bkirk
Level 7

Unusual web activity?

From time to time I see tens of thousands of web hits for a site: 1.sic.33across.com

The specific post I see in my proxy logs looks like this:

http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398275999463

33across is supposed to be some type of marketing or ads on the Internet, but when I see close to 50k successful web hits in an hour's time for one user to this one site it is alarming. On a side note, I have also seen from time to time other URLs that do this, but instead of successful "200" codes I see "302" codes for these URLs, or "204", and closing the user's browser seems to resolve the issues. I want to say it is an IE glitch but I don't know, and thought maybe the proxy is doing something bizarre from time to time.

Please let me know if anyone else has seen similar problems with 33across or other pages.

Thank you,

Brian 

0 Kudos
3 Replies
eelsasser
Level 15

Re: Unusual web activity?

Interesting.

I don't know anything suspicious about 33across, but I wonder if...

Are you logging the referrer to see if 33across is embedded into some other site's page as an object?

Is it from one particular Client.IP?

Sometimes I have an open proxy at home for testing. When I do, I invariably get some bots finding the proxy and using it to initiate advertising click attacks. I don't know what is driving these clients, but it could be some sort of spyware/adware/malware.

0 Kudos
bkirk
Level 7

Re: Unusual web activity?

Here is the first entry that referenced 33across:

[23/Apr/2014:13:20:41 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 69.31.28.240 "sic-akamai.33across.com" 200 "text/plain" 617 0 "103" "16" "HTTP" "GET" "http://sic-akamai.33across.com/1/javascripts/sic.js"!==! "HTTP/1.1" "GET http://sic-akamai.33across.com/1/javascripts/sic.js HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://www.latimes.com/sports/hockey/la-sp-kings-sharks-game-3-pictures-20140422,0,5331382.photogallery?index=lat-sharks-la0017085315-20140422" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

There are only 2-3 entries per minute to follow for the next few minutes, then 700-800 entries per minute for the next few hours. There was a 5-minute break where it went back down to only 2-3 entries also. Here is what they look like:

 

[23/Apr/2014:13:26:00 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 67.202.66.189 "1.sic.33across.com" 200 "text/plain" 642 393 "23879" "19" "HTTP" "POST" "http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371"!==! "HTTP/1.1" "POST http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371 HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://1.sic.33across.com/session/iframe.html#_im2x397" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

Thank you,

Brian

0 Kudos
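The checks raised in the replies above (is it one client IP, and what is the referrer), as an added example that is not from any poster in this thread: it parses lines in the log layout pasted above, flags per-minute bursts per user, client IP and site, and reports the first outside page that referred to the flagged site. The sample entries, `news.example`, the 100-per-minute threshold and the two-label `site()` grouping are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Leading fields of the log layout quoted in the thread; \S* skips the "!!!!" run after the user.
HEAD = re.compile(r'^\[(?P<ts>[^\]]+)\] "[^"]*" "(?P<user>[^"]*)"\S* (?P<src>\S+) \S+ \S+ '
                  r'"(?P<host>[^"]*)" \d{3} ')

def site(host):  # simplification: last two DNS labels, no public-suffix handling
    return ".".join(host.split(".")[-2:])

def parse(line):
    m = HEAD.match(line)
    if not m:
        return None
    referer = re.findall(r'"([^"]*)"', line)[-3]  # last three quoted: referer, browser, UA
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["user"], m["src"], m["host"], ts.replace(second=0), referer

def find_bursts(lines, per_minute=100):
    """Flag (user, client IP, site) groups whose busiest minute reaches the threshold."""
    minutes, self_ref, embedder = defaultdict(Counter), Counter(), {}
    for user, src, host, minute, referer in filter(None, map(parse, lines)):
        key = (user, src, site(host))
        minutes[key][minute] += 1
        ref_host = urlsplit(referer).hostname or ""
        if site(ref_host) == key[2]:
            self_ref[key] += 1                 # issued by the site's own iframe or script
        elif ref_host:
            embedder.setdefault(key, referer)  # first outside page that pulled the site in
    return [{"group": key, "peak_per_minute": max(hits.values()), "total": sum(hits.values()),
             "self_referred": self_ref[key], "embedding_page": embedder.get(key)}
            for key, hits in minutes.items() if max(hits.values()) >= per_minute]

def sample_line(ts, host, method, url, referer):  # constructed entry in the thread's layout
    return (f'[{ts} -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 192.0.2.1 "{host}" 200 '
            f'"text/plain" 642 393 "1" "1" "HTTP" "{method}" "{url}" "HTTP/1.1" "{method} {url} HTTP/1.1" '
            f'"Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false '
            f'"-" "-" "80" "http" "{referer}" "IE8.0-6.1" "Mozilla/4.0 (compatible; MSIE 8.0)"')

SAMPLE = [sample_line("23/Apr/2014:13:20:41", "sic-akamai.33across.com", "GET",
                      "http://sic-akamai.33across.com/1/javascripts/sic.js", "http://news.example/gallery")]
SAMPLE += [sample_line(f"23/Apr/2014:13:26:{i % 60:02d}", "1.sic.33across.com", "POST",
                       f"http://1.sic.33across.com/session/632/udp__qd_/xhr?t={i}",
                       "http://1.sic.33across.com/session/iframe.html") for i in range(700)]

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A burst whose requests are almost all self-referred, with a single outside embedding page, points at a script polling from an open tab rather than at user navigation.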
eelsasser
Level 15

Re: Unusual web activity?

I had a client sitting on that page from the time I read this post this morning to now...all day.

These are the longest runs of 33across that came out all day:

capture.png

capture2.png

I had a lot more ping.chartbeat.net hits than I did with 33across.

But none of them were outrageous like you see.

0 Kudos