.

check log from proxy ?

<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Thu May 20, 2010 8:48 pm

check log from proxy ?

Hi all, need advices please, i've just realized yesterday on the network one user always have connection POST to http://chernomorsky.name but when i try to get in to that website i can't, basically first i try to ping the website which show the ip address and always request time out.
The log from my proxy box:
  Code:
ip-address-user POST http://chernomorsky.name/upload.php?bacf8e0422bb12604d4dcf26c99bcaa9

I'm very curious about this and had been try to use scapy to send receive packet but it always finished packets but the receives packet always not show up.
Yesterday i also block that website from my proxy box and i will be check the firewall too.

Is there any other thing i must to do to try figure out this issue, need advices please, i'm still need learn a lot from you guys or i'm just being to much paranoid about this.

Thank's a lot
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 20, 2010 9:29 pm

Re: check log from proxy ?

Are you saying that you ran a packet sniffer on the network and you can only see outgoing packets, and nothing coming back?  What's going outbound?  Is there anything goofy running on the user's computer that is making this POST request?

It could be that the remote host is only available at certain times.
~~~~~~~~~~~~~~
Ketchup
<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Thu May 20, 2010 9:35 pm

Re: check log from proxy ?

Thank's for your reply Ketchup, i ran scapy on other pc and with direct link internet just to test the connection to http://chernomorsky.name, and right now i'm still in progress to check the pc user, cause the pc is still need to use by user to their work.

Thank's a lot
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 20, 2010 9:40 pm

Re: check log from proxy ?

Did the machine your ran the packet sniffer on have the same public IP as the machine making these connections?  The remote host can be doing IP checking.  It could also be checking for user agents, referrers, etc.
~~~~~~~~~~~~~~
Ketchup
<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Thu May 20, 2010 9:46 pm

Re: check log from proxy ?

No Ketchup, on my box i use different ip public with network, so is there anything else i must do, i've been blocked access to that website and right now i'm gonna check the user pc.

Need any advices Ketchup thank's a lot.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 20, 2010 10:05 pm

Re: check log from proxy ?

Sounds like the user's PC is the best place to look.  Keeps us posted and let us know how you make out.  If you find anything strange, post it, and we will try to help.
~~~~~~~~~~~~~~
Ketchup
<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Thu May 20, 2010 10:23 pm

Re: check log from proxy ?

Right now i'm doing scan with avira personal and after finish i will try with malware bytes free, is there any suggestion please?.
And I'm just check the connection of that user ip before doing scanning av pc,
is the connection go throught illmap.ru i'm not yet check this out, i will try to find out later.

Thank's a lot
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 20, 2010 10:38 pm

Re: check log from proxy ?

I would also run a packet capture on this computer to see where else it may be connecting.  Also check the auto-run points in the registry and file systems to see what may be starting automatically that you are not aware of. 

If you do not trust this computer, I would rebuild it if I was in your shoes.  That's the only way to ensure that you wipe away any infection.  It may be overkill, but it's certainly safe. 
~~~~~~~~~~~~~~
Ketchup
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu May 20, 2010 11:21 pm

Re: check log from proxy ?

Use Hijackthis http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html and scan for any modified registry before using AVscanners. If any malicious code is found, delete it and run HijackThis again and compare the two log files.
Note: Do not delete any registry usign HijackThis unless you're completely sure of what it does. You can use automatic HJT log analyzers http://www.internetinspiration.co.uk/hi ... alysis.htm to assist you. Also, Google each of the registry entry.
<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Thu May 20, 2010 11:50 pm

Re: check log from proxy ?

Thank's for all your feedback, got the exploit in C:\Document and Settings\user\Local Setting\Temp\jar_cache446947312547567613.tmp(Java.9357 exploit) and rootkit Bubnix.S rootkit C:\Windows\system32\drivers\zeepu.sys, got deleted it and now i see on my router box not have any connection from that user ip to suspect website.

You're right Ketchup, i don't trust the computer and i have told him to format the pc but he not yet give permission about that, i had told him if pc got rootkit the best way is format the pc and is there any network method to know how the rootkit and exploit got to the pc cause this is for information to users, cause if i setting firewall but users got the malware/virus/troj/rootkit from the file in internet like accidentally they download from internet or from software messenger like skype/yahoo messenger, how do i know or prevented this happen?

Thank's a lot guys,
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Fri May 21, 2010 12:20 am

Re: check log from proxy ?

The best way to prevent such attacks is to give users the minimum privilege they need to do their work efficiently. Do the users need yahoo messenger for their work? Do they need to install software on your company's systems? In the end, even if you do everything you can-- patching,access policies etc. and some user downloads malware off of a messenger program it hurts a lot, not to mention wastage of time dealing with the infection.

Have a good security policy. Who can and can't install software on systems? What software can be installed? etc.
<<

nubie

User avatar

Newbie
Newbie

Posts: 34

Joined: Mon Jun 23, 2008 9:03 pm

Post Fri May 21, 2010 12:50 am

Re: check log from proxy ?

Yes, you're right Equix3n, but this user of this pc wants he can do installation on pc he use and actually he is some kind general manager on office so, from the beginning my supervisor give full access on his pc and it's true like you said it's all about policy and honestly i don't have such as power to make decision and i've think about sudowin and want to give a shot about that, thank you for the feedback.

Return to Incident Response

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software