mandrix

ESET I.S. Aggressively blocking URL, can't find app


Internet Security is blocking a URL at the rate of at least 20 times/minute. Is there any provision for finding out which app is reaching out?

All the message lists is the URL address and that it has been blocked. I would like to know exactly what is being blocked.

Thanks for any help. It's getting really annoying watching this box pop up constantly.

Posted (edited)

If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.

Edited by itman

49 minutes ago, itman said:

If the blocks are occurring when your browser is open, check for like entries in Eset's Filtered websites log. Otherwise, check for entries in the Detections log.

Thanks. Why I didn't think of logs, I dunno. It's been a day.

But anyway, there is an application under attack and I'm not sure why, as it's nothing too special.

Anyway, thanks itman,

mandrix


I see someone else is having a problem with hxxp://api.backend-app.com:8880

I have made an entry in the firewall rules, listed the port, listed the remote URL, no good. Must be missing something. I'll have to think about it...I haven't had to do this in a long time, but I'll figure it out.

Mainly wanted to say others aren't alone in this attack.


Do you have a surveillance DVR attached to your network?

Posted (edited)

Also it appears the poster in the other thread fixed the issue by installing Internet Security. So you might want to take a look at your existing user created firewall rules as a possible source for this activity.

Edited by itman

2 hours ago, mandrix said:

I have made an entry in the firewall rules, listed the port,

If this is the port 8880 block rule I recommended, did you move it to the top of the firewall rule set? If this activity stops after doing so, it's safe to assume it must be related to a previous firewall rule you created.

1 hour ago, itman said:

Do you have a surveillance DVR attached to your network?

No.


I will try moving the new rule to the top. These attacks are coming really fast.


Please provide logs collected with ESET Log Collector for perusal.

Posted (edited)

Anyone figure out what this is? I've gotten 40 blocked messages in just a couple of minutes. I'll provide logs in a sec, but not sure if something is under attack or what. All I see is http api.backend-app.com.8880. And it's now blocked it 100s of times.

Edited by Donedidit

Posted (edited)

Anyone figure out what this is? I've gotten 40 blocked messages in just a couple of minutes. I'll provide logs in a sec, but not sure if something is under attack or what. Well, I did figure out that it's a wscript remote port trying to reach my local port 50117 and up. Idk if this helps anyone. I'm not well versed in tracking this kind of thing down.

Edited by Donedidit


First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process

Next there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/

Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries.

13 minutes ago, itman said:

First, what is a backend API app: https://www.quora.com/What-is-an-API-backend-process

Next there is a high likelihood that this activity is related to some mobile app/device on the local network: https://devblogs.microsoft.com/xamarin/add-a-backend-to-your-app-in-10-minutes/

Additional ref. here: https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10

Finally, if Eset URL blocking alerts are originating from wscript.exe, this is highly suspicious unless one created a script to perform like activity. Assuming one is not using wscript.exe, I would create a HIPS rule to block anything from starting C:\Windows\System32\wscript.exe and C:\Windows\SysWOW64\wscript.exe. Make sure logging is enabled on the rule and its level is set to Warning. Your Eset HIPS log entries will inform you as to what process is attempting to start wscript.exe. You can then work backwards in diagnostics from this point. Ensure you disable logging for this rule afterwards so your HIPS log doesn't fill up with related block entries.

Thank you. That was very informative... and I can confirm I created no scripts.

Curiously enough, two days ago Windows 10 would not boot, saying there was a missing file. But even booting up my Macrium USB stick and accessing the DOS-like environment (sorry, having a senior moment), I ran SFC and it returned negative. Another curious thing is my most recent 2 C drive backups were corrupt, something I've never experienced before since using Macrium for years now.

So I ended up just installing Windows from scratch. Since I had no reliable backups I've been working through installing the many programs I use for music, etc., and so far no more messages. However I'm now getting evidence of possible corruption on yet another HDD though I've yet to pin it down since I just stumbled on it a few minutes ago. (I have all SATA data slots filled and an add-in board with 4 more SATA ports for 30+ TB)

For now I'm golden and although I want to understand the root of the problem, I'm so worn down with these recent problems I just want to forget about them for a bit.

I thank you for your help and very informative replies, and should the problem reappear I will attempt to set proper rules to point the way to the guilty parties.

mandrix

Posted (edited)

Believe I found the culprit: https://any.run/report/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/934cb24f-6b03-4d87-9f32-a038caa1790b . And it's using Cloudflare servers nonetheless!

Eset didn't initially have a sig. for this one: https://www.virustotal.com/gui/file/8d33d5c74a877dc2030ec36b79db8630e20dc476e3374d24b65dee6222d7d498/detection , but does now. I would run a full Eset scan as Admin and see if Eset detects anything.

Appears the startup mechanism is a .lnk file dropped in the Win startup directory. On Win 10, .lnk files are not supposed to run from the Win 10 startup directory. Ahh... it's not really a .lnk file but a JavaScript one: update-win.js.lnk. -EDIT- also a great example of why Win Explorer View settings should be configured to always show hidden files.

Edited by itman


Referring to the above linked AnyRun analysis of this malware, the interesting entries are:

  • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update-win.js.lnk
  • C:\Users\admin\AppData\Roaming\update-win.js
  • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*

Modifications made in the CustomDestinations registry key allowed for running update-win.js via wscript.exe at system startup time via .lnk reference bypassing initial AV detection.

Posted (edited)

Somewhat related: it appears Node.js has an API that will create a .lnk reference to an .exe in the Startup directory, which will bypass Win 10's capability to prevent such activity: https://github.com/j201/windows-shortcuts

Edited by itman


Ok, I've got the same issue!

Getting this message multiple times per minute, counter goes already to 1000.

I've read the earlier posts, but not quite sure what to do (I'm not that much of an IT guy).

Should I find and delete all instances of update-win.js?

A full scan by ESET didn't find anything suspicious.


When are you getting the alerts? After launching a browser? Or even when no browser process is running?

Posted (edited)

Good question, browser launches automatically when I start up my PC.

Will check if the messages continue to pop-up if I close my browser fully.

 

*update*

Closed browser fully but messages kept popping up.

Checked but didn't have any other browser open.

*update*

Edited by Namoh

Posted (edited)
2 hours ago, Namoh said:

Should I find and delete all instances of update-win.js?

Open Windows Explorer. Then mouse click on the View tab and check mark the settings shown in the below screenshot:

[screenshot: Windows Explorer View settings]

Next, in Windows Explorer, navigate to this folder:

C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Note that "xxxxxx" above corresponds to the Win account you are currently using. By default that would be the default local admin account.

Next, open the folder and take a screenshot of what files are shown. Post that screenshot in your forum reply.

Edited by itman


Well I'm on the Dutch version, but as shown that folder is empty.

In the bottom right corner you see I'm at 1500+ messages atm and counting...

[screenshot: api.backend-app_01.png]

Posted (edited)
41 minutes ago, Namoh said:

Well I'm on the Dutch version, but as shown that folder is empty.

Then the JavaScript is running from somewhere else.

Check your Eset Filtered websites log for entries related to this activity; there should be many entries there. Open a few of them and, under the Application column, post what process is shown.

Also open this folder and see if a like entry exists:

C:\Users\xxxxxx\AppData\Roaming\update-win.js

Edited by itman

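As an added example (not from the thread, ESET, or the AnyRun report), the following PowerShell check covers both the persistence locations itman listed from the AnyRun analysis and the manual Startup/Roaming folder inspection he asks for, in one pass. It assumes the paths and the file name update-win.js exactly as quoted in the thread, and that it is run in the affected user's session; hidden files are included because Explorer hides them by default.

```powershell
# Added example: enumerate the persistence locations from the thread for the current
# user and flag loose script files or script-pointing .lnk entries. Paths and the
# update-win.js name are taken from the thread; everything else is generic.
$roaming = [Environment]::GetFolderPath('ApplicationData')   # C:\Users\<you>\AppData\Roaming
$checks = @(
    (Join-Path $roaming 'Microsoft\Windows\Start Menu\Programs\Startup'),
    $roaming,
    (Join-Path $roaming 'Microsoft\Windows\Recent\CustomDestinations')
)

$findings = foreach ($dir in $checks) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force lists hidden/system files that Explorer's default View settings hide.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Script files and double-extension shortcuts such as update-win.js.lnk.
            $_.Name -match '\.(js|jse|vbs|vbe|wsf)(\.lnk)?$' -or
            # Jump-list files in CustomDestinations are binary; report recent changes.
            ($dir -like '*CustomDestinations' -and $_.LastWriteTime -gt (Get-Date).AddDays(-7))
        } |
        ForEach-Object {
            $target = $null
            if ($_.Extension -ieq '.lnk') {
                # Resolve what the shortcut actually launches (e.g. wscript.exe <script>).
                $shell = New-Object -ComObject WScript.Shell
                $lnk   = $shell.CreateShortcut($_.FullName)
                $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            }
            [pscustomobject]@{
                Path     = $_.FullName
                Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Modified = $_.LastWriteTime
                Target   = $target
            }
        }
}

# A script started at logon via wscript.exe shows up here with its command line and
# parent PID, which is the same information itman's HIPS logging rule would surface.
$wscript = Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

$findings | Format-Table -AutoSize
$wscript  | Format-Table -AutoSize
```

Run it from a normal PowerShell window as the logged-on user; an empty findings table together with no wscript.exe processes means none of the thread's indicators are present for that account.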
