Regular Member
Posts: 434
Registered: ‎12-21-2016
Kudos: 51
Solutions: 7

Re: IPS Alert 1: A Network Trojan was Detected

same here today.

 

My iPhone is suddenly causing this alarm

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.2.189:64309, to: 203.205.143.155:8080, protocol: TCP

 203.205.143.155 (AS132203 Tencent Building, Kejizhongyi Avenue)

 

iPhone is running latest OS, not jailbroken

There is not much troubleshooting possible on an iOS device, but I suppose it is a false positive.

New Member
Posts: 1
Registered: ‎06-19-2017

Re: IPS Alert 1: A Network Trojan was Detected

I get this alert any time I run registry clean up with CCleaner 5.43.6522 (64-bit).

Scan your CCleaner.exe. For me it came up with 

Trojan.Droma.Win32.1366

https://www.virustotal.com/#/file/e0c16136c81498b8b0cc05075b5de3fa007dec878839db7fc7f8d492d7ade5a5/d...

Regular Member
Posts: 434
Registered: ‎12-21-2016
Kudos: 51
Solutions: 7

Re: IPS Alert 1: A Network Trojan was Detected

thanks, but the device was an iPhone. So no .EXE files.

 

Anyway, the alerts did not come up again... I hope it stays that way

Established Member
Posts: 1,437
Registered: ‎08-20-2012
Kudos: 729
Solutions: 17

Re: IPS Alert 1: A Network Trojan was Detected


@jpigott wrote:

My daughter's iPad (not jailbroken) is doing the same thing. She is using the app Music.ly and I think this is causing it. The IP is showing in China as well.

 

Site: Default

Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.88.136:52461, to: 119.29.29.29:80, protocol: TCP, on interface: eth1

 

Would be nice to know more about the signatures to know more about them.


I got the same thing with my daughter's (also not jailbroken) iPad:

IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55063, till: 119.29.29.29:80, protokoll: TCP	09:00 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55060, till: 119.29.29.29:80, protokoll: TCP	09:00 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55044, till: 119.29.29.29:80, protokoll: TCP	08:58 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55027, till: 119.29.29.29:80, protokoll: TCP	08:56 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55006, till: 119.29.29.29:80, protokoll: TCP	08:55 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54994, till: 119.29.29.29:80, protokoll: TCP	08:54 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54966, till: 119.29.29.29:80, protokoll: TCP	08:52 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54962, till: 119.29.29.29:80, protokoll: TCP	08:52 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54937, till: 119.29.29.29:80, protokoll: TCP	08:48 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54912, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54872, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54869, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54868, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54871, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04	
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:54870, till: 119.29.29.29:80, protokoll: TCP	08:46 pm	2018/08/04

I have not had any alerts from this iPad earlier in this way and she has not installed anything the actual evening either.

 

Emerging Member
Posts: 47
Registered: ‎07-17-2018
Kudos: 4
Solutions: 1

Re: IPS Alert 1: A Network Trojan was Detected

Same here as @rdahlin from an iPhone. Happened 1st time today x4.
Emerging Member
Posts: 60
Registered: ‎08-08-2013
Kudos: 9
Solutions: 2

Re: IPS Alert 1: A Network Trojan was Detected

 


@okolgroup wrote:

I'm getting the same alert, however, it says it comes from 192.168.1.190 but there is no client in the network with that address!


I am also seeing this alert, but with no client matching the local IP??

New Member
Posts: 1
Registered: ‎08-10-2018

Re: IPS Alert 1: A Network Trojan was Detected

Was there any resolution to this? 

 

I had a coworker who runs wechat on his phone flagged for connecting to 203.205.219.139:8080 which may actually just be legitimate traffic.

 

Would that make sense in your case? 

 

How do we find out more about the particular connection? Is there a way for the IDS to actually look at the content and judge based on that, or does it just flag because of a connection to such a port, which could be anything, benign as well?
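
As an added example (not part of any post in this thread), a small Python triage script for the alert lines quoted on this page: it parses both the English and Swedish message formats seen here and groups alerts by source, destination and signature. The regular expression and function names are assumptions written for this example; the sample lines are copied from posts in the thread.

```python
import re
from collections import Counter, defaultdict

# Field labels for the English and Swedish alert formats quoted in this thread.
# The pattern is an assumption written for this example, not a UniFi schema.
ALERT_RE = re.compile(
    r"IPS (?:Alert|Varning) \d+: (?P<category>.+?)\. "
    r"Signatur(?:e|en) (?P<signature>.+?)\. "
    r"(?:From|Från): (?P<src>[\d.]+):(?P<sport>\d+), "
    r"(?:to|till): (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"(?:protocol|protokoll): (?P<proto>\w+)"
)

# Alert lines copied from posts in this thread.
SAMPLE = """\
Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.2.189:64309, to: 203.205.143.155:8080, protocol: TCP
Message: IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: 192.168.88.136:52461, to: 119.29.29.29:80, protocol: TCP, on interface: eth1
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55063, till: 119.29.29.29:80, protokoll: TCP
IPS Varning 1: A Network Trojan was Detected. Signaturen ET MALWARE Suspicious User-Agent (1 space). Från: 192.168.10.201:55060, till: 119.29.29.29:80, protokoll: TCP
"""

def parse_alerts(text):
    """Return one dict per alert found in text; other text is ignored."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def summarize(alerts):
    """Count alerts per (source host, destination ip:port, signature)."""
    return Counter(
        (a["src"], f'{a["dst"]}:{a["dport"]}', a["signature"]) for a in alerts
    )

def hosts_per_destination(alerts):
    """Map each destination ip:port to the set of internal hosts that hit it."""
    hosts = defaultdict(set)
    for a in alerts:
        hosts[f'{a["dst"]}:{a["dport"]}'].add(a["src"])
    return dict(hosts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    for (src, dst, sig), n in summarize(alerts).most_common():
        print(f"{n:3d}  {src:<16} -> {dst:<22} {sig}")
    for dst, hosts in hosts_per_destination(alerts).items():
        print(f"{dst}: {len(hosts)} internal host(s): {sorted(hosts)}")
```

Grouping by destination shows at a glance whether one host or many unrelated clients trigger the same signature, which is a starting point for triage rather than a verdict on the traffic.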

New Member
Posts: 3
Registered: ‎04-05-2018

Re: IPS Alert 1: A Network Trojan was Detected

I would suspect that the users have WeChat installed on their device which goes to Tencent.  I'd simply ask to confirm if this is correct.  I am seeing this from my network quite a bit (as I host students from various countries from time to time including China).

 

 

--------------------------------------------

USG Pro-4 v4.4.22.5086057

Controller v5.9.22.0 (beta)

UAP AC Pro v3.9.47.9228 (beta)

UniFi Switch 16 POE-150W v3.9.42.9152

Regular Member
Posts: 434
Registered: ‎12-21-2016
Kudos: 51
Solutions: 7

Re: IPS Alert 1: A Network Trojan was Detected

Hi @johncrowe, at least for me I can confirm that I have WeChat installed (from official Apple iOS app store, of course :-)

New Member
Posts: 3
Registered: ‎04-05-2018

Re: IPS Alert 1: A Network Trojan was Detected

Thanks for confirming @mbrust. Seeing WeChat traffic through to Tencent from the following IP addresses : destination port numbers in my logs:

203.205.128.110 : 8080
203.205.219.139 : 8080
203.205.143.155 : 8080
Emerging Member
Posts: 63
Registered: ‎08-26-2016
Kudos: 13

Re: IPS Alert 1: A Network Trojan was Detected

Seeing this a lot as well, to the same three addresses.

Sample alert:

IPS Alert 1: A Network Trojan was Detected. Signature ET MALWARE Suspicious User-Agent (1 space). From: <ip>:65074, to: 203.205.143.155:8080, protocol: TCP, in interface: eth1
Member
Posts: 195
Registered: ‎03-09-2017
Kudos: 53
Solutions: 11

Re: IPS Alert 1: A Network Trojan was Detected

Clearing Safari history and website data on offending iOS devices solves the problem for me.

Settings>Safari>Clear History and Website Data

Member
Posts: 158
Registered: ‎07-01-2016
Kudos: 78
Solutions: 1

Re: IPS Alert 1: A Network Trojan was Detected

I'm also getting this from LG Smart TVs.

A Network Trojan was Detected. Signature ET MALWARE Misspelled Mozilla User-Agent (Mozila)

New Member
Posts: 20
Registered: ‎12-29-2016
Kudos: 7
Solutions: 1

Re: IPS Alert 1: A Network Trojan was Detected

I am seeing this too, specifically with the Tencent servers in China.  I haven't tracked down the source specifically, but the family does have WeChat and other Chinese applications installed.  It is the main reason why they are all on a Guest network.

I will work on identifying the exact source and report back....

I have gone to the point of creating a WAN-OUT blocklist.  I'm currently blocking the following IPs:

203.205.219.244

203.205.146.77

203.205.142.208

203.205.255.78

203.205.255.79

203.205.255.80

 

I will see if the Family starts to complain about WeChat or another application not working....

New Member
Posts: 1
Registered: yesterday

Re: IPS Alert 1: A Network Trojan was Detected

I have the same issue.

In my case the "gameHouse" launcher will produce this event.

 

Established Member
Posts: 923
Registered: ‎01-29-2015
Kudos: 125
Solutions: 39

Re: IPS Alert 1: A Network Trojan was Detected


@winsucker wrote:

I get this alert any time I run registry clean up with CCleaner 5.43.6522 (64-bit).

Scan your CCleaner.exe. For me it came up with 

Trojan.Droma.Win32.1366

https://www.virustotal.com/#/file/e0c16136c81498b8b0cc05075b5de3fa007dec878839db7fc7f8d492d7ade5a5/d...


You are brave running that app. I don't recommend it to anyone anymore.

https://www.ecommercetimes.com/story/84818.html
