Hi all,
Recently I upgraded my VisualSVN [1] server (which is a modified Apache webserver), and in the course of diagnosing a setup failure, I discovered that Avast seems to be “penetration” testing
Did you run any scan…?
Yes. I accidentally hit return and this !@#$ing site sent the unfinished message. Then wouldn’t let me modify it. What I had started to say was:
Hi all,
Recently I upgraded the SVN server [1] (which is a modified Apache webserver) in my home office, and in the course of diagnosing a setup failure, I discovered that Avast seems to have been “penetration” testing the old server (at least) for months. The server’s event logs were full of failed logins from non-existent users … and all the attempts were from the same machine: MINE.
Naturally, I immediately exhaustively scanned for malware, but found nothing. So I set up a firewall rule to log attempts to contact the SVN. And to my surprise, the culprit was AvastSvc.exe. Approximately every 24 hours, it tries a long series of logins using typical admin user names.
This apparently has been going on for months (extent of the logs), but I hadn’t noticed because everything was running fine. The rogue login attempts have been happening in the (wee) early morning when [generally] no one is using the computer.
Attached are excerpts [last few days] from the server and firewall logs. The firewall log included known connections from TortoiseSVN (client) which were filtered. Those are not errors/failures in the SVN log anyway.
NOTE: the FWevents file is HTML (the software exports it that way). View it with a browser.
So what is going on here? And how to stop it filling up my logs? I’m running Avast Free 18.4.2338 (it’s my personal machine) and I have only the file, behavior, mail and web shields enabled. I figured it might be a periodic network/WiFi scan, but AFAIK you have to ask for that, and it’s not trying the same ports on any other machines (my firewall filter would have caught that).
Thanks,
George
Hmmm, sounds like WiFi-Inspector, but it shouldn’t run on its own.