March 23, 2021

My firewall informed me that my server attempted to connect to a malware site:

System: Untangle [Verv.Nunya.com]
Event: WebFilterEvent
Event Time: 2021-03-23 01:36:06.975.
Event Summary: Web Filter blocked http:/boaform/admin/formLogin?username=user&psd=user (Malware Sites)
Event Details:
app name = web_filter
blocked = true
category = Malware Sites
category id = 56
flagged = true
reason = BLOCK_CATEGORY
request line = GET http:/boaform/admin/formLogin?username=user&psd=user
rule id = 56
session event
bypassed = false
c client addr = 112.72.231.35
c client port = 2728
c server addr = redacted - my ip
c server port = 80
client country = KR
client intf = 1
client latitude = 36.6353
client longitude = 127.4678
entitled = true
hostname = Tower
local addr = 192.168.1.253
policy id = 1
policy rule id = 0
protocol = 6
protocol name = TCP
remote addr = 112.72.231.35
s client addr = 112.72.231.35
s client port = 2728
s server addr = 192.168.1.253
s server port = 180
server country = XL
server intf = 3
session id = 105907154162496
tags string =
time stamp = 2021-03-23 01:36:05.741
time stamp = 2021-03-23 01:36:06.975

This is an automated message sent because this event matched Alerts Rule "Malware Sites website visit blocked".

Fortunately it appears blocked. Trying to find out more about what's going on though, and if it originated internally or was something like a malformed header sent to the server, which then tried to respond? I'm a bit out of my depth on this. The latitude and longitude logged show South Korea... where I am definitely not located.

My server is running 6.9.1, and I use the nginx proxy manager for routing to a Nextcloud installation, so only ports 80 and 443 are forwarded through my firewall.

I think I'm going to start running a ClamAV instance, but I have about 21 TB it has to go through. I don't download any movies or other files from the internet.

Assistance is greatly appreciated!

Edited March 23, 2021 by 1812
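One way to read the session's direction from the alert's own fields, as an added example that is not part of the original post: it parses the "key = value" details and compares the client and server addresses. It assumes "c client addr" is the side that opened the connection and "s server addr" is the destination after NAT; the sample fields are copied from the alert quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# Subset of the alert fields quoted in the post, one per line ("redacted" kept as posted).
ALERT = """\
request line = GET http:/boaform/admin/formLogin?username=user&psd=user
c client addr = 112.72.231.35
c server addr = redacted - my ip
c server port = 80
local addr = 192.168.1.253
remote addr = 112.72.231.35
s server addr = 192.168.1.253
s server port = 180"""

def parse_fields(text):
    """Turn 'key = value' lines into a dict; values may themselves contain '='."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_private(addr):
    """True/False for a valid IP, None when the value is redacted or malformed."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return None

def direction(fields):
    # Assumption: the 'client' side of the session is the connection initiator.
    client = is_private(fields.get("c client addr", ""))
    server = is_private(fields.get("s server addr", ""))
    if client is False and server is True:
        return "inbound"    # Internet host connecting to a forwarded port
    if client is True and server is False:
        return "outbound"   # LAN host connecting out to the Internet
    return "undetermined"

def summarize(text):
    f = parse_fields(text)
    method, _, target = f.get("request line", "").partition(" ")
    url = urlsplit(target)
    return {"direction": direction(f), "initiator": f.get("c client addr"),
            "method": method, "host": url.netloc or None, "path": url.path}

if __name__ == "__main__":
    print(summarize(ALERT))
```
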