Author Topic: Bruteforce  (Read 6524 times)

0 Members and 1 Guest are viewing this topic.

Offline carloshax

  • Newbie
  • *
  • Posts: 3
Bruteforce
« on: October 17, 2020, 12:44:04 PM »
I keep getting smb://41.242.56.55/BruteForce connection block messages, anyone know how i can stop this from happening

Thank You Carl

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 70217
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Bruteforce
« Reply #1 on: October 17, 2020, 12:45:38 PM »
Hi Carl, post a screenshot.
W 8.1 [x64] - Avast PremSec 21.4.2462.B3 [UI.616] - EEK - Firefox ESR 78.10.1 [NS/uBO/PB] - TB 78.10.1
Avast-Tools: Secure Browser 90.0 - Cleanup 21.1 - SecureLine 5.11 - Driver Updater 21.1 - CCleaner 5.78
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33123
  • malware fighter
Re: Bruteforce
« Reply #2 on: October 17, 2020, 02:14:56 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline carloshax

  • Newbie
  • *
  • Posts: 3
Re: Bruteforce
« Reply #3 on: October 17, 2020, 03:05:14 PM »

Offline rocksteady

  • Advanced Poster
  • **
  • Posts: 1083
Re: Bruteforce
« Reply #4 on: October 17, 2020, 03:54:04 PM »
@carloshax
Use "Attachments and other options" link under the text box to add screenshot to your message.
Some people do not wish to click on unknown web links to view them as external content.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33123
  • malware fighter
Re: Bruteforce
« Reply #5 on: October 17, 2020, 04:10:17 PM »
Hi carloshax,

rocksteady is right here, some folks may frown on the use of url shortener-links for obvious reasons.
Especially as they are given as "live" links.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline carloshax

  • Newbie
  • *
  • Posts: 3
Re: Bruteforce
« Reply #6 on: October 17, 2020, 05:31:48 PM »
Thank you attachment added

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 70217
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Bruteforce
« Reply #7 on: October 18, 2020, 09:49:52 AM »
Hi Carl, that's the new Remote Access Shield. Read here: https://forum.avast.com/index.php?topic=235069.0
W 8.1 [x64] - Avast PremSec 21.4.2462.B3 [UI.616] - EEK - Firefox ESR 78.10.1 [NS/uBO/PB] - TB 78.10.1
Avast-Tools: Secure Browser 90.0 - Cleanup 21.1 - SecureLine 5.11 - Driver Updater 21.1 - CCleaner 5.78
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Bruteforce
« Reply #8 on: October 20, 2020, 12:49:55 AM »
I keep getting smb://41.242.56.55/BruteForce connection block messages, anyone know how i can stop this from happening

Thank You Carl

Hello Carl,

Thanks for the report.

The new version of the Remote Access Shield scans not only incoming RDP connections, but also incoming SMB connections. SMB protocol is another common attack vector.

As polonus posted:
Also read: https://www.abuseipdb.com/check/41.242.56.55
and here: https://phoenixnap.com/kb/prevent-brute-force-attacks

polonus

The IP address appears to belong to an attacker that tried to use the open SMB port on your computer (used by Windows to read and write files and perform other service requests to network devices) to gain access to it using a brute force attack - multiple consecutive connections with commonly used login credentials. When Avast detects multiple unsuccessful SMB connections over a period of time, it triggers the brute force attack detection and blocks the IP from future attempts.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #9 on: November 10, 2020, 11:09:28 PM »
Hi All,

I am also getting repeated notices of AVAST blocking a connection from a Samba connection which it identifies as an internal (I think) IPv6 address.  For example, in the attached screen shot, the attacks were coming once every second, hundreds of times.  This goes on for hours each day.  You will see in the snippit that all the attacks were blocked by AVAST, but then at 2:47:39 AVAST "Allowed" a SMB connection from another IPv6 address and the log stops at that time (it is now 5:04 PM).  You will also see in the upper right hand corner that the "All" tab lists 4832 attacks, but only 4561 blocked attacks.

Could someone tell me is this some kind of an attack, or is the AVAST Remote Access Shield just recording as a false positive some routine network activity.  Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33123
  • malware fighter
Re: Bruteforce
« Reply #10 on: November 11, 2020, 01:57:46 PM »
Read here for instance: https://tsplus.me/ip-addresses/  which local-link addresses should be whitelisted.
But what we want to hear here is an answer from avast team.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #11 on: November 11, 2020, 05:09:18 PM »
Thanks polonus.

