
Posted

OK, this is really weird.

We got the message "unusual traffic detected" on Google when doing a Google search.

I did some analysis and the culprit is... the ERA appliance server.

Some module is doing this and I don't know why.

Where can I find the log for this issue on the ERA appliance?

[attachment: post-6051-0-05571700-1432917735_thumb.png]

Posted

I stopped the bleeding by denying all HTTP and HTTPS from these IP ranges, but it doesn't resolve the root of the issue:

ip4:216.239.32.0/19
ip4:64.233.160.0/19
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:209.85.128.0/17
ip4:66.102.0.0/20
ip4:74.125.0.0/16
ip4:64.18.0.0/20
ip4:207.126.144.0/20
ip4:173.194.0.0/16
  • ESET Staff
Posted

Is the appliance configured as an HTTP proxy, and are client machines using it?

Posted

Yes, every client uses the proxy. We have a lot of PCs that aren't on the local network that we want to manage.

Posted

And by proxy, I mean this (see the attached file):

[attachment: post-6051-0-56983100-1433236504_thumb.png]

  • ESET Staff
Posted

When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.

Posted

> When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.

Where can I find the HTTP proxy log? Can I enable some trace log?

Posted

> When you temporarily disable the HTTP proxy (e.g. port 3128 is not accessible, or you completely stop the service), does it help? I suspect that something is connecting through the HTTP proxy on the appliance and that is causing these bursts. HTTPS communication is not cached, so it always goes through the proxy.

Hi Michalp!

I'm happy because I found the root of the problem.

Someone is trying to use the proxy.

Now... how can I deny all HTTP proxy requests without a password?

 

155.133.19.30 - - [27/May/2015:19:57:59 -0400] "GET hxxp://www.proxygen.pl/httptest.phpHTTP/1.1" 200 21

213.133.97.216 - - [27/May/2015:19:58:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=hotmanagement.asiaHTTP/1.1" 200 254

213.133.97.216 - - [27/May/2015:19:58:08 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=8db2654a7&features=Rank&q=info:naravniporod.siHTTP/1.1" 200 31

155.133.19.30 - - [27/May/2015:19:58:05 -0400] "GET hxxp://www.proxygen.pl/httptest.phpHTTP/1.1" 200 21

91.196.48.31 - - [27/May/2015:19:58:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22site%3a.edu%22+%22%5binurl%3a%2fcampustour%2fframes%2findex.asp%3furl%5d%22+pomidorowaHTTP/1.1" 200 12373

213.133.97.216 - - [27/May/2015:19:58:24 -0400] "GET hxxp://archive.org/wayback/available?url=kopio.ru&timestamp=19900101HTTP/1.1" 200 167

213.133.97.216 - - [27/May/2015:19:58:26 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=annaleenashem.blogspot.ruHTTP/1.1" 200 492

10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

10.0.200.68 - - [27/May/2015:19:58:36 -0400] "POST hxxp://38.90.226.13:80/HTTP/1.1" 200 62

10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

10.0.200.2 - - [27/May/2015:19:58:37 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

185.25.151.223 - - [27/May/2015:19:58:40 -0400] "GET hxxp://testp2.czar.bielawa.pl/testproxy.php?r=206.162.163.142:3128HTTP/1.1" 200 117

185.25.151.223 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -

213.133.97.216 - - [27/May/2015:19:58:43 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=810983536&features=Rank&q=info:texasbeatz.netHTTP/1.1" 200 31

198.50.151.0 - - [27/May/2015:19:58:26 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -

213.133.97.216 - - [27/May/2015:19:58:47 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=ncdc.unl.eduHTTP/1.1" 200 2060

155.133.19.30 - - [27/May/2015:19:58:59 -0400] "GET hxxp://www.proxygen.pl/httptest.phpHTTP/1.1" 200 21

213.133.97.216 - - [27/May/2015:19:59:05 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=itsnotokcupid.wordpress.comHTTP/1.1" 200 280

155.133.19.30 - - [27/May/2015:19:59:04 -0400] "GET hxxp://www.proxygen.pl/httptest.phpHTTP/1.1" 200 21

91.196.48.31 - - [27/May/2015:19:59:10 -0400] "GET hxxp://179.184.10.23/search?tbo=d&filter=0&nfpr=1&source=hp&num=100&btnG=Search&q=%22%5binurl%3a.edu%2fredirect.aspx%3furl%5d%22+pooperacyjn%c4%85HTTP/1.1" 200 11431

213.133.97.216 - - [27/May/2015:19:59:19 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=864f1d511&features=Rank&q=info:mohedaror.seHTTP/1.1" 200 29

10.0.200.68 - - [27/May/2015:19:59:19 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

10.0.200.68 - - [27/May/2015:19:59:20 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -

213.133.97.216 - - [27/May/2015:19:59:27 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=lasthand.wordpress.comHTTP/1.1" 200 246

104.152.188.72 - - [27/May/2015:19:59:32 -0400] "GET hxxp://lotustours.net/forum/member.php?action=profile&uid=397552HTTP/1.0" 404 689

104.152.188.72 - - [27/May/2015:19:59:33 -0400] "GET hxxp://lotustours.net/HTTP/1.1" 200 25354

213.133.97.216 - - [27/May/2015:19:59:46 -0400] "GET hxxp://data.alexa.com/data?cli=10&dat=snbamz&url=sparcc.wordpress.comHTTP/1.1" 200 259

64.62.219.170 - - [27/May/2015:19:59:47 -0400] "CONNECT support.microsoft.com:443 HTTP/1.0" 200 -

213.133.97.216 - - [27/May/2015:20:00:01 -0400] "GET hxxp://toolbarqueries.google.com/tbr?client=navclient-auto&ch=86bca50da&features=Rank&q=info:sparksoflife.coHTTP/1.1" 200 29

213.133.97.216 - - [27/May/2015:20:00:00 -0400] "GET hxxp://archive.org/wayback/available?url=mobi-games.ru&timestamp=19900101HTTP/1.1" 200 172
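Reading a log like the one above by eye is slow, so here is an added example (not from the post and not part of the ESET appliance) of a small shell script that summarises the same kind of Apache access log: which client addresses outside the management LAN are relaying requests through the proxy, and which destinations they reach. It assumes common log format (client IP in the first field, request line in fields 6 to 8) and that 10.0.200.0/24, the only internal range visible in the log above, is the LAN; the sample log lines it writes are constructed for the demo and use documentation address ranges rather than the addresses from the post.

```shell
#!/bin/sh
# Added example, not taken from the post or from ESET: summarise, from the Apache
# access log of the appliance's forward proxy, which clients outside the management
# LAN are relaying requests through it and where those requests go.
# Assumptions: common log format (client IP is field 1, request line is fields 6-8)
# and that 10.0.200.0/24, the only internal range visible in the post, is the LAN.
# Bracketed dots keep the pattern free of backslashes, which awk -v would reinterpret.
TRUSTED_RE='^10[.]0[.]200[.][0-9]+$'

# "count client" for every client IP not matching the trusted pattern, busiest first.
# Usage: untrusted_clients access_log [trusted_regex]
untrusted_clients() {
    awk -v pat="${2:-$TRUSTED_RE}" '
        $1 !~ pat { n[$1]++ }
        END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# "count method host" per destination reached by untrusted clients. Handles both
# "GET http://host/path HTTP/1.1" and "CONNECT host:443 HTTP/1.1", and tolerates
# pasted lines that lost the space before HTTP/1.x (as the post's GET lines did).
# Usage: untrusted_destinations access_log [trusted_regex]
untrusted_destinations() {
    awk -v pat="${2:-$TRUSTED_RE}" '
        $1 !~ pat {
            method = $6; sub(/^"/, "", method)
            target = $7; sub(/HTTP\/[0-9.]+"?$/, "", target)
            if (target ~ /:\/\//) { sub(/^[a-z]+:\/\//, "", target); sub(/\/.*/, "", target) }
            sub(/:[0-9]+$/, "", target)
            d[method " " target]++
        }
        END { for (k in d) print d[k], k }' "$1" | sort -rn
}

# Constructed sample log for the demo; documentation ranges 198.51.100.0/24 and
# 203.0.113.0/24 stand in for arbitrary Internet hosts. Usage: write_sample_log path
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [27/May/2015:19:57:59 -0400] "GET http://example.net/httptest.php HTTP/1.1" 200 21
10.0.200.72 - - [27/May/2015:19:58:28 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
203.0.113.9 - - [27/May/2015:19:58:40 -0400] "CONNECT www.google.pl:443 HTTP/1.1" 200 -
10.0.200.2 - - [27/May/2015:19:58:36 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
198.51.100.7 - - [27/May/2015:19:58:59 -0400] "GET http://example.net/httptest.phpHTTP/1.1" 200 21
203.0.113.9 - - [27/May/2015:19:59:10 -0400] "GET http://example.org/search?q=x HTTP/1.1" 200 12373
10.0.200.68 - - [27/May/2015:19:59:19 -0400] "CONNECT edf.eset.com:443 HTTP/1.1" 200 -
EOF
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
echo "requests relayed for clients outside the LAN:"
untrusted_clients "$sample"
echo "destinations they reached:"
untrusted_destinations "$sample"
rm -f "$sample"
```

On the appliance you would point the two functions at the real access log instead of the sample and, if your LAN is not 10.0.200.0/24, pass your own pattern as the second argument. Any client that shows up in the first report is a host that the proxy should not be serving at all, which is exactly the population the password fix in the accepted answer shuts out.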

 

  • Solution
Posted

That is not a smart move from you, leaving the HTTP proxy without a password on the ESET appliance!!

I created a user password with this command, in /opt/apache/bin:

./htpasswd -c /opt/apache/.htpasswd USERNAME

I created a .group file in /opt/apache/ with "usergroup: USERNAME" in it.

Added the following to the config file /opt/apache/conf/httpd.conf (just before </Proxy>):

    AuthType Basic
    AuthName "Password Required"
    AuthUserFile "/opt/apache/.htpasswd"
    AuthGroupFile "/opt/apache/.group"
    Require group usergroup

And voilà! My access log file is clean as water and I can see the bad guys in the error log.

You should create a KB with this information.
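As an added example, not the poster's own script and not anything shipped with the appliance, the following shell script applies the same directives to a copy of httpd.conf in a repeatable way and adds one refinement: agents on the management LAN are admitted without credentials while every other client must authenticate as a member of the group. It assumes Apache 2.4 authorization syntax (RequireAny, Require ip) with mod_auth_basic, mod_authn_file, mod_authz_groupfile and mod_authz_host loaded, the file paths from the post, and a LAN of 10.0.200.0/24; the httpd.conf fragment it writes for the demo is constructed, not the appliance's real file.

```shell
#!/bin/sh
# Added example, not the poster's or ESET's script: apply the fix from the post to a
# copy of httpd.conf repeatably, with one refinement: clients on the management LAN
# are admitted without credentials, everyone else must authenticate. Assumptions:
# Apache 2.4 syntax (<RequireAny>, Require ip) with mod_auth_basic, mod_authn_file,
# mod_authz_groupfile and mod_authz_host loaded, and the file paths used in the post.

# Emit the directives that go inside <Proxy>. Arguments: LAN CIDR, group name.
proxy_auth_block() {
    cat <<EOF
    AuthType Basic
    AuthName "Password Required"
    AuthBasicProvider file
    AuthUserFile "/opt/apache/.htpasswd"
    AuthGroupFile "/opt/apache/.group"
    <RequireAny>
        # agents on the local network: no password needed
        Require ip $1
        # anyone else must log in as a member of the group
        Require group $2
    </RequireAny>
EOF
}

# Rewrite CONF into OUT: drop any "Require all granted" inside the <Proxy> block
# (under RequireAny semantics it would keep the proxy open to everyone) and insert
# the auth block just before </Proxy>. Refuses to run on a file that is already set up.
# Usage: install_proxy_auth httpd.conf out.conf 10.0.200.0/24 usergroup
install_proxy_auth() {
    if grep -q 'AuthUserFile' "$1"; then
        echo "auth already configured in $1" >&2
        return 1
    fi
    proxy_auth_block "$3" "$4" > "$2.block"
    awk -v blk="$2.block" '
        /<Proxy[ >]/ { inproxy = 1 }
        inproxy && /Require all granted/ { next }
        inproxy && /<\/Proxy>/ { while ((getline line < blk) > 0) print line; inproxy = 0 }
        { print }' "$1" > "$2"
    rm -f "$2.block"
    grep -q '<RequireAny>' "$2"
}

# Minimal stand-in for the appliance's proxy section (constructed, not the real file).
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 3128
ProxyRequests On
<Proxy *>
    Require all granted
</Proxy>
EOF
}

# Demo: show the <Proxy> section after the rewrite.
before=$(mktemp); after=$(mktemp)
write_sample_conf "$before"
install_proxy_auth "$before" "$after" 10.0.200.0/24 usergroup
echo "resulting <Proxy> section:"
sed -n '/<Proxy/,/<\/Proxy>/p' "$after"
rm -f "$before" "$after"
```

Run it against a copy of the real httpd.conf, check the result with `apachectl -t` (or `httpd -t`) before swapping it into /opt/apache/conf, create the .htpasswd and .group files exactly as the accepted answer shows, and restart Apache. If the existing block uses 2.2-style Order/Allow directives instead of `Require all granted`, remove those by hand; they are not handled here. To confirm the relay is closed, a request through the proxy from a host outside the LAN should now be answered with 407 Proxy Authentication Required instead of being forwarded. Keep in mind that Basic credentials sent to a plain-HTTP proxy on port 3128 travel unencrypted, so treat the password as a shared secret to rotate rather than a strong boundary; it still removes the open relay that caused the Google traffic warnings.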
