Author Topic: Bruteforce  (Read 16063 times)

0 Members and 1 Guest are viewing this topic.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #15 on: November 14, 2020, 11:30:55 PM »
Hi Jakob,

Thanks for the tools, but I am not proficient in packet analysis.  I did download my logs and I have hundreds, maybe a thousand, of SMB entries, with the status [SMB:BruteForce] going back to October 26, 2020.  The entries run 10 or so a minute.  All the blocked entries have a link-local IPv6 address. All of the allowed entries also have a link-local IPv6 address.

I have eight PC's on my network, and all of them, including the one detecting the Brute Force attack were set to not allow remote connections to this computer. I also have Malwarebytes Premium and that software did not detect any attack.

This leads me to believe that AVAST is giving me false positives from my internal network.  Should I send the Avast Remote Access logs to Avast to take a look?  Should I disable IPv6 on all the computers in the network?  I'm not sure if that will affect anything since I only use IPv4 addresses to my knowledge.  Thanks.

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: Bruteforce
« Reply #16 on: November 17, 2020, 09:21:12 PM »
Hi Jakob,

Thanks for the tools, but I am not proficient in packet analysis.  I did download my logs and I have hundreds, maybe a thousand, of SMB entries, with the status [SMB:BruteForce] going back to October 26, 2020.  The entries run 10 or so a minute.  All the blocked entries have a link-local IPv6 address. All of the allowed entries also have a link-local IPv6 address.

I have eight PC's on my network, and all of them, including the one detecting the Brute Force attack were set to not allow remote connections to this computer. I also have Malwarebytes Premium and that software did not detect any attack.

This leads me to believe that AVAST is giving me false positives from my internal network.  Should I send the Avast Remote Access logs to Avast to take a look?  Should I disable IPv6 on all the computers in the network?  I'm not sure if that will affect anything since I only use IPv4 addresses to my knowledge.  Thanks.

Hello 4ahobbs,

It is of course possible that the detections are false positives. It might be different devices than PCs - for example a music/video player that automatically tries to connect to your shared folders using SMB and then lets you play music or videos from your PC.

I'm afraid we won't be able to tell any more from the logs than you. As I wrote, you can try to find the device from which the connections originate using Avast WiFi Inspector. Then it should be easier to figure out what is going on. You just click WiFi Inspector -> Network Scan. When the scan is finished, click a discovered device and it will show you its address.

In case the detections are false positives, we are working on a GUI feature you'll be able to use. It lets you hide detections from a specified address, as this is a common issue.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #17 on: November 28, 2020, 05:15:07 PM »
Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing. Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP Addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PC's on the network had Remote Desktop turned off.  What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv.6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify  and correlate the MAC addresses with IPv.4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PC's on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but is should be corrected by AVAST.   Thanks.

Offline Richard16

  • Newbie
  • *
  • Posts: 1
Re: Bruteforce
« Reply #18 on: December 09, 2020, 03:24:12 AM »
I've had the Omni Hub for over a year now and during the past few months I've started getting alerts on my desktop about RDP Brute Force threats.

It lists the "URL" as rdp://192.168.0.69/BruteForce. This is the local IP address of the Omni Hub.
 

Why am I getting this message on my Windows 10 laptop with the IP address of my Omni Hub?  I have the Avast Omni application installed on all the machines on my network.
Is this a problem that needs to be fixed?  If so, then how do I fix it.
Thanks, Richard

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Bruteforce
« Reply #19 on: December 09, 2020, 11:41:50 AM »
Hi Richard16,

Question here: Is Remote Desktop Service allowed?
The alert could then be because of some form of penetration hacking being performed.
This could be by a botnet, compromised Polycom device or illegal use of a penetration test tool

Students for instance may use this for illegal purposes yes also on Omni Hub:
also read: https://github.com/AzizKpln/Bruter19

So not all detections can be explained away as false positives.

polonus



Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: Bruteforce
« Reply #20 on: December 14, 2020, 12:41:49 AM »
I've had the Omni Hub for over a year now and during the past few months I've started getting alerts on my desktop about RDP Brute Force threats.

It lists the "URL" as rdp://192.168.0.69/BruteForce. This is the local IP address of the Omni Hub.
 

Why am I getting this message on my Windows 10 laptop with the IP address of my Omni Hub?  I have the Avast Omni application installed on all the machines on my network.
Is this a problem that needs to be fixed?  If so, then how do I fix it.
Thanks, Richard

Hello Richard,

thanks for sharing the issue! We are working to correct it - it's a problem on our side.

