kamiran.asia (5) Posted January 3, 2022

Hi Dears,

We have found these logs in one of our customers' ESET PROTECT Console. Both the target and the source device are protected with ESET Endpoint Security V9.0 without any infection. How can we find the source of these attacks on the source device?

Exported CSV is attached:
Nightowl (Most Valued Members, 206) Posted January 3, 2022 (edited)

3 hours ago, kamiran.asia said:
> Hi Dears, We have found these logs in one of our customers' ESET PROTECT Console. Both the target and the source device are protected with ESET Endpoint Security V9.0 without any infection. How can we find the source of these attacks on the source device? Exported CSV is attached:

ESET staff will request logs from those computers to understand more for sure, but have you scanned those computers? Deep scan?

I believe those source PCs are infected somehow. Some attempts are at port 139, which dates from before Windows 2000 if I am not mistaken, according to Google; after that Microsoft switched to 445.

And 2 attempts are being tried over IPv6. That's not usual for a human to do, so these should be bot attempts.

Each has around 5-7 minutes of waiting time before the next try (unless ESET is dropping the attempts or blacklisting the IP for a bit of time).

Quote:
> The most dangerous open ports are wormable ports, like the one that the SMB protocol uses, which are open by default in some operating systems. Early versions of the SMB protocol were exploited during the WannaCry ransomware attack through a zero-day exploit called EternalBlue. WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol. WannaCry is a network worm with a transport mechanism designed to automatically spread itself. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself. An infected computer will search its Windows network for devices accepting traffic on TCP ports 135-139 or 445 indicating the system is configured to run SMB.

Sounds like what you are having, but it can be something else, not specifically WannaCry. But your computers are acting like infected ones.

Edited January 3, 2022 by Nightowl
itman (1,752) Posted January 3, 2022

I'm not so sure this is an SMB brute force versus a mis-configured Eset firewall issue. The "giveaway" is the showing of fe80::/64 addresses in the log screenshot. Those addresses are IPv6 link-local ones.

I also agree that providing Eset Log Collector produced logs should allow Eset support to determine whether this is indeed a brute force attack.