mandrix 0 Posted May 12, 2020
Internet Security is blocking a URL at the rate of at least 20 times/minute. Is there any provision for finding out which app is reaching out? All the message lists is the URL address and that it has been blocked. I would like to know what is being blocked, exactly. Thanks for any help. It's getting really annoying watching this box pop up constantly.
itman 1,799 Posted May 12, 2020
If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.
Edited May 12, 2020 by itman
mandrix 0 (Author) Posted May 12, 2020
49 minutes ago, itman said:
"If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log."
Thanks. Why I didn't think of logs, I dunno. It's been a day. But anyway, there is an application under attack and I'm not sure why, as it's nothing too special. Anyway, thanks itman, mandrix
mandrix 0 (Author) Posted May 12, 2020
I see someone else is having a problem with hxxp://api.backend-app.com:8880. I have made an entry in the firewall rules, listed the port, listed the remote URL, no good. Must be missing something. I'll have to think about it... I haven't had to do this in a long time, but I'll figure it out. Mainly wanted to say others aren't alone in this attack.
itman 1,799 Posted May 12, 2020
Do you have a surveillance DVR attached to your network?
itman 1,799 Posted May 12, 2020
Also it appears the poster in the other thread fixed the issue by installing Internet Security. So you might want to take a look at your existing user-created firewall rules as a possible source for this activity.
Edited May 12, 2020 by itman
itman 1,799 Posted May 12, 2020
2 hours ago, mandrix said:
"I have made an entry in the firewall rules, listed the port,"
If this is the port 8880 block rule I recommended, did you move it to the top of the firewall rule set? If this activity stops after doing so, it's safe to assume it must be related to a previous firewall rule you created.
mandrix 0 (Author) Posted May 13, 2020
1 hour ago, itman said:
"Do you have a surveillance DVR attached to your network?"
No.
mandrix 0 (Author) Posted May 13, 2020
I will try moving the new rule to the top. These attacks are coming really fast.
Marcos (Administrators) 5,441 Posted May 13, 2020
Please provide logs collected with ESET Log Collector for perusal.
Donedidit 0 Posted May 27, 2020
Anyone figure out what this is? I've gotten 40 blocked messages in just a couple minutes. I'll provide logs in a sec but not sure if something is under attack or what. All I see is http api.backend-app.com.8880. And it has now blocked it 100s of times.
Edited May 27, 2020 by Donedidit
Donedidit 0 Posted May 27, 2020
Anyone figure out what this is? I've gotten 40 blocked messages in just a couple minutes. I'll provide logs in a sec but not sure if something is under attack or what. Well, I did figure out that it's a wscript remote port trying to my local port 50117 and up. Idk if this helps anyone. I'm not well versed in tracking this kinda thing down.
Edited May 27, 2020 by Donedidit
itman 1,799 Posted May 27, 2020
First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process

Next, there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/

Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries.
mandrix 0 (Author) Posted May 27, 2020
13 minutes ago, itman said:
"First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process Next, there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/ Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10 Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries."
Thank you. That was very informative... and I can confirm I created no scripts. Curiously enough, two days ago Windows 10 would not boot, saying there was a missing file. But even booting up my Macrium USB stick and accessing the DOS-like environment (sorry, having a senior moment) I ran SFC and it returned negative. Another curious thing is my most recent 2 C drive backups were corrupt, something I've never experienced before since using Macrium for years now. So I ended up just installing Windows from scratch. Since I had no reliable backups I've been working through installing the many programs I use for music, etc., and so far no more messages. However, I'm now getting evidence of possible corruption on yet another HDD, though I've yet to pin it down since I just stumbled on it a few minutes ago. (I have all SATA data slots filled and an add-in board with 4 more SATA ports for 30+ TB.)

For now I'm golden, and although I want to understand the root of the problem, I'm so worn down with these recent problems I just want to forget about them for a bit. I thank you for your help and very informative replies, and should the problem reappear I will attempt to set proper rules to point the way to the guilty parties. mandrix
itman 1,799 Posted May 27, 2020
Believe I found the culprit: https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b . And it's using Cloudflare servers nonetheless! Eset didn't initially have a sig. for this one: https://www.virustotal.com/gui/file/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/detection , but does now. I would run a full Eset scan as Admin and see if Eset detects anything.

Appears the startup mechanism is a .lnk file dropped in the Win startup directory. On Win 10, .lnk files are not supposed to run from the Win 10 startup directory. Ahh... it's not really a .lnk file but a JavaScript one; update-win.js.lnk.

-EDIT- Also a great example of why Win Explorer View settings should be configured to always show hidden files.
Edited May 27, 2020 by itman
itman 1,799 Posted May 28, 2020
Referring to the above linked AnyRun analysis of this malware, the interesting entries are:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update-win.js.lnk
C:\Users\admin\AppData\Roaming\update-win.js
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*
Modifications made in the CustomDestinations registry key allowed for running update-win.js via wscript.exe at system startup time via .lnk reference, bypassing initial AV detection.
itman 1,799 Posted May 28, 2020
Somewhat related: it appears Node.js has an API that will create a .lnk reference to an .exe in the Startup directory, which will bypass Win 10's capability to prevent such activity: https://github.com/j201/windows-shortcuts
Edited May 28, 2020 by itman
Namoh 0 Posted June 2, 2020
Ok, I've got the same issue! Getting this message multiple times per minute; the counter already goes to 1000. I've read the earlier posts, but not quite sure what to do (I'm not that much of an IT guy). Should I find and delete all instances of update-win.js? A full scan by ESET didn't find anything suspicious.
Marcos (Administrators) 5,441 Posted June 2, 2020
When are you getting the alerts? After launching a browser? Or even when no browser process is running?
Namoh 0 Posted June 2, 2020
Good question, the browser launches automatically when I start up my PC. Will check if the messages continue to pop up if I close my browser fully. *update* Closed browser fully but messages kept popping up. Checked but didn't have any other browser open. *update*
Edited June 2, 2020 by Namoh
itman 1,799 Posted June 2, 2020
2 hours ago, Namoh said:
"Should I find and delete all instances of update-win.js?"
Open Windows Explorer. Then mouse click on the View tab and check mark the settings shown in the below screen shot:

Next, in Windows Explorer, navigate to this folder: C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Note that "xxxxxx" above corresponds to the Win account you are currently using. By default that would be the default local admin account. Next open the folder and take a screen shot of what files are shown. Post that screen shot in your forum reply.
Edited June 2, 2020 by itman
Namoh 0 Posted June 2, 2020
Well, I'm on the Dutch version, but as shown that folder is empty. In the bottom right corner you see I'm at 1500+ messages atm and counting…
itman 1,799 Posted June 2, 2020
23 minutes ago, Namoh said:
"Well, I'm on the Dutch version, but as shown that folder is empty."
Then the JavaScript is running from somewhere else. Check your Eset Filtered websites log for entries related to this activity; there should be many entries there. Open a few of them and under the Application column, post what process is shown.
itman 1,799 Posted June 2, 2020
41 minutes ago, Namoh said:
"Well, I'm on the Dutch version, but as shown that folder is empty."
Then the JavaScript is running from somewhere else. Check your Eset Filtered websites log for entries related to this activity; there should be many entries there. Open a few of them and under the Application column, post what process is shown. Also open this folder and see if a like entry exists: C:\Users\xxxxxx\AppData\Roaming\update-win.js
Edited June 2, 2020 by itman
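The manual folder checks itman walks through above (the Startup folder, the CustomDestinations folder and the Roaming root from the AnyRun entries) can be done in one read-only sweep. This is an added example, not code from the thread or from ESET; it assumes the paths listed in the thread and flags only the patterns described there (a script hiding behind a second extension such as update-win.js.lnk, a shortcut that launches wscript.exe, and hidden files Explorer would not show by default).

```powershell
# Added example (not from the thread): report, never delete, suspicious files in the
# per-user autostart locations named in the AnyRun analysis. Run as the affected user.
$roaming   = $env:APPDATA
$locations = @(
    (Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $roaming 'Microsoft\Windows\Recent\CustomDestinations'),
    $roaming
)
# Extensions that Windows Script Host or the shell will execute directly.
$scriptExt = '\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd)$'
$wsh       = New-Object -ComObject WScript.Shell   # used only to read .lnk targets

foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden/system files, which Explorer hides unless View is changed.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $reasons = @()
        $base    = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)

        if ($_.Extension -ieq '.lnk') {
            # Resolve what the shortcut runs; a .lnk invoking wscript/cscript or a
            # script file from the Startup folder is the persistence seen in the report.
            $sc  = $wsh.CreateShortcut($_.FullName)
            $cmd = "$($sc.TargetPath) $($sc.Arguments)"
            if ($cmd -match '(?i)\\?[wc]script(\.exe)?\b' -or $cmd -match $scriptExt) {
                $reasons += "lnk runs: $($cmd.Trim())"
            }
        }
        if ($base   -match $scriptExt) { $reasons += 'double extension' }   # e.g. x.js.lnk
        if ($_.Name -match $scriptExt) { $reasons += 'script in autostart path' }
        if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path     = $_.FullName
                Flags    = ($reasons -join '; ')
                Modified = $_.LastWriteTime
                Bytes    = $_.Length
            }
        }
    }
}
```

Anything it lists should be compared against the Filtered websites and HIPS log entries before acting on it, since a legitimate user-created shortcut or script would be flagged the same way.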