This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snort alert... would like to confirm trouble.

I've just noticed the following rules fireing this past month:

INDICATOR-COMPROMISE Suspicious .su dns query
INDICATOR-COMPROMISE Suspicious .cc dns query

Here are the complete log entries:


[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-18.log.gz:2013:11:18-17:04:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.0.8" dstip="10.1.1.2" proto="17" srcport="62707"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-20.log.gz:2013:11:20-18:13:36  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="13712"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-20.log.gz:2013:11:20-18:13:36  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="50733"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="27493"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="24973"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="10976"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="9384"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="8039"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="40262"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-22:05:02  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="5717"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-22:05:02  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="48089"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/12/ips-2013-12-01.log.gz:2013:12:01-12:57:35  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="46138"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]
[FONT=monospace]/var/log/ips/2013/12/ips-2013-12-01.log.gz:2013:12:01-12:57:35  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="19862"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0" [/FONT]

This machine is my primary desktop and a vulnerability/infection is a major concern.
How can I confirm this.

I checked with clamscan and found nothing.
The system in question is a new install of Ubuntu 13.10_x64.

This thread was automatically locked due to age.

0 Sascha Paris over 11 years ago

Not sure if clam is the right tool ;o)

Other assumtion: Do you sometimes receive spammails through your spamfilter delivered to your client? I've seen lot of .cc spammails in the past, and if they use html and you open them in your mailclient, they may be the source of your sorrows. Did you search your http.log for such entries too?

From my experience everything with a .cc domain can be deleted unread anyway...
Cancel
Vote Up 0 Vote Down

Cancel
0 Sascha Paris over 11 years ago

...or you operate a Spamfilter behind the UTM which queries the UTM with such DNS lookups (RDNS etc.) due lot of .cc spammails?

Interesting article concerning such domains..

http://m.techspot.com/news/44622-google-search-blocks-11-million-cocc-websites-to-fight-malware.html

Maybe also a chance to give the UTM9.2 Beta's "advanced threat protection" feature a try, which was intended to find infected (bot) clients in your network. It's still beta and up to now still limited with pattern, but this may grow rapidly in the coming weeks...
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to Sascha Paris

Interesting... Thanks for the excellent reply.
I have been using a web client for email so this would explain how a new machine could appear to be infected. I'll look in the http logs now.
Cancel
Vote Up 0 Vote Down

Cancel

0 SalishSwede over 11 years ago in reply to Sascha Paris

Updated: I originally had the wrong lines.
It seems I got tangled up with some Russians via email they had sent.
They have .ru sites in the Virgin Islands which my config allows. I guess I'll block the Virgin Islands. Sighhh.

