Technikul

Members
Posts: 18

Everything posted by Technikul

  1. I don't see Detection History but I did upload these two screenshots of the malicious inbound connections being detected.
  2. I also JUST noticed another inbound website blocked notification as Trojan on port 443 w/ file c:\xampp\apache\bin\httpd.exe. Any clue how to remediate this?
  3. Excellent, I'll make sure to scan the servers with MWB first next time. Thank YOU
  4. Yep, they were removed! So for my record, the synopsis was that the malicious scheduled tasks weren't completely removed from Task Scheduler? What would be the appropriate course of action next time to make sure those malicious tasks are properly removed? [Attachment: Fixlog.txt]
  5. Thanks, I got "access is denied" for each of those lines. I did run Command Prompt as admin too. Here is the new reg_export.txt though. [Attachment: reg_export.txt]
  6. Yes, we used the Emsisoft Emergency Kit scanner to help remediate the threats. It did remove the malicious scheduled tasks "WinNet" and "Sync" (apparently), and we also used Microsoft Safety Scanner.
  7. Thanks, it didn't generate a reg_export.txt for some reason, but I've got 4 separate files the batch file created. [Attachments: 1.txt, 2.txt, 3.txt, 4.txt]
  8. Thanks for your help. Looks like the powershell.exe outbound connections have stopped, but we've now got the following:
     Compromised Inbound Connection - IP Address: 222.186.136.150, Port: 443, File: C:\xammp\apache\bin\httpd.exe
     Compromised Inbound Connection - IP Address: 222.112.190.70, Port: 80, File: C:\xammp\apache\bin\httpd.exe
     Trojan Inbound Connection - IP Address: 209.141.60.60, Port: 443, File: C:\xammp\apache\bin\httpd.exe
     And various similar reports from different IPs but the same port number. This is a FileCloud server, by the way. I've reattached the latest FRST and JSON files. Thank you again! [Attachments: Addition.txt, FRST.txt]
  9. Yes, the most recent one was 11:32 am and the server has been online for 45 minutes so far.
  10. Morning, we've got a server that is continuing to prompt powershell.exe outbound connections using Malwarebytes. From what I can tell, it's occurring every 40 minutes. We believe this might be a payload from a recently cleaned Exchange server that fell victim to the Hafnium exploit. I ran the FRST tool and have provided the needed logs for review. Thank you in advance! [Attachments: Addition.txt, FRST.txt]
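The thread above boils down to one recurring question: how to confirm that scheduled-task persistence (here the tasks named "WinNet" and "Sync", firing powershell.exe on a 40-minute cycle) is actually gone, rather than just hidden from the Task Scheduler UI. The following PowerShell script is an added example written for this page; it is not code from the thread, from Malwarebytes, Emsisoft or FRST. The task names "WinNet" and "Sync" come from the posts; the function names, the evidence directory and the argument patterns used to flag suspicious actions are illustrative assumptions. It must run in an elevated PowerShell session on the affected Windows server.

```powershell
# Added example (not part of the original thread): audit Scheduled Tasks for
# actions that launch powershell.exe, export and remove named tasks, and verify
# they are gone from BOTH the Task Scheduler and the TaskCache registry keys.
# Run from an elevated PowerShell prompt. "WinNet" and "Sync" are the names
# reported in the thread; everything else here is illustrative.

$SuspectNames = @('WinNet', 'Sync')   # assumption: names to check/remove

# Registry location where the Task Scheduler service keeps its task tree.
# A task that survives only here (no matching entry in Task Scheduler) is the
# "not completely removed" situation described in the thread.
$TaskCacheTree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-PowerShellTasks {
    # Every registered task whose action runs PowerShell directly, via cmd.exe,
    # or passes arguments typical of a download-and-execute stager.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            ($_.Execute   -match 'powershell|pwsh|cmd') -or
            ($_.Arguments -match 'powershell|-enc|-e\s|IEX|DownloadString|FromBase64String|Invoke-Expression')
        }
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            State    = $_.State
            RunAs    = $_.Principal.UserId
            Action   = ($_.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            # A beacon such as the 40-minute cadence in the thread shows up here as "PT40M".
            Repeat   = ($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
        }
    }
}

function Remove-SuspectTask {
    param(
        [Parameter(Mandatory)] [string[]] $Names,
        [string] $EvidenceDir = (Join-Path $env:ProgramData 'task-evidence')   # assumption
    )
    New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
    foreach ($task in (Get-ScheduledTask | Where-Object { $Names -contains $_.TaskName })) {
        # Keep the XML definition before deleting it: it records the exact command
        # line, run-as account and triggers for the incident write-up.
        $xmlPath = Join-Path $EvidenceDir ("{0}.xml" -f $task.TaskName)
        Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath |
            Set-Content -Path $xmlPath -Encoding UTF8
        Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
        Write-Host "Removed $($task.TaskPath)$($task.TaskName); definition saved to $xmlPath"
    }
}

function Test-TaskRemoved {
    # Reports whether each name still exists in Task Scheduler or in the TaskCache
    # registry tree. Both must be $false before the task can be considered gone.
    param([Parameter(Mandatory)] [string[]] $Names)
    foreach ($n in $Names) {
        [pscustomobject]@{
            Name             = $n
            StillInScheduler = [bool](Get-ScheduledTask -TaskName $n -ErrorAction SilentlyContinue)
            StillInTaskCache = Test-Path (Join-Path $TaskCacheTree $n)
        }
    }
}

# Usage: review first, then remove, then verify.
Get-PowerShellTasks | Format-Table -AutoSize
Remove-SuspectTask -Names $SuspectNames
Test-TaskRemoved   -Names $SuspectNames | Format-Table -AutoSize
```

Run the audit step alone first and read the Action and Repeat columns before removing anything; a legitimate maintenance task can also invoke powershell.exe. If Test-TaskRemoved still reports StillInTaskCache as $true after Unregister-ScheduledTask, the registry key under TaskCache\Tree is what the "access is denied" messages in the thread refer to: its ACL has been set so that even an administrator cannot delete it, and ownership of the key has to be taken back (or a dedicated cleanup tool used, as was done here with FRST) before the persistence is truly gone.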