan Orhan said:

    s there a possibility that this will cause problems in the future, and when I run a comprehensive scan with Eset, it only detects this now. Can I be sure that I deleted the Trojan?

    You keep asking the same question over and over again.

    The answer again and again is that Eset is detecting the crack software being used in SolidWorks download; i.e. .iso file as a PUA; i.e. potentially unwanted application. If you don't want Eset to detect as such, you will have to manually create a PUA exclusion for whatever Eset is detecting.

    As to if Eset sometime in the future might decide that this detection is no longer a PUA but actually malware, that obviously is unknown.

  15. 3 hours ago, Duhan Orhan said:

    I don't know if Solidworks is crack because my brother downloaded it, is there any way to tell if it's cracked, and if it's not crack I don't have to worry, right?

    Since Eset is detecting a hack tool associated with license cracking, it can be assumed that this Solidworks Premium version is a cracked version.

    Additionally unless your family is wealthy, it can be assumed this version is a cracked one. I came across a web posting that noted in 2016, a SolidWorks Premium one year license in the U.S. costs $8,000 with a one year maintenance cost of $2,000 for that license. I will also note that in the U.S. software theft in this value range would be considered a felony punishable by a sizable fine and possible jail time.

    My understanding is SolidWorks does have arrangements with universities in the U.S. at least, where student version licenses can be purchased at considerable discount price.

  • Create New...