Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 11914 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange Source IP in Web Protection Report

Chiprock

I am getting log entries in the web report when I filter by users that point to a source of a public IP and destination of a public IP.  Not sure how this is happening... below is an example of one of the log entries.  So the source is 178.32.144.166 and destination is 208.93.105.173.  So its like that IP (178.32.144.166) which is located in france is trying to do a yellow page lookup (208.93.105.173).  Furthermore the source IP resolves to Darknetwiki.com.  I am part of a botnet?  wth is going on here?

Note - My internal network is 192.168.0.0/24

2017:06:04-19:13:50 sophosutm httpproxy[5560]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="178.32.144.166" dstip="208.93.105.173" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="131063" request="0x8aa8400" url="https://www.yellowpages.com/" referer="" error="" authtime="0" dnstime="24578" cattime="133" avscantime="0" fullreqtime="2745288" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" exceptions="" category="108" reputation="trusted" categoryname="Public Information"



This thread was automatically locked due to age.
  • 0

    I should also note that when I take a look at my firewall log and search for 178.32.144.166 or 208.93.105.173 I don't seem to find any corresponding entries and I believe I have it logging all traffic.

  • 0

    Hi Chiprock,

    looks like you're a public proxy :)

    Have you added "Any" or "Any IPv4 address" to the allowed networks of your proxy settings?

     

    Jas Man

  • 0 in reply to Jas Man

    Haha, yeah I like to help the hackers out but that may be a bridge too far.  I don't believe I have any "Any" rules in my proxy settings but to make sure we are talking about the same settings, how do I find the "proxy settings" in UTM 9?  I one simple allow internal rule and block all others in the firewall and am using masquering for firewalls.  I am pretty familiar with Cisco, CP, and Fortinet devices but this is my first time using a Sophos device.

  • +1 in reply to Chiprock

    :-)

    You find the default proxy settings under Web Protection -> Web Filtering. There's an "Allowed Networks" area where you can define the networks and/or hosts which are allowed to use the proxy.

    If you have more than one web proxy profil, you will find the other ones under "Web Filter Profiles". Every profile has its own "Allowed Networks" section.

     

    I'm not sure how the UTM behaves when you define "Any" as allowed networks in the proxy settings. In my opinion it should not allow the access from external. But your logs look like it do. Very strange...

     

     

  • 0 in reply to Jas Man

    Oh....a hidden hint in your screenshot: darknetwiki.com. You've mention it, but this domain is not resolveable with normal DNS servers.

    Are you using a Tor client/server in your network? Then this could be the connections from other Tor clients which use your Internet connection as exit from within your LAN.

     

    Jas

  • 0 in reply to Jas Man

    So I did in fact have "any" listed under allowed networks at Web Protection -> Web Filtering.  I used to have this device setup in a bridge mode, and just converted it over to natting/firewall.  I changed this to only list the internal networks as being allowed and will monitor. 

    I also spent some additional time digging thru the firewall logs and don't believe I had any actual transfer of data.  Meaning I think the web filtering blade was logging the traffic however the firewall was dropping it.  Very strange.  You would think it would be the opposite (firewall acts on it first before it gets to the web filtering).  Either way I don't think I was compromised.

    Lastly... the short answer is I wasn't operating any tor/dark data that I am aware of.  This utility is great, in that it gives visibility into your network without having to dig thru packets.

    @JasMan Thanks for the help.  I will keep you posted but I have a very good feeling about this.

Unfiltered HTML