11-24-2007 11:34 AM - edited 03-09-2019 07:28 PM
Hi,
I syslog to a Kiwi syslog server, and rotate the PIX log files every day. I discovered that the daily log file size is now averaging 10 times what it was in June.
After looking around, I found a lot of these type of entries:
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
The source IP varies, although currently it's 99.999% 211.100.29.104, as do the end IP and port in the accessed URL.
211.100.29.104 doesn't resolve to a specific name, but resides in Beijing.
209.129.192.52 is an address of our web server. I don't understand the 209.129.192.52:http://… construction, but it seems clear we're being used for something we'd rather not (to put it mildly…).
Looking at the log file from 6/13 and the log file from today, there are 149 times as many occurrences of “:http:” today.
I also note, however, that “:http:” occurs in what seems likely to be legitimate traffic, with log entries like this:
65.119.214.9 Accessed URL 209.129.192.52:http://search.yahoo.com/search?ei=UTF-8&fr=sfp&p=teenlist&n=40
The ACE for 209.129.192.52 is access-list acl_outside permit tcp any host 209.129.192.52 eq www.
I've added an entry to block IP from 211.100.29.104, but that doesn't stop the next source…
Anyone care to advise as to what is going on, and what I can do to stop it? (IPS? NAC? CSA? Non-Cisco tools?)
Thx…
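An added example, not the poster's or Cisco's code: a small Python parser for the 304001 lines above that separates proxy-style requests (the request-URI is a full http://... URL, which a browser only sends when it believes it is talking to a proxy) from ordinary path requests, and tallies them per source and per requested target. The sample log is the lines quoted in the post plus two constructed path-style requests for contrast; the OUR_SERVERS set and the flagging thresholds are assumptions. By this rule the search.yahoo.com line has the same shape as the Beijing ones.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the 304001 lines quoted in the post plus two ordinary
# path-style requests (constructed) so the two shapes can be compared.
SAMPLE_LOG = """\
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.50:http://121.205.88.229:1985
304001: 211.100.29.104 Accessed URL 209.129.192.52:http://121.205.88.229:1985
304001: 65.119.214.9 Accessed URL 209.129.192.52:http://search.yahoo.com/search?ei=UTF-8&fr=sfp&p=teenlist&n=40
304001: 198.51.100.7 Accessed URL 209.129.192.52:/index.html
304001: 198.51.100.8 Accessed URL 209.129.192.52:/images/logo.gif
"""

# 304001 layout as it appears in the post: "<msgid>: <client> Accessed URL <server>:<request-uri>"
LINE_RE = re.compile(
    r"(?:%PIX-\d-)?304001:\s+(?P<client>\S+)\s+Accessed URL\s+"
    r"(?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<uri>\S+)"
)

# Assumed: the addresses that belong to our own web servers.
OUR_SERVERS = {"209.129.192.52", "209.129.192.50"}


def parse_304001(line):
    """Return (client, server, uri) or None if the line is not a 304001 message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("server"), m.group("uri")


def is_absolute_uri(uri):
    """True when the request line carried a full URL rather than a path.

    A browser only sends an absolute URI when it thinks the server is a proxy,
    so this is the shape of an open-proxy probe or of successful proxy abuse."""
    return uri.lower().startswith(("http://", "https://"))


def proxy_target(uri):
    """Host the client was trying to reach through us (hostname only, port dropped)."""
    return urlsplit(uri).hostname


def summarize(log_text):
    """Count absolute-URI requests per client and per requested target."""
    by_client = Counter()
    by_target = Counter()
    total = Counter()
    for line in log_text.splitlines():
        parsed = parse_304001(line)
        if not parsed:
            continue
        client, server, uri = parsed
        if server not in OUR_SERVERS:
            continue
        total[client] += 1
        if is_absolute_uri(uri):
            by_client[client] += 1
            by_target[proxy_target(uri)] += 1
    return {"by_client": by_client, "by_target": by_target, "total": total}


def flag_clients(summary, min_requests=2, min_ratio=0.9):
    """Clients whose traffic to us is almost entirely proxy-style: candidates for
    a block or for the WHOIS range lookup suggested later in the thread."""
    flagged = []
    for client, n in summary["total"].items():
        abs_n = summary["by_client"][client]
        if n >= min_requests and abs_n / n >= min_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("absolute-URI requests per client:", dict(s["by_client"]))
    print("targets requested through us:", dict(s["by_target"]))
    print("clients to review:", flag_clients(s))
```

Run it over a day's rotated Kiwi file instead of SAMPLE_LOG to get the per-source and per-target counts; the by_target counter is what tells you which outside hosts are being requested through the server, which is the question the rest of the thread turns on.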
11-26-2007 02:34 AM
209.129.192.52 80 high anonymity United States 2007-11-25 Whois
http://www.publicproxyservers.com/page2.html
but it seems you have fixed it already :-)
11-25-2007 10:01 PM
Hello.
What details do you have on the 121.205.88.229 address.
If you have an ACL applied for the web server outbound, it may be worthwhile restricting access from this server further (inside to outside).
Do a check of the IP WHOIS info for 211.100.29.104 and block the allocated range if the addresses are coming from the same range.
11-26-2007 02:24 AM
Check if your webserver acts as a reverse proxy. To me it seems that someone is using your webserver as a proxy to hide his IP.
regards,
juergen
11-26-2007 06:39 AM
That appears to be an attempt to use 209.129.192.52 as an open web proxy. Unfortunately, scans for open proxies are pretty much a constant thing. You really need to figure out if they were successful (the scans will occur whether successful or not). I would suggest:
1) Evaluate the actual web server logs to determine whether they were successful.
2) Set up a browser on an external host with that IP address as a proxy. Does it work (if you request yahoo.com, does it return yahoo.com)?
doh! just saw that you got some answers already. must have gotten a cached page.
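Step 1 of the reply above, as an added example that is not part of the original thread: a Python script that reads Apache combined-format access log lines and reports, for each request whose target is an absolute URI for a host we do not serve (or a CONNECT tunnel request), what status the server returned. A 2xx on such a request means the server accepted a request for someone else's host and answered it. The log lines are constructed for the example, and OUR_HOSTS is an assumption about which names the server legitimately answers for.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-format lines (not from the thread): two proxy-style
# requests, one CONNECT tunnel probe, and one ordinary request for comparison.
SAMPLE_ACCESS_LOG = """\
211.100.29.104 - - [25/Nov/2007:10:15:02 -0800] "GET http://121.205.88.229:1985/ HTTP/1.0" 200 3421 "-" "Mozilla/4.0"
211.100.29.104 - - [25/Nov/2007:10:15:03 -0800] "CONNECT 121.205.88.229:1985 HTTP/1.0" 405 512 "-" "Mozilla/4.0"
65.119.214.9 - - [25/Nov/2007:10:20:11 -0800] "GET http://search.yahoo.com/search?p=teenlist HTTP/1.1" 404 298 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2007:10:21:40 -0800] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
"""

# Assumed: hostnames and addresses the server legitimately answers for.
OUR_HOSTS = {"209.129.192.52", "209.129.192.50", "www.example.com"}

# client ident user [time] "method target proto" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_access_line(line):
    """Return the parsed fields as a dict, or None if the line is not combined format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def classify(entry):
    """'tunnel-attempt' for CONNECT, 'proxy-attempt' for an absolute URI whose host
    we do not serve, 'local' for everything else."""
    target = entry["target"]
    if entry["method"] == "CONNECT":
        return "tunnel-attempt"
    if target.lower().startswith(("http://", "https://")):
        return "local" if urlsplit(target).hostname in OUR_HOSTS else "proxy-attempt"
    return "local"


def analyze(log_text):
    """Per-line verdicts. likely_success is True for a 2xx on a non-local request.

    Caveat: a server that is not a proxy may still answer an absolute-URI request
    with its own content from the path part and return 200, so a hit here is a
    lead to confirm (compare byte counts, or run the external proxy test from
    step 2), not proof on its own."""
    results = []
    for line in log_text.splitlines():
        e = parse_access_line(line)
        if not e:
            continue
        kind = classify(e)
        results.append({
            "client": e["client"],
            "kind": kind,
            "status": e["status"],
            "bytes": e["bytes"],
            "likely_success": kind != "local" and 200 <= e["status"] < 300,
        })
    return results


def summarize(results):
    """Counts per request kind plus the list of requests that look like they worked."""
    kinds = Counter(r["kind"] for r in results)
    successes = [r for r in results if r["likely_success"]]
    return {"kinds": kinds, "likely_successes": successes}


if __name__ == "__main__":
    report = summarize(analyze(SAMPLE_ACCESS_LOG))
    print("request kinds:", dict(report["kinds"]))
    for r in report["likely_successes"]:
        print("possible proxied response:", r)
```

If the script reports no 2xx responses on proxy-style requests, the probes in the PIX log were most likely unsuccessful and the remaining cost is log volume; if it does, the byte counts of those responses against what the real target serves, or the browser test in step 2, settle whether the server is actually relaying.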