Jump to content

Multiple reports of security vulnerability exploitations targeting a local IP from a remote source IP


Recommended Posts

Hi!

I've been using ESET Internet Security on all of the computers in my home network for years now and never really had any major security issues. However for the past month or so I've noticed a worryingly large number of "Security vulnerability exploitation attempt" reports in the "Network protection" of the logs section - I've included a screenshot of them below.

I'm getting these reports intermittently at all computers on my local network and what worries me is that in each case ESET reports their local IP as the target despite the fact that they are behind a router and to my knowledge I don't have any kind of port forwarding enabled anywhere.

To add a few more details regarding my network setup:

All of the computers on my network are behind a Connect Box router provided by my ISP (UPS Poland) which uses IPv6 that changes dynamically from time to time, has it's own firewall enabled (though sadly it's not really configurable), has port scanning detection enabled and to my knowledge has no port forwarding of any kind enabled on it.

Aside from two PCs and a laptop (all with the latest Windows 10 and ESET Internet Security updates) my local network consists of a few Android phones, a Brother printer with WiFi access, two Yeelight smart lamps and one Gosund smart plug - all of which have been on my network for over a year, so no new hardware has been added recently.

Now regarding the attacker:

From what I can tell all of those IPs belong to DigitalOcean and when viewing the blacklist troubleshooter in ESET the device in question comes up as "unknown" at first, but then changes to something called "strechoid" as per the second included screenshot. As far as I can tell that name has been connected to reports of illicit activities such as port scanning over the past few months if not years.

The port scanning detection on my router does report some port scan attempts, but their timestamps do not correspond with the aforementioned ESET reports. Also, the report timestamp on various PCs on my network do vary quite a bit - sometimes only appearing on some and not all PCs that are on at the time.

I've already scanned all of my devices with a complete ESET scan as well as a Malwarebytes one just in case. I've also tried adding a rule to the ESET Firewall blocking any and all communications from the 192.241.200.0-192.241.230.255 IP range and moved it to the very top of the rule list (even above the predefined rules), but unfortunately this didn't really do anything as I have received yet another exploitation attempt warning the next day.

These attacks happen at very random times (sometimes even days apart) and I have no idea what triggers them so I can't really replicate or predict them. Due to this I'm afraid catching any of them with the ESET Log Collector might be very problematic.

Is there any way to determine what's causing these attacks and how to prevent them? Is this a known issue? How come they report my local IP as the target? Is it possible that something on my network (malware?) is enabling those attacks even though it didn't come up in any of the scans?

eset_log_files.jpg

eset_log_report.jpg

Link to comment
Share on other sites

  • Administrators

Probably the router firewall let's all communication through given that it's subsequently detected on the machine.

Link to comment
Share on other sites

1 hour ago, Marcos said:

Probably the router firewall let's all communication through given that it's subsequently detected on the machine.

Thank You for a quick reply. I'm really glad it sounds like it's not some hidden malware inviting those attacks into my local network after all.

If I may ask just to check - is normal that I was still getting those  "Security vulnerability exploitation attempt" reports after setting up an ESET firewall rule blocking all possible connections (any protocol, both directions, highest priority I could set, warning notifications enabled - not one of them showed up) which included the addresses from those reports? Does ESET log those attempts before applying the firewall rules or did I mess something up?

Also, sorry if it's a dumb question, but if the firewall on my router lets everything through then is it not something that could/should be detected via the "Scan your network" option in the ESET "Network Inspector"? Or is it not covered by that scan? Unfortunately for me the complete ESET network scan didn't return any security issues with the router or the network in general, so I (likely incorrectly) figured it was working fine.

Either way, based on your suggestion that it could be a router issue I've managed to get my ISP to switch me back from IPv6 to IPv4 which somehow enabled manual IPv4 range blocking on my router, so with a bit of luck that will sort that out.

Link to comment
Share on other sites

The key to understanding what's going on here is the Eset detection, "Security vulnerability exploitation attempt."

It appears that you have software installed that contains one or more vulnerabilities. What hackers do is perform initial recognizance on a device to determine if vulnerable software exists that they can exploit remotely. This also explains the randomness of this Eset alert appearing. It most likely is due to different hackers discovering the same vulnerability.

You need to verify that all software installed on your device contain the latest software updates available. The most important being Windows updates.

Edited by itman
Link to comment
Share on other sites

4 hours ago, itman said:

The key to understanding what's going on here is the Eset detection, "Security vulnerability exploitation attempt."

