jedduff, May 29, 2015:
OK, this is really weird. We got the message "unusual traffic detected" from Google when doing a Google search. I did some analysis and the culprit is... the ERA appliance server. Some module is doing this and I don't know why. Where can I find the log for this issue on the ERA appliance?
jedduff, June 1, 2015:
I stopped the bleeding by denying all HTTP and HTTPS to these IP ranges, but it doesn't resolve the root of the issue:
ip4:216.239.32.0/19
ip4:64.233.160.0/19
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:209.85.128.0/17
ip4:66.102.0.0/20
ip4:74.125.0.0/16
ip4:64.18.0.0/20
ip4:207.126.144.0/20
ip4:173.194.0.0/16
michalp (ESET Staff), June 2, 2015:
Is the appliance configured as an HTTP proxy, and is it used by the client machines?
jedduff, June 2, 2015:
Yes, every client uses the proxy. We have a lot of PCs that aren't on the local network that we want to manage.
jedduff, June 2, 2015:
And by proxy, I mean this (see the attached file).
michalp (ESET Staff), June 4, 2015:
When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.
jedduff, June 4, 2015:
> When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.

Where can I find the HTTP proxy log? Can I enable some trace log?
jedduff, June 5, 2015:
> When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.

Hi Michalp! I'm happy because I found the root of the problem. Someone is trying to use the proxy. Now... how can I deny all HTTP proxy requests without a password?

155.133.19.30 - - [27/May/2015:19:57:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
213.133.97.216 - - [27/May/2015:19:58:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=hotmanagement.asia HTTP/1.1" 200 254
213.133.97.216 - - [27/May/2015:19:58:08 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=8db2654a7&features=Rank&q=info:naravniporod.si HTTP/1.1" 200 31
155.133.19.30 - - [27/May/2015:19:58:05 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
91.196.48.31 - - [27/May/2015:19:58:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22site%3a.edu%22+%22%5binurl%3a%2fcampustour%2fframes%2findex.asp%3furl%5d%22+pomidorowa HTTP/1.1" 200 12373
213.133.97.216 - - [27/May/2015:19:58:24 -0400] "GET hxxp://archive.org/wayback/available?url=kopio.ru&timestamp=19900101 HTTP/1.1" 200 167
213.133.97.216 - - [27/May/2015:19:58:26 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=annaleenashem.blogspot.ru HTTP/1.1" 200 492
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:58:36 -0400] "POST hxxp://38.90.226.13:80/ HTTP/1.1" 200 62
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:37 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "GET hxxp://testp2.czar.bielawa.pl/testproxy.php?r=206.162.163.142:3128 HTTP/1.1" 200 117
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:58:43 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=810983536&features=Rank&q=info:texasbeatz.net HTTP/1.1" 200 31
198.50.151.0 - - [27/May/2015:19:58:26 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:58:47 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=ncdc.unl.edu HTTP/1.1" 200 2060
155.133.19.30 - - [27/May/2015:19:58:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
213.133.97.216 - - [27/May/2015:19:59:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=itsnotokcupid.wordpress.com HTTP/1.1" 200 280
155.133.19.30 - - [27/May/2015:19:59:04 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
91.196.48.31 - - [27/May/2015:19:59:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22%5binurl%3a.edu%2fredirect.aspx%3furl%5d%22+pooperacyjn%c4%85 HTTP/1.1" 200 11431
213.133.97.216 - - [27/May/2015:19:59:19 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=864f1d511&features=Rank&q=info:mohedaror.se HTTP/1.1" 200 29
10.0.200.68 - - [27/May/2015:19:59:19 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
213.133.97.216 - - [27/May/2015:19:59:27 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=lasthand.wordpress.com HTTP/1.1" 200 246
104.152.188.72 - - [27/May/2015:19:59:32 -0400] "GET hxxp://lotustours.net/forum/member.php?action=profile&uid=397552 HTTP/1.0" 404 689
104.152.188.72 - - [27/May/2015:19:59:33 -0400] "GET hxxp://lotustours.net/ HTTP/1.1" 200 25354
213.133.97.216 - - [27/May/2015:19:59:46 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=sparcc.wordpress.com HTTP/1.1" 200 259
64.62.219.170 - - [27/May/2015:19:59:47 -0400] "CONNECT support.microsoft.com:443 HTTP/1.0" 200 -
213.133.97.216 - - [27/May/2015:20:00:01 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=86bca50da&features=Rank&q=info:sparksoflife.co HTTP/1.1" 200 29
213.133.97.216 - - [27/May/2015:20:00:00 -0400] "GET hxxp://archive.org/wayback/available?url=mobi-games.ru&timestamp=19900101 HTTP/1.1" 200 172
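One way to confirm the reading of that access log, as an added example that is not part of the thread and not ESET's code: the script below parses entries in the Common Log Format the appliance's Apache proxy writes, treats 10.0.200.0/24 as the managed clients (an assumption taken from the only private addresses in the excerpt), counts the requests the proxy actually relayed (2xx) for any source outside that range, and flags the open-proxy probe paths (testproxy.php, httptest.php) that appear verbatim in the posted log. The sample entries are a constructed subset of the poster's excerpt, with the URLs left defanged as "hxxp" exactly as pasted.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the access_log excerpt in the thread.
SAMPLE_LOG = """\
155.133.19.30 - - [27/May/2015:19:57:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
213.133.97.216 - - [27/May/2015:19:58:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=hotmanagement.asia HTTP/1.1" 200 254
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "GET hxxp://testp2.czar.bielawa.pl/testproxy.php?r=206.162.163.142:3128 HTTP/1.1" 200 117
185.25.151.223 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
155.133.19.30 - - [27/May/2015:19:58:59 -0400] "GET hxxp://www.proxygen.pl/httptest.php HTTP/1.1" 200 21
104.152.188.72 - - [27/May/2015:19:59:32 -0400] "GET hxxp://lotustours.net/forum/member.php?action=profile&uid=397552 HTTP/1.0" 404 689
"""

# Assumption: the managed clients live in 10.0.200.0/24. Replace with the
# networks that are supposed to use the appliance proxy.
TRUSTED_CLIENT_NETS = [ipaddress.ip_network("10.0.200.0/24")]

# Common Log Format: client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that open-proxy scanners fetch to confirm the proxy relays traffic;
# both appear in the posted log.
PROBE_MARKERS = ("testproxy.php", "httptest.php")


def parse_line(line):
    """Parse one CLF entry into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_str):
    """True if the client address belongs to one of the managed networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_CLIENT_NETS)


def analyse(log_text):
    """Summarise relayed requests from untrusted sources and open-proxy probes.

    Returns {"untrusted": {ip: count}, "probes": {ip: [targets]}, "unparsed": n}.
    """
    untrusted = Counter()
    probes = defaultdict(set)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_trusted(rec["ip"]):
            continue
        # Only 2xx responses were actually relayed; those are the requests that
        # reach third parties such as Google from the appliance's address.
        if 200 <= rec["status"] < 300:
            untrusted[rec["ip"]] += 1
        if any(marker in rec["target"] for marker in PROBE_MARKERS):
            probes[rec["ip"]].add(rec["target"])
    return {
        "untrusted": dict(untrusted),
        "probes": {ip: sorted(t) for ip, t in probes.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, n in sorted(report["untrusted"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} relayed {n} request(s); probes: {report['probes'].get(ip, [])}")
    print(f"unparsed lines: {report['unparsed']}")
```

Run it against the real file with `analyse(open("/opt/apache/logs/access_log").read())` (path assumed; use whatever the appliance's httpd.conf names in its CustomLog directive). Any non-empty "untrusted" entry is the open-proxy symptom the thread describes; the probe targets tell you the proxy had already been picked up by scanners.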
jedduff, June 5, 2015 (marked as solution):
That is not a smart move on your part, leaving the HTTP proxy without a password on the ESET Appliance!! I created a user and password with this command in /opt/apache/bin:
./htpasswd -c /opt/apache/.htpasswd USERNAME
I created a .group file in /opt/apache/ with "usergroup: USERNAME" in it, and added the following lines to the config file /opt/apache/conf/httpd.conf (just before </Proxy>):
AuthType Basic
AuthName "Password Required"
AuthUserFile "/opt/apache/.htpasswd"
AuthGroupFile "/opt/apache/.group"
Require group usergroup
And voilà! My access log file is as clean as water and I can see the bad guys in the error log. You should create a KB article with this information.
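The weak and the corrected <Proxy> section side by side, plus a check you can run over a copied httpd.conf, as an added example that is neither the poster's nor ESET's code. The Auth* and Require lines in CLOSED_PROXY are the ones the post adds; the surrounding ProxyRequests/Order/Allow lines are an assumption about how an Apache 2.2-style open forward proxy is declared, and the audit function is a hypothetical helper that only looks for the conditions visible in this thread (a <Proxy> block with no Require directive, or one that grants everyone, or a Require user/group without the auth provider directives it depends on).

```python
import re

# Constructed "before": forward proxying is on and the <Proxy> section admits any
# client. This is the state the thread describes (assumed Apache 2.2 syntax).
OPEN_PROXY = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
"""

# Constructed "after": same block with the directives the poster added, so every
# proxied request must carry valid Basic credentials for a member of "usergroup".
CLOSED_PROXY = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile "/opt/apache/.htpasswd"
    AuthGroupFile "/opt/apache/.group"
    Require group usergroup
</Proxy>
"""

PROXY_BLOCK_RE = re.compile(r"<Proxy\b[^>]*>(.*?)</Proxy>", re.S | re.I)


def audit_proxy_config(conf_text):
    """Return a list of findings for an httpd.conf excerpt; [] means no open proxy.

    Hypothetical check: it only understands the patterns discussed in the thread.
    """
    findings = []
    forward_on = re.search(r"^\s*ProxyRequests\s+On\b", conf_text, re.M | re.I) is not None
    blocks = PROXY_BLOCK_RE.findall(conf_text)
    if forward_on and not blocks:
        findings.append("ProxyRequests On with no <Proxy> block: forward proxy is open to everyone")
    for i, body in enumerate(blocks, 1):
        # Drop blank lines and comments, keep one directive per entry.
        lines = [l.strip() for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
        requires = [l for l in lines if l.lower().startswith("require ")]
        if not requires:
            findings.append(f"<Proxy> block {i}: no Require directive, relays for any client")
            continue
        if any(re.fullmatch(r"require\s+all\s+granted", r, re.I) for r in requires):
            findings.append(f"<Proxy> block {i}: 'Require all granted' makes it an open proxy")
        # Require user/group/valid-user does nothing without an auth provider.
        if any(re.match(r"require\s+(user|group|valid-user)\b", r, re.I) for r in requires):
            present = {l.split()[0].lower() for l in lines}
            missing = [d for d in ("authtype", "authuserfile") if d not in present]
            if missing:
                findings.append(f"<Proxy> block {i}: Require needs {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_PROXY), ("closed", CLOSED_PROXY)):
        print(label, "->", audit_proxy_config(conf) or "OK")
```

On Apache 2.4 the Order/Allow pair is replaced by Require directives, and there `Require ip 10.0.200.0/24` alongside the group requirement (inside a RequireAny or RequireAll as needed) lets you restrict the proxy to the managed networks as well as to authenticated users; the check above treats that layout the same way, since it keys only on the Require and Auth* lines.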