Threat log question



We recently upgraded to Eset File Security 7.0.12016 and now have a few entries in the threat log that I'm uncertain what to do about. All say Firewall Security Vulnerability exploitation. One is SMB/Exploit.MS17-10.B and the other three are CVE-2017-5638.Struts2. Does this alert mean that these servers were actively attacked or just that a potential vulnerability exists with these servers?


Quoting winstonsmith84:

The struts exploit is for Apache but the server listed in the threat log doesn't have Apache installed on it. So why would this be listed as a threat alert on this server?

I am wondering if Eset is detecting an old unused Apache app on the server?

Quoting Ars Technica (link below):

Unfortunately, fixing this critical flaw isn't always as easy as applying a single update and rebooting. That's because in many cases, Web apps must be rebuilt using a patched version of Apache Struts. For older apps, developers may need to exhume long-forgotten source code and test the finished binary to make sure it doesn't break the rest of the website it's hosted on. Apache Struts is a framework for developing Web apps based on Oracle's larger Java framework. Struts has slowly been phased out in favor of newer developer tools, but it remains used by a significant number of banks, government agencies, and Internet companies.

https://arstechnica.com/information-technology/2017/03/in-the-wild-exploits-ramp-up-against-high-impact-sites-using-apache-struts/


I'm seeing the same log entries for CVE-2017-5638.Struts2. The SolarWinds product called Web Help Desk is the only program that runs on a new Server 2016 install. I do believe it uses Java and maybe Apache, but their development team said "...the Struts framework is not used in WHD nor is it shipped with the application." What is the likelihood that this is a false positive? More importantly, is EFS just detecting, or is it blocking or quarantining?


Administrator (Marcos):

Have you ruled out the possibility that the remote machine is infected? If so, please enable network protection advanced logging in the advanced setup -> tools -> diagnostics, reproduce the detection, disable logging and provide me with logs gathered by ESET Log Collector.

As for the action, "detected" actually means detected and blocked. If I remember correctly, there were plans to change the wording to make it clear to users.

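The two open questions in this thread (would the host actually have been exploitable by either signature, and is the remote address still talking to it) can be settled on the server itself before gathering ESET logs. The script below is an added triage example written for this page; it is not ESET tooling and not code from any poster. It assumes a Windows Server host where the SmbShare, NetTCPIP and ServerManager PowerShell modules are available, that the remote address from the threat log entry is copied by hand into $RemoteIp (the value shown is a placeholder), and that $WebRoots lists the directories where a Java web application could plausibly live on this box; both parameters are assumptions to adjust.

```powershell
# Added triage example for the detections discussed in the thread.
# Not ESET's code. $RemoteIp and $WebRoots are assumed placeholders.
param(
    [string]$RemoteIp = '192.0.2.10',   # placeholder: paste the source address from the threat log entry
    [string[]]$WebRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\inetpub')  # assumed search roots
)

$result = [ordered]@{}

# 1. SMB/Exploit.MS17-10: the exploit traffic only succeeds against an SMBv1 server.
#    If SMB1 is disabled and the feature is absent, the blocked packets could not have landed.
$smb = Get-SmbServerConfiguration
$result.SMB1Enabled = $smb.EnableSMB1Protocol
try {
    $result.SMB1FeatureInstalled = (Get-WindowsFeature -Name FS-SMB1 -ErrorAction Stop).Installed
} catch {
    $result.SMB1FeatureInstalled = 'unknown (ServerManager module not available)'
}

# 2. CVE-2017-5638.Struts2: the signature matches the Jakarta multipart request that targets
#    struts2-core. A host with no struts2-core jar on disk is not exploitable by it, which is
#    consistent with the vendor statement about Web Help Desk quoted in the thread.
$strutsJars = foreach ($root in $WebRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter 'struts2-core*.jar' -ErrorAction SilentlyContinue
    }
}
$result.StrutsJars = @($strutsJars | Select-Object -ExpandProperty FullName)

# 3. Is anything listening where those signatures fire (445 for SMB, common HTTP ports for Struts)?
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
$result.Listening445 = [bool]($listen | Where-Object { $_.LocalPort -eq 445 })
$result.ListeningHttpPorts = @($listen |
    Where-Object { $_.LocalPort -in 80, 443, 8080, 8443 } |
    Select-Object -ExpandProperty LocalPort -Unique)

# 4. Is the address from the log still connected? A live session from it is a reason to look at
#    the remote machine, as the administrator suggests, rather than treat the entry as noise.
$result.ConnectionsFromRemote = @(Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue |
    Select-Object -Property LocalPort, RemotePort, State)

[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell session on the server named in the threat log entry. Reading the output: SMB1Enabled $false plus an empty StrutsJars list means the IDS blocked traffic aimed at services the host does not expose, so the entries record an attempt from the remote address rather than a vulnerability on this server; a non-empty StrutsJars list or SMB1Enabled $true means the block was the only thing standing between the exploit and a vulnerable service, and patching or disabling SMB1 takes priority over the log question.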

The last time it was detected was Christmas Day but I'll do what you asked when it happens again. Glad to hear the terminology change may happen. Thank you Marcos.

