Guillermo Mariel, posted April 8:

Good day, I hope you are well. I take this opportunity to inform you that we recently received a notification from our ESET console with the following message: We also ran a scan on the endpoint and no virus was found, as can be seen in the following image. Finally, we confirmed that the IP address 80.66.88.215 is on the blacklist, so we suspect that the equipment is contaminated by some malware. Given the above, I ask you whether there is any action we should take to ensure that the computer is not compromised and is free of viruses. I thank you in advance for your support; we remain attentive for your valuable comments. Kind regards
Nightowl (Most Valued Members), posted April 9 (edited April 9 by Nightowl):

Hello brother, may I ask you whether there is an open RDP/SMB/HTTP port enabled to the WAN? As for port 135, it's related to RDP; is it open to the internet? I ask because the VirusTotal analysis shows that this IP tries to brute force SMB and RDP and DDoS HTTP. https://www.virustotal.com/gui/url/d8612bf4479489b5c1b23a2194531469ac8673a0cb359dc0be69d3464a8c48e5/detection
Marcos (Administrators), posted April 10:

The whole range is indeed suspicious, but it doesn't mean you have malware on the machine. Please provide logs collected with ESET Log Collector from that machine.
Nightowl (Most Valued Members), posted April 10 (edited April 10 by Nightowl):

More info about the IP: https://app.crowdsec.net/cti/80.66.88.215 I think what ESET is blocking is the brute force attempts or scanning. I believe you have ports open on the internet; 135 is one of them, and svchost.exe answers on that port.
itman, posted April 10:

Here's an article on RPC port 135 attacks: https://cqr.company/web-vulnerabilities/unsecured-remote-procedure-calls-rpc/
Guillermo Mariel (Author), posted April 11:

> On 4/8/2024 at 11:40 PM, Nightowl said: Hello brother, may I ask you whether there is an open RDP/SMB/HTTP port enabled to the WAN? As for port 135, it's related to RDP; is it open to the internet? I ask because the VirusTotal analysis shows that this IP tries to brute force SMB and RDP and DDoS HTTP. https://www.virustotal.com/gui/url/d8612bf4479489b5c1b23a2194531469ac8673a0cb359dc0be69d3464a8c48e5/detection

Thanks for the information and prompt response. The server does not have port 135 open to the Internet; however, when executing the netstat command, it is observed that it is trying to connect to different public IPs (several classified as malicious or malware according to VirusTotal), and the connection status is SYN_SENT. Given the above, I have also found that the Microsoft Safety Scanner tool could help us with this issue of a possible botnet. If you have any additional recommendations I would greatly appreciate them.
Guillermo Mariel (Author), posted April 11:

> 1 hour ago, itman said: Here's an article on RPC port 135 attacks: https://cqr.company/web-vulnerabilities/unsecured-remote-procedure-calls-rpc/

Thanks for the information, I'll check it out.
Guillermo Mariel (Author), posted April 11:

> 2 hours ago, Nightowl said: More information about the IP: https://app.crowdsec.net/cti/80.66.88.215 I think what ESET is blocking is the brute force attempts or the scanning. I think you have ports open on the Internet; 135 is one of them, and svchost.exe answers on that port.

Thanks for the prompt response. Something important to add is that it is a Windows Server with the domain controller role.
Nightowl (Most Valued Members), posted April 14 (edited April 14 by Nightowl):

> On 4/11/2024 at 4:15 AM, Guillermo Mariel said: Thanks for the prompt response. Something important to add is that it is a Windows Server with the domain controller role.

Better to keep it behind a firewall, protected, and allow only specific IP addresses to be able to connect to the domain controller; this is a more secure approach.

> On 4/11/2024 at 3:59 AM, Guillermo Mariel said: The server does not have port 135 open to the Internet; however, when executing the netstat command, it is observed that it is trying to connect to different public IPs (several classified as malicious or malware according to VirusTotal), and the connection status is SYN_SENT.

I am also almost sure that the port is open. Otherwise the said IP won't be able to reach it, or in another scenario there has to be a reverse shell for it to open a way for the bad guys to get in, but I still believe in the first scenario: the port is enabled.
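A defender-side triage script for the two points raised in this thread (the SYN_SENT connections to public IPs that Guillermo saw in netstat, and Nightowl's question of what is listening on port 135), added here as an example and not code posted by anyone in the thread. It assumes a Windows Server with the NetTCPIP module (Get-NetTCPConnection), and $Blocklist is a constructed list seeded with the one IP the thread names.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the server in question.
# $Blocklist is constructed: it holds only the IP named in the thread; extend it from your own intel feed.
$Blocklist = @('80.66.88.215')

# Private, loopback and link-local prefixes to ignore when looking at outbound connections.
$PrivatePrefixes = @('10.', '127.', '169.254.', '192.168.') + (16..31 | ForEach-Object { "172.$_." })

function Test-IsPublic([string]$Address) {
    foreach ($p in $PrivatePrefixes) { if ($Address.StartsWith($p)) { return $false } }
    return ($Address -notin '0.0.0.0', '::', '::1') -and -not $Address.StartsWith('fe80:')
}

# 1) Half-open outbound connections (SYN_SENT) to public addresses, with the owning process.
#    A domain controller should have very few of these; many from one PID to unrelated public
#    IPs is the pattern worth triaging. CommandLine is empty when not running elevated.
$synSent = Get-NetTCPConnection -State SynSent -ErrorAction SilentlyContinue |
    Where-Object { Test-IsPublic $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
            PID         = $_.OwningProcess
            Process     = $proc.Name
            CommandLine = $proc.CommandLine
            Blocklisted = ($Blocklist -contains $_.RemoteAddress)
        }
    }
$synSent | Sort-Object Blocklisted, PID -Descending | Format-Table -AutoSize

# Flag any single process fanning out to many public destinations; that binary (and its path
# from CommandLine) is what to submit with the ESET Log Collector output.
$synSent | Group-Object PID | Where-Object Count -ge 5 |
    ForEach-Object { Write-Warning "PID $($_.Name) has $($_.Count) half-open outbound connections" }

# 2) What is listening on the ports discussed in the thread (RPC 135, SMB 445, RDP 3389) and on
#    which local address. Whether they are reachable from the WAN is decided at the firewall/NAT,
#    so confirm that there as well; this only shows the host side.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 445, 3389 } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort; PID = $_.OwningProcess; Process = $p.ProcessName }
    } | Format-Table -AutoSize
```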