SARG funnies

[The_Unbeliever]

Hi

I picked up an anomaly on our SARG logs.

Quite a few PC's have this in.

What happens is that random sites are visited, but the only thing that remains constant, is the port number, which is 443.

For example :

134.50.38.66:443
69.159.0.78:443

These sites have been visited only once.

For most of these accesses no data has been transferred, only 0 bytes total, almost as if something did a quick scan of something on port 443.

Others have 243 bytes or more transferred, but not more than 1024 bytes.

An example of what I'm blabbering on about is :

I'm pondering to block port 443, but then Internet banking won't work....

Anybody got some Clue?

TIA

Libs

 

[ivusi]

Libs, as its coming from inside your network and going out on 443 - could be one of a couple of things, and what I think is most likely the case is that there is some type of IC (MSN etc)
This usually hunts open ports ( in your case 80, 443 etc) the software chose 443.

Have a look on the users machines to see what software is installed.

Otherwise the ususal malware checks could prove beneficial. I use Hitman Pro to check out Trojans and Malwarebytes for the others.
HTH

 

[HavocXphere]

Def looks like malware doing port scans. Not sure why it would hit 443 though...I don't think theres any real exploitable vulnerability there.

Ideally you'd want to catch a PC in the act so that you can trace it to a .exe.

You can't block it...too much stuff uses https.

 

[The_Unbeliever]

Now it's gone

Will monitor the logs to see if it'll come up again.

 

[daffy]

Could be Skype...