Here is a list of http connections on the minute of one set of alerts


2013:11:21-00:22:13 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4185" request="0x2999caf8" url="geminorum.narod.ru/.../html" application="http"
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1538" request="0x2999caf8" url="geminorum.narod.ru/.../
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="294" request="0x24fd1638" url="geminorum.narod.ru/.../css" application="http"
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3594" request="0x24fa3850" url="counter.yadro.ru/hit;narodadst2
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3356" request="0x288761e8" url="top100-images.rambler.ru/.../banner-88x31-rambler-brown2.gif" exceptions="cache" error="" country="Russian Federation"
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3360" request="0x24fa3e50" url="mokuz.ru/.../20022007406589.jpg
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3302" request="0x28c4dc80" url="counter.rambler.ru/top100.cnt
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="861" request="0x2999caf8" url="geminorum.narod.ru/.../javascript" application="http"
2013:11:21-00:22:13 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="634" request="0x24fd1638" url="geminorum.narod.ru/.../javascript" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="345" request="0x2959c6c0" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="217" request="0x24f82608" url="s200.ucoz.net/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="134" request="0x24fd1938" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="127" request="0x2885f7e0" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="528" request="0x2885f360" url="geminorum.narod.ru/.../
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="301" request="0x2999caf8" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3527" request="0x24fd1638" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.234" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1539" request="0x250121e0" url="s212.ucoz.net/.../javascript" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.234" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="208" request="0x24f787b0" url="s212.ucoz.net/.../javascript" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="38.103.18.141" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="301" request="0x39b5f1d0" url="cache.betweendigital.com/.../x-javascript" application="http"
2013:11:21-00:22:14 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="232" request="0x24f82608" url="s200.ucoz.net/.../gif" application="http"
2013:11:21-00:22:15 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="37.58.76.196" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3541" request="0x288797a8" url="ads.betweendigital.com/.../javascript" application="http"
2013:11:21-00:22:15 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="37.58.76.196" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="43" request="0x288797a8" url="ads.betweendigital.com/.../gif" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="37.58.76.196" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="232" request="0x39b5f950" url="ads.betweendigital.com/adj
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3302" request="0x3a0994d8" url="autocontext.begun.ru/autocontext2.js" exceptions="" error="" country="Russian Federation"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3302" request="0x2868bcc8" url="counter.rambler.ru/top100.cnt
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3356" request="0x2863e3d0" url="top100-images.rambler.ru/.../banner-88x31-rambler-brown2.gif" exceptions="cache" error="" country="Russian Federation"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3360" request="0x28876c68" url="mokuz.ru/.../20022007406589.jpg
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3810" request="0x39ff8388" url="counter.yadro.ru/hit
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3598" request="0x24fd1ab8" url="counter.yadro.ru/hit;narodcounter
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3268" request="0x2894ec28" url="openstat.net/cnt.js" exceptions="" error="" country="Russian Federation"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2443" request="0x24f82608" url="s200.ucoz.net/.../png" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="488" request="0x24fd1638" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1964" request="0x2885f360" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="358" request="0x2999caf8" url="geminorum.narod.ru/.../gif" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1475" request="0x2999cc78" url="s200.ucoz.net/.../png" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3212" request="0x2999cdf8" url="s200.ucoz.net/.../png" application="http"
2013:11:21-00:22:16 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3612" request="0x3a0a3010" url="da.ca.bd.a0.top.list.ru/counter
2013:11:21-00:22:17 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="894" request="0x2999caf8" url="geminorum.narod.ru/.../x-icon" application="http"
2013:11:21-00:22:20 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="68.180.206.184" user="" statuscode="301" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="81" request="0x39d23da8" url="babelfish.altavista.com/.../urltrurl
2013:11:21-00:22:20 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="206.190.36.45" user="" statuscode="301" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="267" request="0x28a589b0" url="www.yahoo.com/.../urltrurl
2013:11:21-00:22:20 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="68.142.243.179" user="" statuscode="301" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="81" request="0x2959ccc0" url="babelfish.yahoo.com/.../urltrurl
2013:11:21-00:22:20 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="206.190.36.45" user="" statuscode="404" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2531" request="0x28a589b0" url="www.yahoo.com/urltrurl
2013:11:21-00:22:20 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="10.1.2.11" dstip="72.21.91.29" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="471" request="0x39cceb30" url="ocsp.digicert.com/.../ocsp-response" application="ocsp"
2013:11:21-00:22:21 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="206.190.36.45" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5430" request="0x28a589b0" url="www.yahoo.com/.../x-icon" application="yahoo"
2013:11:21-00:22:33 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.1.2.2" dstip="173.194.33.105" user="" statuscode="200" cached="0" profile="REF_HttProInterDeskt (Internal Desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7648" request="0x29371928" url="calendar.google.com/" exceptions="av,auth,content,url,mime,cache,fileextension" error=""
2013:11:21-00:22:41 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="8" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2385" request="0x2821eb28" url="geminorum.narod.ru/.../html" application="http"
2013:11:21-00:22:41 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1478" request="0x2821eb28" url="geminorum.narod.ru/.../
2013:11:21-00:22:41 wahine httpproxy[5918]: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="GET" srcip="10.1.2.11" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3492" request="0x24fa3250" url="counter.yadro.ru/hit;narodadst2
2013:11:21-00:22:41 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="193.109.247.222" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="528" request="0x2821eb28" url="geminorum.narod.ru/.../
2013:11:21-00:22:41 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="37.58.76.196" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3532" request="0x288797a8" url="ads.betweendigital.com/.../javascript" application="http"
2013:11:21-00:22:42 wahine httpproxy[5918]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.11" dstip="37.58.76.196" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (secure desktops)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="43" request="0x288797a8" url="ads.betweendigital.com/.../gif" application="http"

0 SalishSwede over 11 years ago in reply to SalishSwede

I block Google Analytics. Nothing out of the ordinary there.
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to Sascha Paris

I copied the wrong timestamps from the http log. I corrected the problem and found Russians. This clarifies the problem.
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to SalishSwede
www.celestiamotherlode.net/catalog/show_creator_details.php?creator_id=81

The page above is from a site that contains a massive amount of data for the linux astronomy program Celesitia. This is a page for a provider of content for the program that adds specific comets to the 3d model of the universe. Clicking on the homepage of the content provider was the source of the problem it seems. Note: Don't click on 'homepage' ;-)
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi,

If your PC is still trying to contact strange sites, then you probably need to save your documents and nuke it.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 11 years ago in reply to BarryG

The machine in question has been 'nuked' about weekly as I investigate Linux Distros.
I believe Sascha has identified the issue. I identified the source web site that caused the problem and notified the hosting organisation. The source is Russian with some .ru servers in the British Virgin Islands.
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 10 years ago

Interesting that no one is commenting.
I'm still having trouble with unaccounted for alerts of trojans.
No one will help?
Cancel
Vote Up 0 Vote Down

Cancel