
WAF issue

Hi,

We are having a really strange problem with one of our web servers. We have an SG310, fully patched. Two days ago, when opening a URL that points to one of the websites behind the UTM, a Chinese website gets opened: in the address bar we still see the URL of our site, but the content is in Chinese. This website is published to the internet by the WAF. When the site is opened internally we see the right content; when we use the URL from the internet we get the wrong website.

We used a DNAT instead of the WAF and we see the correct website. The WAF is configured correctly and was working for 3 years without any problem. The WAF logs show nothing wrong.

What is going on? Has the UTM been hacked? If this is a MITM DNS attack, why can we open the URL when using the DNAT?

 

Any suggestion?



  • Aresh, please show pictures of the Edits of the Virtual and Real Servers as well as of the functioning DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the update. These are the screenshots that you requested. I did point this WAF rule to a different real web server with the same result. We would like to know whether it is our DNS or the DNS of our provider that directs us to a wrong website. We have many web servers and this is the only WAF that we are having a problem with.

  • Hi,

    At this stage, I would suggest you look into the reverseproxy.log for further investigation. Please try to open this website from an external device and filter the logs by that device's public IP. You should find the entire trail of the connection in the reverseproxy.log. You should not see the host URL getting changed or any website redirect code (30x) unless it was configured on the UTM or the web server. Further, do you remember making any change to the reverse-proxy config file of the UTM? Also, try configuring without the option Pass host header.

    Regards

    Jaydeep

  • Hi Jay,

    I ran the live logs of the WAF and, when opening the site from a device outside of the LAN, I see this regarding the redirect:


     securitysrv1-1 httpd: id="0299" srcip="83.XXXX.194" localip="62.XX.XX.190" size="179" user="-" host="83.XX.XX.194" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="1172534" url="/RDWeb/Pages/default.aspx" server="remote.mydomain.nl" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-"

     

    There have not been any changes to the UTM config, as I am the only one with access to the admin account of the UTM.

     UPDATE,

     I also see this and have no idea why it refers to gateway.zscalertwo.net:

    2019:12:23-07:23:06 securitysrv1-1 httpd[2103]: [url_hardening:error] [pid 2103:tid 3860020080] [client 167.XX.XX.17:56606] No signature found, URI: remote.mydomain.nl/rpc, referer: https://gateway.zscalertwo.net/auW?origurl=https%3A%2F%2Fremote.mydomain.nl%2frpc&_ordtok=nsZ3WVRD73RJWzTvtnZnMM&jscript=1set&_sm_au_=iVVtwPRDfQ0ss5H&sm__idx=2cf3vQ6j&pires=nHQZW3r04Z6Vn
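
The client-trail filtering Jaydeep recommends, applied to the two log layouts Aresh pasted above (the key="value" WAF access entry with id="0299" and the url_hardening error entry). This is an added example, not part of the original thread and not Sophos code; the log lines inside it are constructed in the same shape as the pasted ones, with made-up addresses, host names and tokens, and the field names are assumed from how they appear in the pasted entry. It isolates one external client's trail by srcip, then reports every 30x answer and every request whose Referer names a host other than the published server (which is what makes the gateway.zscalertwo.net entry stand out). The pasted access line carries no Location target, so a flagged 30x still has to be followed in a browser or with curl from outside to see where it actually sends the client.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines in the two layouts visible in the thread:
# the key="value" WAF access entry (id="0299") and the url_hardening error entry.
# All IP addresses, host names and tokens below are made up for this example.
SAMPLE_LOG = """\
securitysrv1-1 httpd: id="0299" srcip="83.0.0.194" localip="62.0.0.190" size="179" user="-" host="83.0.0.194" method="GET" statuscode="302" reason="-" extra="-" exceptions="SkipURLHardening" time="1172534" url="/RDWeb/Pages/default.aspx" server="remote.example.nl" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-"
securitysrv1-1 httpd: id="0299" srcip="83.0.0.194" localip="62.0.0.190" size="2301" user="-" host="83.0.0.194" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5123" url="/RDWeb/Pages/en-US/login.aspx" server="remote.example.nl" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-"
securitysrv1-1 httpd: id="0299" srcip="10.1.2.3" localip="62.0.0.190" size="2301" user="-" host="10.1.2.3" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="4001" url="/RDWeb/Pages/default.aspx" server="remote.example.nl" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-"
2019:12:23-07:23:06 securitysrv1-1 httpd[2103]: [url_hardening:error] [pid 2103:tid 3860020080] [client 167.0.0.17:56606] No signature found, URI: remote.example.nl/rpc, referer: https://gateway.example.net/auW?origurl=https%3A%2F%2Fremote.example.nl%2frpc&jscript=1
"""

# key="value" pairs as they appear in the id="0299" access entries (keys may contain '-')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# url_hardening layout: "[client IP:PORT] <message>, URI: <uri>, referer: <url>"
HARDENING_RE = re.compile(
    r'\[url_hardening:(?P<level>\w+)\].*?\[client (?P<srcip>[\d.]+):\d+\] '
    r'(?P<message>.*?), URI: (?P<uri>\S+), referer: (?P<referer>\S+)'
)


def parse_line(line):
    """Return a dict for a line in either layout, or None for anything else."""
    if ' httpd: id="' in line:
        entry = dict(KV_RE.findall(line))
        entry["kind"] = "access"
        return entry
    m = HARDENING_RE.search(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "url_hardening"
        return entry
    return None


def trail_for_client(lines, srcip):
    """The ordered trail of one client: the per-public-IP filter Jaydeep suggests."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e and e.get("srcip") == srcip]


def referer_host(entry):
    """Host named in the Referer, or None when the field is absent or '-'."""
    ref = entry.get("referer", "-")
    if ref in ("", "-"):
        return None
    return urlsplit(ref).hostname


def flag_suspicious(trail, published_server):
    """Leads worth checking: 30x answers, and Referers from a host that is not
    the published server (the pattern of the gateway.zscalertwo.net entry)."""
    findings = []
    for e in trail:
        if e["kind"] == "access" and e.get("statuscode", "").startswith("3"):
            findings.append(
                f'{e["srcip"]} {e["method"]} {e["server"]}{e["url"]} -> {e["statuscode"]} '
                f'(30x answered via WAF; exceptions={e["exceptions"]})'
            )
        host = referer_host(e)
        if host and host != published_server:
            findings.append(
                f'{e["srcip"]} referer from foreign host {host} '
                f'for {e.get("uri") or e.get("url")}'
            )
    return findings


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for ip in ("83.0.0.194", "167.0.0.17", "10.1.2.3"):
        for finding in flag_suspicious(trail_for_client(log_lines, ip), "remote.example.nl"):
            print(finding)
```

Run it against a real reverseproxy.log with `trail_for_client(open("/var/log/reverseproxy.log"), "<your public IP>")` and the published server name from the Virtual Server. The internal trail (the 10.1.2.3 client above) yields no findings, which matches the observation that the site looks correct from the LAN; a difference between the internal and external trails is the thing to chase.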