help with an intrusion...

Nov 24th, 2007
I syslog to a Kiwi syslog server, and rotate the PIX log files every day. I discovered that the daily log file size is now averaging 10 times what it was in June.

After looking around, I found a lot of entries of this type:

304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL
304001: Accessed URL

The source IP varies, although currently it's 99.999% , as do the end IP & port in the accessed URL. doesn't resolve to a specific name, but resides in Beijing. is an address of our web server. I don't understand the … construction, but it seems clear we're being used for something we'd rather not be (to put it mildly…).

Looking at the log file from 6/13 and the log file from today, there are 149 times as many occurrences of “:http:” today.

I also note, however, that “:http:” occurs in what seems likely to be legitimate traffic, w/ log entries like this: Accessed URL

The ACE for is access-list acl_outside permit tcp any host eq www.

I've added an entry to block IP from, but that doesn't stop the next source…

Anyone care to advise as to what is going on, and what I can do to stop it? (IPS? NAC? CSA? Non-Cisco tools?)
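An added example, not code from the thread, showing how the proxy-style 304001 entries described above can be sifted out of a Kiwi syslog file. It assumes Cisco's documented `304001: <source> Accessed URL <dest>:<url>` layout, a constructed set of sample lines using RFC 5737 placeholder addresses, and `www.example.com` / `192.0.2.80` standing in for the poster's web server; entries whose URL is absolute and names a host other than our own are the suspected open-proxy requests, while relative paths and our own hostname are ordinary traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample syslog lines (RFC 5737 placeholder addresses, not the
# addresses from the post). Layout follows Cisco's documented 304001 message:
#   %PIX-5-304001: <source> Accessed URL <dest>:<url>
SAMPLE_LOG = """\
Nov 25 10:01:02 fw %PIX-5-304001: 203.0.113.10 Accessed URL 192.0.2.80:http://www.example.com/index.html
Nov 25 10:01:03 fw %PIX-5-304001: 203.0.113.10 Accessed URL 192.0.2.80:http://198.51.100.7:8080/cgi-bin/x.cgi
Nov 25 10:01:04 fw %PIX-5-304001: 203.0.113.11 Accessed URL 192.0.2.80:http://198.51.100.9:80/
Nov 25 10:01:05 fw %PIX-5-304001: 203.0.113.10 Accessed URL 192.0.2.80:/images/logo.gif
Nov 25 10:01:06 fw %PIX-5-304001: 203.0.113.12 Accessed URL 192.0.2.80:http://www.example.com/about/
"""

# Names/addresses that legitimately belong to our own web server (assumed values).
OWN_HOSTS = {"www.example.com", "192.0.2.80"}

LINE_RE = re.compile(
    r"304001: (?P<src>\d+\.\d+\.\d+\.\d+) Accessed URL (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<url>\S+)"
)

def parse_304001(line):
    """Return (source_ip, dest_ip, url) for a 304001 line, else None."""
    m = LINE_RE.search(line)
    return (m["src"], m["dst"], m["url"]) if m else None

def is_proxy_request(url, own_hosts=OWN_HOSTS):
    """True when the logged URL is absolute and names a host that is not ours,
    i.e. the client asked our server to fetch a third party's page. A relative
    path such as /images/logo.gif is an ordinary request to our own site."""
    if "://" not in url:
        return False
    host = urlsplit(url).hostname
    return host is not None and host not in own_hosts

def find_proxy_attempts(log_text, own_hosts=OWN_HOSTS):
    """Count suspected proxy requests per source IP and the foreign hosts named."""
    per_source, targets = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_304001(line)
        if parsed and is_proxy_request(parsed[2], own_hosts):
            per_source[parsed[0]] += 1
            targets[urlsplit(parsed[2]).netloc] += 1
    return per_source, targets

if __name__ == "__main__":
    sources, targets = find_proxy_attempts(SAMPLE_LOG)
    for src, n in sources.most_common():
        print(f"{src}: {n} proxy-style request(s) via our web server")
```

A source that shows up here with a large count, while the URL hosts it asks for vary, is the pattern the question describes; the same counting run over the June and current files would also give the per-day comparison the poster did by hand.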


Correct Answer by bauer.juergen

80 high anonymity United States 2007-11-25 Whois

but it seems you have fixed it already :-)



What details do you have on the address?

If you have an ACL applied for the web server outbound, it may be worthwhile restricting access from this server further (inside to outside).

Check the IP WHOIS info for the and block the allocated range if the addresses are coming from the same range.

bauer.juergen Mon, 11/26/2007 - 02:24

Check if your webserver acts as a reverse proxy. To me it seems that someone is using your webserver as a proxy to hide his IP.



mhellman Mon, 11/26/2007 - 06:39

That appears to be an attempt to use as an open web proxy. Unfortunately, scans for open proxies are pretty much a constant thing. You really need to figure out if they were successful (the scans will occur whether successful or not). I would suggest:

1) Evaluate the actual web server logs to determine whether they were successful.

2) Set up a browser on an external host with that IP address as a proxy. Does it work (if you request , does it return

Doh! Just saw that you got some answers already. Must have gotten a cached page.