Offline usalabs14

  • Jr. Member
  • **
  • Posts: 28
Re: Bruteforce
« Reply #21 on: December 14, 2020, 05:21:20 AM »
Hi All,

I am also getting repeated notices of AVAST blocking a connection from a Samba connection which it identifies as an internal (I think) IPv6 address.  For example, in the attached screen shot, the attacks were coming once every second, hundreds of times.  This goes on for hours each day.  You will see in the snippit that all the attacks were blocked by AVAST, but then at 2:47:39 AVAST "Allowed" a SMB connection from another IPv6 address and the log stops at that time (it is now 5:04 PM).  You will also see in the upper right hand corner that the "All" tab lists 4832 attacks, but only 4561 blocked attacks.

Could someone tell me is this some kind of an attack, or is the AVAST Remote Access Shield just recording as a false positive some routine network activity.  Thanks.

A quick question, do you have SMB open to the WAN?  If so, it shouldn't be, SMB is mainly for file sharing from within the LAN such as using Samba protocol for network file sharing, which tells me if Avast is blocking connections inside the LAN, then someone on your network is trying to hack your system, they don't have to be on a wired network, they can still hack using your WiFi, if it's not protected.

I have never in the the years that I have been using Avast had any SMB blocking and I have a NAS server running for sharing files internally across the network, and I make sure the SMB ports are blocked in the firewall, on the router, but open on the NAS's firewall.

Any SMB data that tries to come in on those ports is immediately dropped.  So my advice is to remove any entries in the router port forwarding for SMB, and also disable IPV6, using IPV4, is much better for tracing where the attacks are coming from.
« Last Edit: December 14, 2020, 05:26:49 AM by usalabs14 »

Offline Mark657

  • Newbie
  • *
  • Posts: 9
Re: Bruteforce
« Reply #22 on: January 16, 2021, 07:18:30 PM »
Hi Jakub,

I SOLVED the issue, and yes, AVAST is at fault for providing false positives with its latest update.  This is for AVAST Program Version 20.9.2437 (build 20.9.5758.615). Here's a short recap of what we were discussing. Just after an October AVAST update, I started getting second by second notifications from the Remote Access Shield feature that a BruteForce attack was being made.  The notifications appeared to be in waves with some being blocked and others allowed, but always a connection attempt going in bursts of seconds, then ceasing after a while, then resuming again.  All the IP Addresses were in IPv6 and not IPv4.  I've never dealt with IPv6 addresses so I could not identify the origin and tell you whether the IP addresses were internal in my network or from the outside. I did tell you that it was unlikely that I was receiving an attack from the outside since all the PC's on the network had Remote Desktop turned off.  What I did to understand what was going on was to download a demo copy of Net Scan Tools Pro and look at the Network Neighbors table.  The Network Neighbors table is like an IPv4 ARP cache but for IPv.6.  I never knew that.  From the Network Neighbors table, I was able to identify the MAC addresses of the IPv6 addresses recorded by AVAST.  I then used Angry IP Scanner to identify  and correlate the MAC addresses with IPv.4 addresses, which allowed me to identify the sources of the "attacks".  The so-called "attacks" were merely the 5 PC's on my network coming on and off of the network at different times of the day.  This flaw is more annoying than debilitating, but is should be corrected by AVAST.   Thanks.

4ahobbs, what did you do to fix it? Were you able to add the IP addresses as an exception or did you turn something off?

I have four PCs on my network, my main workhorse is my laptop. Two of the other three PCs can access my shared laptop folders just fine. The fourth one was hit and miss. Mainly miss. Occasionally it could connect to the laptop, but mostly was blocked.

I did narrow it down to Avast on the laptop treating it as a Brute-force attack much like yourself.  I tried to set Avast to allow the specific problematic IP through but no luck, so I turned off "Block Brute-Force Attacks". That worked. But I'd like to know if you took a different/better approach than me. Did you do something different?
Thanks.
« Last Edit: January 16, 2021, 09:57:26 PM by Mark657 »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Bruteforce
« Reply #23 on: January 16, 2021, 11:32:38 PM »
Reported to Avast let's see if that helps.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #24 on: January 17, 2021, 12:40:24 AM »
Hi Mark 657,

I didn't do anything.  The high volume of "attacks" stopped a week or so after my last posting, so I just assumed that Avast fixed it in an update.  I do get notifications of an "attack" from time to time, but nothing like the high volume I was getting several months ago. Maybe one notice once a week or so from PC's behind my firewall.  Sorry I could not be of more help.

