
SMB Attack BruteForce


Hi Dears,

We have found these logs in one of our customers' ESET PROTECT Console.

Both the target and source devices are protected with ESET Endpoint Security V9.0, without any infection.

How can we find the source of these attacks on the source device?

The exported CSV is attached:

3N.jpg


3 hours ago, kamiran.asia said:

Hi Dears,

We have found these logs in one of our customers' ESET PROTECT Console.

Both the target and source devices are protected with ESET Endpoint Security V9.0, without any infection.

How can we find the source of these attacks on the source device?

The exported CSV is attached:

3N.jpg

ESET staff will request logs from those computers to understand more, for sure.

But have you scanned those computers? A deep scan?

I believe those source PCs are infected somehow; some attempts are at port 139, which is pre-Windows 2000 if I am not mistaken, according to Google; after that Microsoft switched to 445.

And 2 attempts are being tried over IPv6; that's not usual for a human to do, so they should be bot attempts.

Each has around 5-7 minutes of waiting time before the next try (unless ESET is dropping the attempts or blacklisting the IP for a bit of time).

Quote:

The most dangerous open ports are wormable ports, like the one that the SMB protocol uses, which are open by default in some operating systems.

Early versions of the SMB protocol were exploited during the WannaCry ransomware attack through a zero-day exploit called EternalBlue.

WannaCry exploited legacy versions of Windows computers that used an outdated version of the SMB protocol. WannaCry is a network worm with a transport mechanism designed to automatically spread itself. The transport code scans for systems vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool, and executes a copy of itself.

An infected computer will search its Windows network for devices accepting traffic on TCP ports 135-139 or 445 indicating the system is configured to run SMB.

Sounds like what you are having, but it can be something else, not specifically WannaCry.

But your computers are acting like infected ones.

Edited by Nightowl

I'm not so sure this is an SMB brute force versus a mis-configured ESET firewall issue. The "giveaway" is the showing of fe80::/64 addresses in the log screenshot. Those addresses are IPv6 link-local ones.

I also agree that providing ESET Log Collector produced logs should allow ESET support to determine whether this is indeed a brute force attack.
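A triage helper for the exported detections discussed in this thread (the port 139 versus 445 hits, the 5-7 minute spacing, and the fe80:: link-local sources), added here as an example; it is not any poster's code nor ESET's. The CSV column names and the sample rows are constructed assumptions, not the real ESET PROTECT export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export. The column layout is an assumption, not the
# real ESET PROTECT CSV schema; timestamps are ISO 8601.
SAMPLE_CSV = """\
time,source_address,source_port,target_address,target_port,threat
2023-05-01T10:00:00,192.168.1.20,51000,192.168.1.10,445,SMB Attack BruteForce
2023-05-01T10:06:00,192.168.1.20,51001,192.168.1.10,445,SMB Attack BruteForce
2023-05-01T10:13:00,192.168.1.20,51002,192.168.1.10,139,SMB Attack BruteForce
2023-05-01T10:02:00,fe80::1c2a:3b4c:5d6e:7f80,51003,fe80::aaaa:bbbb:cccc:dddd,445,SMB Attack BruteForce
2023-05-01T10:09:00,fe80::1c2a:3b4c:5d6e:7f80,51004,fe80::aaaa:bbbb:cccc:dddd,445,SMB Attack BruteForce
"""


def triage(csv_text):
    """Group detections by source address and summarise each source:
    attempt count, hits per target port (445 vs legacy 139), minutes between
    consecutive attempts, and whether the source is an IPv6 link-local
    address (fe80::/10), which points at the local segment or a firewall
    rule issue rather than a remote attacker."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_source = defaultdict(list)
    for r in rows:
        by_source[r["source_address"]].append(r)
    report = {}
    for src, hits in by_source.items():
        hits.sort(key=lambda r: r["time"])  # ISO timestamps sort lexically
        times = [datetime.fromisoformat(r["time"]) for r in hits]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        ports = defaultdict(int)
        for r in hits:
            ports[int(r["target_port"])] += 1
        addr = ipaddress.ip_address(src)
        report[src] = {
            "attempts": len(hits),
            "ports": dict(ports),
            "gap_minutes": gaps,
            "link_local": addr.version == 6 and addr.is_link_local,
            "legacy_port_139": 139 in ports,
        }
    return report


if __name__ == "__main__":
    for src, summary in triage(SAMPLE_CSV).items():
        print(src, summary)
```

Sources flagged link_local should be checked against the customer's own hosts and firewall rules first; the gap_minutes list makes the periodic retry pattern Nightowl describes visible per source.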
