Juan

Possible Viruses


Hi Team, could you please help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, but when I perform a deep scan on one of the computers, no virus is registered.
At the moment I have the ESMC console installed and ESET Endpoint Security version 7.1 on the computers, and the possible viruses registered in the fortinet are:
- tcp.split.handskshaked.pakets
- php.malicious.shell
- smb.login.brute.force
These are the elements announced. Questions: are these Windows updates or patches, some application, or false positives? Thanks for your help.

Posted (edited)

These are all Fortinet IPS detections:

https://fortiguard.com/encyclopedia/ips/26339

https://fortiguard.com/encyclopedia/ips/44580

https://fortiguard.com/encyclopedia/ips/12090

The possible malware is php.malicious.shell. Per the Fortinet description, it indicates a malicious php script running on a php server. Do you have a php/web server installed?

Edited by itman


The best would be to get a pcap log with such detections and provide it also to the maker of the firewall who should be able to confirm or deny if it was false positives.

1 hour ago, Juan said:

Hi Team, could you please help me with this topic. My firewall provider "fortinet" says that I have a virus in my network, but when I perform a deep scan on one of the computers, no virus is registered.
At the moment I have the ESMC console installed and ESET Endpoint Security version 7.1 on the computers, and the possible viruses registered in the fortinet are:
- tcp.split.handskshaked.pakets
- php.malicious.shell
- smb.login.brute.force
These are the elements announced. Questions: are these Windows updates or patches, some application, or false positives? Thanks for your help.

The Brute Force means that someone is trying to brute-force your SMB folders; make sure you don't use SMB v1. As per itman's link, Fortinet says that it will be logged once there are 500 failed attempts.

TCP Split Handshake sometimes happens as a false positive, but you could double check it.

And about the malicious shell, you should double check the code, even if ESET finds nothing, or at least try to find out which file it's originating from.
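The SMB brute-force signature discussed above is, at its core, a count of failed logons from one source within a time window. The script below is an added example written for this thread, not code from Fortinet, ESET or any poster: it applies that logic to constructed Windows Security log summaries (event 4625, logon type 3 for network/file-share access). The log line format, the source addresses and the account names are all made up for the example; the 500-attempt figure is the one quoted from Fortinet's description, and the threshold is a parameter so you can also test lower values when you are triaging a single host.

```python
"""Flag source hosts whose failed SMB (network) logons reach a threshold within
a sliding window, mirroring how a brute-force IPS signature counts attempts.

Log format (a constructed assumption for this example, not ESET/Fortinet output):
  <ISO timestamp> EventID=<id> Account=<user> Source=<ip> LogonType=<n>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>[\d.]+) LogonType=(?P<ltype>\d+)$"
)
FAILED_LOGON = "4625"   # Windows Security event: an account failed to log on
NETWORK_LOGON = "3"     # logon type used for SMB/file-share access


def parse(line):
    """Parse one summary line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": m["eid"],
        "acct": m["acct"],
        "src": m["src"],
        "ltype": m["ltype"],
    }


def brute_force_sources(lines, threshold=10, window_seconds=60):
    """Return {source_ip: (peak failures inside one window, sorted account names)}
    for sources whose failed network logons reach `threshold` within `window_seconds`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["eid"] == FAILED_LOGON and ev["ltype"] == NETWORK_LOGON:
            per_src[ev["src"]].append((ev["ts"], ev["acct"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()   # timestamps inside the current window
        peak = 0
        for ts, _ in events:
            recent.append(ts)
            while ts - recent[0] > window:   # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = (peak, sorted({acct for _, acct in events}))
    return flagged


def sample_lines():
    """Constructed sample: one host hammering the file server with several account
    names, one user who mistyped a password once and then logged on, and one
    interactive (non-SMB) failure that must be ignored."""
    base = datetime(2019, 7, 9, 15, 16, 0)
    accounts = ["administrator", "admin", "backup", "guest"]
    lines = []
    for i in range(12):   # 12 failures from 10.0.0.5 within 36 seconds
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} EventID=4625 Account={accounts[i % 4]} Source=10.0.0.5 LogonType=3")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} EventID=4625 Account=juan Source=10.0.0.7 LogonType=3")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()} EventID=4624 Account=juan Source=10.0.0.7 LogonType=3")
    lines.append(f"{(base + timedelta(seconds=20)).isoformat()} EventID=4625 Account=juan Source=10.0.0.7 LogonType=2")
    return lines


if __name__ == "__main__":
    for src, (peak, accts) in brute_force_sources(sample_lines()).items():
        print(f"{src}: {peak} failed SMB logons in one window, accounts tried: {', '.join(accts)}")
```

With the default threshold of 10 the constructed host 10.0.0.5 is reported and 10.0.0.7 is not; with Fortinet's quoted threshold of 500 nothing is reported, which is one reason a firewall signature and a host-side look at the event log can disagree.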

Posted (edited)

A few comments about php server use. It was designed for internal development usage and definitely should not be allowed access to the external network:

Quote

Built-in web server

Warning

This web server was designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.

Edited by itman


@itman

That's only for the web server built into PHP (which is designed for app dev and shouldn't be forwarded to the net), not PHP itself, right?

18 minutes ago, jdashn said:

@itman

That's only for the web server built into PHP (which is designed for app dev and shouldn't be forwarded to the net), not PHP itself, right?

I believe that is correct.

But in this case, it appears the php server was not locked down, was hacked to deploy a malicious script, and that script is now attacking the internal network.
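When a web-facing PHP host is suspected of carrying a dropped script, the first triage step is usually to list PHP files that were modified recently or that contain the code patterns web shells tend to use (eval over a decoded blob, command execution fed straight from request parameters). The script below is an added example for this thread, not code from ESET, Fortinet or any poster: it builds a small constructed web root in a temporary directory, with a month-old legitimate index.php and a freshly written upload whose only content is an eval/base64 pattern around a placeholder string, and reports which files trip the checks. The indicator list is this example's own assumption, not Fortinet's signature content, and a hit is a reason to read the file, not proof by itself.

```python
"""Triage a PHP web root: report .php files that contain common web-shell code
patterns or that were modified recently. Indicator regexes are this example's
own assumption (a defender's short list), not a vendor signature."""
import os
import re
import tempfile
import time
from pathlib import Path

SUSPICIOUS = [
    # eval() over a decoded/decompressed blob
    ("eval+decode", re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # command execution fed directly from request input
    ("exec from request", re.compile(
        r"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    # a request parameter used as a function name
    ("dynamic call from request", re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I)),
]


def triage_php(root, recent_days=7):
    """Walk `root` for .php files and return a list of findings (sorted by path)
    for files that hit at least one indicator or were modified within `recent_days`."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue   # unreadable file: skip rather than abort the whole scan
        hits = [name for name, rx in SUSPICIOUS if rx.search(text)]
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "indicators": hits,
                "modified_recently": recent,
            })
    return findings


def build_sample_webroot():
    """Constructed sample web root (an assumption for this example): a legitimate
    index.php dated 30 days ago and a freshly dropped uploads/cache.php whose
    only content is an eval/base64 pattern around a placeholder, not a payload."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    old = time.time() - 30 * 86400
    os.utime(root / "index.php", (old, old))
    (root / "uploads").mkdir()
    (root / "uploads" / "cache.php").write_text(
        '<?php eval(base64_decode("PAYLOAD_PLACEHOLDER")); ?>\n')
    return root


if __name__ == "__main__":
    for f in triage_php(build_sample_webroot()):
        print(f"{f['path']}: indicators={f['indicators']} recent={f['modified_recently']}")
```

Run against a real document root, the list of recently modified files is often the more useful half of the output: a script a firewall flagged as php.malicious.shell may be obfuscated enough to miss the indicator regexes, but it still had to be written to disk at some point.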


Ideally pcap logs should be analyzed by the firewall maker Fortinet; otherwise it's just speculation as to what happened, whether there was malicious activity, or whether the detection was the result of some non-standard communication that the firewall flagged, correctly or incorrectly, as a false positive.

