Windows Server 2012 R2 - RTP detection to a blocked website


Hello

I'm managing a Windows Server 2012 R2 which hosts multiple websites. I installed Malwarebytes for Teams (Trial) today and ran a full scan; no threats were detected.

However, after a while a Malwarebytes popup was displayed, notifying me about an RTP detection. According to your website it's Ransom.Locky, and while Malwarebytes blocked the website successfully, I would still like to remove the source so it doesn't happen again. However, I can't figure out which process/service the call came from. Is there any way to retrieve that information? Do I have malware on the server which tries to connect to the blocked IP address?

I've attached the log details and the log json file.

Thank you for your help and support!

Attachments: log_details.txt, log_json.txt

Hi,

This is an inbound block, so it means someone is trying to exploit a vulnerability on your server. Make sure you patch it.

HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security

Released: March 2021 Exchange Server Security Updates - Page 4 - Microsoft Tech Community

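The question in the opening post, which process or service the blocked address belongs to, can be answered from the server itself. The following is an added example (not code from the thread or from Malwarebytes): it maps a blocked remote IP to any live connection and its owning process, lists every listening port with the service behind it (for an inbound block the connection never completed, so the listener the remote host aimed at is the relevant thing), and then searches the Security log for Windows Filtering Platform events mentioning that address. The IP address is a placeholder and must be replaced with the one shown in the RTP detection; the 5156/5157 lookup only returns results if "Filtering Platform Connection" auditing is enabled.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on Windows Server 2012 R2 (Get-NetTCPConnection needs the NetTCPIP
# module that ships with Server 2012 and later).
$BlockedIp = '203.0.113.45'   # placeholder (TEST-NET-3); replace with the IP from the RTP alert

# 1. Any connection involving the blocked address right now, with its owning process.
#    For an inbound block this is usually empty: the SYN was dropped before a socket existed.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $BlockedIp } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Pid     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    } | Format-Table -AutoSize

# 2. Every listening TCP port with the process and, where applicable, the Windows
#    service behind it. Compare the port the alert names against this list to see
#    which exposed service the remote host was probing (IIS, Exchange, RDP, ...).
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $pid0 = $_.OwningProcess
        $p    = Get-Process -Id $pid0 -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $pid0" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Pid     = $pid0
            Process = $p.ProcessName
            Service = ($svc.Name -join ',')
        }
    } | Format-Table -AutoSize

# 3. Windows Filtering Platform audit events that mention the address.
#    5156 = connection permitted, 5157 = connection blocked. These only exist if
#    "Audit Filtering Platform Connection" is enabled; otherwise nothing is returned.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($BlockedIp) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Direction'; e = { if ($_.Message -match 'Direction:\s+(\w+)') { $Matches[1] } } },
        @{ n = 'DestPort';  e = { if ($_.Message -match 'Destination Port:\s+(\d+)') { $Matches[1] } } } |
    Format-Table -AutoSize
```

If the blocked IP shows up only in section 3 with Direction "Inbound", the server did not initiate anything and there is no local malware to hunt for from this alert alone; the action is to confirm the service on that destination port is fully patched and, where it does not need to be reachable from the internet, to firewall it. If it appears in section 1 with a non-system process path, that process is what needs investigating.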
Root Admin, 2 weeks later:

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following tips to help protect from infection.

Thank you

