Strange Behaviour

#1
Hi All
I had a weird behaviour opening an xls.
I have on my webserver a repository with some xls (no macros, no formulas etc., just plain text); those xls are accessible without login to all visitors.
I have a web firewall in front of the web server.
It happens that the WAF spams alert messages as a LOIC attack; I checked and I see 3 Microsoft IPs, the direction was towards the webserver and especially to my xls!
I checked if somebody tried to open, update or download something: nothing.
Still I'm trying to figure out what happened, any suggestion?

Regards
 


bochane

Honorable Member
#2
Another interesting problem.

What do you mean with a 'weird behaviour on opening'? Did you see any messages?
Could you show us the screen dumps with those spam alerts and IPs?
How did you figure out that they were Microsoft IPs?
How did you figure out that nobody was downloading, given that you have these xls files accessible without login?
Are there log file entries on your webserver explaining more?
 


#3
Hello Bochane and thanks for your reply

1) Sorry for my English :) I mean a user opens the xls on the remote repository and then the IPS records a call from that webserver to 1 IP (according to whois owned by Microsoft Ireland, and I checked they are in the Microsoft range of IPs). The call was a GET.
And till this point everything is ok.
The problem is when the remote reply came (another GET): the WAF detected a LOIC attack from the called IP and 2 others in the same subnet, spamming messages (I will post Monday, thank God I'm not in the office on the weekend :)
2) If somebody downloads from our webserver, why do I receive a GET from the remote IP?
3) I requested the webserver logs but they're still on the way (big company, big time to get things)
Monday I will be more specific, thanks for now
 


bochane

Honorable Member
#4
OK, we will see next Monday.

And for now, have a nice weekend. :)

Henk
 


#5
Hello, delay due to bureaucracy.
Still no webserver log, so I add the WAF log:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11
Host: www.XXXX.it
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 424
Expires: Fri, 27 Nov 2015 18:15:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 27 Nov 2015 18:15:00 GMT
Connection: close

Path:
/export/sites/2015/bilancio_201511-IT.xls

1.1 GET 40.127.141.237 ---> x.x.x.x IE xxxx_12523 8075 403 DUBLIN microsoft hosted a477f0f 3000010 AKAMAI/WEB_ATTACK/LOIC1.1
Header order detected: Accept:User-Agent:Host
LOIC 1.1 DoS Detection Warn
GET /export/sites/2015/bilancio_201511-IT.xls HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml
status 403

IP
40.127.131.221
40.127.136.132
40.127.141.237

XLS File
Automatic flow
 



bochane

Honorable Member
#6
I am not that expert, sorry, but it looks to me like some user hosted by Microsoft has an infected PC and that PC tried to attack your server.

But again this goes further than my knowledge.
Anybody else?
 


#7
Update.
Nothing from the webserver/application log.
I contacted the user who opened the xls..... nothing more than open and read happened.
Starting to be a trial :)
 


#8
Well, can be, but then there are 3 different PCs.... and the behaviour is not that of malware; the GET requests are not so fast that a WAF can read them as LOIC.
 


Neemobeer

Windows Forum Team
Staff member
#9
Could somehow be related to Excel; Office applications connect to Microsoft for various reasons. You can try to disable "Allow Office to Connect to the Internet" under privacy settings and then test opening one of the xls files.
 


#10
Hello Neemobeer, thanks for answer.
I checked that also, but I looked at 1 year of repository behaviour in the archive and it never happened before, and "allow Office etc." is off.
 


Neemobeer

Windows Forum Team
Staff member
#11
Well, I'd say your next step, if you can reproduce the connections from a Windows system you have control of, is to run Wireshark and Procmon and see if those connections are originating from the client side. If they are, you should be able to see in Procmon which process is creating the connections, to narrow down the DoS false positives.
 


#12
Hi
Did that already.... I had some people do everything on that xls...... put under monitoring: procs, Wireshark and every monitoring tool available; also sent it to malwr to check if something was hidden inside....
nothing... I'm starting to become frustrated :)
 


Neemobeer

Windows Forum Team
Staff member
#13
Have you captured on the server side as well? If you have and still no luck, you may want to consult with the WAF vendor.
 


#14
Server and client side, to check if something weird starts.... nothing.
I asked the WAF vendor: it was a high-speed rate of requests and behaviour like LOIC. The problem is only one:
I want to be sure there's nothing wrong and that what happened was just a mistake before I put those xls in the whitelist. But there seems to be no clue (I also posted that on the Microsoft tech forum, no clue from them either).
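Before whitelisting a path on the strength of a vendor's "high-speed rate" verdict, a defender would normally re-derive that rate from the WAF's own records. The script below is an added example, not code from this thread, from Akamai or from any WAF vendor. It assumes a simplified, constructed log format modelled on the alert line quoted in post #5, with a timestamp prepended because the quoted line has none; the sample lines are constructed and reuse only the IPs, path, status and signature name that appear in the thread. It reports the peak number of requests each source made inside a short sliding window, which sources exceed a burst threshold, whether all sources fall in one IPv4 prefix, and which objects were hit.

```python
"""
Triage helper for rate-based (LOIC-style) WAF alerts.

Added example, not the thread's or any vendor's code. Assumed log format
(constructed; the real alert line in post #5 carries no timestamp):

    <ISO timestamp> <method> <src_ip> ---> <dst> <path> <status> <signature>
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: three sources, one path, a short burst from one source.
SAMPLE_LOG = """\
2015-11-27T18:15:00 GET 40.127.141.237 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
2015-11-27T18:15:00 GET 40.127.141.237 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
2015-11-27T18:15:01 GET 40.127.141.237 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
2015-11-27T18:15:01 GET 40.127.136.132 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
2015-11-27T18:15:02 GET 40.127.131.221 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
2015-11-27T18:15:09 GET 40.127.141.237 ---> x.x.x.x /export/sites/2015/bilancio_201511-IT.xls 403 AKAMAI/WEB_ATTACK/LOIC1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<src>\S+) ---> (?P<dst>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<sig>\S+)$"
)


def parse_waf_log(text):
    """Parse the assumed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip blank or malformed lines rather than abort the triage
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["status"] = int(ev["status"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def peak_rate_per_source(events, window_s=2):
    """Highest number of requests each source made inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev["ts"])
    peaks = {}
    for src, times in by_src.items():  # times are already sorted, oldest first
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def burst_sources(events, window_s=2, threshold=3):
    """Sources whose peak rate reaches the threshold, i.e. where a rate-based verdict is plausible."""
    peaks = peak_rate_per_source(events, window_s)
    return sorted(src for src, n in peaks.items() if n >= threshold)


def common_prefix(events, prefixlen=16):
    """The single IPv4 network of the given length covering every source, or None if they differ."""
    nets = {ipaddress.ip_network(f"{ev['src']}/{prefixlen}", strict=False) for ev in events}
    return nets.pop() if len(nets) == 1 else None


def target_paths(events):
    """Distinct objects the alerting requests were aimed at."""
    return sorted({ev["path"] for ev in events})


if __name__ == "__main__":
    evs = parse_waf_log(SAMPLE_LOG)
    print("peak requests per source in a 2 s window:", peak_rate_per_source(evs))
    print("sources that actually burst:", burst_sources(evs))
    print("prefix shared by all sources:", common_prefix(evs))
    print("targeted paths:", target_paths(evs))
```

The window size and threshold are deliberately parameters: the thread never states what rate tripped the signature, so the point is to compare the WAF's verdict against the observed request timing rather than to guess the vendor's threshold. If the per-source peaks turn out to be one or two requests, the alert is a signature match on headers rather than a real flood, and that is the argument to take back to the vendor before whitelisting.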
 


Neemobeer

Windows Forum Team
Staff member
#15
Well, if you can get me a Wireshark capture from the web server, the WAF, a client, plus a Procmon capture and some sample WAF logs during the alert, then maybe I can help you. Beyond that we're just shooting blind on here, I'm afraid.
 


#16
I'll see now what I can do about changing all the "private" stuff, then I will contact you to send everything.
Thanks anyway for the time you spent on that, very kind of you.

Talk you soon
 

