Jump to content

Recommended Posts

I just need a quick log file question answered. I've got the following in my protection log:

11:53:28 AdminAccount MESSAGE Protection started successfully

11:53:32 AdminAccount MESSAGE IP Protection started successfully

11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

11:59:24 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

11:59:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

11:59:40 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

11:59:56 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:09:26 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:09:34 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:19:45 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:19:53 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:20:01 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:20:17 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:30:35 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:40:53 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:41:01 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:41:09 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:41:25 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:51:35 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:51:43 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

12:51:51 (null) IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:00:43 AdminAccount MESSAGE Protection started successfully

14:00:48 AdminAccount MESSAGE IP Protection started successfully

14:02:15 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:02:23 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:05:19 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:05:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:26:27 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:34:27 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:34:36 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:00 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:08 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:40 AdminAccount IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:35:48 (null) IP-BLOCK 31.214.169.124 (Type: incoming, Port: 80)

14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:37:32 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

14:38:52 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

15:08:41 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

15:08:42 AdminAccount IP-BLOCK 213.186.127.4 (Type: incoming, Port: 80)

These are all INCOMING, one IP is in Ukraine and the other in Germany. I just need a quick explanation of 2 things:

1. Most of them have my admin account listed (I renamed it for the example above)...is that because there is actually some kind of attack that is attempting to use that account (which means that somehow they figured out the admin account name)...or is it because the IIS service is running under that account and the access is coming from port 80?

2. What does it mean when it has NULL instead of an account listed?

Considering that these are all incoming and the server is online right now, I'm thinking that I don't have an active infection, just active attempts. We did have (4) "infected" files in our vBulletin forum earlier today (PHP/Webshell.NAG Trojan), but from what I'm reading of that particular issue, deleting the files and re-uploading from the originals cures it. We've deleted the files that were an issue, uploaded a new file set, but will not be putting the site live again until I'm confident we've taken every precaution to prevent it going forward. Our AntiVirus detected and quarantined the trojan, and subsequent AV and MBAM scans have revealed no further issues.

So...am I likely correct in that these are just attempts to access...or is there something above that should cause me to look further? I couldn't find any kind of "how to read the log file" FAQ that explained the columns and answered my questions...and couldn't find anything with search. Sorry if this is already covered somewhere.

THANK YOU!!!!!!!!!!!

Link to post
Share on other sites

33 views and no input?

I think I may have figured this out on my own.

When the "incoming" items are added to the log file WHILE I'M CONNECTED VIA RPC AND CAN SEE THE POPUP BALLOON, the admin account shows in the log. If they come in while I'm not logged in via RPC, they show as "null". If there is a different reason for the way these have shown up, I'd like to know...otherwise that seems to be the pattern.

Link to post
Share on other sites

Corporate Support Response

As your statement seems to indicate that this is a business please contact corporate support and they will assist you with this.

Considering that these are all incoming and the server is online right now, I'm thinking that I don't have an active infection, just active attempts. We did have (4) "infected" files in our vBulletin forum earlier today (PHP/Webshell.NAG Trojan),

Please send an email to corporate-support@malwarebytes.org

Also make sure you have malwarebytes.org and salesforce.com in your Safe Sender list in email.

In order to assist you better please provide the following information when contacting them.

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

Thank you

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.