ESET I.S. Agressively blocking URL, can't find app

[mandrix 0]

Internet Security is blocking a URL at the rate of at least 20 times/minute. Is there any provision for finding out which app is reaching out?

All the message lists is the URL address and that it has been blocked. I would like to know what is being blocked, exactly.

Thanks for any help. It's getting really annoying watching this box pop up constantly.

[itman 1,659]

If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.

Edited May 12, 2020 by itman

[mandrix 0]

49 minutes ago, itman said:

If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.

Thanks. Why I didn't think of logs, I dunno. It's been a day.

But any way, there is an application under attack and I'm not sure why as it's nothing too special.

Anyway, Thanks itman,

mandrix

[mandrix 0]

I see someone else is having a problem with hxxp://api.backend-app.com:8880

I have made an entry in the firewall rules, listed the port, listed the remote URL, no good. Must be missing something. I'll have to think about it...I haven't had to do this in a long time, but I'll figure it out.

Mainly wanted to say others aren't alone in this attack.

[itman 1,659]

Do you have a surveillance DVR attached to your network?

[itman 1,659]

Also it appears the poster in the other thread fixed the issue by installing Internet Security. So you might want to take a look at your existing user created firewall rules as a possible source for this activity.

Edited May 12, 2020 by itman

[itman 1,659]

2 hours ago, mandrix said:

I have made an entry in the firewall rules, listed the port,

If this is the port 8880 block rule I recommended, did you move it to the top of the firewall rule set? If this activity stops after doing so, its safe to assume it must be related to a previous firewall rule you created.

[mandrix 0]

1 hour ago, itman said:

Do you have a surveillance DVR attached to your network?

no.

[mandrix 0]

I will try moving the new rule to the top. These attacks are coming really fast.

[Marcos 5,070]

Please provide logs collected with ESET Log Collector for perusal.

[Donedidit 0]

Anyone figure out what this is I've gotten 40 blocked messages and just a couple minutes. I'll provide logs in a sec but not sure if something is under attack or what. All I see is http api.backend-app.com.8880. An it's now blocked it 100s of times

 

Edited May 27, 2020 by Donedidit

[Donedidit 0]

Anyone figure out what this is I've gotten 40 blocked messages and just a couple minutes. I'll provide logs in a sec but not sure if something is under attack or what. Well I did figure it out that it's a wscript remote port trying to my local post 50117 an up. Idk if this helps anyone. I'm not well versed in tracking this kinda thing down

Edited May 27, 2020 by Donedidit

[itman 1,659]

First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process

Next there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/

Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries.

[mandrix 0]

13 minutes ago, itman said:

First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process

Next there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/

Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries.

Thank you. That was very informative....and I can confirm I created no scripts.

Curiously enough, two days ago Windows 10 would not boot, saying there was a missing file. But even booting up my Macrium USB stick and accessing the DOS like environment (sorry, having a senior moment) I ran SFC and it returned negative. Another curious thing is my most recent 2 C drive backups were corrupt, something I've never experienced before since using Macrium for years now.

So I ended up just installing Windows from scratch. Since I had no reliable backups I've been working through installing the many programs I use for music, etc., and so far no more messages. However I'm now getting evidence of possible corruption on yet another HDD though I've yet to pin it down since I just stumbled on it a few minutes ago. (I have all SATA data slots filled and an add-in board with 4 more SATA ports for 30+ TB)

For now I'm golden and although I want to understand the root of the problem, I'm so worn down with these recent problems I just want to forget about them for a bit.

I thank you for your help and very informative replies, and should the problem reappear I will attempt to set proper rules to point the way to the guilty parties.

mandrix

[itman 1,659]

Believe I found the culprit: https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b . And its using Cloudflare servers nontheless! 

Eset didn't initially have a sig. for this one: https://www.virustotal.com/gui/file /8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/detection  , but does now. I would run a full Eset scan as Admin and see if Eset detects anything.

Appears the startup mechanism is a .lnk file dropped in the Win startup directory. On Win 10, .lnk files are not supposed to run from the Win 10 startup directory. Ahh ......... it's not really a .lnk file but a JavaScript one;  update-win.js.lnk. -EDIT- also a great example of why Win Explorer View settings should be configured to always show hidden files.

 

Edited May 27, 2020 by itman

[mandrix 0]

Good find!

[itman 1,659]

Referring to the above linked AnyRun analysis of this malware, the interesting entries are:

• C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update-win.js.lnk
• C:\Users\admin\AppData\Roaming\update-win.js
• C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*

Modifications made in the CustomDestinations registry key allowed for running update-win.js via wscript.exe at system startup time via .lnk reference bypassing initial AV detection.

[itman 1,659]

Somewhat related is it appears NODE.js has an API that will create a .lnk reference to an .exe in Startup directory which will bypass Win 10's capability to prevent such activity: https://github.com/j201/windows-shortcuts

Edited May 28, 2020 by itman

[Namoh 0]

Ok, I've got the same issue!

Getting this message multiple times per minute, counter goes already to 1000.

I've read the earlier posts, but not quite sure what to do (I'm not that much of an IT guy).

Should I find and delete all instances of update-win.js?

A full scan by ESET didn't find anything suspicious.

[Marcos 5,070]

When are you getting the alerts? After launching a browser? Or even when no browser process is running?

[Namoh 0]

Good question, browser launches automatically when I startup my pc.

Will check if the messages continue to pop-up if I close my browser fully.

 

*update*

closed browser fully but messages kept popping up.

checked but didn't have any other browser open

*update*

Edited June 2, 2020 by Namoh

[itman 1,659]

2 hours ago, Namoh said:

Should I find and delete all instances of update-win.js?

Open Window Explorer. Then mouse click on the View tab and check mark the settings shown in the below screen shot:

Next in Windows Explore, navigate to this folder;

C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Note that "xxxxxx" above corresponds to the Win account you are currently using. By default that would be the default local admin account.

Next open the folder and take a screen shot of what files are shown. Post that screen shot in your forum reply.

Edited June 2, 2020 by itman

[Namoh 0]

Well I'm on the Dutch version, but as shown that folder is empty.

In the bottom right corner you see, I'm at 1500+ messages atm and counting…..

[itman 1,659]

23 minutes ago, Namoh said:

Well I'm on the Dutch version, but as shown that folder is empty.

Then the JavaScript is running from somewhere else.

Check your Eset Filtered website log for entries related to this activity; there should be many entries there. Open a few of them  and under the Application column, post what process is shown.

 

[itman 1,659]

41 minutes ago, Namoh said:

Well I'm on the Dutch version, but as shown that folder is empty.

Then the JavaScript is running from somewhere else.

Check your Eset Filtered website log for entries related to this activity; there should be many entries there. Open a few of them  and under the Application column, post what process is shown.

Also open this folder and see if a like entry exists;

C:\Users\xxxxxx\AppData\Roaming\update-win.js

Edited June 2, 2020 by itman