help with an intrusion...

Answered Question
Nov 24th, 2007

Hi,

I syslog to a Kiwi syslog server, and rotate the PIX log files every day. I discovered that the daily log file size is now averaging 10 times what it was in June.

After looking around, I found a lot of these type of entries:

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985

304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985

The source IP varies, although currently it's 99.999% 211.100.29.104, as does end IP & port in the accessed URL.

211.100.29.104 doesn't resolve to a specific name, but resides in Beijing.

209.129.192.52 is an address of our web server. I don't understand the 209.129.192.52:http://… construction, but it seems clear we're being used for something we'd rather not (to put it mildly…).

Looking at the log file from 6/13 and the log file from today, there are 149 times as many occurrences of “:http:” today.

I also note, however, that “:http:” occurs in what seems likely to be legitimate traffic, w/ log entries like this:

65.119.214.9 Accessed URL 209.129.192.52:http://search.yahoo.com/search?ei=UTF-8&fr=sfp&p=teenlist&n=40

The ACE for 209.129.192.52 is access-list acl_outside permit tcp any host 209.129.192.52 eq www.

I've added an entry to block IP from 211.100.29.104, but that doesn't stop the next source…

Anyone care to advise as to what is going on, and what I can do to stop it? (IPS? NAC? CSA? Non-Cisco tools?)

Thx…

I have this problem too.
0 votes
Correct Answer by bauer.juergen about 9 years 1 week ago

209.129.192.52 80 high anonymity United States 2007-11-25 Whois

http://www.publicproxyservers.com/page2.html

but it seems you have fixed it already :-)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.

Hello.

What details do you have on the 121.205.88.229 address.

If you have an acl applied for the web server out, it maybe worthwile restricting access from this server further(inside to outside).

Do a check the IP WHOIS info for the 211.100.29.104 and block the allocated range if the addresses are coming from the same range.

bauer.juergen Mon, 11/26/2007 - 02:24

check if your webserver acts as a reverse proxy. to me it seems that someone is using your webserver as proxy to hide his ip.

regards,

juergen

mhellman Mon, 11/26/2007 - 06:39

That appears to be an attempt to use 209.129.192.52 as an open web proxy. Unfortunately, scans for open proxies are pretty much a constant thing. You really need to figure out if they were successful (the scans will occur whether successful or not). I would suggest:

1) evaluate the actual web server logs to determine whether they were successful.

2) setup a browser on an external host with that IP address as a proxy. does it work(if you request yahoo.com, does it return yahoo.com)?

doh! just saw that you got some answers already. must have gotten a cached page.

Actions

This Discussion