iflyvfr
Level 7

Blackhole Exploit Activity, how to determine culprit?

Our IPS reports a security threat: "we are seeing traffic indicating the exploitation and possible infection of the host at 192.168.1.34/192.168.1.34 by the Blackhole exploit kit being served by 129.121.201.163." The problem is that the internal IP is our web gateway, and we cannot see, or do not know how to see, which client has the infection on it. Any assistance would be greatly appreciated.

Should we call tech support?

Thank you.

0 Kudos
4 Replies
iflyvfr
Level 7

Re: Blackhole Exploit Activity, how to determine culprit?

Also, is there no way to see realtime activity on the web gateway?

Thanks again!

0 Kudos
eelsasser
Level 15

Re: Blackhole Exploit Activity, how to determine culprit?

By logging the destination IP address in the access logs, you could correlate that site with the IPS.

By putting this property in the logs:

+ IP.ToString (URL.Destination.IP)

And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.

Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.
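
The correlation described above (IPS-reported destination IP matched against access-log lines that carry both src_ip and the destination IP) as an added example, not code from the original thread or from MWG itself. The log-line layout, the sample lines and the column order are assumptions constructed for the example; a real access.log format depends on the log handler's own line definition.

```python
"""Correlate an IPS-reported destination IP with web-gateway access-log lines.

Assumed (constructed) line layout, one request per line:
  [timestamp] src_ip dst_ip status "METHOD url" block_reason
where dst_ip is the column assumed to have been added with
IP.ToString(URL.Destination.IP), and block_reason is "-" when the
request was allowed. Real MWG log layouts differ; adjust LINE_RE.
"""
import re

# Constructed sample log lines (not captured from a real gateway).
SAMPLE_ACCESS_LOG = """\
[01/Feb/2013:08:30:01 -0600] 192.168.1.50 198.51.100.10 200 "GET http://www.example.com/index.html" -
[01/Feb/2013:08:30:05 -0600] 192.168.1.77 129.121.201.163 200 "GET http://landing.example/index.php" -
[01/Feb/2013:08:30:06 -0600] 192.168.1.77 129.121.201.163 403 "GET http://landing.example/payload.jar" Malware
[01/Feb/2013:08:30:09 -0600] 192.168.1.12 129.121.201.163 403 "GET http://landing.example/index.php" Malware
this line is malformed and must be skipped, not crash the parser
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    rf"(?P<src>{IPV4})\s+"
    rf"(?P<dst>{IPV4})\s+"
    r"(?P<status>\d{3})\s+"
    r'"(?P<request>[^"]*)"\s+'
    r"(?P<block>\S+)\s*$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["blocked"] = rec["block"] != "-"
    return rec


def correlate(log_text, ips_dest_ip):
    """Map each client (src_ip) that talked to ips_dest_ip to its allowed/blocked counts.

    Returns {src_ip: {"allowed": n, "blocked": n, "requests": [(ts, status, request, block), ...]}}.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != ips_dest_ip:
            continue
        entry = hits.setdefault(rec["src"], {"allowed": 0, "blocked": 0, "requests": []})
        entry["blocked" if rec["blocked"] else "allowed"] += 1
        entry["requests"].append((rec["ts"], rec["status"], rec["request"], rec["block"]))
    return hits


def clients_needing_triage(hits):
    """Clients with at least one request to the reported IP that the gateway let through.

    A client whose requests were all blocked matches the "MWG blocked it and it
    didn't make it to the client" case and is lower priority.
    """
    return sorted(ip for ip, entry in hits.items() if entry["allowed"] > 0)


if __name__ == "__main__":
    # The destination IP is the one quoted in the IPS alert on this thread.
    result = correlate(SAMPLE_ACCESS_LOG, "129.121.201.163")
    for client, entry in sorted(result.items()):
        print(f"{client}: allowed={entry['allowed']} blocked={entry['blocked']}")
    print("triage first:", clients_needing_triage(result))
```

Run it against a real access.log by replacing SAMPLE_ACCESS_LOG with the file contents and LINE_RE with a pattern matching your own log-line definition; the useful output is the split between clients whose requests were blocked by the gateway and clients where at least one request was allowed through.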

Regis
Level 12

Re: Blackhole Exploit Activity, how to determine culprit?

eelsasser wrote:

By logging the destination IP address in the access logs, you could correlate that site with the IPS.

By putting this property in the logs:

+ IP.ToString (URL.Destination.IP)

And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.

Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.

Superb advice, and it had been on my to-do list for a while, because the IPS will always report IPs, and botnet lists provided by various sources are generally all IP related. And scraping logs for target hostnames and iteratively forward-resolving them and praying the resolution hasn't changed since the time the botnet incident occurred... is icky and, with how much fast-flux DNS is out there in the bot world, ineffective.

0 Kudos
Regis
Level 12

Re: Blackhole Exploit Activity, how to determine culprit?

iflyvfr wrote:

Also, is there no way to see realtime activity on the web gateway?

Thanks again!

Log in to the gateway via ssh:

tail -f /opt/mwg/log/user-defined-logs/access.log/access.log | fgrep ip.address.from.your.ids

But it does get a little wonky when access.log rolls.

on 2/1/13 8:31:32 AM CST
0 Kudos