SARG funnies

The_Unbeliever

Hi

I picked up an anomaly on our SARG logs.

Quite a few PCs have this in.

What happens is that random sites are visited, but the only thing that remains constant is the port number, which is 443.

For example:

Code:
134.50.38.66:443
69.159.0.78:443

These sites have been visited only once.

For most of these accesses no data has been transferred, only 0 bytes total, almost as if something did a quick scan of something on port 443.

Others have 243 bytes or more transferred, but not more than 1024 bytes.

An example of what I'm blabbering on about is:

sarg1.jpg


I'm pondering blocking port 443, but then Internet banking won't work....

Anybody got some Clue?

TIA

Libs
 

ivusi

Libs, as it's coming from inside your network and going out on 443 - could be one of a couple of things, and what I think is most likely the case is that there is some type of IC (MSN etc.)
This usually hunts open ports (in your case 80, 443 etc.); the software chose 443.

Have a look on the users' machines to see what software is installed.

Otherwise the usual malware checks could prove beneficial. I use Hitman Pro to check out Trojans and Malwarebytes for the others.
HTH
 

HavocXphere

Def looks like malware doing port scans. Not sure why it would hit 443 though...I don't think there's any real exploitable vulnerability there.

Ideally you'd want to catch a PC in the act so that you can trace it to a .exe.

You can't block it...too much stuff uses https.
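
Added example, not part of the thread or any poster's code: a small triage script that picks out the pattern described in the first post (CONNECT requests to bare IP addresses on port 443, each destination seen once, at most 1024 bytes) and groups it by client PC. It assumes the proxy is Squid writing its native access.log format, which is what SARG reads; the client addresses, the hostname, the third destination and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format.
# Fields: time elapsed client action/code bytes method URL ident hierarchy type
# Client IPs and bank.example.com are made up; the first two destinations
# are the ones quoted in the first post.
SAMPLE_LOG = """\
1273651200.101     52 192.168.1.23 TCP_MISS/200 0 CONNECT 134.50.38.66:443 - DIRECT/134.50.38.66 -
1273651201.345     48 192.168.1.23 TCP_MISS/200 243 CONNECT 69.159.0.78:443 - DIRECT/69.159.0.78 -
1273651202.790     61 192.168.1.23 TCP_MISS/200 0 CONNECT 203.0.113.9:443 - DIRECT/203.0.113.9 -
1273651300.002   9120 192.168.1.40 TCP_MISS/200 48211 CONNECT bank.example.com:443 - DIRECT/198.51.100.7 -
1273651305.440   8033 192.168.1.40 TCP_MISS/200 51877 CONNECT bank.example.com:443 - DIRECT/198.51.100.7 -
"""

BARE_IP_443 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:443$")
MAX_BYTES = 1024  # the first post reports 0 to at most 1024 bytes per access
MIN_DESTS = 3     # assumed threshold: one-off destinations needed to flag a PC


def suspicious_clients(log_text, min_dests=MIN_DESTS):
    """Return {client_ip: [destinations contacted exactly once]} for flagged PCs."""
    hits = defaultdict(lambda: defaultdict(int))  # client -> destination -> count
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue  # skip blank or malformed lines
        client, size, method, dest = f[2], int(f[4]), f[5], f[6]
        # HTTPS through a proxy shows up as CONNECT host:port; normal browsing
        # uses hostnames, so a bare IP with a tiny transfer is the odd case.
        if method == "CONNECT" and BARE_IP_443.match(dest) and size <= MAX_BYTES:
            hits[client][dest] += 1
    report = {}
    for client, dests in hits.items():
        once = sorted(d for d, n in dests.items() if n == 1)
        if len(once) >= min_dests:
            report[client] = once
    return report


if __name__ == "__main__":
    for client, dests in suspicious_clients(SAMPLE_LOG).items():
        print(client, len(dests), "one-off destinations:", ", ".join(dests))
```

The timestamps in the matching log lines give the window in which to look at the flagged PC's open connections and running processes.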
 