False Positive?

This just started.

I open Firefox and immediately get two blocked URL detections for the same URL;

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 3:56:32 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;2600:1407:7400:d86::21cc;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 4:02:34 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;23.44.77.91;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC

Later got another alert for the IPv6 address detection.

I cleared Firefox cache and history and so far no more alerts.

The IP address resolves to Akamai.


Posted (edited)

Getting the same thing and it is 99% a false positive. The domain is owned by Let's Encrypt and ESET seems to be the only provider reporting this as malicious as per VirusTotal.

EDIT: Already gone from VirusTotal, probably fixed?

Edited by matte

Posted (edited)

I just started getting those alerts as well. I wasn't connected to anything out of the ordinary. I looked it up, from what I've seen, the lencr.org domain belongs to 'Let's Encrypt'. Apparently they are a legitimate website that routinely distributes software certificates. I'm guessing it's just a false positive?

Edited by BlargBurger

Similar issue with 2 users after the modules updated today.

 

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 1:20:07 PM;hxxp://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;104.71.213.90;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC
 

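The log rows posted so far in this thread can be collapsed into one line per (host, application, user, hash) to check whether every alert is the same request reaching different remote IPs. This is an added example, not part of any poster's message and not ESET tooling; the function names are made up for illustration, and the sample rows are copied from the posts above.

```python
import csv
from collections import defaultdict
from urllib.parse import urlsplit

# Rows copied from the posts above (semicolon-separated export of the log).
SAMPLE = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 3:56:32 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;2600:1407:7400:d86::21cc;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC
5/22/2024 4:02:34 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;23.44.77.91;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC
Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 1:20:07 PM;hxxp://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;104.71.213.90;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC
"""

FIELDS = ["Time", "URL", "Status", "Detection", "Application", "User", "IP address", "Hash"]

def refang(url):
    """Undo the common hxxp / [.] defanging so the URL parses normally."""
    return url.strip().replace("hxxp", "http", 1).replace("[.]", ".")

def parse_rows(text):
    """Yield one dict per data row; repeated header rows and short rows are skipped."""
    for rec in csv.reader(text.splitlines(), delimiter=";", quoting=csv.QUOTE_NONE):
        if len(rec) != len(FIELDS) or rec == FIELDS:
            continue
        yield dict(zip(FIELDS, rec))

def summarize(text):
    """Group blocked requests by (host, application, user, Hash column)."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "times": []})
    for row in parse_rows(text):
        host = (urlsplit(refang(row["URL"])).hostname or "").lower()
        key = (host, row["Application"].lower(), row["User"].upper(), row["Hash"].upper())
        group = groups[key]
        group["count"] += 1
        group["ips"].add(row["IP address"])   # IPv4 and IPv6 kept as logged
        group["times"].append(row["Time"])
    return dict(groups)

if __name__ == "__main__":
    for (host, app, user, digest), g in summarize(SAMPLE).items():
        print(f"{g['count']}x {host} <- {app} ({user}) hash={digest}")
        print("   remote IPs:", ", ".join(sorted(g["ips"])))
```

A single group in the output means the alerts differ only in timestamp and remote IP, not in the requesting process or the URL.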

Hey guys, just created an account just to check if anyone else was also getting this. Glad to hear it's a false positive, quick Google search said the same but I wanted to be sure. This just started happening maybe 15-20 mins ago. 


Yep, same here. I've been shitting my pants wondering how did I get infected, because it's coming from svchost. Glad to see I'm not alone 🥺


  • Administrators

Well, the block was based on an actual malicious redirector on http://x2.c.lencr.org (it's not there any more) but we're investigating why this url was blacklisted as it shouldn't have been despite the malware detection.


8 minutes ago, rawalanche said:

Yep, same here. I've been shitting my pants wondering how did I get infected, because it's coming from svchost. Glad to see I'm not alone 🥺

lol, I got the same thing and it warned me at the exact moment I clicked on a UPS tracking link in a legit email from ATT. Got a total of 3 warnings, one of which happened after I closed the browser. People have been coming to me asking what the warning was about.

I also need fresh pants. 


Posted (edited)

What I am wondering is if there is a hacked Win Update backbone server out there?

Edited by itman

  • Administrators

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad


Posted (edited)

Just got the same thing and was really worried. It appeared without me even opening a new page in the browser so it was very strange.

Checked the eset report and saw it wasn't coming from browser but from svchost, I removed svchost's online access via tinywall but since it's a windows process I think it needs to remain online and bypasses firewall block?

What is the cause of this anyway? Why is svchost pinging this sort of address anyway, instead of Microsoft addresses? Telemetry?

Is this something that just happened to all windows users or? Why is it the first time eset flags it?

Can Admins confirm it's safe? Or should we remain offline until more info

Edited by jfksdt45245

  • Administrators

You don't need to be concerned. C.lencr.org domain is used by Let's Encrypt certification authority that provides certificate revocation lists.


Posted (edited)
6 minutes ago, Marcos said:

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

The first warning I got, I had chrome opened with Ublock Origin loaded. I have JavaScript disabled by default. The third time the warning appeared, I had no browser open. The logs show svchost for me as well.

Edited by denzilla

7 minutes ago, Marcos said:

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

Good evening. I have the same problem, but I didn't even open Firefox, I just started the computer, I opened Telegram desktop and... voilà! Two messages saying that process C:\Windows\System32\svchost.exe; and the user NT AUTHORITY\Network service were attempting to access hxxp://x2.c.lencr.org and had been blocked. I closed everything, restarted the computer, without opening any program a new warning that ESET had blocked the process C:\Windows\System32\svchost.exe; and user NT AUTHORITY\Network service attempt and the user from accessing http ://x2.c.lencr.org. I don't know whether to worry or not. Why is my computer trying to connect to that web site? Is it infected by any malware? According to virustotal.com this web site is used to load StealC and Lumma Infostealers.


1 minute ago, Marcos said:

C.lencr.org domain is used by Let's Encrypt certification authority that provides certificate revocation lists.

If a CA server is hacked, is that not a big deal? I say Let's Encrypt needs to take that server off-line.


  • Administrators
5 minutes ago, itman said:

If a CA server is hacked, is that not a big deal? I say Let's Encrypt needs to take that server off-line.

I don't know the exact purpose of the redirector that was there and pointing to a domain blocked by several other AV vendors. Unfortunately the url doesn't work any more so it's not possible to find out what was there in the past.


Re-enabled internet and it seems it is still happening, 2 new notification pop-ups. Why is svchost still pinging this address? Concerning.


12 minutes ago, Marcos said:

I don't know the exact purpose of the redirector that was there and pointing to a domain blocked by several other AV vendors. Unfortunately the url doesn't work any more so it's not possible to find out what was there in the past.

Interesting what happened to me. I tried to edit my previous post so that the url was not visible as a link and, accidentally, I clicked on it. ESET didn't detect anything, but Firefox did, blocked the attempt to download a file from that link and gave me two options, complete the download or delete the file without ending the download (in the folder "My downloads" a 0-bit file had appeared). How is that possible? Did it really download something to my computer from that link?


1 hour ago, jfksdt45245 said:

Re-enabled internet and it seems it is still happening, 2 new notification pop-ups. Why is svchost still pinging this address? Concerning.

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.


1 hour ago, AlSky said:

"My downloads" a 0-bit file had appeared). How is that possible? Did it really download something to my computer from that link?

Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in your downloads folder.


21 minutes ago, itman said:

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

It was the same URL 3 times, there are 3 instances in the log with the same URL as reported here

The first was 2 hours 40 minutes ago, I think same time as everyone here got it too, I disconnected when it appeared

I re-enabled connection a bit after checking that thread and Marcos saying it was safe

It occurred again second and third time (one minute interval between the two) 1 hour 40 minutes ago when I made that post. Log shows different IP from the first time, but also points to Akamai

Other users in this thread have reported seeing it 3 times as well so perhaps me disconnecting/reconnecting caused a delay but didn't prevent the two other times from happening anyway, I don't know but it still happened one hour later


Posted (edited)
8 hours ago, itman said:

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

Error, it wasn't the message I wanted to quote.
 

Edited by AlSky

7 hours ago, itman said:

Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in your downloads folder.

Thank you so much for answering, @itman. I clicked on "delete the file without ending the download" since Firefox had warned me that it was a malicious file. The 0-bit file in the "My downloads" folder disappeared. Does that mean it couldn't download anything to my computer?

In any case, how can a url that supposedly no longer works attempt to download something to the computer? And how is it possible that yesterday our computers tried to connect to that url without our active participation and we received ESET alert messages blocking the connection? This is how some malware works.
