Recent Posts

91
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 23, 2018, 04:07:47 PM »
On the 23rd I checked the IP 210.108.146.96 at https://ipinfo.info/html/ip_checker.php

The following data came up:

Checking IP Address

IP Address: 210.108.146.96

Geolocation: KR (Korea, Republic of), N/A, N/A, N/A N/A - Google Maps

Reverse DNS Lookup

No entry found

IP Address Check

query : 210.108.146.96


# KOREAN(UTF8)

The IPv4 address you queried was allocated by KISA (Korea Internet & Security Agency) to the managing agent below; the allocation information is as follows.

[ Network Allocation Information ]
IPv4 address : 210.108.0.0 - 210.108.255.255 (/16)
Organization name : LG Uplus Co., Ltd.
Service name : BORANET
Address : 32 Hangang-daero, Yongsan-gu, Seoul
Postal code : 04389
Allocation date : 20030402

Name : IP address manager
Phone : +82-2-10-1
전자우편 : ipadm@lguplus.co.kr

The IPv4 address you queried was allocated by the managing agent above to the user below; the allocation information is as follows.
--------------------------------------------------------------------------------


[ Network Allocation Information ]
IPv4 address : 210.108.146.0 - 210.108.146.255 (/24)
Organization name : LG Uplus
Network type : CUSTOMER
Address : 37 Deokcheon-ro, Manan-gu, Anyang-si, Gyeonggi-do
Postal code : 14088
Allocation record registration date : 20141128

Name : IP address manager
Phone : +82-2-2089-7750
전자우편 : b8273338@user.bora.net


# ENGLISH

KRNIC is not an ISP but a National Internet Registry similar to APNIC.

[ Network Information ]
IPv4 Address : 210.108.0.0 - 210.108.255.255 (/16)
Organization Name : LG DACOM Corporation
Service Name : BORANET
Address : Seoul Yongsan-gu Hangang-daero 32
Zip Code : 04389
Registration Date : 20030402

Name : IP Manager
Phone : +82-2-10-1
E-Mail : ipadm@lguplus.co.kr

--------------------------------------------------------------------------------

More specific assignment information is as follows.

[ Network Information ]
IPv4 Address : 210.108.146.0 - 210.108.146.255 (/24)
Organization Name : LG Uplus
Network Type : CUSTOMER
Address : Gyeonggi-do Manan-gu, Anyang-si Deokcheon-ro 37
Zip Code : 14088
Registration Date : 20141128

Name : IP Manager
Phone : +82-2-2089-7750
E-Mail : b8273338@user.bora.net


=============================================
Second screenshot, the Google Map: https://www.google.com/maps/place/37%C2%B030'40.3%22N+126%C2%B058'26.8%22E/@37.5112,126.974098,5z/data=!4m5!3m4!1s0x0:0x0!8m2!3d37.5112!4d126.974098?hl=id

Address: South Korea, Gyeonggi-do, Pyeongtaek-si, Ichon 1(il)-dong, Paengseong-eup, 23 Anjeongsunhwan-ro 104beon-gil, 1st floor, unit 10, Main Realty

GX6F+FJ Seoul, Korea Selatan




What is that, admin? Why do the 12 Malwarebytes notifications want to open that IP? :o


92
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 23, 2018, 01:01:07 PM »
Yesterday someone suggested using the Wireshark application to check the port the trojan uses and then making a rule in the firewall


12 Malwarebytes notifications (attempting to make outbound connections):

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56770]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56772]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56773]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56775]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56776]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56777]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56779]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56782]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56786]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56787]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56789]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56790]
Type: Outbound
File: C:\Windows\System32\lsass.exe

-----------------------------------------------------------------------------------------------------
From that you can see the destination IP is all the same but it uses different ports, starting from port 567xx

I plan to make a firewall rule to block outbound and inbound connections, blocking the port and the IP from there. Because the trojan's destination IP is already known to be 210.108.146.96



**Edit:
On Nov 23, 2018, at 13:02, another outbound connection attempt appeared, same IP prefix but a different last octet, and a different port too:


-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.102
Port: [61054]
Type: Outbound
File: C:\Windows\System32\lsass.exe

Now it's trying to use port 61054; after that I scanned with Malwarebytes and it was clean. I suspect it came from my Chrome browser, but I scanned with chrome://settings/cleanup and it was clean :(

Yesterday it tried to connect to 210.108.146.96; now a notification appeared once that it wanted to connect to 210.108.146.102
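As an added triage example (my own code, not part of the thread and not a Malwarebytes or Smadav tool), the Python below parses "-Website Data-" records in the layout Malwarebytes printed above, groups the blocked attempts by destination and reporting process, computes the smallest prefix that covers every destination IP seen (the .96 and .102 hosts above share one /29), and prints `netsh advfirewall` commands, valid on Windows 7, that block those IPs in both directions. The three records embedded in SAMPLE_LOG are constructed from values in the post, not a full log. Because the port changes on every attempt while the destination stays fixed, the rules key on the remote address rather than the port; the covering prefix is only a starting point and should be checked against the whois allocation before widening it. lsass.exe is a legitimate Windows process, so an outbound connection attributed to it is itself worth recording, which is why the process path is kept in the summary.

```python
"""Group Malwarebytes 'Blocked Website' records and build firewall rules.

Added example, not from the forum thread. Assumes the plain-text record
layout shown in the thread ("-Website Data-" followed by Category, Domain,
IP Address, Port, Type, File lines).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: three records copied in shape and values from the
# thread (two attempts to .96, one to .102). Not a complete log.
SAMPLE_LOG = """\
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56770]
Type: Outbound
File: C:\\Windows\\System32\\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56790]
Type: Outbound
File: C:\\Windows\\System32\\lsass.exe

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.102
Port: [61054]
Type: Outbound
File: C:\\Windows\\System32\\lsass.exe
"""

RECORD_RE = re.compile(
    r"-Website Data-\n"
    r"Category: (?P<category>.+)\n"
    r"Domain: (?P<domain>\S*)\n"
    r"IP Address: (?P<ip>[0-9.]+)\n"
    r"Port: \[(?P<port>\d+)\]\n"
    r"Type: (?P<type>\w+)\n"
    r"File: (?P<file>.+)"
)


@dataclass
class Block:
    category: str
    domain: str
    ip: str
    port: int
    direction: str
    file: str


def parse_blocks(text):
    """Return one Block per '-Website Data-' record found in the log text."""
    return [
        Block(m["category"], m["domain"], m["ip"], int(m["port"]),
              m["type"], m["file"].strip())
        for m in RECORD_RE.finditer(text)
    ]


def summarize(blocks):
    """Map (domain, ip, reporting process) -> sorted list of ports seen."""
    groups = defaultdict(list)
    for b in blocks:
        groups[(b.domain, b.ip, b.file)].append(b.port)
    return {key: sorted(ports) for key, ports in groups.items()}


def covering_prefix(ips):
    """Smallest IPv4 network containing every address in ips.

    Computed from the common leading bits of the lowest and highest address,
    so a single IP yields a /32 and .96 plus .102 yields a /29.
    """
    ints = sorted(int(ip_address(ip)) for ip in ips)
    lo, hi = ints[0], ints[-1]
    length = 32
    while length > 0 and (lo >> (32 - length)) != (hi >> (32 - length)):
        length -= 1
    base = (lo >> (32 - length)) << (32 - length)
    return ip_network(f"{ip_address(base)}/{length}")


def netsh_block_rules(ips, name_prefix="Block indonesias.me"):
    """netsh advfirewall commands (Windows 7 syntax) blocking each IP both ways."""
    cmds = []
    for ip in sorted(set(ips), key=ip_address):
        for direction in ("out", "in"):
            cmds.append(
                f'netsh advfirewall firewall add rule '
                f'name="{name_prefix} {ip} {direction}" '
                f'dir={direction} action=block remoteip={ip}'
            )
    return cmds


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_LOG)
    for (domain, ip, file), ports in summarize(blocks).items():
        print(f"{domain} {ip} via {file}: {len(ports)} attempt(s), "
              f"ports {ports[0]}-{ports[-1]}")
    print("covering prefix:", covering_prefix([b.ip for b in blocks]))
    for cmd in netsh_block_rules({b.ip for b in blocks}):
        print(cmd)
```

Run it as an administrator-free dry run first: it only prints the netsh lines, so the rules can be reviewed (and the prefix compared with the /24 CUSTOMER allocation from the whois output) before they are pasted into an elevated command prompt.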
93
Bugs, Criticism, Suggestions / Re: Error printing smadav in excell
« Last post by Brata on November 23, 2018, 09:11:41 AM »
So, what's the answer to the question "Error printing smadav in excell"? Can you share it?
Thanks.
94
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 05:41:24 PM »
Here is another log, the log from the HijackThis application

https://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/?fbclid=IwAR194XD2-jL6RxS4GYNuS50UWd8ITNvV_EzNFjkj_YQC5GUfyWqjYjJ_Qs0

Please, admin, check the log

So across several posts I've now given several logs:
- 2 Farbar logs
- HijackThis log + HijackThis startup log
- malware website IP log

- Malwarebytes report log

Please check all 4 of those logs

The attachment contains the log along with the HijackThis application
95
Software / Re: This Is Why You Need the Best Payroll Software
« Last post by smithdadu on November 22, 2018, 05:17:21 PM »
Payroll software is now widely used as something very important for minimizing and simplifying all work, but it would be better if this payroll software could also be applied to everything and used on mobile or a phone
96
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 05:04:17 PM »
Here is the log from when it tried to open the web, the 12 notifications; open the report log in the attachment, and the other file is the Malwarebytes log from when it intercepted the malware trying to open the web earlier


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/18
Protection Event Time: 3:11 PM
Log File: 2b3907e2-ee2e-11e8-8bc5-00ff3820cd7a.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.7961
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56790]
Type: Outbound
File: C:\Windows\System32\lsass.exe



(end)
97
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 04:50:56 PM »
After that I scanned with ADWCLEANER

Here's the log file in the attachment

When I scanned with Malwarebytes it was clean; with AdwCleaner it detected that, but when I checked the log it said clean

But the strange thing is, even though the service.exe file from earlier has already been quarantined, why are there still attempts to open the website??


When I check, it wants to open a website with IP 210.108.146.96

Check the attachment, admin; from the 12 notifications, it makes 12 attempts to the same destination website IP, 210.108.146.96, all with the domain indonesias.me


Admin, can you check where IP 210.108.146.96 leads? Because the malware always wants to open that IP


log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/18
Protection Event Time: 3:11 PM
Log File: 2b3907e2-ee2e-11e8-8bc5-00ff3820cd7a.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.7961
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Trojan
Domain: indonesias.me
IP Address: 210.108.146.96
Port: [56790]
Type: Outbound
File: C:\Windows\System32\lsass.exe



(end)
98
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 04:15:37 PM »
Next I tried moving the service.exe sample file from earlier into a folder, then scanned it with Malwarebytes

Instead the scan result no longer detected the malware; strange, isn't it, given that this file was copy-pasted from the same file Malwarebytes detected the first time

Check the screenshot in my post above; at the beginning it was detected as a backdoor, right? Well, this is the culprit file that wants to open the website

Just for info, admin, the state of my PC right now: the trojan file that ate CPU usage is gone, but instead this other malware appeared; at exactly 13:11 it creates a service.exe file in the Windows folder, then it tries to open the website

Now, when I first turned on the PC that file wasn't in the Windows folder at all; the odd thing is, why always exactly at 13:11? It was not idle, I was playing the MuMu emulator


Yesterday the same thing happened; after 3:11 it then tries to open it again in the afternoon/evening, then at midnight it tries again :(

Mark my guess: even though service.exe has been quarantined, later it will try to open the website again :(
99
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 04:08:22 PM »
I checked the date modified, admin, of the file I rar'd earlier; you can see in the screenshot the date modified is 3:11, the same time as when the Malwarebytes notification first appeared at 3:11

Admin, please look at my two screenshots below; the times are the same, right? Between the date modified and the time of the Malwarebytes notification?

So first it places service.exe in the Windows folder, and after that it wants to open the website


But strangely, admin, I scanned this file on VirusTotal and it's not detected, it's considered clean, even though it's the file that opens the website Malwarebytes blocked, the 12 notifications from earlier

Here's the VirusTotal scan report
https://www.virustotal.com/#/file/0c7e5b5ed080bc7871e737066507393d3df0cded828c99694094dc09ef677528/detection
100
Virus Consultation / Re: CSRSS trojan miner folder WmiAppSrv
« Last post by luci on November 22, 2018, 03:35:55 PM »
The Malwarebytes report says website blocked when the 12 notifications appeared at 3:13 PM

Then when I scanned, it showed service.exe in the Windows folder :"(

Just for information, that service.exe file in the Windows folder wasn't there when the PC was first turned on; suddenly this file appeared again; yesterday this service.exe file also appeared and I quarantined it, now it's appeared again, what now, admin? :"(

Admin, here I'm giving you the malware sample, service.rar