Avast WEBforum

Other => Viruses and worms => Topic started by: carloshax on October 17, 2020, 12:44:04 PM

Title: Bruteforce
Post by: carloshax on October 17, 2020, 12:44:04 PM
I keep getting smb://41.242.56.55/BruteForce connection block messages, anyone know how I can stop this from happening?

Thank you, Carl
Title: Re: Bruteforce
Post by: Asyn on October 17, 2020, 12:45:38 PM
Hi Carl, post a screenshot.
Title: Re: Bruteforce
Post by: polonus on October 17, 2020, 02:14:56 PM
Also read: https://www.abuseipdb.com/check/41.242.56.55
and here: https://phoenixnap.com/kb/prevent-brute-force-attacks

polonus
Title: Re: Bruteforce
Post by: carloshax on October 17, 2020, 03:05:14 PM
https://ibb.co/txhQP4c
Title: Re: Bruteforce
Post by: rocksteady on October 17, 2020, 03:54:04 PM
@carloshax
Use "Attachments and other options" link under the text box to add screenshot to your message.
Some people do not wish to click on unknown web links to view them as external content.
Title: Re: Bruteforce
Post by: polonus on October 17, 2020, 04:10:17 PM
Hi carloshax,

rocksteady is right here, some folks may frown on the use of URL shortener links for obvious reasons.
Especially as they are given as "live" links.

polonus
Title: Re: Bruteforce
Post by: carloshax on October 17, 2020, 05:31:48 PM
Thank you, attachment added.
Title: Re: Bruteforce
Post by: Asyn on October 18, 2020, 09:49:52 AM
Hi Carl, that's the new Remote Access Shield. Read here: https://forum.avast.com/index.php?topic=235069.0
Title: Re: Bruteforce
Post by: Jakub Dubovic on October 20, 2020, 12:49:55 AM
Quote from: carloshax on October 17, 2020, 12:44:04 PM
I keep getting smb://41.242.56.55/BruteForce connection block messages, anyone know how I can stop this from happening?

Thank you, Carl

Hello Carl,

Thanks for the report.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. The SMB protocol is another common attack vector.

As polonus posted:

Quote from: polonus on October 17, 2020, 02:14:56 PM
Also read: https://www.abuseipdb.com/check/41.242.56.55
and here: https://phoenixnap.com/kb/prevent-brute-force-attacks

The IP address appears to belong to an attacker that tried to use the open SMB port on your computer (used by Windows to read and write files and perform other service requests to network devices) to gain access to it using a brute force attack, i.e. multiple consecutive connections with commonly used login credentials. When Avast detects multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection and blocks the IP from future attempts.
Title: Re: Bruteforce
Post by: 4ahobbs on November 10, 2020, 11:09:28 PM
Hi All,

I am also getting repeated notices of AVAST blocking a connection from a Samba connection which it identifies as an internal (I think) IPv6 address.  For example, in the attached screen shot, the attacks were coming once every second, hundreds of times.  This goes on for hours each day.  You will see in the snippet that all the attacks were blocked by AVAST, but then at 2:47:39 AVAST "Allowed" an SMB connection from another IPv6 address and the log stops at that time (it is now 5:04 PM).  You will also see in the upper right hand corner that the "All" tab lists 4832 attacks, but only 4561 blocked attacks.

Could someone tell me whether this is some kind of attack, or whether the AVAST Remote Access Shield is just recording some routine network activity as a false positive?  Thanks.
Title: Re: Bruteforce
Post by: polonus on November 11, 2020, 01:57:46 PM
Read here for instance: https://tsplus.me/ip-addresses/  which link-local addresses should be whitelisted.
But what we want to hear here is an answer from avast team.

polonus
Title: Re: Bruteforce
Post by: 4ahobbs on November 11, 2020, 05:09:18 PM
Thanks polonus.

But why would my PC network be using IPv6 link-local addresses to communicate with each node in the network?  Wouldn't it be an IPv4 169.254 address?  And why would AVAST detect the internal address as a brute force attack and block it?  And then permit it?  Avast definitely needs to answer because it appears this is an AVAST-only issue and doesn't involve my network.
Title: Re: Bruteforce
Post by: Jakub Dubovic on November 12, 2020, 02:19:15 PM
Quote from: 4ahobbs on November 11, 2020, 05:09:18 PM
Thanks polonus.

But why would my PC network be using IPv6 link-local addresses to communicate with each node in the network?  Wouldn't it be an IPv4 169.254 address?  And why would AVAST detect the internal address as a brute force attack and block it?  And then permit it?  Avast definitely needs to answer because it appears this is an AVAST-only issue and doesn't involve my network.

Hello 4ahobbs,

I don't know why your PC network uses IPv6 link-local addresses to communicate with each node in the network.

Our brute force detection blocks IP addresses that attempt multiple connections unsuccessfully in a short time. Therefore Avast blocked connections from one address (it tried to connect unsuccessfully multiple times - meaning it's possible it was a brute force attack trying different passwords for example), but didn't block connections from the other (its connection was successful).

As for why an internal address would be doing this - either this could be a misconfigured device trying to connect with wrong credentials (but in that case it's strange that it tries so many connections), or it could be infected with malware and trying to gain access to other devices.

It's likely not an Avast issue - as far as I know, none of the Avast versions attempt multiple SMB connections for any reason. To find out the reason why this is happening, you would need to investigate the device that initiates the connections. And either fix its configuration, ask the device's manufacturer why this is happening, or, in case it is infected with malware, remove the malware.

If you have any more questions, please feel free to ask them here.
Title: Re: Bruteforce
Post by: 4ahobbs on November 13, 2020, 01:54:24 AM
Hi Jakub and Anyone else in the Forum,

In response to your reply--I have two questions:

1) Is there a way for me to print a log file of these blocked and allowed attacks in the Remote Access Shield?  They come every second and from the same IPv6 source and AVAST blocks them.  Then a few come from a different IPv6 source and AVAST allows them, so viewing them as the 12 lines that AVAST displays is not helpful to see a pattern.

2) I am not familiar with IPv6 addresses.  How can I possibly determine which device is initiating these attacks and eliminate it?  Are there specialized AV programs which would permit me to determine that (like freefixer etc.).

Thanks.
Title: Re: Bruteforce
Post by: Jakub Dubovic on November 13, 2020, 11:17:04 AM
Quote from: 4ahobbs on November 13, 2020, 01:54:24 AM

Hello 4ahobbs,

1) You can turn on debug logging in Avast -> Menu -> Settings -> Troubleshooting -> Enable debug logging. The log will be generated in C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log.

Inside the log, just search for "SMB". The individual entries will look like this:

[2020-10-09 10:25:13.779] [info   ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[10.187.43.140],port:51041,conn_id:164107]
[2020-10-09 10:25:13.909] [info   ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.ConnectionBlocked [proto:SMB,ip:[10.187.43.140],port:51041,status:[SMB:BruteForce],conn_id:164107]

Here you can find the time, protocol, source IP address and port, connection ID (used to follow the logs related to a single connection), status (reason for blocking the connection).

2) Avast allows you to do this using the WiFi Inspector feature: https://antivirus-protection.co/avast-wifi-inspector


Another program I'd recommend if you are proficient with packet analysis is Wireshark. It can be set to scan all communication on your port 445 (the SMB port) and you can inspect the packets in its UI. As the username is sent in plaintext during the SMB authentication, you can view it and it might give you some insight into what is causing this. Screenshots of setting up Wireshark and of a captured failed authentication attempt are included.

The provided examples/screenshot use IPv4, but it should be similar when IPv6 is used.
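The reply above describes the StreamFilter.log line format (NewConnection / ConnectionBlocked, source IP, status, conn_id) and, earlier in the thread, the rule behind the detection: many unsuccessful connections from one address in a short time. The script below is an added example by the editor, not Avast code or part of any post: it parses those two line shapes, gives per-source counts of seen, blocked and allowed connections (the kind of pattern the 12-line GUI view cannot show), and flags addresses that produce a burst of attempts. "Allowed" is inferred as a NewConnection whose conn_id never gets a ConnectionBlocked line, because the quoted log shows no explicit allow entry; the burst threshold and window are illustrative, not Avast's real tuning; the sample log lines are constructed in the quoted format, not a real capture.

```python
"""Summarise Remote Access Shield SMB events from Avast's StreamFilter.log.

Added example, not Avast code.  Parses the two line shapes quoted in the
thread (RdpFilterCtx.NewConnection and RdpFilterCtx.ConnectionBlocked),
counts per source address how many connections arrived, how many were
blocked and with which status, and flags addresses that produced a burst of
attempts.  The burst threshold and window are illustrative, not Avast's real
tuning, and "allowed" is inferred (a NewConnection whose conn_id never gets a
ConnectionBlocked line), since the quoted log shows no explicit allow line.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# One StreamFilter.log line.  ip:[...] holds either an IPv4 or IPv6 address;
# status:[...] is present only on ConnectionBlocked lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\].*?"
    r"RdpFilterCtx\.(?P<event>\w+) \[proto:(?P<proto>\w+),ip:\[(?P<ip>[^\]]+)\],"
    r"port:(?P<port>\d+)(?:,status:\[(?P<status>[^\]]+)\])?,conn_id:(?P<conn_id>\d+)\]"
)


@dataclass
class Event:
    ts: datetime
    event: str
    ip: str
    port: int
    conn_id: int
    status: Optional[str] = None


def parse_log(text: str, proto: str = "SMB") -> list:
    """Return the Event objects for one protocol, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["proto"] != proto:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                            m["event"], m["ip"], int(m["port"]),
                            int(m["conn_id"]), m["status"]))
    return events


def summarize(events) -> dict:
    """Per source IP: connections seen, blocked, allowed, block statuses, time span."""
    blocked_ids = {e.conn_id for e in events if e.event == "ConnectionBlocked"}
    out = defaultdict(lambda: {"seen": 0, "blocked": 0, "allowed": 0,
                               "statuses": set(), "first": None, "last": None})
    for e in events:
        s = out[e.ip]
        if e.event == "NewConnection":
            s["seen"] += 1
            s["blocked" if e.conn_id in blocked_ids else "allowed"] += 1
            s["first"] = e.ts if s["first"] is None else min(s["first"], e.ts)
            s["last"] = e.ts if s["last"] is None else max(s["last"], e.ts)
        elif e.event == "ConnectionBlocked" and e.status:
            s["statuses"].add(e.status)
    return dict(out)


def burst_sources(events, threshold: int = 5, window_seconds: int = 60) -> set:
    """Addresses whose NewConnection count reaches `threshold` inside any
    sliding window of `window_seconds`: the shape of rule Avast describes."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda x: x.ts):
        if e.event != "NewConnection":
            continue
        q = recent[e.ip]
        q.append(e.ts)
        while (e.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e.ip)
    return flagged


# ---- constructed sample log in the quoted format (not a real capture) ----
NOISY = "fe80::2d51:8c1a:6f4b:9a3e"   # the LAN PC Avast keeps blocking
QUIET = "fe80::a4c3:1b2e:7d9f:c010"   # a LAN PC whose connection went through


def _line(ts, event, ip, port, cid, status=None, proto="SMB"):
    st = f",status:[{status}]" if status else ""
    return (f"[{ts}] [info   ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.{event} "
            f"[proto:{proto},ip:[{ip}],port:{port}{st},conn_id:{cid}]")


_lines = []
for i in range(6):   # one attempt per second, each blocked
    ts = f"2020-11-10 14:47:{30 + i:02d}"
    _lines.append(_line(ts + ".101", "NewConnection", NOISY, 49700 + i, 164107 + i))
    _lines.append(_line(ts + ".240", "ConnectionBlocked", NOISY, 49700 + i, 164107 + i, "SMB:BruteForce"))
_lines.append(_line("2020-11-10 14:47:39.512", "NewConnection", QUIET, 50311, 164120))
_lines.append(_line("2020-11-10 14:47:40.003", "NewConnection", "203.0.113.8", 61001, 164121, proto="RDP"))
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, s in summarize(evs).items():
        print(f"{ip:28} seen={s['seen']} blocked={s['blocked']} allowed={s['allowed']} "
              f"statuses={sorted(s['statuses'])} {s['first']:%H:%M:%S}..{s['last']:%H:%M:%S}")
    print("burst sources:", burst_sources(evs))
```

Run it against the real file by replacing SAMPLE_LOG with the contents of C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log; the per-address "first..last" span and the blocked/allowed split are what tell a once-a-second hammering apart from a single device reconnecting after sleep.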
Title: Re: Bruteforce
Post by: 4ahobbs on November 14, 2020, 11:30:55 PM
Hi Jakub,

Thanks for the tools, but I am not proficient in packet analysis.  I did download my logs and I have hundreds, maybe a thousand, SMB entries with the status [SMB:BruteForce] going back to October 26, 2020.  The entries run 10 or so a minute.  All the blocked entries have a link-local IPv6 address. All of the allowed entries also have a link-local IPv6 address.

I have eight PC's on my network, and all of them, including the one detecting the Brute Force attack were set to not allow remote connections to this computer. I also have Malwarebytes Premium and that software did not detect any attack.

This leads me to believe that AVAST is giving me false positives from my internal network.  Should I send the Avast Remote Access logs to Avast to take a look?  Should I disable IPv6 on all the computers in the network?  I'm not sure if that will affect anything since I only use IPv4 addresses to my knowledge.  Thanks.
Title: Re: Bruteforce
Post by: Jakub Dubovic on November 17, 2020, 09:21:12 PM
Quote from: 4ahobbs on November 14, 2020, 11:30:55 PM

Hello 4ahobbs,

It is of course possible that the detections are false positives. It might be different devices than PCs - for example a music/video player that automatically tries to connect to your shared folders using SMB and then lets you play music or videos from your PC.

I'm afraid we won't be able to tell any more from the logs than you. As I wrote, you can try to find the device from which the connections originate using Avast WiFi Inspector. Then it should be easier to figure out what is going on. You just click WiFi Inspector -> Network Scan. When the scan is finished, click a discovered device and it will show you its address.

In case the detections are false positives, we are working on a GUI feature you'll be able to use. It lets you hide detections from a specified address, as this is a common issue.
Title: Re: Bruteforce
Post by: 4ahobbs on November 28, 2020, 05:15:07 PM
Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing.

Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PCs on the network had Remote Desktop turned off.

What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify and correlate the MAC addresses with IPv4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PCs on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but it should be corrected by AVAST.   Thanks.
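The post above gets there by hand: IPv6 neighbour table to MAC, then MAC to IPv4 with a scanner. The same correlation can be done with the tables Windows already keeps, and that also answers the earlier question of why the addresses are IPv6 at all: Windows puts a link-local (fe80::/10) address on every interface and its default prefix policy prefers IPv6 over IPv4 when a name resolves to both, so SMB between two Windows PCs on a home LAN routinely runs over fe80:: addresses even where the owner only ever configured IPv4. The script below is an added example by the editor, not code from the post, Avast, NetScanTools or Angry IP Scanner. It joins the output of `netsh interface ipv6 show neighbors` (the IPv6 counterpart of the ARP cache) with `arp -a` on the MAC address, and for devices that still embed their MAC in the address as an EUI-64 interface ID (typical of NAS boxes and printers; Windows uses random interface IDs by default) it decodes the MAC directly. The two tables are constructed in those commands' layouts with made-up values, not real captures.

```python
"""Map IPv6 link-local addresses from Avast's log back to MAC and IPv4.

Added example, not Avast or NetScanTools code.  It joins the IPv6 neighbour
cache (the output of `netsh interface ipv6 show neighbors`, the IPv6
counterpart of the ARP cache) with the IPv4 ARP cache (`arp -a`) on the MAC
address, and for hosts whose address still embeds the MAC as an EUI-64
interface ID it decodes the MAC directly.  Windows uses random interface IDs
by default, so the neighbour cache is needed for Windows peers.  The two
tables below are constructed in those commands' layouts, not real captures.
"""
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)


def _norm_mac(mac: str) -> str:
    return mac.lower().replace(":", "-")


def _norm_ip6(addr: str) -> str:
    # drop a %zone suffix and canonicalise (lowercase, compressed)
    return str(ipaddress.IPv6Address(addr.split("%")[0]))


def parse_neighbors(text: str) -> dict:
    """ipv6 -> mac from `netsh interface ipv6 show neighbors` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and ":" in parts[0] and MAC_RE.fullmatch(parts[1]):
            try:
                table[_norm_ip6(parts[0])] = _norm_mac(parts[1])
            except ValueError:
                continue   # first column was not an IPv6 address
    return table


def parse_arp(text: str) -> dict:
    """mac -> ipv4 from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[1]):
            try:
                table[_norm_mac(parts[1])] = str(ipaddress.IPv4Address(parts[0]))
            except ValueError:
                continue
    return table


def eui64_mac(addr: str):
    """MAC embedded in an EUI-64 interface ID (ff:fe in the middle, with the
    universal/local bit of the first octet flipped), or None if not EUI-64."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{o:02x}" for o in octets)


def resolve(ip6_list, neighbors_text: str, arp_text: str) -> dict:
    """For each logged IPv6 address: its MAC, IPv4 and how the MAC was found."""
    nb = parse_neighbors(neighbors_text)
    arp = parse_arp(arp_text)
    result = {}
    for addr in ip6_list:
        key = _norm_ip6(addr)
        if key in nb:
            mac, how = nb[key], "neighbor-cache"
        else:
            mac = eui64_mac(addr)
            how = "eui-64" if mac else None
        result[addr] = {"mac": mac, "ipv4": arp.get(mac) if mac else None, "via": how}
    return result


# ---- constructed sample tables (layout of the Windows commands, fake values) ----
NEIGHBORS = """\
Interface 12: Ethernet

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::2d51:8c1a:6f4b:9a3e                     a4-bb-6d-12-34-56  Reachable
fe80::5c0e:92a3:b1d7:44f2                     d8-3a-dd-0a-bc-de  Stale
ff02::1                                       33-33-00-00-00-01  Permanent
"""

ARP = """\
Interface: 192.168.1.10 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          a4-bb-6d-12-34-56     dynamic
  192.168.1.40          d8-3a-dd-0a-bc-de     dynamic
  192.168.1.57          b0-be-83-77-66-55     dynamic
"""

# addresses as they would appear in Avast's smb://[...]/BruteForce alerts
LOGGED = ["fe80::2d51:8c1a:6f4b:9a3e",   # Windows PC, random IID: needs the cache
          "fe80::b2be:83ff:fe77:6655",   # NAS-style EUI-64 address: MAC is decodable
          "fe80::dead:beef:1:2"]         # unknown: not cached, not EUI-64

if __name__ == "__main__":
    for addr, info in resolve(LOGGED, NEIGHBORS, ARP).items():
        print(f"{addr:28} mac={info['mac']} ipv4={info['ipv4']} via={info['via']}")
```

Run the two netsh/arp commands on the PC that shows the alerts (the neighbour cache is per host and entries age out, so do it while the alerts are arriving) and feed their output in place of NEIGHBORS and ARP; a MAC that resolves to nothing in the ARP table is a device that has never talked IPv4 to this host, which is itself a lead.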
Title: Re: Bruteforce
Post by: Richard16 on December 09, 2020, 03:24:12 AM
I've had the Omni Hub for over a year now and during the past few months I've started getting alerts on my desktop about RDP Brute Force threats.

It lists the "URL" as rdp://192.168.0.69/BruteForce. This is the local IP address of the Omni Hub.

Why am I getting this message on my Windows 10 laptop with the IP address of my Omni Hub?  I have the Avast Omni application installed on all the machines on my network.
Is this a problem that needs to be fixed?  If so, then how do I fix it.
Thanks, Richard
Title: Re: Bruteforce
Post by: polonus on December 09, 2020, 11:41:50 AM
Hi Richard16,

Question here: is the Remote Desktop Service allowed?
The alert could then be because of some form of penetration hacking being performed.
This could be by a botnet, a compromised Polycom device or illegal use of a penetration test tool.

Students for instance may use this for illegal purposes yes also on Omni Hub:
also read: https://github.com/AzizKpln/Bruter19

So not all detections can be explained away as false positives.

polonus
Title: Re: Bruteforce
Post by: Jakub Dubovic on December 14, 2020, 12:41:49 AM
Quote from: Richard16 on December 09, 2020, 03:24:12 AM

Hello Richard,

thanks for sharing the issue! We are working to correct it - it's a problem on our side.
Title: Re: Bruteforce
Post by: usalabs14 on December 14, 2020, 05:21:20 AM
Hi All,

Quote from: 4ahobbs on November 10, 2020, 11:09:28 PM

A quick question: do you have SMB open to the WAN?  If so, it shouldn't be. SMB is mainly for file sharing within the LAN, such as using the Samba protocol for network file sharing, which tells me that if Avast is blocking connections inside the LAN, then someone on your network is trying to hack your system. They don't have to be on a wired network; they can still hack using your WiFi if it's not protected.

I have never in the years that I have been using Avast had any SMB blocking, and I have a NAS server running for sharing files internally across the network, and I make sure the SMB ports are blocked in the firewall on the router, but open on the NAS's firewall.

Any SMB data that tries to come in on those ports is immediately dropped.  So my advice is to remove any entries in the router port forwarding for SMB, and also disable IPv6; using IPv4 is much better for tracing where the attacks are coming from.
Title: Re: Bruteforce
Post by: Mark657 on January 16, 2021, 07:18:30 PM
Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing. Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP Addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PC's on the network had Remote Desktop turned off.  What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv.6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify  and correlate the MAC addresses with IPv.4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PC's on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but is should be corrected by AVAST.   Thanks.

4ahobbs, what did you do to fix it? Were you able to add the IP addresses as an exception or did you turn something off?

I have four PCs on my network, my main workhorse is my laptop. Two of the other three PCs can access my shared laptop folders just fine. The fourth one was hit and miss. Mainly miss. Occasionally it could connect to the laptop, but mostly was blocked.

I did narrow it down to Avast on the laptop treating it as a Brute-force attack much like yourself.  I tried to set Avast to allow the specific problematic IP through but no luck, so I turned off "Block Brute-Force Attacks". That worked. But I'd like to know if you took a different/better approach than me. Did you do something different?
Thanks.
Title: Re: Bruteforce
Post by: bob3160 on January 16, 2021, 11:32:38 PM
Reported to Avast let's see if that helps.
Title: Re: Bruteforce
Post by: 4ahobbs on January 17, 2021, 12:40:24 AM
Hi Mark 657,

I didn't do anything.  The high volume of "attacks" stopped a week or so after my last posting, so I just assumed that Avast fixed it in an update.  I do get notifications of an "attack" from time to time, but nothing like the high volume I was getting several months ago. Maybe one notice once a week or so from PC's behind my firewall.  Sorry I could not be of more help.
Title: Re: Bruteforce
Post by: gkinrade on January 23, 2021, 10:39:51 AM
I'm suddenly getting this exact same issue.  I cannot access my home server, which runs Windows 10 and Avast Premium, from any PC any more using its name ("Server" - original I know) and can only access the server using its IP address.  Logging into the server using Remote Desktop I can see the Avast popups saying:

Incoming connection blocked
Threat name SMB:BruteForce
URL smb://blahblahblah

The URL matches the link-local IPv6 Address of my main desktop PC found using ipconfig /all.  Avast claims it's fully up to date with the following versions installed:

Virus definitions - Release Date 23rd January 2021 09:34 (ver: 210122-10)
Application - Release Date 9th December 2020 08:25 (ver. 20.10.2442 - build 20.10.5824.624)

Any help greatly appreciated!

Edit:  Disabling Samba protection within the Remote Access Shield settings seems to 'fix' it, although I wouldn't really count disabling part of the protection offered as an actual fix...
Title: Re: Bruteforce
Post by: Jakub Dubovic on March 02, 2021, 01:42:39 AM
Hello gkinrade,

Thanks for reporting the issue. As with similar issues, the detections are caused by multiple unsuccessful connections from the blahblahblah address to your PC. Without more information it's impossible to decide whether the connections are a malicious attempt to guess your credentials, or just a legitimate application that has, for example, wrong configuration and thus fails to connect.

We have published an FAQ article with answers to some of your questions: https://support.avast.com/en-sg/article/95/
There is a way to disable notifications ("What can I do if Remote Access Shield shows too many notifications?" in the FAQ) if they bother you. But the computer attempting the unsuccessful connections will still be blocked from Samba connections to your PC by Avast, unless you disable the Samba protection. But, as you said, it could compromise your security.

A more secure way to solve this would be to find out why the connections are sent - if an application is misbehaving (common offenders are for example music/video sharing applications attempting automatically to access shared folders in the local network), or whether actual malware is involved.
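The advice above, find out why the connections are being sent, is where Avast's own alert runs out: it gives the peer's address and nothing else. The share host's Security log fills the gap. Every failed network logon (event 4625 with logon type 3, which is what SMB authentication produces) records the account name the peer tried, the peer's workstation name and an NTSTATUS sub-status saying why it failed, which separates a password guesser (many different accounts from one address) from a misconfigured device (one account, wrong password, over and over; the "stored credential on a media player" case Jakub mentions). The script below is an added example by the editor, not Avast code or part of the post. It assumes the events were exported with `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml` and that logon-failure auditing is enabled on the host; the events embedded in it are constructed in the 4625 layout with made-up hosts, not real records. One caveat: once Avast has started dropping a peer's connections at the network layer, those attempts never reach the SMB server and leave no 4625, so the useful entries are from before the block kicked in, or from a period with Samba protection turned off.

```python
"""Pull failed network logons (event 4625, logon type 3) out of an export of
the Windows Security log.

Added example, not Avast code.  Avast's alert only gives the peer's address;
the share host's own Security log records which account the peer tried,
its workstation name and why the logon failed.  Export assumed to come from
wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml with failure
auditing enabled.  The events below are constructed in the 4625 schema,
not real.  Attempts Avast already dropped at the network layer never reach
the SMB server and so leave no 4625.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# SubStatus NTSTATUS codes 4625 uses to say why the logon failed.
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "no such user",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc000006f": "outside logon hours",
    "0xc0000070": "workstation restriction",
    "0xc000015b": "logon type not granted",
}


def parse_4625(xml_text: str):
    """Yield one dict per 4625 with LogonType 3 (network, which is what SMB uses).
    wevtutil prints bare <Event> elements one after another, so wrap them."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system is None or system.findtext("e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("LogonType") != "3":
            continue
        sub = data.get("SubStatus", "").lower()
        yield {
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "ip": data.get("IpAddress") or "-",
            "workstation": data.get("WorkstationName") or "-",
            "user": data.get("TargetUserName") or "-",
            "package": data.get("AuthenticationPackageName") or "-",
            "reason": SUBSTATUS.get(sub, sub or "?"),
        }


def summarize(xml_text: str) -> Counter:
    """Count (ip, workstation, user, reason) tuples."""
    return Counter((e["ip"], e["workstation"], e["user"], e["reason"])
                   for e in parse_4625(xml_text))


def verdict(counts: Counter) -> dict:
    """Per source IP: 'guessing' if several distinct accounts were tried,
    else 'stale-credential' (one account failing repeatedly)."""
    users = {}
    for (ip, _ws, user, _reason), _n in counts.items():
        users.setdefault(ip, set()).add(user)
    return {ip: ("guessing" if len(u) > 1 else "stale-credential") for ip, u in users.items()}


# ---- constructed sample events (4625 layout, fake hosts and times) ----
def _event(ts, user, ws, ip, sub, logon_type="3"):
    return (f"<Event xmlns='{NS['e']}'><System>"
            f"<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4625</EventID>"
            f"<TimeCreated SystemTime='{ts}'/><Computer>SERVER</Computer></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data><Data Name='TargetDomainName'>{ws}</Data>"
            f"<Data Name='Status'>0xc000006d</Data><Data Name='SubStatus'>{sub}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data>"
            f"<Data Name='AuthenticationPackageName'>NTLM</Data>"
            f"<Data Name='WorkstationName'>{ws}</Data><Data Name='IpAddress'>{ip}</Data>"
            f"</EventData></Event>")


LAN_PC = "fe80::2d51:8c1a:6f4b:9a3e"
SAMPLE_EVENTS = "".join([
    _event("2020-11-10T14:47:30.101Z", "media", "LIVINGROOM-PC", LAN_PC, "0xC000006A"),
    _event("2020-11-10T14:47:31.104Z", "media", "LIVINGROOM-PC", LAN_PC, "0xC000006A"),
    _event("2020-11-10T14:47:32.099Z", "media", "LIVINGROOM-PC", LAN_PC, "0xC000006A"),
    _event("2020-11-10T03:12:01.000Z", "administrator", "", "203.0.113.8", "0xC000006A"),
    _event("2020-11-10T03:12:01.400Z", "admin", "", "203.0.113.8", "0xC0000064"),
    _event("2020-11-10T03:12:01.800Z", "administrator", "", "203.0.113.8", "0xC000006A"),
    _event("2020-11-10T03:12:02.200Z", "guest", "", "203.0.113.8", "0xC0000072"),
    _event("2020-11-10T08:00:00.000Z", "carl", "SERVER", "127.0.0.1", "0xC000006A", logon_type="2"),
])

if __name__ == "__main__":
    counts = summarize(SAMPLE_EVENTS)
    for key, n in counts.most_common():
        print(n, key)
    print(verdict(counts))
```

The workstation name is whatever the peer put in its NTLM message, so trust the IP more than the name; the account/reason pair is the part that is hard for a misconfigured device to fake.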
Title: Re: Bruteforce
Post by: 4ahobbs on March 24, 2021, 08:08:33 PM
Hi All and @Jakub Dubovic,

I'm not the OP, but I did join this thread a long time ago, November 2020, complaining about this ongoing problem with Avast Premium blocking PCs on my internal network.  I read your responses and the FAQ you suggested.  I just added a new PC on my network, and previously had followed all the steps gkinrade described earlier to diagnose the issue.

This time, however, I set up a dual monitor and remote accessed into my server running Avast Premium, while operating File Manager on my new PC and viewing it on the other monitor.  Using both monitors, I can see the actual block as it happens, and Avast logs the block as an IPv6 address instead of IPv4 (I never got an explanation about that, although I've asked it in this thread a few times).  This time, as I had done previously, I entered IP addresses under Settings to exclude the block.  It never worked completely before.  I've entered an IPv4 range AND I've entered both the specific IPv4 and IPv6 addresses of the blocked new PC.  Avast still blocked the specific PC.

What DID work, surprisingly (and I did this on impulse just to see what would happen), was I turned "Enable SAMBA Protection" OFF on the Avast running on the server, tried to access the server through File Manager on the new PC (it worked) and THEN I turned "Enable SAMBA Protection" ON again on the server.  Thereafter, the new PC was able to access my server.  Go figure, right?  We will see if this solves the problem.
Title: Re: Bruteforce
Post by: 4ahobbs on April 04, 2021, 11:37:18 PM
Just an update.  My adjustment (described earlier) worked for a while, and then Avast on my Windows 10 server started to regard one of my five PC's on the network as hostile and blocked it from accessing files and folders again, even though I had its IPv4 and IPv6 addresses in the BLOCK ALL CONNECTIONS EXCEPT THE FOLLOWING section.  I even unchecked the box next to BLOCK ALL CONNECTIONS EXCEPT . . .. It still blocked that one PC.  The others are not blocked, but I don't see any rationale for that action.

I've given up and submitted a ticket.  The ONLY way I can work with AVAST is if I completely and indefinitely TURN OFF Remote Access Shield.  It shouldn't be this way.