3 Replies Latest reply on May 1, 2014 9:00 PM by eelsasser

    Unusual web activity?

    bkirk

      From time to time I see tens of thousands of web hits for a site: 1.sic.33across.com

       

      The specific post I see in my proxy logs looks like this:

      http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398275999463

       

      33across is supposed to be some type of marketing or ads on the Internet, but when I see close to 50k successful web hits in an hour's time for one user to this one site, it is alarming. On a side note, I have also seen from time to time other URLs that do this, but instead of successful "200" codes I see "302" codes for these URLs, or "204", and closing the user's browser seems to resolve the issues. I want to say it is an IE glitch but I don't know, and thought maybe the proxy is doing something bizarre from time to time.

       

      Please let me know if anyone else has seen similar problems with the 33across or other pages.

       

      Thank you,

      Brian 

        • 1. Re: Unusual web activity?

          Interesting.

          I don't know anything suspicious about 33across, but I wonder if...

           

          Are you logging the referrer to see if 33across is embedded into some other site's page as an object?

           

          Is it from one particular Client.IP?

           

          Sometimes I have an open proxy at home for testing. When I do, I invariably get some bots finding the proxy and using it to initiate advertising click attacks. I don't know what is driving these clients, but it could be some sort of spyware/adware/malware.

          • 2. Re: Unusual web activity?
            bkirk

            Here is the first entry that referenced 33across:

            [23/Apr/2014:13:20:41 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 69.31.28.240 "sic-akamai.33across.com" 200 "text/plain" 617 0 "103" "16" "HTTP" "GET" "http://sic-akamai.33across.com/1/javascripts/sic.js"!==! "HTTP/1.1" "GET http://sic-akamai.33across.com/1/javascripts/sic.js HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://www.latimes.com/sports/hockey/la-sp-kings-sharks-game-3-pictures-20140422,0,5331382.photogallery?index=lat-sharks-la0017085315-20140422" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

             

            There are only 2-3 entries per minute to follow for the next few minutes, then 700-800 entries per minute for the next few hours. There was also a 5-minute break where it went back down to only 2-3 entries. Here is what they look like:

             

            [23/Apr/2014:13:26:00 -0400] "WebGateway" "userABC"!!!! 10.10.10.10 10.10.10.10 67.202.66.189 "1.sic.33across.com" 200 "text/plain" 642 393 "23879" "19" "HTTP" "POST" "http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371"!==! "HTTP/1.1" "POST http://1.sic.33across.com/session/632/udp__qd_/xhr?t=1398273936371 HTTP/1.1"==!= "Business" "Minimal Risk" "8" "Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" "http://1.sic.33across.com/session/iframe.html#_im2x397" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"

             

            Thank you,

            Brian
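Added example, not part of the original thread: a Python sketch that answers the two triage questions from reply 1 (which client IP, which referrer) by counting requests per minute for each user/client/host and reporting the dominant referrer for any minute over a threshold. The field positions are an assumption inferred from the two log entries quoted above, the threshold of 100 is arbitrary, and the sample lines are constructed in the same layout.

```python
import re
from collections import Counter, defaultdict

TS = re.compile(r'^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [+-]\d{4}\]')
QUOTED = re.compile(r'"([^"]*)"')
IPV4 = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')

def parse_line(line):
    """Extract the fields needed for burst triage; return None if unparseable."""
    ts, q = TS.match(line), QUOTED.findall(line)
    ips = IPV4.findall(QUOTED.sub('', line))   # IPs outside quoted fields only
    if not ts or len(q) < 25 or not ips:
        return None
    # Positions assumed from the two sample entries in this thread.
    return {"minute": ts.group(1), "user": q[1], "client_ip": ips[0],
            "host": q[2], "method": q[7], "referer": q[-3]}

def find_bursts(lines, threshold=100):
    """Return (minute, user, client_ip, host, hits, top_referer) for each
    client/host pair with at least `threshold` requests in one minute."""
    hits, referers = Counter(), defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["minute"], rec["user"], rec["client_ip"], rec["host"])
        hits[key] += 1
        referers[key][rec["referer"]] += 1
    return [key + (n, referers[key].most_common(1)[0][0])
            for key, n in sorted(hits.items()) if n >= threshold]

# Constructed sample data in the thread's format (not real log entries).
TEMPLATE = ('[23/Apr/2014:13:{mm}:{ss:02d} -0400] "WebGateway" "userABC"!!!! '
    '10.10.10.10 10.10.10.10 67.202.66.189 "{host}" 200 "text/plain" 642 393 '
    '"23879" "19" "HTTP" "{method}" "http://{host}{path}"!==! "HTTP/1.1" '
    '"{method} http://{host}{path} HTTP/1.1"==!= "Business" "Minimal Risk" "8" '
    '"Gateway Anti-Malware" "Block" 0 "-" false "-" false "-" "-" "80" "http" '
    '"{referer}" "IE8.0-6.1"!=!=! "Mozilla/4.0 (compatible; MSIE 8.0)"')

def sample_lines():
    xhr = dict(host="1.sic.33across.com", method="POST", path="/session/632/xhr",
               referer="http://1.sic.33across.com/session/iframe.html")
    quiet = [TEMPLATE.format(mm="25", ss=s, **xhr) for s in (5, 30, 55)]
    burst = [TEMPLATE.format(mm="26", ss=i % 60, **xhr) for i in range(750)]
    return quiet + burst

if __name__ == "__main__":
    for row in find_bursts(sample_lines()):
        print(row)
```

A burst whose top referrer is the same host's own iframe, as in the second entry above, points at a script polling from an embedded frame rather than at user navigation.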

            • 3. Re: Unusual web activity?

              I had a client sitting on that page from the time I read this post this morning to now...all day.

               

              These are the longest runs of 33across that came out all day:

              capture.png

              capture2.png

               

              I had a lot more ping.chartbeat.net hits than I did with 33across.

               

              But none of them were outrageous like you see.