Jump to content

Archived

This topic is now archived and is closed to further replies.

jetsantos

Firewall Exploitation

Recommended Posts

Hi Eset Team!

 

 May I ask if there is any logs that can be generated in ESMC? There were several attack attempts on one of our PC in office.  We would like to investigate the attempted attack

 

Untitled.png.ce36e560d7dec715e997578ca4c94d9c.png

 

 

Share this post


Link to post
Share on other sites

Unfortunately the target port values are not visible. Make sure that you have RDP secured, keep UltraVNC as well as Windows and other applications always up to date and use a strong password by users with remote access permissions. To prevent ESET from detecting the attacks you can block communication from the blocked IP addresses on your gateway firewall.

Share this post


Link to post
Share on other sites

The source process involved is related to UltraVNC. Assuming you have legitimately installed this app, its storage location looks suspicious. Normally, winvnc.exe runs from this directory, C:\Program Files\UltraVNC\winvnc.exe:

Quote

Server component which listens for incoming connections for the UltraVnc application. This application allows you to take over your computer from a remote location.

https://www.bleepingcomputer.com/startups/winvnc.exe-17948.html

Note that in your posted screen shot, winvnc.exe is running from this directory, C:\Program Files\uvncbvba\UltraVNC\. This looks suspicious to me.

Share this post


Link to post
Share on other sites

All VNC stuff is a nightmare , it's more recommended to be used on LAN only if there is a possibility or limit it's access from WAN to specific IP Addresses , or by making connection available only through your own VPN.

For now , it's better to firewall your VNC ports to only specific IP Addresses that should connect , and you better update it because they are trying to exploit it

Share this post


Link to post
Share on other sites

I do not believe the process path of VNC is a problem, its likely that you utilized a custom path for the install.  However, if you have not installed VNC or do not allow it, remove it.

The root of the problem is that the computer triggering these detections is exposed to the the internet (directly or via port forwarding).  I highly recommend you perform an audit of your public IP addresses.  If needed, contact your ISP to get a list of IPs you own/use from them or use google to search for "whats my IP address" on different segments of your network.

Next, from a computer which is not on your network, perform an NMAP scan of your public IP addresses to see which ports are open to the internet and to attempt to identify what services are on those ports.  Here is one example command you could use (the command is case sensitive):

nmap -sV -F -Pn ipaddress

Replace "ipaddress" with your public IP Address.

Nmap results where ports are seen as "OPEN" or "Filtered" are exposed to the internet.  Filtered simply means the port was seen but NMAP could connect to it.  This could be due to the IP you are scanning from being blocked.

Close any open ports that are not needed to be exposed to the internet.  If you have ports you must have open, consider restricting which IP Addresses are allowed to connect to these port (only specific trusted IPs or maybe only IPs in specific regions).  Also consider moving ports to only being accessible via a VPN.  And consider applying 2FA to any ports which require users to enter their usernames and passwords (ESET does have a 2FA product, but it does not work with VNC by default).

 

If you are wanting more logging on this, you can do 1 of 2 things (or both):

  • Use Wireshark to capture network traffic on the computer in question
    • Use port mirroring if needed
  • Create a policy in ESET Security Management Center to enable Diagnostic logging to create a PCAP of network traffic
  1. In ESMC, create a New Policy and select your product (Likely "ESET Endpoint for Windows").
  2. In Settings, navigate to "Tools (on left) > Diagnostics (on left) > expand "Advanced Logging" on right
  3. Turn on "Enable Network Protection Advanced Logging"
    1. You can turn on all diagnostics if you want, but you wont need every diagnostic log for this
  4. Apply the policy to the computer you want the diagnostic logs from.
    1. Do not forget to remove the policy from the computer after you have gathered logs while the attack was logged.  Otherwise you will fill the Hard Drive rather quickly.
  5. The diagnostic logs will be saved locally to the computer that generated them in "C:\ProgramData\ESET\ESET Security\Diagnostics".  The pcap files can be opened and examined in Wireshark.
  6. Once done gathering logs, ensure you turn diagnostic logging off.  Diagnostic logging should only be used when needed, and not left on indefinitely.

 

Share this post


Link to post
Share on other sites

Thank you all for your inputs. Whats weird with this is ultraVNC is installed in all workstations but this specific client that is having warnings is my mirror server for the Antivirus. 

Share this post


Link to post
Share on other sites
On 6/13/2020 at 6:51 AM, jetsantos said:

Thank you all for your inputs. Whats weird with this is ultraVNC is installed in all workstations but this specific client that is having warnings is my mirror server for the Antivirus. 

But looks like this workstation has it's VNC ports open to WAN.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...