[Dshield] Has anyone seen this before?

Ernest Eustace e.eustace at bringit.ca
Sat Mar 6 20:48:50 GMT 2004


Hello John,

Thanks for your reply, the logs are from one of our Fortinet ASIC-based A/V
firewalls (www.fortinet.com / .ca for more info).

The units produce several different logs, the entries from my original
e-mail are from the antivirus log which keeps track of virus events and file
blocking events, thus the message "such and such file is blocked".

As noted in my previous e-mails, we prevent all uploading/downloading on the
user subnets, and so these apparent .com files were caught trying to leave
the network.

I correlated the timing and src/dst with the separate traffic logs just to
be sure and confirmed that the destination is port 80, so yes, the
service=http refers to the destination.

Also, by comparing the complete traffic logs with just the A/V/file block
logs, I noticed that some of the systems that communicated with the
207.61.136.8 IP did not try to send out these files.

Also it never seems to be the same system twice, but I would have to go back
through more logs to confirm this. Thus it is difficult to put a sniffer on
one of these machines to see what might be happening, as they don't seem to
do it again any time soon.

Pasted below is the text of the complete traffic logs for this time period
where the destination IP was 207.61.136.8; only the first system, denoted
10.b.c.d, seemed to send out these files.

The other hosts did not appear in the A/V logs from my original e-mail. 

Some systems here in the 192.168.x.x range are from remote sites that go
through us for internet access; also, different hosts/subnets are denoted by
incrementing the c/d in the IP.

Thanks again for any input,
Ernest.

= Traffic log follows =:

28264  2004-03-05 15:41:25 log_id=0001000002 type=traffic subtype=session
pri=notice SN=1014773 duration=60 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763
sent_pkt=1 rcvd_pkt=5 src_port=1225 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=44295  

28292  2004-03-05 15:41:12 log_id=0001000002 type=traffic subtype=session
pri=notice SN=1014717 duration=60 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763
sent_pkt=1 rcvd_pkt=5 src_port=1205 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=44255  

28318  2004-03-05 15:41:02 log_id=0001000002 type=traffic subtype=session
pri=notice SN=1014687 duration=60 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763
sent_pkt=1 rcvd_pkt=5 src_port=1197 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=44236  

28455  2004-03-05 15:40:14 log_id=0001000002 type=traffic subtype=session
pri=notice SN=1014443 duration=120 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763
sent_pkt=1 rcvd_pkt=5 src_port=1169 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=44126  

28526  2004-03-05 15:39:25 log_id=0001000002 type=traffic subtype=session
pri=notice SN=1014496 duration=60 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763
sent_pkt=1 rcvd_pkt=5 src_port=1177 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=44157  

103583  2004-03-05 08:41:46 log_id=0001000002 type=traffic subtype=session
pri=notice SN=894859 duration=39 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d3 srcname=10.b.c.d3 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=952 rcvd=1367
sent_pkt=7 rcvd_pkt=5 src_port=1195 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=58414  

103584  2004-03-05 08:41:46 log_id=0001000002 type=traffic subtype=session
pri=notice SN=894857 duration=39 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d3 srcname=10.b.c.d3 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=1359 rcvd=3390
sent_pkt=9 rcvd_pkt=5 src_port=1193 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=58412  

104633  2004-03-05 08:37:52 log_id=0001000002 type=traffic subtype=session
pri=notice SN=893576 duration=77 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d3 srcname=10.b.c.d3 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=532 rcvd=897
sent_pkt=5 rcvd_pkt=5 src_port=1095 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=57555  

104634  2004-03-05 08:37:52 log_id=0001000002 type=traffic subtype=session
pri=notice SN=893575 duration=77 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d3 srcname=10.b.c.d3 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=922 rcvd=1702
sent_pkt=7 rcvd_pkt=6 src_port=1094 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=57554  

105240  2004-03-05 08:34:06 log_id=0001000002 type=traffic subtype=session
pri=notice SN=892814 duration=71 policyid=16 proto=6 service=80/tcp
status=accept src=192.168.c.d srcname=192.168.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=572 rcvd=328
sent_pkt=5 rcvd_pkt=4 src_port=1197 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=57109  

105242  2004-03-05 08:34:06 log_id=0001000002 type=traffic subtype=session
pri=notice SN=892799 duration=76 policyid=16 proto=6 service=80/tcp
status=accept src=192.168.c.d srcname=192.168.c.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=1825 rcvd=1104
sent_pkt=11 rcvd_pkt=10 src_port=1196 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=57098  

107556  2004-03-05 08:23:33 log_id=0001000002 type=traffic subtype=session
pri=notice SN=890415 duration=15 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d4 srcname=10.b.c.d4 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=1739 rcvd=6400
sent_pkt=12 rcvd_pkt=12 src_port=1181 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=55547  

107557  2004-03-05 08:23:33 log_id=0001000002 type=traffic subtype=session
pri=notice SN=890414 duration=15 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d4 srcname=10.b.c.d4 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=2110 rcvd=4758
sent_pkt=13 rcvd_pkt=12 src_port=1180 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=55546  

108147  2004-03-05 08:21:02 log_id=0001000002 type=traffic subtype=session
pri=notice SN=889519 duration=77 policyid=16 proto=6 service=80/tcp
status=accept src=10.b.c.d5 srcname=10.b.c.d5 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=559 rcvd=344
sent_pkt=5 rcvd_pkt=4 src_port=2436 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=54985  

113476  2004-03-05 07:49:38 log_id=0001000002 type=traffic subtype=session
pri=notice SN=883184 duration=71 policyid=16 proto=6 service=80/tcp
status=accept src=192.168.21.51 srcname=192.168.c2.d dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=720 rcvd=358
sent_pkt=5 rcvd_pkt=3 src_port=1068 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=51734  

114798  2004-03-05 07:40:41 log_id=0001000002 type=traffic subtype=session
pri=notice SN=881557 duration=73 policyid=16 proto=6 service=80/tcp
status=accept src=10.54.1.77 srcname=10.54.c.d6 dst=207.61.136.8
dstname=207.61.136.8 src_int=internal dst_int=external sent=682 rcvd=556
sent_pkt=5 rcvd_pkt=3 src_port=1138 dst_port=80 vpn=n/a tran_ip=199.b.c.d
tran_port=50840  

= end =

-----Original Message-----
From: John Sage
To: General DShield Discussion List
Cc: Ernest Eustace
Sent: 3/6/04 11:28 AM
Subject: Re: [Dshield] Has anyone seen this before?

Ernest:

The firewall logs you show have some familiar aspects, and some that
are unfamiliar.

On Sat, Mar 06, 2004 at 12:53:21AM -0500, Ernest Eustace wrote:
> From: Ernest Eustace <e.eustace at bringit.ca>
> To: "'list at dshield.org'" <list at dshield.org>
> Date: Sat, 6 Mar 2004 00:53:21 -0500 
> Subject: [Dshield] Has anyone seen this before?
> 
> I have noticed a few PCs in our network trying to send out what
> appears to be .com files, with names that make them appear to be web
> sites, pasted below are a few edited examples from our gateway
> firewall's logs:
> 
> 2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:40:12 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:40:02 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:38:25 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:38:14 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183
> service=http msg="The file www.theweathernetwork.com is blocked."

"service=http" Is this the source service (i.e. on your network) or
the destination service (i.e. on their networks)?

msg="The file www.[oldnavy|theweathernetwork].com is blocked." is quite
specific, and yet is not a phrase that comes up in any google search I
can contrive.

Exactly what program/service/whatever is generating this?


On quick inspection it looks as though something is firing on a
fragment of the URL www.oldnavy.com or www.theweathernetwork.com...

...but what, and why?



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
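The correlation Ernest describes above (matching each antivirus "file is blocked" event to the session in the separate traffic log by src/dst and timing, then listing the hosts that talked to 207.61.136.8 without tripping a block) written out as a small Python script. This is an added example, not code from the thread or from Fortinet. The sample lines are constructed from the entries pasted in this thread: three of the wrapped traffic entries joined back onto one line each, and three AV lines kept exactly as quoted, "..." elisions included. It assumes, as the pasted pairs suggest (15:41:25 with duration=60 against a block at 15:40:25, 15:40:14 with duration=120 against a block at 15:38:14), that the traffic entry's timestamp is the session's close time, so session start = timestamp minus duration; that assumption, the two-second slack and every function name below are this example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: traffic entries from the thread, re-joined onto one line.
TRAFFIC_LOG = """\
28264  2004-03-05 15:41:25 log_id=0001000002 type=traffic subtype=session pri=notice SN=1014773 duration=60 policyid=16 proto=6 service=80/tcp status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8 dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763 sent_pkt=1 rcvd_pkt=5 src_port=1225 dst_port=80 vpn=n/a tran_ip=199.b.c.d tran_port=44295
28455  2004-03-05 15:40:14 log_id=0001000002 type=traffic subtype=session pri=notice SN=1014443 duration=120 policyid=16 proto=6 service=80/tcp status=accept src=10.b.c.d srcname=10.b.c.d dst=207.61.136.8 dstname=207.61.136.8 src_int=internal dst_int=external sent=60 rcvd=763 sent_pkt=1 rcvd_pkt=5 src_port=1169 dst_port=80 vpn=n/a tran_ip=199.b.c.d tran_port=44126
107556  2004-03-05 08:23:33 log_id=0001000002 type=traffic subtype=session pri=notice SN=890415 duration=15 policyid=16 proto=6 service=80/tcp status=accept src=10.b.c.d4 srcname=10.b.c.d4 dst=207.61.136.8 dstname=207.61.136.8 src_int=internal dst_int=external sent=1739 rcvd=6400 sent_pkt=12 rcvd_pkt=12 src_port=1181 dst_port=80 vpn=n/a tran_ip=199.b.c.d tran_port=55547
"""

# Constructed sample: AV block lines as quoted in the thread ("..." left as is).
AV_LOG = """\
2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:38:14 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183 service=http msg="The file www.theweathernetwork.com is blocked."
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, quoted values may hold spaces
TS_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')


def parse_line(line):
    """Turn one key=value log line into a dict (leading row number and '...' ignored)."""
    m = TS_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['time'] = datetime.strptime(m.group(0), '%Y-%m-%d %H:%M:%S')
    return rec


def parse_sessions(text):
    """Traffic records, with start/end derived on the assumption (this example's,
    suggested by the pasted pairs) that the logged time is the session close."""
    sessions = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get('type') == 'traffic':
            rec['end'] = rec['time']
            rec['start'] = rec['end'] - timedelta(seconds=int(rec['duration']))
            sessions.append(rec)
    return sessions


def parse_av_events(text):
    """AV log records: any parsed line carrying a msg= field."""
    return [r for r in map(parse_line, text.splitlines()) if r and 'msg' in r]


def correlate(events, sessions, slack=timedelta(seconds=2)):
    """For each AV event, the sessions with the same src/dst whose
    [start, end] window covers the event time (slack absorbs clock skew
    between the two logs). Returns a list of (event, matching sessions)."""
    out = []
    for ev in events:
        hits = [s for s in sessions
                if s['src'] == ev['src'] and s['dst'] == ev['dst']
                and s['start'] - slack <= ev['time'] <= s['end'] + slack]
        out.append((ev, hits))
    return out


def hosts_without_block(events, sessions):
    """Hosts that reached a destination named in the AV log but never had a
    file blocked there: the set Ernest noticed in the full traffic log."""
    blocked_pairs = {(e['src'], e['dst']) for e in events}
    flagged_dsts = {e['dst'] for e in events}
    return sorted({s['src'] for s in sessions
                   if s['dst'] in flagged_dsts
                   and (s['src'], s['dst']) not in blocked_pairs})


if __name__ == '__main__':
    sessions = parse_sessions(TRAFFIC_LOG)
    events = parse_av_events(AV_LOG)
    for ev, hits in correlate(events, sessions):
        print(ev['time'], ev['src'], '->', ev['dst'], ev['msg'])
        for s in hits:
            print('   session SN=%s src_port=%s sent=%s/%s pkts rcvd=%s/%s pkts'
                  % (s['SN'], s['src_port'], s['sent'], s['sent_pkt'],
                     s['rcvd'], s['rcvd_pkt']))
    print('talked to a flagged destination, nothing blocked:',
          hosts_without_block(events, sessions))
```

Run as-is, the script pairs the 15:40:25 block with the session logged at 15:41:25 (src_port 1225) and the 15:38:14 block with the 120-second session logged at 15:40:14 (src_port 1169), finds no session at all for the 13:22:30 event (the sample does not include 64.124.201.183 traffic), and reports 10.b.c.d4 as a host that reached 207.61.136.8 without a block. The byte counters on the matched sessions (sent=60 in a single packet, against multi-packet exchanges from the other hosts) are worth printing alongside the match, since that profile is what distinguishes the blocked sessions in the pasted data.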



