cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Level 7
Report Inappropriate Content
Message 1 of 4

Unusual web activity?

I from time to time I see 10's of thousands of web hits for a site: 1.sic.33across.com

The specific post I see in my proxy logs looks like this:

http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398275999463

33across is suppose to be some type of marketing or ads on the Internet but when I see close to 50k successful web hits in an hour time for one user to this one site it is alarming. On a side note I have also seen from time to time other URL's that do this but instead of successful "200" codes I see "302" codes for these urls, or "204", and closing the user's browser seems to resolve the issues.  I want to say it is an IE glitch but I don't know, and thought maybe the proxy is doing something bizzare from time to time. 

Please let me know if anyone else has seen simalar problems with the 33across or other pages?

Thank you,

Brian 

3 Replies
Highlighted

Re: Unusual web activity?

Interesting.

I don't know anything suspicious about 33across, but i wonder if...

Are you logging the referrer to see if 33across is embedded into some other site's page as an obect?

Is it from one particular Client.IP?

Sometimes I have an open proxy at home for testing. When i do, i invariably get some bots finding the proxy and using it to initiate advertising click attacks. I don't know what is driving these clients, but it could be some sort of spyware/adware/malware.

Highlighted
Level 7
Report Inappropriate Content
Message 3 of 4

Re: Unusual web activity?

Here is the first entry that referenced 33across:

[23/Apr/2014:13:20:41 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 69.31.28.240 "sic-akamai.33across.com" 200 "text/plain" 617 0 "103" "16" "HTTP" "GET" "http://sic-akamai.33across.com/1/javascripts/sic.js"!==! "HTTP/1.1" "GET http://sic-akamai.33across.com/1/javascripts/sic.js HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://www.latimes.com/sports/hockey/la-sp-kings-sharks-game-3-pictures-20140422,0,5331382.photogallery?index=lat-sharks-la0017085315-20140422" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

There are only 2-3 entries per minute to follow for the next few minutes then 700-800 entries per minutes for the next few hours there was 5 minute break where it went back down to only 2-3 entries also, and here is what they look like:

 

[23/Apr/2014:13:26:00 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 67.202.66.189 "1.sic.33across.com" 200 "text/plain" 642 393 "23879" "19" "HTTP" "POST" "http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371"!==! "HTTP/1.1" "POST http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371 HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://1.sic.33across.com/session/iframe.html#_im2x397" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

Thank you,

Brian

Highlighted

Re: Unusual web activity?

I had a client sitting on that page from the time i read this post this morning to now...all day.

These are the longest run of 33across that came out all day:

capture.png

capture2.png

I had a lot more ping.chartbeat.net hits than i did with 33across .

But none of them where outragus like you see.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community