I have a shared hosting account with Hostwinds that has become compromised by malware. The guys … | Read the rest of http://www.webhostingtalk.com/showthread.php?t=1757849&goto=newpost
My father is pretty careless about his security and this is not new. He even said to me that in the last year he used Tor to access some links just for curiosity, because he have read about it in some news and followed a tutorial on the internet to do this.
In the last night, I used his PC and saw strangers programs running and, in his history, that he accessed some adult sites and some strangers urls too (probably from ads and pop-ups in these sites). Antivirus don’t work because he click on everything.
I spoke with him many times but nothing has effect and I’m tired of this. I have blocked all inbound connections in my PC’s firewall, so I can’t see anything suspicious, but my mother have her own PC and she is a very common user, so it’s nothing a option to install a firewall that asks about every new connection, and I don’t have time to monitora her PC all the time. Furthermore, we all have our own smartphones, so even if our PCs are protect, the smartphones don’t.
So, is there a way that I can be free of this terrible headache and protect our devices? I don’t have knowledge in networks, I even know if my worry are a relevant point, so I will appreciate a more non-technical language if it is possible.
Obs: all the devices are android or windows.
I have the latest version of Modsecurity (as of March 25th 2019) installed on my server. I am using OWASP rulesets along with fail2ban on Linux.
I know it is designed to block hacking attempts. Should I assume that people who are not attempting to hack my server, but simply may have infected computers are detected the same as hackers and hacker bots etc?
What happens is that certain people try to connect to my computer and tell me they cannot. So I look in the logs and sure enough, Modsecurity detected either an SQL injection attack from their IP or some other severe level attack.
So, to several of them I suggested they run an updated boot time scan of their computer and sure enough, they found lots of malware and viruses and were able to connect after clearing them with no further issues.
So, now I’m trying to confirm that when my forum members try to connect to my server and modsecurity reports a lot of nefarious activity from their verified IP address, that it is because their computer has viruses or malware on it that is being payloaded onto their connection to my server.
I need to be confident that I am telling them the correct thing if I suggest to them that they need to check their own computer for malware or viruses.
I can’t see any other explanation. Can someone confirm this is probably what’s happening since some of those members are quite sure (even without checking) that their computers are not infected with any malware or viruses.
And if that’s the case, then I need to find out why modsecurity is saying otherwise because it is blocking my forum members.
My phone has been infected with viruses for nearly a year. At first it was just a virus in disguise called ‘settings’, but then it spread to my Chrome, opening a site called ‘aiboo.com’ SmartSite. I had to disable Chrome, and now there are 3 other viruses on my phone: One called Magic, which pops up ads on my phone screen, Lake worth ISD or something, Then one called System with the note saying ‘Guerilla exe.’ I use Eset Mobile Security to remove them, but every time I get access to internet, they get installed again. Sometimes they get installed even if I don’t have network connection.
Someone please help!
WAIT! Before you reflexively down vote this, see my answer!
In the process of trying to resolve the infection, I kept hitting major, dangerous hurdles. I had a pretty good guess as to what had led to the infection, but hit hurdle after hurdle as I tried to act accordingly.
I was surprised that the simple steps I tried didn’t work. But then, I’m used to the iOS environment, which is much better defended.
Let’s say there is a particular network which has a “monthly” successful cryptolocker attack. Every time, every computer in that network is infected.
The set up is like this:
- 1x Windows 2003 server (SMB1)
- 4x Windows 10 Client computers
Every time, the server and 3x Windows 10 machines are infected. 1 machine remains unaffected.
They are all part of the same domain.
Is it possible, that a virus infection resides on that one computer that never gets infected, and spreads the crypto onto the other machines without infecting it’s host? Has anyone experiences likewise behavior?
Multiple hosts were attempting CNC communication that is specific to a threat from at least 2013, H-worm.
However, endpoint protection is deployed on these hosts and functioning but no malicious files were recently detected. The endpoint protection product is even specified in the malware’s CNC. But this threat is very old and my vendor seems to have signatures for it. I queried some file hashes (from the FireEye article I linked above) in VirusTotal to see if my vendor detects them and it does. Scheduled antivirus scans were also running as they should but nothing was detected.
My main question is, why did the endpoint protection miss these infections?
Right now I have 3 guesses:
- A product malfunction has taken place and I need to contact my vendor;
- There exist (new?) instances of H-worm that are not detected by my vendor
- These infections are not reflected in endpoint protection logs for some legitimate reason
Clamscan (tested on Ubuntu and Debian) reports an infection of skype version 188.8.131.52 with Unix.Trojan.Mirai-5932143-0:
$ clamscan --max-filesize=100M /usr/share/skypeforlinux/skypeforlinux /usr/share/skypeforlinux/skypeforlinux: Unix.Trojan.Mirai-5932143-0 FOUND ----------- SCAN SUMMARY ----------- Known viruses: 6714080 Engine version: 0.100.2 Scanned directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 78.09 MB Data read: 77.37 MB (ratio 1.01:1) Time: 33.259 sec (0 m 33 s) $ The same virus name is identified when the option "-d /var/lib/clamav/main.cld" is passed to clamscan.
Virustotal reports this file as clean.
It may still be a real infection, a bug of the
clamav database, or a bug of
clamscanitself. Which one is the case, is unknown to me. Since skype is closed-source, I cannot re-compile it for the purpose of producing a different binary. Any insight from the security community?
Related: https://bugzilla.clamav.net/show_bug.cgi?id=12223, https://askubuntu.com/questions/1041517/clamscan-report-virus-for-skypeforlinux-unix-trojan-mirai-5932143-0-found, https://askubuntu.com/questions/973533/unix-trojan-mirai-5932143-0-found