Not sure what to make of these URLs

7 Posts
5 Users
0 Reactions
1,524 Views
tracedf
(@tracedf)
Estimable Member
Joined: 11 years ago
Posts: 169
Topic starter   [#13565]

I had a situation recently where our iBoss content filter was blocking and flagging some activity from one of our users. The URLs are mostly pornography and gambling websites, but they seem to have a GUID or other identifier after them:

site1/?a2acc4f6-c3c3-49f8-a903-db179705669a
site2/?73b01b21-8607-432e-866c-fb0da0f7108f
site3/?f6e9d35a-235a-4ffb-9f9d-9c551e4fb63c
site4/?75becc24-4562-45dc-81cb-3fdb34af4c68
site5/?162b53f5-58c2-493d-9677-54f11f0d41a7
site6/?cdaf0f94-f75e-477d-800f-e8d2d5199e46

Has anyone seen this before? I pulled the machine but I did not find any corresponding entries in the user's browser history (he used IE 11 on Windows 7). I was able to corroborate other entries in his browser history with the logs from my content filter so I have the right user/machine. It's possible he simply cleared these entries from his browser history or was using private browsing mode but I don't think that's the case.

The reason that I'm concerned is that I did not find anything to indicate that the user was searching for pornographic or gambling sites or going to the sites directly, and did not find any pornography on the computer or indicated by his various MRU entries. I tried opening the URLs in question and they take me to the home/landing page for the site, so they are not links to specific images, videos or galleries. The other links that I've seen for these sites look like this:

site1/video/search?search=something
site1/view_video.php?viewkey=1852258276

What I did find is that the user has been downloading a number of emulators for video game consoles (e.g. NES, SuperNintendo) and games for them. I haven't had time to run any of them to check their behavior–this was a quick look situation where I was not able to do a full analysis. The machine has Sophos AV installed and it did not flag any of the programs.

Any insight into what these links mean or where they might come from would be appreciated. Are these likely pop-ups from another site or adware program?

Chris_Ed
(@chris_ed)
Reputable Member
Joined: 17 years ago
Posts: 314

What sort of URLs are they? Most browsers should tell you a type (redirect) - could that provide more clues?

Also, what about cookies? They could be tracking GUIDs... perhaps?

(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
 

Has anyone seen this before?

Not sure I understand the question. You can see just about any kind of query out there – why should a query with a GUID be any different?

Or are you assuming that queries must have a particular form? Like ?param1=value1&… ? (There are some sources on the net that claim so, I see, but those are usually special cases.) Check RFC 3986 – which I think is the latest – for the real story.

Or … ?

Any insight into what these links mean or where they might come from would be appreciated. Are these likely pop-ups from another site or adware program?

URLs are URLs. As long as they conform to the URL specification, they work as specified (modulo bugs).

In this case, these particular URLs are relevant for this particular web server. Most likely they come from the server itself: check JavaScript resources, HTML resources, or whatever other resources are present.

Or, wildly hypothetically, they could come from some kind of access application, distributed separately. That way, you can't just stumble over the web server or find its data in Google; you need to have the access application. And if you have only the access application, but not the server, you may not be able to confirm that it contains what it claims to contain.

Or perhaps they're results of some kind of local proxy/cache setup?

tracedf
(@tracedf)
Estimable Member
Joined: 11 years ago
Posts: 169
Topic starter  

Athulin,

I wasn't concerned about the queries being in the form http://site/?GUID vs http://site/?p=something. My confusion comes from the fact that the user will visit site.com/GUID and will only request that single URL from the site without any other visits to the site or any searches related to the site. The user usually hits two or three sites (gambling or porn) within one second of each other, all in the site.com/?GUID format. I'm sure he is not typing the addresses in, he doesn't appear to be searching for them, and he isn't on a pornography or gambling related website prior to or after hitting these URLs.

If the user did a Google search for some related terms or visited http://www.site.com then http://www.site.com/?GUID, that would provide the context I'm looking for.
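The pattern described in the post above (several unrelated hosts hit within about a second, each with a bare GUID as the only query string and no surrounding browsing) can be pulled out of a proxy or content-filter log mechanically. The following script is an added example written for this thread, not code from the original poster or from iBoss: it checks each URL for a root path with a lone RFC 4122-shaped UUID as its query, then groups such requests per client into bursts that touch at least two distinct hosts within a one-second window. The log format (ISO timestamp, client IP, URL) and the hostnames are constructed assumptions; the GUIDs reuse the values quoted in the opening post.

```python
"""Flag bursts of GUID-only root requests across multiple hosts in a proxy log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple
from urllib.parse import urlsplit

# A query string that is nothing but one UUID in the 8-4-4-4-12 hex layout of RFC 4122.
GUID_QUERY = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


class Record(NamedTuple):
    time: datetime
    client: str
    host: str
    url: str


# Constructed sample log in an assumed "<ISO timestamp> <client IP> <URL>" layout.
# Hostnames are placeholders; the GUIDs are the ones quoted in the thread.
SAMPLE_LOG = """\
2015-03-02T09:14:11 10.1.2.3 http://site1.example/?a2acc4f6-c3c3-49f8-a903-db179705669a
2015-03-02T09:14:11 10.1.2.3 http://site2.example/?73b01b21-8607-432e-866c-fb0da0f7108f
2015-03-02T09:14:12 10.1.2.3 http://site3.example/?f6e9d35a-235a-4ffb-9f9d-9c551e4fb63c
2015-03-02T09:20:45 10.1.2.3 http://news.example/article?id=42
2015-03-02T10:03:00 10.1.2.3 http://site4.example/?75becc24-4562-45dc-81cb-3fdb34af4c68
2015-03-02T10:03:02 10.1.2.3 http://site4.example/video/search?search=something
"""


def is_guid_query(url: str) -> bool:
    """True when the URL is a site root whose entire query string is one bare GUID."""
    parts = urlsplit(url)
    return parts.path in ("", "/") and bool(GUID_QUERY.match(parts.query))


def parse_log(text: str) -> List[Record]:
    """Parse the assumed three-column log layout into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        records.append(Record(datetime.fromisoformat(ts), client, host, url))
    return records


def find_bursts(records: List[Record],
                window: timedelta = timedelta(seconds=1),
                min_hosts: int = 2) -> List[List[Record]]:
    """Per client, group GUID-only requests whose timestamps fall within `window`
    of the group's first request; keep groups that span at least `min_hosts`
    distinct hosts. Ordinary browsing (search pages, video pages) is ignored."""
    by_client = defaultdict(list)
    for rec in records:
        if is_guid_query(rec.url):
            by_client[rec.client].append(rec)

    bursts: List[List[Record]] = []
    for recs in by_client.values():
        recs.sort(key=lambda r: r.time)
        i = 0
        while i < len(recs):
            group = [recs[i]]
            j = i + 1
            while j < len(recs) and recs[j].time - recs[i].time <= window:
                group.append(recs[j])
                j += 1
            if len({r.host for r in group}) >= min_hosts:
                bursts.append(group)
            i = j
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(parse_log(SAMPLE_LOG)):
        hosts = ", ".join(sorted({r.host for r in burst}))
        print(f"{burst[0].client} at {burst[0].time}: "
              f"{len(burst)} GUID-only requests to {hosts}")
```

On the constructed sample this reports one burst (three hosts at 09:14:11-12) and ignores the lone site4 request, which matches the behaviour the poster describes: a cluster that looks machine-generated rather than typed or clicked. Widening `window` or lowering `min_hosts` trades precision for recall; the hits are a starting point for correlating with startup items and browser add-ons, not proof by themselves.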

(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158

My confusion comes from the fact that the user will visit site.com/GUID and will only request that single URL from the site without any other visits to the site or any searches related to the site.

That suggests that the URLs are delivered in another way.

If you're lucky you could find them in other cached web traffic (possibly encrypted), or an executable, or pagefile or unallocated areas, but I assume you have already covered that.

Removable storage – is there any correlation between the state of removable storage and the requests? A cell phone connected, perhaps?

Or … is there some malware installed that retrieves the UIDs from an external site, and then requests the URLs as they are received?

You presumably have a point in time when this started. What relevant things correlate with that? I'd look for startup programs or browser plugins installed around then.

keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568

My confusion comes from…

Based on what you've shared so far, I'd have to agree with Athulin…if you see URLs in logs that originate from the box in question, but find no indication that those URLs were the result of actions taken by the user, you should probably consider looking elsewhere…adware or malware, perhaps.

Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 14 years ago
Posts: 259

…..
What I did find is that the user has been downloading a number of emulators for video game consoles (e.g. NES, SuperNintendo) and games for them. I haven't had time to run any of them to check their behavior….

Here is an analysis of a fake PS3 emulator, published by the German magazine "heise.de", one of the leading IT publishers in Germany:
http://www.heise.de/security/artikel/Analysiert-PS3-Emulator-im-Schafspelz-2583457.html

To make a long story short and translated:
- fake PS3 emulator promising to play games
- the fake emulator software opens several "adult" and gaming websites
- the developer of the fake emulator makes money using an "Affiliate Program"; the connections to sites/advertisements are coming from infected computers

Does this sound familiar to you? :D

best regards, Robin
