Jump to content

Suspected botnet detected in Endpoint


Recommended Posts

Good day,

I hope you are well, I take this opportunity to inform you that we recently received a notification from our ESET console with the following message:

 

ESET_Endpoint.thumb.jpg.aa84884fe8d6b9ff8f426f010e010fea.jpg

 

We also ran a scan on the endpoint and no virus was found, as can be seen in the following image.

 

image.png.c722446147e606ad435d5f8a5163e3e6.png

 

Finally, we confirmed that the IP address 80.66.88.215 is on the blacklist, so we suspect that the equipment is contaminated by some malware. Given the above, I ask you if there is any action that we should take to ensure that the computer is not compromised and free of viruses?.

I thank you in advance for your support, we remain attentive for your valuable comments.

Kind regards

 

Link to comment
Share on other sites

  • Most Valued Members
Posted (edited)

Hello brother

May I ask you if there is an open RDP/SMB/HTTP port enabled to the WAN ?

As for port 135 it's related to RDP , is it open to the internet?

I ask because in VirusTotal analysis it shows that this IP tries to brute force SMB RDP , DDOS HTTP.

https://www.virustotal.com/gui/url/d8612bf4479489b5c1b23a2194531469ac8673a0cb359dc0be69d3464a8c48e5/detection

Edited by Nightowl
Link to comment
Share on other sites

  • Most Valued Members
Posted (edited)

More info about the IP : https://app.crowdsec.net/cti/80.66.88.215

image.thumb.png.eb64fad13ebee42d13f0219900312cf3.png

I think what is ESET blocking is the brute force attempts or scanning , I believe you have ports opened on the internet , 135 is one of them , svchost.exe answers on that port.

Edited by Nightowl
Link to comment
Share on other sites

On 4/8/2024 at 11:40 PM, Nightowl said:

Hello brother

May I ask you if there is an open RDP/SMB/HTTP port enabled to the WAN ?

As for port 135 it's related to RDP , is it open to the internet?

I ask because in VirusTotal analysis it shows that this IP tries to brute force SMB RDP , DDOS HTTP.

https://www.virustotal.com/gui/url/d8612bf4479489b5c1b23a2194531469ac8673a0cb359dc0be69d3464a8c48e5/detection

Thanks for the information and prompt response, the server does not have port 135 open to the Internet, however, when executing the netstat command, it is observed that it is trying to connect to different public IPs (Several classified as malicious or malware according to Virustotal) , and the connection status is SYN_SENT.

Given the above, I have also reviewed that the Microsoft Safety Scanner tool could help us with this issue of a possible botnet. If you have any additional recommendations I would greatly appreciate it.

Link to comment
Share on other sites

2 hours ago, Nightowl said:

Más información sobre la IP: https://app.crowdsec.net/cti/80.66.88.215

imagen.thumb.png.eb64fad13ebee42d13f0219900312cf3.png

Creo que lo que bloquea ESET son los intentos de fuerza bruta o el escaneo, creo que tiene puertos abiertos en Internet, 135 es uno de ellos, svchost.exe responde en ese puerto.

Thanks for the prompt response, something important to add is that it is a Windows Server and domain controller role.

Link to comment
Share on other sites

  • Most Valued Members
Posted (edited)
On 4/11/2024 at 4:15 AM, Guillermo Mariel said:

Thanks for the prompt response, something important to add is that it is a Windows Server and domain controller role.

Better to keep it behind a Firewall protected and allow only specific IP addresses to be able to connect to the domain controller , this is more secure approach.

  

On 4/11/2024 at 3:59 AM, Guillermo Mariel said:

the server does not have port 135 open to the Internet, however, when executing the netstat command, it is observed that it is trying to connect to different public IPs (Several classified as malicious or malware according to Virustotal) , and the connection status is SYN_SENT.

I am also almost sure that the port is open

 

Otherwise the said IP won't be able to reach , or in another scenario there has to be a reverse shell for it to be open a way for bad guys to get in , but I still believe in the first scenario , port is enabled.

Edited by Nightowl
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...