mtellefson 0 Posted October 13
One of our users normally works in the office but has a computer to work from home. In the last 5 days, there have been 874 EsetIPBlacklist.A warnings from several different IP addresses trying to hit several different ports. Outside of scanning the computer for viruses and vulnerabilities, what can I do to kill these attacks?
itman 1,630 Posted October 13 (edited)
Based on prior forum postings on this topic, one possibility is that vulnerable software exists on the device and these detections are attempts to exploit those vulnerabilities. Review of the Eset logs on the device should yield details on the source of these detections.
Edited October 13 by itman
Administrators Marcos 4,935 Posted October 13
Please provide the appropriate record from the Network protection log.
mtellefson 0 Posted October 13 (Author)
Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:47:06 AM;C:\Windows\System32\csrss.exe;Get access to another application;C:\Program Files\ESET\ESET Security\egui.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:46:29 AM;C:\Program Files\Huntress\HuntressAgent.exe;Get access to another application;C:\Program Files\ESET\ESET Security\eguiProxy.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation,Unknown operation,Unknown operation,Unknown operation,Unknown operation

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:42:10 AM;C:\Windows\System32\svchost.exe;Attempt to lock the file;C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini;Blocked;Self-Defense: Protect ESET files;
Administrators Marcos 4,935 Posted October 13
Those are records from the HIPS log. Make sure to turn off this setting, which serves only for troubleshooting HIPS-related issues:

Please provide the appropriate records pertaining to the EsetIPBlacklist.A block from the Network protection log.
itman 1,630 Posted October 13
Is Huntress EDR software installed on this device?
mtellefson 0 Posted October 13 (Author)
Yes, Huntress is installed as part of a detection package through our MSP. I will check with our ESET provider about turning off the HIPS setting. It is locked in the policy. Where can I get the Network Protection Log? Or do you just want a copy of the information from the Detections screen?
Administrators Marcos 4,935 Posted October 13
mtellefson 0 Posted October 13 (Author)
Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:46:00 AM;Security vulnerability exploitation attempt;Blocked;107.170.254.8:42639;140.186.96.15:2096;TCP;EsetIpBlacklist.A;;;;;;;

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:08:41 AM;Security vulnerability exploitation attempt;Blocked;58.65.153.246:53410;140.186.96.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;
Administrators Marcos 4,935 Posted October 13 (Solution)
Those IP addresses are indeed known sources of attacks:
https://www.abuseipdb.com/check/107.170.254.8
https://www.abuseipdb.com/check/58.65.153.246
mtellefson 0 Posted October 13 (Author)
Obviously ESET is doing its job. Should I do anything else to the computer, or possibly have the ISP kick it to a new IP address?
mtellefson 0 Posted October 13 (Author)
They did just get a new modem from the ISP, which may have given them a new IP address.
Administrators Marcos 4,935 Posted October 13
I'd recommend using a router with NAT or a firewall which would filter the inbound traffic before it reaches the computer.
mtellefson 0 Posted October 13 (Author)
Thanks for your assistance.
itman 1,630 Posted October 13 (edited)
23 hours ago, mtellefson said:
"They did just get a new modem from the ISP which may have given them a new IP address."

Have them check if the ISP router has a firewall and it's enabled. Most ISP-provided routers these days have a NAT firewall. Also, they are stateful. This means they won't allow unsolicited inbound TCP traffic; i.e. inbound traffic not in response to a prior outbound request.

If all the above apply, I would stand by my previous statement that un-patched vulnerable OS or app software exists on the device and an external hacker is trying to exploit it.

Also, per the Eset posted log entries, the target IP address is 140.186.96.15, which is associated with Midcontinent Communications in Fargo, ND. That is a public IP address and not a private IP address which should be associated with the device. As such, something is definitely not right here.

-EDIT- Let's say Midcontinent Communications, i.e. Midco, is the user's ISP. He requested and received a static IP address from them, i.e. 140.186.96.15. Note the security issue with static IP assignment:

"Security
Static IP addresses are seen as less secure. Because static IP addresses don't change, data may be easier to locate and to gain access to by a hacker; the static IP addresses' unchanging nature also leaves them more likely to be hit by follow-up attacks. Static IP addresses are also easier to track."
https://www.techtarget.com/whatis/definition/static-IP-address

Edited October 14 by itman
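The check itman describes above (the Target column of the Network protection log should hold a private address when the device sits behind a NAT router; a public one means the machine is directly exposed) can be automated over an exported log. The script below is an added example and is not code from the thread or from ESET; it parses the semicolon-separated export format shown earlier in the thread with Python's standard csv and ipaddress modules, reuses the two records posted above as its input, and reports the distinct sources, the ports being hit, and whether any target address is public. The field names and the "Blocked" action value are taken from the posted export; everything else (function names, the summary keys) is this example's own choice.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Two records copied from the Network protection log export posted in this thread;
# the header row is the one ESET emits, fields separated by ';'.
SAMPLE_LOG = """Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:46:00 AM;Security vulnerability exploitation attempt;Blocked;107.170.254.8:42639;140.186.96.15:2096;TCP;EsetIpBlacklist.A;;;;;;;
10/13/2023 9:08:41 AM;Security vulnerability exploitation attempt;Blocked;58.65.153.246:53410;140.186.96.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;
"""

# Carrier-grade NAT range (RFC 6598): not private in ipaddress' sense, but not
# reachable from the open internet either, so it is reported separately.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def split_endpoint(endpoint: str):
    """Split 'ip:port' as written by ESET into (ip, port). IPv6 targets appear
    as '[addr]:port'; the brackets are stripped."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port else None


def classify_address(host: str) -> str:
    """Return 'private', 'cgnat', 'public' or 'other' for an IP address string."""
    ip = ipaddress.ip_address(host)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def parse_records(text: str) -> List[Dict]:
    """Parse an ESET Network protection log export (one header row, ';' delimited)
    and add split source/target fields to every record."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        row["source_ip"], row["source_port"] = split_endpoint(row["Source"])
        row["target_ip"], row["target_port"] = split_endpoint(row["Target"])
        records.append(row)
    return records


def summarize(records: List[Dict]) -> Dict:
    """Aggregate the records the way a defender would triage them: who is
    knocking, which ports, and whether the device answers on a public address."""
    targets = {r["target_ip"] for r in records}
    exposure = {t: classify_address(t) for t in targets}
    return {
        "records": len(records),
        "blocked": sum(1 for r in records if r["Action"] == "Blocked"),
        "sources": {r["source_ip"] for r in records},
        "target_ports": sorted({r["target_port"] for r in records if r["target_port"]}),
        "target_exposure": exposure,
        # True means at least one target address is routable from the internet,
        # i.e. the host is in front of any NAT/firewall rather than behind it.
        "publicly_exposed": any(kind == "public" for kind in exposure.values()),
    }


def summarize_log(text: str) -> Dict:
    return summarize(parse_records(text))


if __name__ == "__main__":
    result = summarize_log(SAMPLE_LOG)
    print(f"{result['records']} records, {result['blocked']} blocked")
    print("sources:", ", ".join(sorted(result["sources"])))
    print("target ports:", result["target_ports"])
    for ip, kind in result["target_exposure"].items():
        print(f"target {ip}: {kind} address")
    if result["publicly_exposed"]:
        print("host is reachable on a public address; check it is behind a NAT router/firewall")
```

Run it against the full export (ESET's log window exports with the same header layout) by reading the file into summarize_log. A "publicly_exposed" result is the same signal itman reads by hand from the Target column, and in this thread it turned out to mean the PC was plugged straight into the modem rather than into the router.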
mtellefson 0 Posted October 14 (Author)
Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router. He is also buying a new router since his is about 8 years old.
itman 1,630 Posted October 16
On 10/14/2023 at 11:51 AM, mtellefson said:
"Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router."

That explains why the ISP address was being displayed in Eset log entries. Also, he must be using a cable-based ISP, since they usually only issue modems versus the modem/router combo units issued by DSL/fiber providers.