malware??

L2 Linker

Re: malware??

from the CLI

@PA-5020-P(active)> test url www.googletagservices.com/tag/js/gpt.js

www.googletagservices.com/tag/js/gpt.js search-engines (Base db) expires in 0 seconds

www.googletagservices.com/tag/js/gpt.js search-engines (Cloud db)

I'll get the URL/threat log in a few...

L2 Linker

Re: malware??

[attached image: misCats.jpg]

L7 Applicator

Re: malware??

Hello VSU_ITSEC,

It seems the PAN firewall is currently categorizing it properly. The above-mentioned logs are for 09/22/14. As I said before, we had an issue with the prior version, and that has been fixed now. That is why you don't have logs for the current date (09/23/14-Block-URL).

Hope this helps.

Thanks

L6 Presenter

Re: malware??

Hi VSU,

Thanks for providing the URL logs; it's confirmed now that it's yesterday's log. I agree with HULK. Today's classification looks good. Let us know if the issue still appears.

Regards,

Hardik Shah

L2 Linker

Re: malware??

Have a new site in today's list with the same issue: g.symcd.com. This is new for us (so is the device); how often does this happen?

[attached images: Untitled3.jpg, Untitled4.jpg]

L7 Applicator

Re: malware??

What output are you getting for this new URL from the ">test url" command?

Thanks

L6 Presenter

Re: malware??

For us it's comp&Internet.

admin@85-PA-VM-300> test url-info-cloud g.symcd.com

BM:

symcd.com,9,5,computer-and-internet-info

Please provide us output for

test url-info-cloud g.symcd.com

show system info

Regards,

Hardik Shah

L2 Linker

Re: malware??

@PA-5020-P(active)> test url g.symcd.com

g.symcd.com computer-and-internet-info (Base db) expires in 0 seconds

g.symcd.com computer-and-internet-info (Cloud db)

I see where you are going with this... So...

Am I to verify each entry on my botnet report prior to taking action?

Am I getting URL updates soon enough, and if not, where do I adjust?

Am I placing too much ‘faith’ in the botnet report?

From the botnet report:

confidence    Virtual System    description

4    vsys1    Repeatedly visited (42) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (441) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (65) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (59) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCK7KMAoI08AAGfwI84AAACi

4    vsys1    Repeatedly visited (40) the same malicious URL acuityplatform.com/Adserver/exds?xuid=8f02281c60d856473aab5158f5ac729c

4    vsys1    Repeatedly visited (123) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (190) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (63) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLtJMAoI0gAAHjWIP0AAABR

4    vsys1    Repeatedly visited (68) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (65) the same malicious URL acuityplatform.com/Adserver/exds?xuid=ef8c5c814844f7f359896d10d97045dd

4    vsys1    Repeatedly visited (100) the same malicious URL cache.dtmpub.com/js/ncg6/0/optinrt_0.js?cgver=36931

4    vsys1    Repeatedly visited (51) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLVhsAoI0YAACmlXH8AAACE

4    vsys1    Repeatedly visited (198) the same malicious URL g.symcd.com/MEkwR6ADAgEAMEAwPjA8MAkGBSsOAwIaBQAEFLG0OReQFreXeVAR8WC51KI82+3uBBQA+SrDQZG2ycK4PlXywJcRE6AHIAIDAjp2

4    vsys1    Repeatedly visited (39) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLTtsAoIz0AAAZPA.MAAACV

4    vsys1    Repeatedly visited (45) the same malicious URL cache.dtmpub.com/js/ncg6/0/optinrt_0.js?cgver=36931

4    vsys1    Repeatedly visited (73) the same malicious URL acuityplatform.com/Adserver/atds?getuserid=http://ums.adtechus.com/mapuser?providerid=1027;userid=$UID

4    vsys1    Repeatedly visited (157) the same malicious URL acuityplatform.com/Adserver/atds?getuserid=http://ums.adtechus.com/mapuser?providerid=1027;userid=$UID

4    vsys1    Repeatedly visited (47) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLeicAoI0YAAD4Vd2cAAAAD

4    vsys1    Repeatedly visited (121) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCMOwMAoI0oAAEKePowAAADV

4    vsys1    Repeatedly visited (45) the same malicious URL acuityplatform.com/Adserver/atds?getuserid=http://ums.adtechus.com/mapuser?providerid=1027;userid=$UID

4    vsys1    Repeatedly visited (36) the same malicious URL assets.tumblr.com/fonts/gibson/stylesheet.css?v=3

4    vsys1    Repeatedly visited (575) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (43) the same malicious URL acuityplatform.com/Adserver/exds?xuid=41ed950b4ac8a2da0effdb75f6b13fe2

4    vsys1    Repeatedly visited (45) the same malicious URL cache.dtmpub.com/js/ncg6/0/optinrt_0.js?cgver=36953

4    vsys1    Repeatedly visited (127) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLQicAoIzcAAIBXHTwAAAD7

4    vsys1    Repeatedly visited (133) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (107) the same malicious URL cache.dtmpub.com/js/ncg6/0/optinrt_0.js?cgver=36939

4    vsys1    Repeatedly visited (38) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLi5cAoI0oAAJ2eaAIAAAAD

4    vsys1    Repeatedly visited (150) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (38) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCLwVMAoIzsAABrw-C0AAAE8

4    vsys1    Repeatedly visited (42) the same malicious URL cdn.mxpnl.com/libs/mixpanel-2.2.min.js

4    vsys1    Repeatedly visited (187) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (58) the same malicious URL acuityplatform.com/Adserver/cmds?cm_dsp_id=10&cm_callback_url=http:/dsum.casalemedia.com/rum&cm_user_id=VCL9o8AoIzMAABBzJg0AAABO

4    vsys1    Repeatedly visited (51) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (85) the same malicious URL g.symcd.com/

4    vsys1    Repeatedly visited (54) the same malicious URL g.symcd.com/MEkwR6ADAgEAMEAwPjA8MAkGBSsOAwIaBQAEFLG0OReQFreXeVAR8WC51KI82+3uBBQA+SrDQZG2ycK4PlXywJcRE6AHIAIDAjp2

4    vsys1    Repeatedly visited (163) the same malicious URL acuityplatform.com/Adserver/atds?getuserid=http://ums.adtechus.com/mapuser?providerid=1027;userid=$UID

4    vsys1    Repeatedly visited (70) the same malicious URL ortc-ws6-useast1-s0003.realtime.co/

4    vsys1    Repeatedly visited (555) the same malicious URL g.symcd.com/MEkwR6ADAgEAMEAwPjA8MAkGBSsOAwIaBQAEFLG0OReQFreXeVAR8WC51KI82+3uBBQA+SrDQZG2ycK4PlXywJcRE6AHIAIDAjp2
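A triage helper for the situation above, added here as an example and not part of the thread or of any Palo Alto Networks tool: it sums the botnet-report hits per host, parses the "test url" output quoted in the thread into Base db and Cloud db categories, and separates stale-cache mismatches from hosts whose category is a genuine threat category. The sample report rows and lookup results are constructed (only the g.symcd.com lookup matches what the thread shows), and the threat-category set is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample of botnet-report rows in the tab-separated layout quoted
# in the thread: confidence, virtual system, description.
REPORT = """\
4\tvsys1\tRepeatedly visited (42) the same malicious URL g.symcd.com/
4\tvsys1\tRepeatedly visited (441) the same malicious URL g.symcd.com/
4\tvsys1\tRepeatedly visited (100) the same malicious URL cache.dtmpub.com/js/ncg6/0/optinrt_0.js?cgver=36931
4\tvsys1\tRepeatedly visited (73) the same malicious URL acuityplatform.com/Adserver/atds?getuserid=http://ums.adtechus.com/mapuser?providerid=1027;userid=$UID
"""

# Constructed "test url" output per host in the format quoted in the thread;
# only the g.symcd.com entry matches what the thread shows.
TEST_URL = {
    "g.symcd.com": "g.symcd.com computer-and-internet-info (Base db) expires in 0 seconds\ng.symcd.com computer-and-internet-info (Cloud db)",
    "cache.dtmpub.com": "cache.dtmpub.com malware (Base db) expires in 0 seconds\ncache.dtmpub.com computer-and-internet-info (Cloud db)",
    "acuityplatform.com": "acuityplatform.com malware (Base db) expires in 0 seconds\nacuityplatform.com malware (Cloud db)",
}

# Assumed set of PAN-DB categories treated as a real threat hit.
THREAT_CATEGORIES = {"malware", "command-and-control", "phishing"}
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+Repeatedly visited \((\d+)\) the same malicious URL (\S+)$")
TEST_RE = re.compile(r"^(\S+) (\S+) \((Base|Cloud) db\)")

def hits_per_host(report):
    # Sum visit counts per hostname (the part of the URL before the first '/').
    hits = defaultdict(int)
    for m in filter(None, map(ROW_RE.match, report.splitlines())):
        hits[m.group(4).split("/")[0]] += int(m.group(3))
    return dict(hits)

def parse_test_url(output):
    # Map 'Base'/'Cloud' to the category printed on each 'test url' line.
    return {m.group(3): m.group(2)
            for m in filter(None, map(TEST_RE.match, output.splitlines()))}

def triage(report, lookups):
    # Compare Base vs Cloud db category for every host the report flagged.
    result = {}
    for host, hits in hits_per_host(report).items():
        cats = parse_test_url(lookups[host])  # KeyError if a lookup is missing
        base, cloud = cats.get("Base"), cats.get("Cloud")
        if base != cloud:
            verdict = "stale Base db entry; clear url-cache and re-test"
        elif cloud in THREAT_CATEGORIES:
            verdict = "threat category confirmed; investigate the visiting hosts"
        else:
            verdict = "benign category; likely botnet-report false positive"
        result[host] = {"hits": hits, "base": base, "cloud": cloud, "verdict": verdict}
    return result
```

On a real device, replace the constructed TEST_URL dict with the output of "test url <host>" collected for each host that hits_per_host() returns.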

L4 Transporter

Re: malware??

I'm seeing the same behaviour in our botnet report. Multiple users repeatedly visiting supposedly malicious URLs. All URLs seem to be related to advertisement or CDN. Running PAN-DB 2014.09.25.451.

We have an open case with TAC regarding this. Will let you know how it goes.

L6 Presenter

Re: malware??

Hi VSU,

I just resolved one similar issue. Follow the steps below.

1. Download latest PAN-DB

2. Clear url-cache googletagservices.com/tag/js/gpt.js

3. Now access it; it will work.

Regards,

Hardik Shah
