itman

Posts posted by itman

  1. Business Email Compromise Attacks See Almost 500% Increase

    Quote

    Proofpoint Quarterly Threat Report's key findings:

    EMAIL:
    • Banking Trojans remain the top email-borne threat in Q4, making up 56% of all malicious payloads in Q4; Emotet comprised 76% of all banking Trojan payloads.
    • Remote access Trojans accounted for 8.4% of all malicious payloads in Q4 and 5.2% for the year, marking a significant change from previous years in which they were rarely used by crimeware actors.
    • Ransomware dropped even further in Q4 to just one tenth of 1% of overall malicious message volume.
    • Malicious messages bearing credential stealers or downloaders collectively jumped more than 230% year over year.
    • Email fraud, also known as BEC, continued its dramatic growth. The number of email fraud attacks against targeted companies increased 226% QoQ and 476% vs. Q4 2017.

    WEB-BASED ATTACKS:
    • Coinhive activity spiked to 23 times the average for the year for two weeks in December; overall, Coinhive activity continued to grow slowly aside from this spike.
    • In Q4, we still observed a 150% increase in social engineering detections on our worldwide network of IDS sensors; while this is a slower growth rate than observed in previous quarters, it continues to demonstrate a trend towards social engineering even as EK activity has remained low.

    SOCIAL MEDIA:
    • Fraudulent social media support account phishing, or "angler phishing," has increased 442% year-over-year.
    • Phishing links on social channels continue to drop as platforms address this issue algorithmically.

    https://www.bleepingcomputer.com/news/security/business-email-compromise-attacks-see-almost-500-percent-increase/

  2. Are IMAP/S ports properly configured?

    Quote

    In Windows Vista and later, IMAP and POP3 protocols are automatically detected and scanned on all ports. In Windows XP, only the configured Ports used by the IMAP/POP3 protocol are scanned for all applications, and all ports are scanned for applications marked as Web and email clients.

    ESET Endpoint Antivirus also supports the scanning of IMAPS and POP3S protocols, which use an encrypted channel to transfer information between server and client. ESET Endpoint Antivirus checks communication utilizing the SSL (Secure Socket Layer), and TLS (Transport Layer Security) protocols. The program will only scan traffic on ports defined in Ports used by IMAPS/POP3S protocol, regardless of operating system version.

    https://help.eset.com/eea/7/en-US/idh_config_emon_protocols.html?zoom_highlightsub=imap

  3. Also check your router settings and ensure your WAN settings are properly setup to prevent DoS attacks. This activity should have been blocked by the router. Also, check your router logs for DoS log entries:

    Quote

    Manage the WAN Security Settings

    The WAN security settings include port scan protection and denial of service (DoS) protection, which can protect your LAN against attacks such as Syn flood, Smurf Attack, Ping of Death, and many others. By default, DoS protection is enabled and a port scan is rejected.

    You can also enable the router to respond to a ping to its WAN (Internet) port. This feature allows your router to be discovered. Enable this feature only as a diagnostic tool or if a specific reason exists.

    To change the default WAN security settings:

    1. Launch a web browser from a computer or mobile device that is connected to the network.

    2. Enter http://www.routerlogin.net.

    A login window opens.

    3. Enter the router user name and password.

    The user name is admin. The default password is password. The user name and password are case-sensitive.

    The BASIC Home page displays.

    4. Select ADVANCED > Setup > WAN Setup.

    The WAN Setup page displays.

    5. To enable a port scan and disable DoS protection, select the Disable Port Scan and DoS Protection check box.

    6. To enable the router to respond to a ping, select the Respond to Ping on Internet Port check box.

    7. Click the Apply button.

    Your settings are saved.

    http://www.downloads.netgear.com/files/GDC/R6700v2/R6700v2_UM_EN.pdf

    -EDIT- To ensure your router hasn't been hacked, make sure you change the default password of "password" to a strong password. If it appears your router settings have been changed by other than yourself, reset the router to default settings and reapply any previous custom settings you made. Finally, make sure your Netgear router firmware is up to date since there have been numerous past security vulnerabilities: https://www.cvedetails.com/vulnerability-list/vendor_id-834/Netgear.html .

  4. One other thing that should be checked out in regards to APIPA network addresses:

    Quote

    "Autoconfiguration" IP Addresses:

    
    169.254.0.0 - 169.254.255.255

    Addresses in the range 169.254.0.0 to 169.254.255.255 are used automatically by most network devices when they are configured to use IP, do not have a static IP Address assigned and are unable to obtain an IP address using DHCP.

    This traffic is intended to be confined to the local network, so the administrator of the local network should look for misconfigured hosts. Some ISPs inadvertently also permit this traffic, so you may also want to contact your ISP. This is documented in RFC 6890.

    https://www.iana.org/help/abuse-answers

    As noted by IANA, APIPA addresses should never be allowed external network access. ISPs should never accept like IP addresses. If the client's ISP is doing so or an Internet server is forwarding these addresses to the Internet, it might account for Eset's IDS alert activity.

  5. 3 hours ago, Samoréen said:

    I'm wondering what could cause this strange behavior for a few days.

    I attribute behavior like this to "hiccups" that can periodically appear in Windows. One such reason among others is:

    Quote

    My suspicion is that Windows is doing a kind of hybrid shutdown, trying to preserve the state of certain open apps at the time of closing. Hence they don't appear in Startup nor Autoruns but in some mysterious Windows state saving place.

    And:

    Quote

    To check on this bug, we can try shutting down the computer without the Hybrid Shutdown behavior and see how it goes from there. To do this, check out this link for steps (see the Workaround section).

    https://answers.microsoft.com/en-us/windows/forum/all/windows-keeps-opening-apps-on-startup/2165cde2-f471-4d12-aab9-241f6995de15

    Hybrid sleep modes such as Win 10 Fast Startup option can also be the source at given times. I really wouldn't be concerned unless it happens on a regular basis.

  6. Need further justification on why you shouldn't be using RDP? 

    Quote

    Remote Desktop Protocol Clients Rife with Remote Code-Execution Flaws

    Several flaws in both open-source RDP clients and in Microsoft’s own proprietary client make it possible for a malicious RDP server to infect a client computer – which could then allow for an intrusion into the IT network as a whole.

    UPDATE

    LAS VEGAS — Multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) would allow a malicious actor to achieve remote code-execution over a client’s computer.

    According to Check Point research released Tuesday at the CPX360 event in Las Vegas, both open-source and Microsoft proprietary RDP clients are at risk from an attacker who has either set up a malicious RDP server within a network, or who has compromised a legitimate one using other vulnerabilities.

    It turns out that the vulnerabilities make it possible to do just that, essentially reversing the usual direction of communication and infecting the client computer – that in turn could then allow for an intrusion into the IT network as a whole.

    According to Check Point, 16 major vulnerabilities and a total of 25 security vulnerabilities were found overall across the clients it examined; these include mstsc.exe (Microsoft’s built-in RDP client); FreeRDP (the most popular and mature open-source RDP client on Github, Check Point said); and rdesktop (an older open-source RDP client that comes by default in Kali-linux distros, often used by security research red teams for penetration testing).

  7. The following posting might also be informative:

    Quote

    Real World Issue - Broadcast storm from 169.254/16 causes CPU DoS on 6500's

    We have been having an issue at one of our sites with collapsed core/distribution in 2 6500's doing layer3 switching.  Occasionally a "misconfigured" windows machine will come online on the network with an "auto self assigned" IP address - IPv4 link local - 169.254.x.x/16. It will then begin sending 100s of thousands of packets per second broadcasts to 169.254.255.255.  We don't have packet captures, but I suspect it's netbios udp 137 traffic.  This causes both 6500's in our core to go to 100% CPU - and the network performance goes down the tubes - and we cannot manage the switches via SSH when this happens.  Usually someone finds the culprit and unplugs them.  Today, I didn't have anyone on site.  I had a severely degraded network for about 2 1/2 hours before it went away by itself.

    https://learningnetwork.cisco.com/thread/35755?start=0&tstart=0

  8. Well, I didn't read the entire bleepingcomputer.com article as I should have. The real issue is HSTS which I believe has surfaced in Eset's BP&P.

    There is, however, a workaround for the issue, it appears, if the issue does manifest for Firefox users:

    Quote

    Option 2: Allow Firefox to use certificates from the Windows certificate store

    By default, Firefox 65 will only use the certificates in its built-in browser certificate store. It is possible, though, to enable the ability to also use the antivirus engine's certificates that are created in the Windows certificate store to validate other web sites' certificates.

    To enable Firefox to use the certificates installed as a Windows Trusted Certificate Authority, you can enable the security.enterprise_roots.enabled option. To do this, please follow these steps:

    1. Type about:config in the Firefox address bar and then press enter. When Firefox asks, click on the button stating that you accept the risks.
    2. In the search field enter security.enterprise_roots.enabled and press enter.
    3. Double-click on security.enterprise_roots.enabled so that it toggles to true as shown below.
    4. You can now close the about:config page.

    https://www.bleepingcomputer.com/news/software/mozilla-halts-firefox-65-rollout-due-to-insecure-certificate-errors/
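The steps above toggle one preference through the about:config UI. As an added example (not from the article or from Mozilla), the following Python script reads and writes that same preference in the `user_pref("name", value);` line format Firefox uses in a profile's `prefs.js` and `user.js`, so an administrator can audit or set `security.enterprise_roots.enabled` across profiles. The sample preference text is constructed; the profile path and the helper names are assumptions.

```python
import re

# Constructed prefs.js excerpt (not copied from a real profile).
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.update.auto", true);
user_pref("browser.startup.page", 1);
user_pref("network.proxy.type", 0);
"""

ENTERPRISE_ROOTS = "security.enterprise_roots.enabled"

# One preference line: user_pref("name", true|false|123|"string");
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\("([^"]+)",\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$'
)


def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: python value}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything not a pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def enterprise_roots_enabled(text):
    """True/False if the pref is present; None means absent (Firefox default: false)."""
    return parse_prefs(text).get(ENTERPRISE_ROOTS)


def set_pref(text, name, value):
    """Return the text with user_pref(name, value) replaced in place or appended."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, str):
        literal = '"%s"' % value.replace('"', '\\"')
    else:
        literal = str(value)
    new_line = 'user_pref("%s", %s);' % (name, literal)
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", enterprise_roots_enabled(SAMPLE_PREFS))
    updated = set_pref(SAMPLE_PREFS, ENTERPRISE_ROOTS, True)
    print("after: ", enterprise_roots_enabled(updated))
    # To apply to a real profile (path is an assumption), write `updated`
    # to user.js while Firefox is closed; Firefox reads user.js at startup.
```

Edit user.js rather than prefs.js when applying this: Firefox rewrites prefs.js itself on exit, whereas user.js is read at startup and overrides it. Centrally managed installs can instead set the same behaviour through the Firefox enterprise policy `Certificates` / `ImportEnterpriseRoots`.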

  9. Does this apply to Eset also?

    Quote

    Last week Mozilla halted the rollout of Firefox 65 for Windows after users started reporting insecure certificate errors due to antivirus software conflicts. Now that antivirus programs have disabled HTTPS scanning for Firefox, Mozilla has enabled the automatic update of Firefox 65 again.

    When Firefox 65 was released, users started complaining that they were unable to browse the web because Firefox kept displaying insecure certificate errors for legitimate sites such as Google, Facebook, Twitter, etc. According to a Mozilla bug report, this problem was being caused by antivirus programs that performed SSL or HTTPS scanning.

    https://www.bleepingcomputer.com/news/software/mozilla-resumes-firefox-65-rollout-after-avs-disable-https-scanning/

  10. I also believe we are referring to a Level 3 switch in this network: https://searchnetworking.techtarget.com/tip/Layer-3-switches-explained . As the article explains, a Level 3 switch works identically to a router except it has no WAN connectivity. In other words, it can't connect to the Internet. A Level 3 switch would use local IP addresses, e.g. 192.168.xxx.xxx, just like a router does. Level 2 switches on the other hand use MAC addresses as discussed previously.

    What I think is happening is all these device assigned APIPA IP addresses are hitting the Level 3 switch and it is attempting to build routing data for them. This is overloading the switch causing it to crash. Bottom line - it definitely appears to me there is a DHCP server problem with the router/gateway in this network.

  11. I don't know how to read those Eset logs. So I will pass on that.

    As far as IP addresses starting with 169.254:

    Quote

    Definition of: APIPA. APIPA. (Automatic Private IP Addressing) The Windows function that provides DHCP autoconfiguration addressing. APIPA assigns a class B IP address from 169.254.0.0 to 169.254.255.255 to the client when a DHCP server is either permanently or temporarily unavailable.

    https://www.pcmag.com/encyclopedia/term/37858/apipa

    If a device cannot establish a connection to its designated DHCP server (usually within the router) which results in IP address lease assignment (dynamically assigned), it will temporarily assign a local non-routable IP address in the above APIPA address range. The device will keep trying to acquire a valid DHCP connection/lease periodically. Appears to me a malfunctioning/misconfigured router/gateway is the source of the Eset alerts. Or more likely, they are relying on APIPA addressing for the switch perhaps? Also appears Eset doesn't exclude APIPA assigned addresses from its ARP poisoning detection.

  12. As far as the eelam.sys driver goes, it is Eset's version of the Win 10 early launch anti-malware driver. It loads very early in the boot process; right after all kernel mode device drivers have been loaded. The sole purpose of the early launch anti-malware driver is to load the anti-malware kernel process; i.e. ekrn.exe, prior to the loading of any app based drivers. Once the anti-malware kernel process is loaded, the early launch anti-malware driver terminates and unloads itself from memory. Once the desktop appears indicating that Windows has successfully started, there should be no trace of eelam.sys in the allocated memory for ntoskrnl.exe.

  13. 2 hours ago, Rami said:

    Disabling fast boot in your BIOS has fixed the issue? That's weird. If I do remember correctly I have Fast Boot enabled and I don't have this problem.

    The OP is using a VPN as his rules obviously indicate. This might be a factor with Win 10 Fast Boot enabled.

    I likewise have used Eset with and without Fast Boot enabled. What I have observed is it appears Eset's firewall initializes faster under Fast Boot which would be expected.

  14. In regards to recent ransomware attacks:

    Quote

    Ransomware victims who opt to pay their attackers for the promise of a decryption key forked over, on average, $6,733 during the fourth quarter of 2018,

    "The Q4 data set is derived from 226 unique ransomware attacks that were reported to, and triaged by, Coveware," CEO Bill Siegel tells Information Security Media Group. He says his firm handled negotiations for all ransoms that its customers - both individuals and organizations - chose to pay. But he cautions that not all payments resulted in victims receiving a decryption key or successfully decrypting all crypto-locked data.

    For victims who were able to identify the source of their ransomware infection, Coveware says 85 percent traced to RDP, 14 percent to phishing and 2 percent to another form of social engineering.

    https://www.databreachtoday.com/ransomware-victims-who-pay-cough-up-6733-on-average-a-11994

    So again, more proof that the overwhelming source of ransomware attacks is via RDP usage.

  15. As far as determining what is attacking the switch, you will have to examine your Eset log for what source IP address is shown. If only one internal network address is shown, that is the culprit. If multiple internal IP addresses are shown, it would point to the router/gateway being compromised/malfunctioning. It is also possible that there is some type of network device malfunction that is overloading the switch.

  16. MAC Address Flooding attack which in turn leads to a Denial of Service attack. Ref.: http://www.insecure.in/arp_attack.asp

    Quote

    Once the switch's MAC address table is full and it cannot save any more MAC addresses, it enters into a fail-open mode and starts behaving like a network Hub. Frames are flooded to all ports, similar to broadcast type of communication.

    Now, what is the benefit of the attacker? The attacker's machine will be delivered with all the frames between the victim and other machines. The attacker will be able to capture sensitive data from the network.

    How to prevent MAC flooding attacks

    Cisco switches are packed with an in-built security feature against MAC flooding attacks, called Port Security. Port Security is a feature of Cisco Switches which gives protection against MAC flooding attacks.

    http://www.omnisecu.com/ccna-security/what-is-mac-flooding-attack-how-to-prevent-mac-flooding-attack.php
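To make the fail-open behaviour and the port-security countermeasure quoted above concrete, here is an added toy model in Python (written for this page; it is not Cisco's implementation and generates no network traffic). It models a learning switch with a bounded MAC table: without a per-port limit, a port that sources many MAC addresses fills the table and the switch degrades to flooding every unknown destination, so a third port sees traffic meant for someone else; with a per-port limit, the offending port is shut down (the err-disabled state) and forwarding for the other hosts stays unicast. The capacities, port numbers and MAC labels are constructed values.

```python
class Switch:
    """Toy learning switch with a bounded MAC (CAM) table.

    cam_capacity: total MAC entries the table can hold (constructed value).
    max_per_port: port-security limit on learned MACs per port; None = off.
    """

    def __init__(self, ports, cam_capacity, max_per_port=None):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.max_per_port = max_per_port
        self.cam = {}              # mac -> port
        self.err_disabled = set()  # ports shut down after a violation
        self.violations = []       # (port, mac) pairs that tripped port security

    def _learn(self, port, mac):
        if mac in self.cam:
            return True
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                # Port-security violation: shut the port and flush its entries.
                self.err_disabled.add(port)
                self.violations.append((port, mac))
                self.cam = {m: p for m, p in self.cam.items() if p != port}
                return False
        if len(self.cam) >= self.cam_capacity:
            return False       # table full: the new MAC is simply not learned
        self.cam[mac] = port
        return True

    def receive(self, in_port, src_mac, dst_mac):
        """Forward one frame; return the set of egress ports it goes out of."""
        if in_port in self.err_disabled:
            return set()
        self._learn(in_port, src_mac)
        if in_port in self.err_disabled:
            return set()       # the frame that caused the violation is dropped
        dst_port = self.cam.get(dst_mac)
        if dst_port is None or dst_port == in_port:
            return self.ports - {in_port}   # unknown destination: flood
        return {dst_port}

    def is_fail_open(self):
        """True once the table is full, i.e. new hosts can no longer be learned."""
        return len(self.cam) >= self.cam_capacity


def demo(port_security):
    """Run the same frame sequence with and without port security."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=6,
                max_per_port=2 if port_security else None)
    sw.receive(1, "A", "B")            # A learned on port 1, B unknown: flood
    sw.receive(2, "B", "A")            # B learned on port 2, delivered to port 1
    for i in range(10):                # port 3 sources ten different MACs
        sw.receive(3, "X%d" % i, "B")
    sw.receive(1, "C", "B")            # new legitimate host C on port 1
    reply_ports = sw.receive(2, "B", "C")   # where does B's reply to C go?
    return {"fail_open": sw.is_fail_open(),
            "reply_ports": reply_ports,
            "err_disabled": sw.err_disabled,
            "violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security:", demo(False))   # reply floods to ports {1, 3}
    print("port security:   ", demo(True))    # reply goes to port {1} only
```

The detection hook for a defender is the violation record: on real switches the equivalent event (a port going err-disabled) is logged and can be alerted on, which is usually how the source port of a flood is found without walking the floor.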

  17. 3 hours ago, tmuster2k said:

    However, the HIPS rules are missing the same up and down arrows that are present on the firewall UI.

    Eset HIPS rules are not positionally sensitive. All allow rules are executed prior to ask and block rules. Therefore, rule ordering is immaterial. It does however prevent ordering of rules in a user desired order such as grouping related rules together for easy discovery purposes.

  18. 2 hours ago, Kate978 said:

    These are NetBIOS, mDNS, SSDP, UDP. It seems to be ekrn.exe file. So it is a component of ESET Internet Security.

    Ekrn.exe performs internal proxying activities using UDP and the ports associated with the protocols you referenced. You need to allow all ekrn.exe traffic both inbound and outbound; not just outbound traffic.

    As far as NetBIOS goes, I have it disabled for my IPv4 network adapter connection. I have disabled the SSDP Win service thereby eliminating all that traffic. As far as mDNS, that one is a slippery bugger. Windows has a way of using it despite your best efforts. I don't worry about it anymore. If you want to stop all mDNS traffic, just disable all default firewall rules associated with it per the below screen shot. Or disable LLMNR under the Allowed Services section, which will create a rule to not send outbound traffic to 224.0.0.252, ff02::, etc.:

    [Screenshot: Eset_mDNS.png]
