check log from proxy ?

Viewing 11 reply threads
  • Author
    Posts
    • #5081
      nubie
      Participant

      Hi all, need advices please, i’ve just realized yesterday on the network one user always have connection POST to http://chernomorsky.name but when i try to get in to that website i can’t, basically first i try to ping the website which show the ip address and always request time out.
      The log from my proxy box:


      ip-address-user POST http://chernomorsky.name/upload.php?bacf8e0422bb12604d4dcf26c99bcaa9

      I’m very curious about this and had been try to use scapy to send receive packet but it always finished packets but the receives packet always not show up.
      Yesterday i also block that website from my proxy box and i will be check the firewall too.

      Is there any other thing i must to do to try figure out this issue, need advices please, i’m still need learn a lot from you guys or i’m just being to much paranoid about this.

      Thank’s a lot

    • #32250
      Ketchup
      Participant

      Are you saying that you ran a packet sniffer on the network and you can only see outgoing packets, and nothing coming back?  What’s going outbound?  Is there anything goofy running on the user’s computer that is making this POST request?

      It could be that the remote host is only available at certain times.

    • #32251
      nubie
      Participant

      Thank’s for your reply Ketchup, i ran scapy on other pc and with direct link internet just to test the connection to http://chernomorsky.name, and right now i’m still in progress to check the pc user, cause the pc is still need to use by user to their work.

      Thank’s a lot

    • #32252
      Ketchup
      Participant

      Did the machine your ran the packet sniffer on have the same public IP as the machine making these connections?  The remote host can be doing IP checking.  It could also be checking for user agents, referrers, etc.

    • #32253
      nubie
      Participant

      No Ketchup, on my box i use different ip public with network, so is there anything else i must do, i’ve been blocked access to that website and right now i’m gonna check the user pc.

      Need any advices Ketchup thank’s a lot.

    • #32254
      Ketchup
      Participant

      Sounds like the user’s PC is the best place to look.  Keeps us posted and let us know how you make out.  If you find anything strange, post it, and we will try to help.

    • #32255
      nubie
      Participant

      Right now i’m doing scan with avira personal and after finish i will try with malware bytes free, is there any suggestion please?.
      And I’m just check the connection of that user ip before doing scanning av pc,
      is the connection go throught illmap.ru i’m not yet check this out, i will try to find out later.

      Thank’s a lot

    • #32256
      Ketchup
      Participant

      I would also run a packet capture on this computer to see where else it may be connecting.  Also check the auto-run points in the registry and file systems to see what may be starting automatically that you are not aware of. 

      If you do not trust this computer, I would rebuild it if I was in your shoes.  That’s the only way to ensure that you wipe away any infection.  It may be overkill, but it’s certainly safe. 

    • #32257
      Xen
      Participant

      Use Hijackthis http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html and scan for any modified registry before using AVscanners. If any malicious code is found, delete it and run HijackThis again and compare the two log files.
      Note: Do not delete any registry usign HijackThis unless you’re completely sure of what it does. You can use automatic HJT log analyzers http://www.internetinspiration.co.uk/hijack%20this-Automated%20analysis.htm to assist you. Also, Google each of the registry entry.

    • #32258
      nubie
      Participant

      Thank’s for all your feedback, got the exploit in C:Document and SettingsuserLocal SettingTempjar_cache446947312547567613.tmp(Java.9357 exploit) and rootkit Bubnix.S rootkit C:Windowssystem32driverszeepu.sys, got deleted it and now i see on my router box not have any connection from that user ip to suspect website.

      You’re right Ketchup, i don’t trust the computer and i have told him to format the pc but he not yet give permission about that, i had told him if pc got rootkit the best way is format the pc and is there any network method to know how the rootkit and exploit got to the pc cause this is for information to users, cause if i setting firewall but users got the malware/virus/troj/rootkit from the file in internet like accidentally they download from internet or from software messenger like skype/yahoo messenger, how do i know or prevented this happen?

      Thank’s a lot guys,

    • #32259
      Xen
      Participant

      The best way to prevent such attacks is to give users the minimum privilege they need to do their work efficiently. Do the users need yahoo messenger for their work? Do they need to install software on your company’s systems? In the end, even if you do everything you can– patching,access policies etc. and some user downloads malware off of a messenger program it hurts a lot, not to mention wastage of time dealing with the infection.

      Have a good security policy. Who can and can’t install software on systems? What software can be installed? etc.

    • #32260
      nubie
      Participant

      Yes, you’re right Equix3n, but this user of this pc wants he can do installation on pc he use and actually he is some kind general manager on office so, from the beginning my supervisor give full access on his pc and it’s true like you said it’s all about policy and honestly i don’t have such as power to make decision and i’ve think about sudowin and want to give a shot about that, thank you for the feedback.

Viewing 11 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?