Strange Source IP in Web Protection Report

I am getting log entries in the web report when I filter by users that point to a source of a public IP and a destination of a public IP. Not sure how this is happening... below is an example of one of the log entries. So the source is 178.32.144.166 and the destination is 208.93.105.173. So it's like that IP (178.32.144.166), which is located in France, is trying to do a yellow page lookup (208.93.105.173). Furthermore, the source IP resolves to Darknetwiki.com. Am I part of a botnet? wth is going on here?

Note - My internal network is 192.168.0.0/24

2017:06:04-19:13:50 sophosutm httpproxy[5560]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="178.32.144.166" dstip="208.93.105.173" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="131063" request="0x8aa8400" url="https://www.yellowpages.com/" referer="" error="" authtime="0" dnstime="24578" cattime="133" avscantime="0" fullreqtime="2745288" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36" exceptions="" category="108" reputation="trusted" categoryname="Public Information"
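As an added example (not code from the original post or from Sophos): a small Python check that parses httpproxy entries of the form shown above and flags accepted requests whose source address lies outside the 192.168.0.0/24 internal network, which is exactly what makes this log line an open-proxy indicator. The two extra RFC 1918 ranges and the second, internal sample line are assumptions.

```python
import ipaddress
import re

# Client networks that are supposed to use the proxy. 192.168.0.0/24 is the
# internal network named in the post; the other two RFC 1918 ranges are an
# assumption, so adjust the list to match your own "Allowed Networks".
ALLOWED_CLIENT_NETS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# httpproxy lines are a timestamp/process prefix followed by key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed samples: the first is the post's own entry shortened to the
# fields used here, the second is a made-up ordinary request from the LAN.
SAMPLE_LINES = [
    '2017:06:04-19:13:50 sophosutm httpproxy[5560]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="CONNECT" srcip="178.32.144.166" dstip="208.93.105.173" '
    'user="" statuscode="200" url="https://www.yellowpages.com/"',
    '2017:06:04-19:14:02 sophosutm httpproxy[5560]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="GET" srcip="192.168.0.42" dstip="93.184.216.34" '
    'user="alice" statuscode="200" url="http://example.com/"',
]

def parse_httpproxy_line(line):
    """Return the key="value" fields of one httpproxy log line as a dict."""
    return dict(KV_RE.findall(line))

def is_external_client(srcip):
    """True when the requesting client is outside every allowed network."""
    addr = ipaddress.ip_address(srcip)
    return not any(addr in net for net in ALLOWED_CLIENT_NETS)

def find_open_proxy_hits(lines):
    """List (srcip, method, url) for requests the proxy accepted ("pass") from
    clients outside every allowed network; any hit means the proxy is usable
    from the Internet and the Allowed Networks setting needs review."""
    hits = []
    for line in lines:
        f = parse_httpproxy_line(line)
        if f.get("action") != "pass" or "srcip" not in f:
            continue
        if is_external_client(f["srcip"]):
            hits.append((f["srcip"], f.get("method", ""), f.get("url", "")))
    return hits
```

Run it over a day of httpproxy log lines instead of SAMPLE_LINES; an empty result after tightening Allowed Networks confirms the fix took effect.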

  • Hi Chiprock,

    looks like you're a public proxy :)

    Have you added "Any" or "Any IPv4 address" to the allowed networks of your proxy settings?

    Jas Man

  • Haha, yeah I like to help the hackers out, but that may be a bridge too far. I don't believe I have any "Any" rules in my proxy settings, but to make sure we are talking about the same settings, how do I find the "proxy settings" in UTM 9? I have one simple allow-internal rule and block all others in the firewall, and am using masquerading for firewalls. I am pretty familiar with Cisco, CP, and Fortinet devices, but this is my first time using a Sophos device.

  • :-)

    You find the default proxy settings under Web Protection -> Web Filtering. There's an "Allowed Networks" area where you can define the networks and/or hosts which are allowed to use the proxy.

    If you have more than one web proxy profile, you will find the others under "Web Filter Profiles". Every profile has its own "Allowed Networks" section.

    I'm not sure how the UTM behaves when you define "Any" as allowed networks in the proxy settings. In my opinion it should not allow access from external. But your logs look like it does. Very strange...

  • Oh... a hidden hint in your screenshot: darknetwiki.com. You've mentioned it, but this domain is not resolvable with normal DNS servers.

    Are you using a Tor client/server in your network? Then these could be connections from other Tor clients which use your Internet connection as an exit from within your LAN.

    Jas