Offline gkinrade

  • Newbie
  • *
  • Posts: 2
Re: Bruteforce
« Reply #25 on: January 23, 2021, 10:39:51 AM »
I'm suddenly getting this exact same issue.  I cannot access my home server, which runs Windows 10 and Avast Premium, from any PC any more using its name ("Server" - original I know) and can only access the server using its IP address.  Logging into the server using Remote Desktop I can see the Avast popups saying
 
Incoming connection blocked
Threat name SMB:BruteForce
URL smb://blahblahblah

The URL matches the link-local IPv6 Address of my main desktop PC found using ipconfig /all.  Avast claims it's fully up to date with the following versions installed:

Virus definitions - Release Date 23rd January 2021 09:34 (ver: 210122-10)
Application - Release Date 9th December 2020 08:25 (ver. 20.10.2442 - build 20.10.5824.624)

Any help greatly appreciated!

Edit:  Disabling Samba protection withing the Remote Access Shield settings seems to 'fix' it although I wouldn't really count disabling part of the protection offered an actual fix...
« Last Edit: January 23, 2021, 11:01:53 AM by gkinrade »

Offline Jakub Dubovic

  • Avast team
  • Jr. Member
  • *
  • Posts: 50
Re: Bruteforce
« Reply #26 on: March 02, 2021, 01:42:39 AM »
Hello gkinrade,

Thanks for reporting the issue. As with similar issues, the detections are caused by multiple unsuccessful connections from the blahblahblah address to your PC. Without more information it's impossible to decide whether the connections are a malicious attempt to guess your credentials, or just a legitimate application that has, for example, wrong configuration and thus fails to connect.

We have published an FAQ article with answers to some of your questions: https://support.avast.com/en-sg/article/95/
There is a way to disable notifications ("What can I do if Remote Access Shield shows too many notifications?" in the FAQ) if they bother you. But the computer attempting the unsuccessful connections will still be blocked from Samba connections to your PC by Avast, unless you disable the Samba protection. But, as you said, it could compromise your security.

A more secure way to solve this would be to find out why the connections are sent - if an application is misbehaving (common offenders are for example music/video sharing applications attempting automatically to access shared folders in the local network), or whether actual malware is involved.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #27 on: March 24, 2021, 08:08:33 PM »
Hi All and @Jakub Dubovic,

I'm not the OP, but I did join this thread a long time ago, November 2020, complaining about this ongoing problem with Avast Premium blocking PC's on my internal network.  I read your responses and the the FAQ you suggested.  I just added a new PC on my network, and previously had followed all the steps gkinrade described earlier to diagnose the issue.  This time, however, I set up a dual monitor and remote accessed into my server running Avast Premium, while operating File Manager on my new PC and viewing it on the other monitor.  Using both monitors, I can see the actual block as it happens, and Avast logs the block as an IPv6 address instead of IPv4 (I never got an explanation about that, although I've asked it in this thread a few times).  This time, as I had done previously, I entered IP addresses under Settings to exclude the block.  It never worked completely before.  I've entered an IPv4 range AND I've entered both the specific IPv4 and IPv6 addresses of the blocked new PC.  Avast still blocked the specific PC.  What DID work, surprisingly--and I did this on impulse just see what will happen, was I turned the "Enable SAMBA Protection" OFF on the Avast running on the server, tried to access the server through File Manager on the new PC (it worked) and THEN I turned "Enable SAMBA Protection" ON  again on the server.  Thereafter, the new PC was able to access my server.  Go figure, right?  We will see if this solves the problem.

Offline 4ahobbs

  • Newbie
  • *
  • Posts: 12
Re: Bruteforce
« Reply #28 on: April 04, 2021, 11:37:18 PM »
Just an update.  My adjustment (described earlier) worked for a while, and then Avast on my Windows 10 server started to regard one of my five PC's on the network as hostile and blocked it from accessing files and folders again, even though I had its IPv4 and IPv6 addresses in the BLOCK ALL CONNECTIONS EXCEPT THE FOLLOWING section.  I even unchecked the box next to BLOCK ALL CONNECTIONS EXCEPT . . .. It still blocked that one PC.  The others are not blocked, but I don't see any rationale for that action.

I've given up and submitted a ticket.  The ONLY way I can work with AVAST is if I completely and indefinitely TURN OFF Remote Access Shield.  It shouldn't be this way