Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: jeannie16 on December 27, 2020, 02:08:16 AM

Title: SMB:BruteForce attacks.
Post by: jeannie16 on December 27, 2020, 02:08:16 AM
Hi,
With Avast Premium, I keep receiving messages that Avast has stopped another SMB BruteForce attack. I do the computer work for a small non-profit (volunteer) with only about 5 desktop computers, but with many wireless devices using the WiFi. We house residents for a low rent. The problems started a few months ago when a resident with VERY good skills (much more than I) left unhappily. Maybe it was just a coincidence? Anyway, the attacks were coming every few minutes and have slowly lessened over time, but it still concerns me. I will show a very small part of the log from a few days ago:
[2020-12-22 16:55:32.292] [info   ] [nsf_rdp_mim] [ 3012: 1068] RdpFilterCtx.Connection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52953,status:[control_granted],in_packet_nr:3,conn_id:30540]
[2020-12-22 16:56:35.526] [debug  ] [nsf        ] [ 3012: 2728] CDOHPlugin::onRequestHeaders - NOT preferred browser [C:\windows\system32\svchost.exe]
[2020-12-22 17:00:10.229] [info   ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.NewConnection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52963,conn_id:30559]
[2020-12-22 17:00:10.229] [debug  ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.handleDetectionNotification [url:smb://fe80::1c97:80f5:aa6f:6580:52963]
[2020-12-22 17:00:10.276] [info   ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.Connection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52963,status:[control_granted],in_packet_nr:3,conn_id:30559]
[2020-12-22 17:14:26.745] [debug  ] [nsf        ] [ 3012: 1068] CDOHPlugin::onRequestHeaders - NOT preferred browser [C:\program files\ccleaner\ccleaner64.exe]

Thanks, any help is appreciated.
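
An added example, not part of the thread and not Avast's own tooling: a Python script that groups the `nsf_rdp_mim` SMB lines from a log like the one quoted above by source address and labels each address's scope. The field layout is assumed from the quoted lines only, and `summarize` and `scope` are hypothetical names.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines copied from the log quoted in the post above.
SAMPLE_LOG = r"""
[2020-12-22 16:55:32.292] [info   ] [nsf_rdp_mim] [ 3012: 1068] RdpFilterCtx.Connection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52953,status:[control_granted],in_packet_nr:3,conn_id:30540]
[2020-12-22 16:56:35.526] [debug  ] [nsf        ] [ 3012: 2728] CDOHPlugin::onRequestHeaders - NOT preferred browser [C:\windows\system32\svchost.exe]
[2020-12-22 17:00:10.229] [info   ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.NewConnection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52963,conn_id:30559]
[2020-12-22 17:00:10.229] [debug  ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.handleDetectionNotification [url:smb://fe80::1c97:80f5:aa6f:6580:52963]
[2020-12-22 17:00:10.276] [info   ] [nsf_rdp_mim] [ 3012: 2728] RdpFilterCtx.Connection [proto:SMB,ip:[fe80::1c97:80f5:aa6f:6580],port:52963,status:[control_granted],in_packet_nr:3,conn_id:30559]
"""

# Timestamp, level, module, thread ids, event name, then a bracketed field list.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[[^\]]*\]\s+\[nsf_rdp_mim\]\s+\[[^\]]*\]\s+"
    r"RdpFilterCtx\.(?P<event>\w+)\s+\[(?P<fields>.*)\]$")
# key:value pairs; a value is either [bracketed] or runs to the next comma.
FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|[^,]+)")


def scope(addr):
    """Classify an address; link-local ranges are never routed off the LAN segment."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:  # fe80::/10 or 169.254.0.0/16
        return "link-local"
    return "private" if ip.is_private else "public"


def summarize(log_text):
    """Group SMB connection and detection events by source address."""
    hosts = defaultdict(lambda: {"conn_ids": set(), "ports": set(), "detections": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines from other modules (e.g. CDOHPlugin) are skipped
        f = {k: v.strip("[]") for k, v in FIELD_RE.findall(m["fields"])}
        if m["event"] == "handleDetectionNotification":
            # url has the form smb://<address>:<port>; drop the scheme and the port
            addr = f["url"].split("://", 1)[1].rsplit(":", 1)[0]
            hosts[addr]["detections"] += 1
            continue
        if f.get("proto") != "SMB" or "ip" not in f:
            continue
        hosts[f["ip"]]["conn_ids"].add(f["conn_id"])
        hosts[f["ip"]]["ports"].add(int(f["port"]))
    return {ip: {**h, "scope": scope(ip)} for ip, h in hosts.items()}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

For the quoted lines this reports a single source whose address is in fe80::/10, an IPv6 link-local range, so the connections originate from a device on the same network segment rather than from a host on the internet.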
Title: Re: SMB:BruteForce attacks.
Post by: Asyn on December 27, 2020, 09:52:40 AM
Hi, see: https://forum.avast.com/index.php?topic=235069.0
Title: Re: SMB:BruteForce attacks.
Post by: jeannie16 on December 28, 2020, 01:04:45 AM
Thanks,
what confused me was it came through on port:52953 and that control 'was granted' (shown in the first line). I forgot to mention that I am using TeamViewer to control this computer remotely (Covid), but that app uses ports 80443 and 5353. I read through all the forum links. I am not network savvy.
Thanks
Title: Re: SMB:BruteForce attacks.
Post by: Asyn on December 28, 2020, 06:30:54 AM
You're welcome. (https://support.avast.com/article/Antivirus-Remote-Access-Shield-FAQ)