OneAgent v1.277.165 on Win Srv 2019 v1809 generates thousands of logins to 445 SMB

gilles_tabary
Mentor

Hello.

On a Windows box A (Windows Server 2019 Version 1809 OS Build 17763.5122), we upgraded OneAgent from 1.271.135.20230810-115019 to 1.277.165.20231024-150054: we get thousands of attempted network logins from box A, with many local technical users and many recently connected Active Directory users, to many Windows target machines on port 445 (SMB). Sometimes thousands per minute. Also toward Unix boxes. It is not constant. It happens sometimes for hours, sometimes for minutes. It triggers alerts here. And it stopped us from deploying this version on the fleet.

When we stop or roll back OneAgent: no problem any more.
We tried an intermediate version, 1.275.146.20231002-095820: looks like no problem in that case.
We also tried the latest OA version, 1.277.196: same problem.

Looks like a brute-force attack. Maybe attempting to exploit vulnerabilities?

Anyone exposed to that? Any known solutions?

Regards.

--

Tickets ref:
Dynatrace: 250650
Private internal: Jira DEVOPS-15019

gilles_tabary
Mentor

Turns out

- it can be mitigated by excluding network disk monitoring 

 

Operating system: 'Windows', name: ''\\*\*'
Operating system: 'Windows', name: '\\*'

 

- support says "we found a bug"