It appears that you have software installed that contains one or more vulnerabilities. What hackers do is perform initial recognizance on a device to determine if vulnerable software exists that they can exploit remotely. This also explains the randomness of this Eset alert appearing. It most likely is due to different hackers discovering the same vulnerability.

You need to verify that all software installed on your device contain the latest software updates available. The most important being Windows updates.

Thanks. I'm somewhat compulsive about updating everything (systems, applications, drivers, firmware, etc.) so I check for new versions every other day and update everything possible ASAP. As such to my knowledge everything on my devices is up to date.

Also, while all PCs run Windows 10 the sets of installed apps vary quite a bit between all 3 and yet all of them reported the exact same exploitation attempts. Updates aside, I also haven't installed any new, unusual software on any of those devices within the last month since those attacks started.

If it is some software on my device that's exposing these vulnerabilities and if ESET is aware of them, how can I get it (ESET) to point me in the direction of which software exactly is responsible for them or at least provide any kind of details to let me narrow down their cause?

Unfortunately as per my screenshot both the main log and the temporary blacklist/troubleshooting reports contain next to no information aside from the IP and ports and while I'd very much like to get rid of whatever is exposing those vulnerabilities unfortunately I have no idea how to track it down.

For the record, I've spent quite some time monitoring the network tab of the system's Resource Monitor and none of the apps or services on my main system use any of the ports or IPs featured in the ESET reports or anything even remotely close to those.

By the way, for issues like this, does the fact that all 3 computers generate the same reports mean that each of them is exposing the same vulnerability on it's own (so it's the same software on all 3 I guess?) or is it enough for it to be present on just one of them or perhaps even a different device on the same network?

Link to comment
Share on other sites

10 hours ago, Jahman said:

I've also tried adding a rule to the ESET Firewall blocking any and all communications from the 192.241.200.0-192.241.230.255 IP range and moved it to the very top of the rule list (even above the predefined rules), but unfortunately this didn't really do anything as I have received yet another exploitation attempt warning the next day.

First, verify that the rule you created has its Action specified as Deny.

Next, rule Direction setting should specify Both.

Next, rule Protocol setting should specify Any.

Finally, Logging severity setting should specify Warning. This will result in all blocked connections being logged in the Eset Network Connections log.

Finally, nothing should be specified for Local or Remote tab settings.

-EDIT- Also, I believe Eset exploit protection works at the Network level which means the network traffic is being blocked prior to the Eset firewall processing it.

Edited by itman
Link to comment
Share on other sites

2 minutes ago, itman said:

First, verify that the rule you created has its Action specified as Deny.

Next, rule Direction setting should specify Both.

Next, rule Protocol setting should specify Any.

Finally, Logging severity setting should specify Warning. This will result in all blocked connection being logged in the Eset Network Connections log.

Finally, nothing should be specified for Local or Remote tab settings. 

Thanks. I did all that except for the last part as I did specify the actual IP range I wanted to block in the IP section of the Remote tab. If the Remote tab should be empty then where else should I delcare that IP range?

Just in case, here are the screenshots of my ESET firewall rule:

eset_rule_1.jpg

eset_rule_2.jpg

eset_rule_3.jpg

Link to comment
Share on other sites

Just now, Jahman said:

I did all that except for the last part as I did specify the actual IP range I wanted to block in the IP section of the Remote tab. If the Remote tab should be empty then where else should I delcare that IP range?

Oops! You're correct. IP address range needs to be specified in Remote tab IP setting.

Link to comment
Share on other sites

I will also note that if Eset keeps creating exploit detection log entries and no log entries are being generated as a result of the firewall you created, it confirms what I posted previously - " I believe Eset exploit protection works at the Network level which means the network traffic is being blocked prior to the Eset firewall processing it."

The only way to get the firewall rule to work would be to temporarily disable Eset's exploit protection which is a risk.

You might want to look into using WireShark or Fiddler which is easier to use to monitor your network traffic.

Edited by itman
Link to comment
Share on other sites

I see. The firewall rule hasn't generated a single log so that would explain why it does nothing. At least hopefully that means that ESET is able to block that threat and all it's related risks completely even before they even reach the firewall. Given that I still have no idea what's the source of the vulnerability I'd rather not disable the exploit protection (or any protection at all in general) to double-check that.

Ever since changing to IPv4 on my router and unlocking the it's firewall settings in the process earlier today I haven't had any new reports so I really hope it stays that way. If it doesn't I'll make sure to try out WireShark and Fiddler to try and find the culprit software. Thanks for the suggestion! If I do, is there anything I should keep an eye out when monitoring the traffic aside from the communication matching the addresses and ports from the reports?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...