4 Replies Latest reply: Feb 1, 2013 8:33 AM by Regis

    Blackhole Exploit Activity, how to determine culprit?

    iflyvfr

      Our IPS reports a security threat: "we are seeing traffic indicating the exploitation and possible infection of the host at 192.168.1.34/192.168.1.34 by the Blackhole exploit kit being served by 129.121.201.163." The problem is that the internal IP is our web gateway and we cannot see, or do not know how to see, which client has the infection on it. Any assistance would be greatly appreciated.


      Should we call tech support?


      Thank you.

        • 1. Re: Blackhole Exploit Activity, how to determine culprit?
          iflyvfr

          Also, is there no way to see realtime activity on the web gateway?


          Thanks again!

          • 2. Re: Blackhole Exploit Activity, how to determine culprit?
            eelsasser

            By logging the destination IP address in the access logs, you could correlate that site with the IPS.

            By putting this property in the logs:

            + IP.ToString (URL.Destination.IP)


            And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.


            Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.

            • 3. Re: Blackhole Exploit Activity, how to determine culprit?
              Regis

              iflyvfr wrote:


              Also, is there no way to see realtime activity on the web gateway?


              Thanks again!


              Log in to the gateway via ssh:

              tail -f  /opt/mwg/log/user-defined-logs/access.log/access.log  | fgrep ip.address.from.your.ids


              But it does get a little wonky when access.log rolls.


              on 2/1/13 8:31:32 AM CST
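As an added example (not from this thread, and not McAfee's own code), the correlation eelsasser describes and the grep Regis suggests, done in Python over constructed log lines; the tab-separated field layout (time, src_ip, user, dest_ip, status, action, url) is an assumption about a user-defined access log, not MWG's default format:

```python
# Added example, not from the thread: correlate an IPS-reported destination IP
# with MWG access-log lines. ASSUMED user-defined log format: tab-separated
# fields time, src_ip, user, dest_ip, status, action, url.
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines (not real traffic); 203.0.113.45 plays the IPS-reported host.
SAMPLE_LOG = """\
2013-02-01T08:10:02\t10.0.0.15\tjdoe\t203.0.113.45\t200\tallowed\thttp://example.test/landing.php
2013-02-01T08:10:03\t10.0.0.15\tjdoe\t203.0.113.45\t403\tblocked\thttp://example.test/exploit.jar
2013-02-01T08:11:40\t10.0.0.22\tasmith\t198.51.100.7\t200\tallowed\thttp://other.test/index.html
2013-02-01T08:12:01\t10.0.0.31\t-\t203.0.113.45\t200\tallowed\thttp://example.test/landing.php
2013-02-01T08:12:09\t10.0.0.40\t-\t203.0.113.45\t403\tblocked\thttp://example.test/exploit.jar
malformed line without tabs
"""
FIELDS = ("time", "src_ip", "user", "dest_ip", "status", "action", "url")

def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in ("src_ip", "dest_ip"):
            ip_address(rec[key])  # reject garbage that merely looks like a field
    except ValueError:
        return None
    return rec

def correlate(log_text, reported_ip):
    """Map each client that reached reported_ip to its (time, action, url) requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dest_ip"] == reported_ip:
            hits[rec["src_ip"]].append((rec["time"], rec["action"], rec["url"]))
    return dict(hits)

def triage(hits):
    """Clients with at least one allowed fetch first; fully blocked ones separately."""
    exposed = sorted(ip for ip, reqs in hits.items()
                     if any(action == "allowed" for _, action, _ in reqs))
    blocked_only = sorted(ip for ip in hits if ip not in exposed)
    return exposed, blocked_only

if __name__ == "__main__":
    exposed, blocked = triage(correlate(SAMPLE_LOG, "203.0.113.45"))
    print("allowed fetches from:", exposed, "| blocked by MWG only:", blocked)
```

Clients in the second list only ever hit an MWG block, which is the "didn't make it to the client" case; the first list is where to look for an infected host.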
              • 4. Re: Blackhole Exploit Activity, how to determine culprit?
                Regis

                eelsasser wrote:


                By logging the destination IP address in the access logs, you could correlate that site with the IPS.

                By putting this property in the logs:

                + IP.ToString (URL.Destination.IP)


                And by adding the corresponding log header with src_ip, you would at least capture that data and track who went there.


                Since the IPS is between the firewall and MWG, there is also the likelihood that MWG blocked it and it didn't make it to the client. You should see evidence of that in the access_denied logs or the found_viruses logs.


                Superb advice, and it had been on my to-do list for a while, because the IPS will always report IPs and botnet lists provided by various sources are generally all IP related. And scraping logs for target hostnames and iteratively forward resolving them and praying the resolution hasn't changed since the time the botnet incident occurred... is icky and, with how much fast flux DNS is out there in the bot world, ineffective.