Strange Behaviour

Discussion in 'Windows 10 Networking' started by Giovanni73, Nov 27, 2015.

  1. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Hi All
    I had a weird behaviour opening an xls.
    I have on my webserver a repository with some xls (no macros, no formulas etc., just plain text); those xls are accessible to all visitors without login.
    I have a web firewall in front of the webserver.
    It happened that the WAF spammed alert messages as a LOIC attack; I checked and I saw 3 Microsoft IPs, direction was to the webserver and especially to my xls!
    I checked if somebody tried to open, update or download something: nothing.
    Still I am trying to figure out what happened, any suggestions?

    Regards
     
  2. bochane

    bochane Honorable Member

    Joined:
    Oct 18, 2012
    Messages:
    643
    Likes Received:
    47
    Another interesting problem.

    What do you mean with a 'weird behaviour on opening'? Did you see any messages?
    Could you show us the screen dumps with those spam alerts and IP's?
    How did you figure out that they were Microsoft IPs?
    How did you figure out that nobody was downloading, because you have these xls files accessible without login?
    Are there log file entries on your webserver explaining more?
     
  3. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Hello Bochane and thanks for your reply

    1) Sorry for my English :) I mean a user opened an xls on the remote repository and then the IPS recorded a call from that webserver to 1 IP (according to whois, owned by Microsoft Ireland, and I checked they are in the Microsoft range of IPs). The call was a GET.
    And up to this point everything is OK.
    The problem is when the remote reply came (another GET), the WAF detected a LOIC attack from the called IP and 2 others in the same subnet, spamming messages (I will post on Monday, thank God I'm not in the office on the weekend :)
    2) If somebody downloads from our webserver, why do I receive a GET from the remote IP?
    3) I requested the webserver log but it is still on the way (big company, big time to get things)
    On Monday I will be more specific, thanks for now.
     
  4. bochane

    bochane Honorable Member

    Joined:
    Oct 18, 2012
    Messages:
    643
    Likes Received:
    47
    OK, we will see next Monday.

    And for now, have a nice weekend. :)

    Henk
     
  5. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Hello, delayed by bureaucracy.
    Still no webserver log, so I add the WAF log:

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
    Host: www.XXXX.it
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 424
    Expires: Fri, 27 Nov 2015 18:15:00 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 27 Nov 2015 18:15:00 GMT
    Connection: close

    Path:
    /export/sites/2015/bilancio_201511-IT.xls

    1.1 GET 40.127.141.237 ---> x.x.x.x IE xxxx_12523 8075 403 DUBLIN microsoft hosted a477f0f 3000010 AKAMAI/WEB_ATTACK/LOIC1.1
    Header order detected: Accept:User-Agent:Host
    LOIC 1.1 DoS Detection Warn
    GET /export/sites/2015/bilancio_201511-IT.xls
    HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml
    status 403

    IP
    40.127.131.221
    40.127.136.132
    40.127.141.237

    XLS File
    Automatic flow
     
    #5 Giovanni73, Dec 2, 2015
    Last edited: Dec 2, 2015
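The WAF entry above is the only hard evidence in the thread, and the first thing an operator wants from a pile of such alerts is a table of source IPs, how many were blocked, which rule fired, and whether the sources really fall in the address range the whois check pointed at. The following Python is an added example, not code from the original post or from the WAF vendor: it parses event lines shaped like the one posted (field layout inferred from that single line, the masked `x.x.x.x` destination kept as-is), and attributes each source IP to an owner using a CIDR table. The CIDR `40.64.0.0/10` in `ASSUMED_RANGES` is an assumption standing in for whatever the poster's whois lookup returned; the extra event lines are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed WAF event lines, modelled on the single entry posted in the thread.
# The first line is the posted one; the other two are made up for the demo.
SAMPLE_EVENTS = """\
1.1 GET 40.127.141.237 ---> x.x.x.x IE xxxx_12523 8075 403 DUBLIN microsoft hosted a477f0f 3000010 AKAMAI/WEB_ATTACK/LOIC1.1
1.1 GET 40.127.131.221 ---> x.x.x.x IE xxxx_12524 8075 403 DUBLIN microsoft hosted a477f0f 3000010 AKAMAI/WEB_ATTACK/LOIC1.1
1.1 GET 203.0.113.7 ---> x.x.x.x IE xxxx_12525 8075 403 LONDON example hosted a477f0f 3000010 AKAMAI/WEB_ATTACK/LOIC1.1
"""

# Assumed owner table: the poster says whois put the sources in a Microsoft
# range but does not quote the CIDR, so this value is a placeholder to replace
# with the actual whois result. 203.0.113.0/24 is documentation space (RFC 5737).
ASSUMED_RANGES = {
    "microsoft": ["40.64.0.0/10"],
}

# Field layout inferred from the posted line:
# <version> <method> <src> ---> <dst> ... <3-digit status> ... <rule>
EVENT_RE = re.compile(
    r"^(?P<ver>\S+)\s+(?P<method>[A-Z]+)\s+(?P<src>\S+)\s+--->\s+(?P<dst>\S+)"
    r"\s+.*?\s(?P<status>\d{3})\s.*\s(?P<rule>\S+)$"
)


@dataclass
class WafEvent:
    method: str
    src: str
    dst: str
    status: int
    rule: str


@dataclass
class SourceSummary:
    owner: str
    blocked: int = 0
    total: int = 0
    rules: set = field(default_factory=set)


def parse_event(line: str) -> Optional[WafEvent]:
    """Parse one event line; return None for lines that do not match the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return WafEvent(m["method"], m["src"], m["dst"], int(m["status"]), m["rule"])


def parse_events(text: str) -> list:
    """Parse every line of a WAF export, silently skipping unparseable ones."""
    events = (parse_event(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def owner_of(ip: str, ranges: dict) -> str:
    """Return the owner label whose CIDR list contains `ip`, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for owner, cidrs in ranges.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return owner
    return "unknown"


def summarize(events: list, ranges: dict) -> dict:
    """Group events by source IP: owner, blocked (403) count, total, rules fired."""
    out = {}
    for ev in events:
        entry = out.setdefault(ev.src, SourceSummary(owner=owner_of(ev.src, ranges)))
        entry.total += 1
        if ev.status == 403:
            entry.blocked += 1
        entry.rules.add(ev.rule)
    return out


if __name__ == "__main__":
    for src, s in summarize(parse_events(SAMPLE_EVENTS), ASSUMED_RANGES).items():
        print(f"{src:16} owner={s.owner:10} blocked={s.blocked}/{s.total} rules={sorted(s.rules)}")
```

Running this over a real export gives the per-source view needed before deciding on a whitelist: a source that is in the expected range, always hits the same path, and never trips any rule other than the rate signature is a different case from an unknown source hitting many paths.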
  6. bochane

    bochane Honorable Member

    Joined:
    Oct 18, 2012
    Messages:
    643
    Likes Received:
    47
    I am not that expert, sorry, but it looks to me like some user hosted by Microsoft has an infected PC and that PC tried to attack your server.

    But again this goes further than my knowledge.
    Anybody else?
     
  7. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Update.
    Nothing from the webserver/application log.
    I contacted the user who opened the xls..... nothing more than open and read happened.
    It's starting to be a trial :)
     
  8. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Well, it can be, but then there are 3 different PCs.... and the behaviour is not that of malware; the GET requests are not so fast that a WAF could read them as LOIC.
     
  9. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,410
    Likes Received:
    364
    It could somehow be related to Excel; Office applications connect to Microsoft for various reasons. You can try and disable "Allow Office to Connect to the Internet" under privacy settings and then test opening one of the xls files.
     
  10. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Hello Neemobeer, thanks for the answer.
    I also checked that, but I looked at 1 year of repository behaviour in the archive and it never happened before, and "allow Office etc." is off.
     
  11. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,410
    Likes Received:
    364
    Well, I'd say your next step, if you can reproduce the connections from a Windows system you have control of, is to run Wireshark and Procmon and see if those connections are originating from the client side. If they are, you should be able to see in Procmon which process is creating the connections, to narrow down the DoS false positives.
     
  12. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Hi
    Did that already.... I had some people do everything on that xls...... put it under monitoring, procs, Wireshark, and every monitoring tool available, also sent it to malwr to check if something was hidden inside....
    Nothing... I'm starting to become frustrated :)
     
  13. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,410
    Likes Received:
    364
    Have you captured on the server side as well? If you have and still no luck, you may want to consult with the WAF vendor.
     
  14. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    Server and client side, to check if something weird started.... nothing.
    I asked the WAF vendor; it was a high-speed-rate request and behaviour like LOIC. The problem is only one:
    I want to be sure there's nothing wrong and that what happened was just a mistake before putting those xls in the whitelist. But there seems to be no clue (I also posted that on the Microsoft tech forum, no clue from them either).
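The vendor's answer ("a high-speed rate request") and the poster's own impression ("not so fast that a WAF could read them as LOIC") can only be reconciled by measuring the burst rate per source from an access log once one is available. The following Python is an added example, not code from the original thread or from any vendor: it parses Apache/nginx-style combined log lines, keeps only requests for the path under investigation, and computes for each source IP the largest number of requests seen in any sliding window of `window_s` seconds, which is the kind of measurement a rate-based DoS signature makes. The log lines, the path and the threshold are constructed for the demonstration (the path reuses the one from the posted WAF entry; the timestamps and IPs are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path from the posted WAF entry; the access-log lines below are constructed.
PATH = "/export/sites/2015/bilancio_201511-IT.xls"


def _line(ip: str, second: int, status: int = 200) -> str:
    """Build one constructed combined-log line at 18:15:<second> on the alert date."""
    return (f'{ip} - - [27/Nov/2015:18:15:{second:02d} +0000] '
            f'"GET {PATH} HTTP/1.1" {status} 424 "-" "Mozilla/5.0"')


# One source issuing 8 requests inside 3 seconds (a burst), another issuing 3
# requests spread over 45 seconds (normal browsing), plus an unrelated path.
SAMPLE_LOG = (
    [_line("40.127.141.237", s) for s in (0, 0, 0, 1, 1, 1, 2, 2)]
    + [_line("198.51.100.9", s) for s in (0, 20, 45)]
    + ['198.51.100.9 - - [27/Nov/2015:18:15:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
)


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def peak_rates(lines, path: str, window_s: float) -> dict:
    """Per source IP, the largest number of requests for `path` inside any window_s-second span."""
    times_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == path:
            times_by_ip[rec[0]].append(rec[1])

    peaks = {}
    for ip, times in times_by_ip.items():
        times.sort()
        window = deque()
        best = 0
        for t in times:
            window.append(t)
            # Drop timestamps that fell out of the trailing window.
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()
            best = max(best, len(window))
        peaks[ip] = best
    return peaks


def flag_bursts(lines, path: str, window_s: float, threshold: int) -> list:
    """Sources whose peak request count for `path` reaches `threshold` in a window."""
    return sorted(ip for ip, n in peak_rates(lines, path, window_s).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in peak_rates(SAMPLE_LOG, PATH, 5).items():
        print(f"{ip:16} peak {n} requests in any 5 s window")
    print("would trip a 5-per-5s rule:", flag_bursts(SAMPLE_LOG, PATH, 5, 5))
```

The window length and threshold are deliberately parameters: the thread never states what rate the vendor's LOIC signature uses, so the useful exercise is to run the script with the vendor's actual numbers and see whether the Microsoft-range sources exceed them, which settles whether the alert was a true rate anomaly or a signature that also keys on other features such as the header order the log mentions.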
     
  15. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,410
    Likes Received:
    364
    Well, if you can get me a Wireshark capture from the web server, the WAF, a client and a Procmon capture and some sample WAF logs during the alert then maybe I can help you. Beyond that we're just shooting blind on here I'm afraid.
     
  16. Giovanni73

    Giovanni73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    9
    Likes Received:
    0
    I'll see now what I can do, changing all the "private" stuff; then I will contact you to send everything.
    Thanks anyway for spending time on that, very kind of you.

    Talk to you soon
     
