Archived

This topic is now archived and is closed to further replies.

winstonsmith84

Threat log question

We recently upgraded to Eset File Security 7.0.12016 and now have a few entries in the threat log that I'm uncertain what to do about. All say Firewall Security Vulnerability exploitation. One is SMB/Exploit.MS17-10.B and the other three are CVE-2017-5638.Struts2. Does this alert mean that these servers were actively attacked or just that a potential vulnerability exists with these servers?


The remote computers are most likely unpatched and infected.


The struts exploit is for Apache but the server listed in the threat log doesn't have Apache installed on it. So why would this be listed as a threat alert on this server?

17 minutes ago, winstonsmith84 said:

The struts exploit is for Apache but the server listed in the threat log doesn't have Apache installed on it. So why would this be listed as a threat alert on this server?

I am wondering if Eset is detecting an old unused Apache app on the server?

Quote

Unfortunately, fixing this critical flaw isn't always as easy as applying a single update and rebooting. That's because in many cases, Web apps must be rebuilt using a patched version of Apache Struts. For older apps, developers may need to exhume long-forgotten source code and test the finished binary to make sure it doesn't break the rest of the website it's hosted on. Apache Struts is a framework for developing Web apps based on Oracle's larger Java framework. Struts has slowly been phased out in favor of newer developer tools, but it remains used by a significant number of banks, government agencies, and Internet companies.

https://arstechnica.com/information-technology/2017/03/in-the-wild-exploits-ramp-up-against-high-impact-sites-using-apache-struts/


I'm seeing the same log entries for CVE-2017-5638.Struts2. The Solarwinds product called Web Help Desk is the only program that runs on a new Server 2016 install. I do believe it uses java and maybe Apache but their development team said "...the Struts framework is not used in WHD nor is it shipped with the application." What is the likelihood that this is a false positive? More importantly is EFS just detecting, or is it blocking or quarantining?


It is also possible what Eset is detecting is the vulnerable Java version/s. Is Java fully patched and up to date?


Have you ruled out the possibility that the remote machine is infected? If so, please enable network protection advanced logging in the advanced setup -> tools -> diagnostics, reproduce the detection, disable logging and provide me with logs gathered by ESET Log Collector.

As for the action, "detected" actually means detected and blocked. If I remember correctly, there were plans to change the wording to make it clear to users.

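Added example, not code from this thread or from ESET: a small Python triage script that applies the point made in the reply above. Network-protection entries record traffic arriving from a remote host, so the local server does not need Apache or Struts installed for the entry to appear, and the remote machine is the one to patch or clean. The tab-separated layout and the sample lines are constructed assumptions for the example, not ESET's real export format.

```python
"""Triage exploit-signature threat-log entries (added example, not ESET code).

Assumption: the tab-separated layout and sample lines are CONSTRUCTED and are
not ESET's real export format. Columns: timestamp, module, detection name,
source (remote IP:port for network events, else a file path), action.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: detection names from the thread, documentation-range
# addresses, and "Example.Local.Detection" as a placeholder name.
SAMPLE_LOG = """\
2019-12-25T03:14:07\tNetwork protection\tSMB/Exploit.MS17-10.B\t10.20.30.40:49152\tdetected
2019-12-25T03:14:09\tNetwork protection\tSMB/Exploit.MS17-10.B\t10.20.30.40:49153\tdetected
2019-12-26T11:02:41\tNetwork protection\tCVE-2017-5638.Struts2\t203.0.113.9:51337\tdetected
2019-12-27T08:45:00\tReal-time file system protection\tExample.Local.Detection\tC:\\apps\\old\\app.jar\tcleaned
"""

# An IP:port source means the signature matched traffic *arriving from* that host.
NET_SOURCE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse(log_text):
    """One dict per non-empty line; remote_ip is set only for network events."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, module, name, source, action = line.split("\t")
        m = NET_SOURCE.match(source)
        events.append({"time": ts, "module": module, "name": name, "source": source,
                       "action": action, "remote_ip": m.group("ip") if m else None})
    return events


def summarize(events):
    """Group inbound attempts per remote host; local (file) detections go to a list.
    A network event means a remote host sent exploit traffic at this server (the
    server need not run the targeted software); action "detected" means blocked.
    """
    per_host = defaultdict(lambda: {"signatures": Counter(), "blocked": 0, "total": 0})
    local = []
    for e in events:
        if e["remote_ip"] is None:
            local.append(e)
            continue
        host = per_host[e["remote_ip"]]
        host["signatures"][e["name"]] += 1
        host["total"] += 1
        host["blocked"] += int(e["action"] == "detected")
    return dict(per_host), local
```

Run `summarize(parse(SAMPLE_LOG))` to get the per-remote-host view plus the list of local file detections that do concern software on the server itself.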

The last time it was detected was Christmas Day but I'll do what you asked when it happens again. Glad to hear the terminology change may happen. Thank you Marcos.