But why would my PC network be using IPv6 local link addresses to communicate with each node in the network?  Wouldn't it be a IPv4 169.254 address?  And why would AVAST detect the internal address as a brute force attack and block it?  And then permit it?  Avast definitely needs to answer because it appears this is an AVAST only issue and doesn't involve my network.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Bruteforce
« Reply #12 on: November 12, 2020, 02:19:15 PM »
Thanks polonus.

But why would my PC network be using IPv6 local link addresses to communicate with each node in the network?  Wouldn't it be a IPv4 169.254 address?  And why would AVAST detect the internal address as a brute force attack and block it?  And then permit it?  Avast definitely needs to answer because it appears this is an AVAST only issue and doesn't involve my network.

Hello 4ahobbs,

I don't know why your PC network uses IPv6 local link addresses to communicate with each node in the network.

Our brute force detection blocks IP addresses that attempt multiple connections unsuccessfully in a short time. Therefore Avast blocked connections from one address (it tried to connect unsuccessfully multiple times - meaning it's possible it was a brute force attack trying different passwords for example), but didn't block connections from the other (its connection was successful).

As for why an internal address would be doing this - either this could be a misconfigured device trying to connect with wrong credentials (but in that case it's strange that it tries so many connections), or it could be infected with malware and trying to gain access to other devices.

It's likely not an Avast issue - as far as I know, none of the Avast versions attempt multiple SMB connections for any reason. To find out the reason why this is happening, you would need to investigate the device that initiates the connections. And either fix its configuration, ask the device's manufacturer why this is happening, or, in case it is infected with malware, remove the malware.

If you have any more questions, please feel free to ask them here.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #13 on: November 13, 2020, 01:54:24 AM »
Hi Jakub and Anyone else in the Forum,

In response to your reply--I have two questions:

1) Is there a way for me to print a log file of these blocked and allowed attacks in the Remote Access Shield?  They come every second and from the same IPv6 source and AVAST blocks them.  Then a few from come from a different IPv6 source and AVAST allows them. so viewing them as the 12 lines that AVAST displays is not helpful to see a pattern.

2) I am not familiar with IPv6 addresses.  How can I possibly determine which device is initiating these attacks and eliminate it?  Are there specialized AV programs which would permit me to determine that (like freefixer etc.).

Thanks.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Bruteforce
« Reply #14 on: November 13, 2020, 11:17:04 AM »
Hi Jakub and Anyone else in the Forum,

In response to your reply--I have two questions:

1) Is there a way for me to print a log file of these blocked and allowed attacks in the Remote Access Shield?  They come every second and from the same IPv6 source and AVAST blocks them.  Then a few from come from a different IPv6 source and AVAST allows them. so viewing them as the 12 lines that AVAST displays is not helpful to see a pattern.

2) I am not familiar with IPv6 addresses.  How can I possibly determine which device is initiating these attacks and eliminate it?  Are there specialized AV programs which would permit me to determine that (like freefixer etc.).

Thanks.

Hello 4ahobbs,

1) You can turn on debug logging in Avast -> Menu -> Settings -> Troubleshooting -> Enable debug logging. The log will be generated in C:\ProgramData\AVAST Software\Avast\log\StreamFilter.log.

Inside the log, just search for "SMB". The individual entries will look like this:

[2020-10-09 10:25:13.779] [info   ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.NewConnection [proto:SMB,ip:[10.187.43.140],port:51041,conn_id:164107]
[2020-10-09 10:25:13.909] [info   ] [nsf_rdp_mim] [ 4564: 8640] RdpFilterCtx.ConnectionBlocked [proto:SMB,ip:[10.187.43.140],port:51041,status:[SMB:BruteForce],conn_id:164107]

Here you can find the time, protocol, source IP address and port, connection ID (used to follow the logs related to a single connection), status (reason for blocking the connection).

2) Avast allows you to do this using the WiFi Inspector feature: https://antivirus-protection.co/avast-wifi-inspector


Another program I'd recommend if you are proficient with packet analysis is Wireshark. It can be set to scan all communication on your port 445 (the SMB port) and you can inspect the packets in its UI. As the username is sent in plaintext during the SMB authentication, you can view it and it might give you some insight into what is causing this. Screenshots of setting up Wireshark and of a captured failed authentication attempt are included.

The provided examples/screenshot use IPv4, but it should be similar when IPv6 is used.