[unisog] Czdlxy.163.com and High Bandwidth Utilisation
Darden, Patrick S.
darden at armc.org
Mon Aug 18 16:28:21 GMT 2008
What kind of proxy? Squid? Obvious stuff:
1. are you disallowing inside networks from coming into your network? (i.e. filtering spoofed internal IPs)
2. do you have access control on your Proxies that only allow certain networks to access them? Squid is easy to set up. Do a file locate/find for squid.conf, open it up in your favorite editor and search for "acl allowed_hosts src" and make sure it is using your internal networks only--e.g. "acl allowed_hosts src 68.153.50.0/255.255.255.0"--and follow that up by applying the ACL and setting a deny all default. Something like this:
acl allowed_hosts src 68.153.50.0/255.255.255.0
# "password" must be an ACL defined elsewhere in squid.conf (typically a proxy_auth ACL);
# Squid refuses to start on an undefined ACL name, so drop it if you do not use proxy authentication
http_access allow allowed_hosts password
http_access deny all
If all of the above is already good, then you might have a massive internal infestation on PCs or servers. What IPs are hitting the proxies? Add an ACL to your proxies that disallows those IPs, then go check the holders of those IPs for malware. You might want to add an extra ACL to your border router to dump traffic to/from Czdlxy.163.com. For Squid it would look like this:
acl allowed_hosts src 68.153.50.0/255.255.255.0 192.168.0.0/24
acl denied_hosts src 68.153.50.10/32 68.153.50.11/32 68.153.50.12/32
http_access deny denied_hosts
http_access allow allowed_hosts password
http_access deny all
Good luck,
--Patrick Darden
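To put numbers behind "what IPs are hitting the proxies?", the following is an added example (not from the original reply or from the Squid project) that summarises Squid native-format access.log lines: bytes per destination host, bytes per client, clients that fall outside the allowed internal networks from the ACL above, and the `acl denied_hosts` / `http_access deny` lines for the heaviest pullers from czdlxy.163.com. The log lines are constructed; the server and external-client addresses (203.0.113.5, 198.51.100.7) are documentation-range placeholders, and the 68.153.50.0/24 and 192.168.0.0/24 networks are assumed to be the only legitimate sources.

```python
"""Summarise Squid native-format access.log entries to answer "what IPs are
hitting the proxies, and what are they pulling?", then emit the deny ACL the
reply recommends.  Added example; the log lines are constructed, not real."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Internal networks taken from the reply's ACL; anything else hitting the
# proxy is either an external client or a spoofed source (assumption).
ALLOWED_NETS = [ipaddress.ip_network("68.153.50.0/24"),
                ipaddress.ip_network("192.168.0.0/24")]

# Constructed sample in Squid's native format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
# 203.0.113.5 and 198.51.100.7 are documentation-range placeholders.
SAMPLE_LOG = """\
1219076400.101   812 68.153.50.10 TCP_MISS/200 52428800 GET http://czdlxy.163.com/update/pack1.bin - DIRECT/203.0.113.5 application/octet-stream
1219076400.205   640 68.153.50.11 TCP_MISS/200 31457280 GET http://czdlxy.163.com/update/pack2.bin - DIRECT/203.0.113.5 application/octet-stream
1219076401.010    45 192.168.0.23 TCP_HIT/200 14230 GET http://www.scu.edu.au/ - NONE/- text/html
1219076401.330   900 198.51.100.7 TCP_MISS/200 20971520 GET http://czdlxy.163.com/update/pack3.bin - DIRECT/203.0.113.5 application/octet-stream
1219076402.002    12 68.153.50.10 TCP_DENIED/403 1500 CONNECT czdlxy.163.com:443 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        client = ipaddress.ip_address(f[2])
        size = int(f[4])
    except ValueError:
        return None
    method, url = f[5], f[6]
    # CONNECT logs "host:port" with no scheme, so urlsplit would misread it.
    host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or "")
    return {"client": client, "status": f[3], "bytes": size,
            "method": method, "host": host.lower()}


def is_internal(client):
    return any(client in net for net in ALLOWED_NETS)


def summarise(log_text):
    """Aggregate bytes per client, per destination host and per (client, host),
    and collect clients that are not in the allowed internal networks."""
    bytes_by_client = defaultdict(int)
    bytes_by_host = defaultdict(int)
    bytes_by_client_host = defaultdict(int)
    outside_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = str(rec["client"])
        if not is_internal(rec["client"]):
            outside_clients.add(client)
        # Denied requests only carry the error page; they are not bandwidth.
        if rec["status"].startswith("TCP_DENIED"):
            continue
        bytes_by_client[client] += rec["bytes"]
        bytes_by_host[rec["host"]] += rec["bytes"]
        bytes_by_client_host[(client, rec["host"])] += rec["bytes"]
    return {"bytes_by_client": dict(bytes_by_client),
            "bytes_by_host": dict(bytes_by_host),
            "bytes_by_client_host": dict(bytes_by_client_host),
            "outside_clients": outside_clients}


def deny_acl_for_host(summary, host, threshold_bytes):
    """Squid lines blocking every client that pulled more than threshold_bytes
    from `host`; they must sit above the `http_access allow` lines."""
    host = host.lower()
    per_client = summary["bytes_by_client_host"]
    heavy = sorted((c for (c, h), b in per_client.items()
                    if h == host and b > threshold_bytes),
                   key=lambda c: -per_client[(c, host)])
    if not heavy:
        return []
    # /32 for IPv4, /128 for IPv6: a single-host ACL entry either way.
    entries = " ".join(f"{c}/{ipaddress.ip_address(c).max_prefixlen}" for c in heavy)
    return ["acl denied_hosts src " + entries, "http_access deny denied_hosts"]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for h, b in sorted(s["bytes_by_host"].items(), key=lambda kv: -kv[1]):
        print(f"{b:>12} bytes  {h}")
    print("clients outside allowed networks:", sorted(s["outside_clients"]))
    print("\n".join(deny_acl_for_host(s, "czdlxy.163.com", 25 * 2**20)))
```

Feed a real access.log into `summarise()` and the two questions in the reply answer themselves: a client outside the allowed networks means the proxy ACL (or border anti-spoofing filter) is not doing its job, and internal clients at the top of the czdlxy.163.com list are the machines to pull off the network and check for malware. The generated deny lines go above `http_access allow allowed_hosts` because Squid evaluates `http_access` rules in order and stops at the first match.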
-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of tim.lane at scu.edu.au
Sent: Monday, August 18, 2008 4:26 AM
To: The EDUCAUSE Security Constituent Group Listserv; unisog at lists.dshield.org; security-l at clix.aarnet.edu.au
Subject: [unisog] Czdlxy.163.com and High Bandwidth Utilisation
Hi All,
we are having an anomaly occur on our network where our Internet link is experiencing 100% utilisation and the proxies are reporting massive downloads from Czdlxy.163.com, but the traffic does not seem to come inside our network to workstations, just to the proxies.
Czdlxy.163.com appears to be related to some Chinese Online Gaming website (but translation makes it difficult to pinpoint exactly). This makes me think that either:
1) Proxy servers are compromised and are hosting content
2) Denial of service
3) Traffic is actually going inside our network and we cannot see it (at this stage).
I realise this is basic information, but has anyone heard of this site before, or do they have any suggestions or thoughts on what could be occurring? Is anyone else seeing something similar?
Thanks,
Tim Lane
Tim Lane
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
Phone (02) 6620 3290 Fax(02) 6620 3033
Email: tlane at scu.edu.au
http://www.scu.edu.au