Possible Viruses


Juan

Recommended Posts

Hi Team, could you please help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, but when I perform a deep scan on one of the computers, no virus is registered.
At the moment I have the ESMC console installed and ESET Endpoint Security version 7.1 on the computers, and the possible viruses registered in the Fortinet are:
- tcp.split.handskshaked.pakets
- php.malicious.shell
- smb.login.brute.force
These are the elements announced. Questions: Are these Windows updates or patches, some application, or false positives? Thanks for your help.


These are all Fortinet IPS detections:

https://fortiguard.com/encyclopedia/ips/26339

https://fortiguard.com/encyclopedia/ips/44580

https://fortiguard.com/encyclopedia/ips/12090

The possible malware is php.malicious.shell. Per the Fortinet description, it indicates a malicious PHP script running on a PHP server. Do you have a PHP/web server installed?

Edited by itman

  • Administrators

The best would be to get a pcap log with such detections and provide it also to the maker of the firewall who should be able to confirm or deny if it was false positives.


  • Most Valued Members
1 hour ago, Juan said:

Hi Team, could you please help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, but when I perform a deep scan on one of the computers, no virus is registered.
At the moment I have the ESMC console installed and ESET Endpoint Security version 7.1 on the computers, and the possible viruses registered in the Fortinet are:
- tcp.split.handskshaked.pakets
- php.malicious.shell
- smb.login.brute.force
These are the elements announced. Questions: Are these Windows updates or patches, some application, or false positives? Thanks for your help.

The Brute Force means that someone is trying to brute-force your SMB folders. Make sure you don't use SMB v1; as per itman's link, Fortinet says that it will be logged once there are 500 failed attempts.

TCP Split Handshakes sometimes happen as a false positive, but you could double-check it.

And about the malicious shell, you should double-check the code, even if ESET finds nothing, or at least try to find out in which file it is originating.

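The post above explains that the smb.login.brute.force signature fires once a source has produced 500 failed SMB logins. As an added example (not from the thread, Fortinet or ESET), the script below applies that same idea to a log file: it parses failed-logon records, keeps a sliding window of failures per source address, and raises an alert for a source the moment its window reaches the threshold. The log line format, the 10-minute window, the host addresses and the sample records are all constructed for this example; a real Fortinet or Windows event log needs its own parser in place of `parse_line`.

```python
"""Flag SMB brute-force sources from failed-logon records (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional

THRESHOLD = 500                  # failed attempts, the figure quoted in the thread
WINDOW = timedelta(minutes=10)   # sliding window; an assumption for this example

# Constructed line format, e.g.:
# 2019-07-09T15:16:00 src=10.0.0.5 dst=10.0.0.20 service=smb result=failure
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"service=(?P<service>\w+) result=(?P<result>success|failure)$"
)


class Record(NamedTuple):
    ts: datetime
    src: str
    dst: str
    service: str
    result: str


def parse_line(line: str) -> Optional[Record]:
    """Parse one constructed-format line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return Record(ts, m.group("src"), m.group("dst"),
                  m.group("service"), m.group("result"))


def detect_smb_bruteforce(lines: Iterable[str],
                          threshold: int = THRESHOLD,
                          window: timedelta = WINDOW) -> Dict[str, datetime]:
    """Return {source_ip: time_of_alert} for sources whose failed SMB logins
    reach `threshold` within any `window`. Lines must be time-ordered per source."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.service != "smb" or rec.result != "failure":
            continue                      # ignore noise, other services, successes
        q = recent[rec.src]
        q.append(rec.ts)
        while q and rec.ts - q[0] > window:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) >= threshold and rec.src not in alerts:
            alerts[rec.src] = rec.ts      # first moment the threshold is reached
    return alerts


BASE = datetime(2019, 7, 9, 15, 16, 0)   # constructed start time


def build_sample_log() -> List[str]:
    """Constructed sample: one fast brute-forcer, one slow source that never
    accumulates 500 failures inside the window, one user who mistyped a
    password three times, and a junk line the parser must skip."""
    lines: List[str] = []
    for i in range(520):                  # 520 failures, two per second
        ts = BASE + timedelta(seconds=0.5 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.5 dst=10.0.0.20 service=smb result=failure")
    for i in range(600):                  # 600 failures spread over 20 minutes
        ts = BASE + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.7 dst=10.0.0.20 service=smb result=failure")
    for i in range(3):                    # a few typos, then a successful logon
        ts = BASE + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} src=10.0.0.9 dst=10.0.0.20 service=smb result=failure")
    lines.append(f"{(BASE + timedelta(seconds=100)).isoformat()} src=10.0.0.9 dst=10.0.0.20 service=smb result=success")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for src, when in detect_smb_bruteforce(build_sample_log()).items():
        print(f"ALERT smb brute force from {src} at {when.isoformat()}")
```

The slow source (10.0.0.7) shows why the window matters: it produces more than 500 failures in total, but never more than about 300 inside any ten-minute span, so a plain counter would alert on it while the sliding window does not. Tune the window to match whatever the firewall actually uses before comparing its alerts with yours.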

A few comments about PHP server use. The built-in server was designed for internal development usage and definitely should not be allowed access to the external network:

Quote

Built-in web server

Warning

This web server was designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.

Edited by itman

@itman

That's only for the web server built into PHP (that is designed for app dev, and shouldn't be forwarded to the net), not PHP itself, right?

18 minutes ago, jdashn said:

@itman

That's only for the web server built into PHP (that is designed for app dev, and shouldn't be forwarded to the net), not PHP itself, right?

I believe that is correct.

But in this case, it appears the PHP server was not locked down; it was hacked to deploy a malicious script, and that script is now attacking the internal network.


  • Administrators

Ideally, pcap logs should be analyzed by the firewall maker, Fortinet. Otherwise it's just speculation as to what happened: whether there was malicious activity, or whether the detection was the result of some non-standard communication that the firewall flagged, correctly or incorrectly, as a false positive.


