833 Views 4 Replies Latest reply: Feb 1, 2013 8:33 AM by Regis
iflyvfr Newcomer 3 posts since
Jan 31, 2013
Jan 31, 2013 10:55 AM

Blackhole Exploit Activity, how to determine culprit?

Our IPS reports a security threat: "we are seeing traffic indicating the exploitation and possible infection of the host at 192.168.1.34/192.168.1.34 by the Blackhole exploit kit being served by 129.121.201.163". The problem is that the internal IP is our web gateway, and we cannot see, or do not know how to see, which client has the infection on it. Any assistance would be greatly appreciated.
Should we call tech support?
Thank you.

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    2. Jan 31, 2013 11:21 AM (in response to iflyvfr)
    Re: Blackhole Exploit Activity, how to determine culprit?

    By logging the destination IP address in the access logs, you could correlate that site with the IPS,

    by putting this property in the logs:

    + IP.ToString (URL.Destination.IP)

    And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.

    Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.

  • Regis Champion 457 posts since
    Oct 6, 2010

    iflyvfr wrote:

    Also, is there no way to see realtime activity on the web gateway?

    Thanks again!

    Log in to the gateway via ssh:

    tail -f /opt/mwg/log/user-defined-logs/access.log/access.log | fgrep ip.address.from.your.ids

    But it does get a little wonky when access.log rolls.

    on 2/1/13 8:31:32 AM CST
  • Regis Champion 457 posts since
    Oct 6, 2010

    eelsasser wrote:

    By logging the destination IP address in the access logs, you could correlate that site with the IPS,

    by putting this property in the logs:

    + IP.ToString (URL.Destination.IP)

    And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.

    Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.

    Superb advice, and it had been on my to-do list for a while, because the IPS will always report IPs, and the botnet lists provided by various sources are generally all IP related. Scraping logs for target hostnames, iteratively forward-resolving them and praying the resolution hasn't changed since the time the botnet incident occurred... is icky, and with how much fast-flux DNS is out there in the bot world, ineffective.
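
A worked illustration of the correlation eelsasser describes (log src_ip plus the resolved destination IP, then find who went there) and of Regis's grep-the-log approach, added here and not code from this thread or from McAfee. It parses a constructed access log whose column layout is an assumption for the example, lists every client that reached the address the IPS reported, and separates requests the gateway allowed from ones it blocked, which is the evidence eelsasser says to look for before treating the client as infected.

```python
import re
from collections import defaultdict

# Constructed sample of a gateway access log whose lines already carry the
# client address (src_ip) and the resolved destination IP, i.e. the two
# fields the thread suggests adding. The column layout is an assumption for
# this example, not Web Gateway's default log format.
SAMPLE_LOG = """\
[31/Jan/2013:10:41:02 -0600] 192.168.1.101 "GET http://ads.example.test/js/x.js" 129.121.201.163 200 "Allow"
[31/Jan/2013:10:41:03 -0600] 192.168.1.101 "GET http://ads.example.test/main.php?page=1" 129.121.201.163 403 "Block: Malicious Sites"
[31/Jan/2013:10:42:17 -0600] 192.168.1.157 "GET http://www.example.org/" 93.184.216.34 200 "Allow"
[31/Jan/2013:10:45:55 -0600] 192.168.1.120 "GET http://ads.example.test/main.php?page=2" 129.121.201.163 200 "Allow"
this line is deliberately unparseable and must be skipped
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<src_ip>\S+)\s+"(?P<request>[^"]*)"\s+'
    r'(?P<dst_ip>\S+)\s+(?P<status>\d{3})\s+"(?P<action>[^"]*)"$'
)

def correlate(log_text, reported_ip):
    """Return {client_ip: [(timestamp, status, action, request), ...]} for
    every request whose destination IP equals the address the IPS reported.
    Matching the parsed field, rather than a substring fgrep over the whole
    line, avoids false hits where the address appears inside a URL."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or fragment from a log roll; ignore
        if m.group("dst_ip") == reported_ip:
            hits[m.group("src_ip")].append(
                (m.group("ts"), int(m.group("status")), m.group("action"), m.group("request"))
            )
    return dict(hits)

def summarize(hits):
    """Per client, count requests the gateway let through versus blocked, so
    the responder can tell a likely infection from an attempt MWG stopped."""
    summary = {}
    for client, events in hits.items():
        blocked = sum(1 for _, _, action, _ in events if action.startswith("Block"))
        summary[client] = {"allowed": len(events) - blocked, "blocked": blocked}
    return summary

if __name__ == "__main__":
    for client, counts in summarize(correlate(SAMPLE_LOG, "129.121.201.163")).items():
        print(client, counts)
```

A client with only blocked requests to the reported address is a near miss the gateway stopped; one with allowed requests is where to start the host investigation.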
