Reported malware on server? (http:/boaform/admin/formLogin?username=user&psd=user)


1812

My firewall informed me that my server attempted to connect to a malware site:

 

System: Untangle [Verv.Nunya.com]

Event: WebFilterEvent

Event Time: 2021-03-23 01:36:06.975.

Event Summary:
Web Filter blocked http:/boaform/admin/formLogin?username=user&psd=user (Malware Sites)

Event Details:
app name                          = web_filter
blocked                           = true
category                          = Malware Sites
category id                       = 56
flagged                           = true
reason                            = BLOCK_CATEGORY
request line                      = GET http:/boaform/admin/formLogin?username=user&psd=user
rule id                           = 56
session event                    
bypassed                         = false
c client addr                    = 112.72.231.35
c client port                    = 2728
c server addr                    = redacted - my ip
c server port                    = 80
client country                   = KR
client intf                      = 1
client latitude                  = 36.6353
client longitude                 = 127.4678
entitled                         = true
hostname                         = Tower
local addr                       = 192.168.1.253
policy id                        = 1
policy rule id                   = 0
protocol                         = 6
protocol name                    = TCP
remote addr                      = 112.72.231.35
s client addr                    = 112.72.231.35
s client port                    = 2728
s server addr                    = 192.168.1.253
s server port                    = 180
server country                   = XL
server intf                      = 3
session id                       = 105907154162496
tags string                      = 
time stamp                       = 2021-03-23 01:36:05.741
time stamp                        = 2021-03-23 01:36:06.975

This is an automated message sent because this event matched Alerts Rule "Malware Sites website visit blocked".

 

 

Fortunately it appears blocked. Trying to find out more about what's going on though, and whether it originated internally or was something like a malformed header sent to the server, which then tried to respond? I'm a bit out of my depth on this. The latitude and longitude logged show South Korea... where I am definitely not located.

 

My server is running 6.9.1, and I use Nginx Proxy Manager for routing to a Nextcloud installation, so only ports 80 and 443 are forwarded through my firewall. I think I'm going to start running a ClamAV instance, but I have about 21 TB it has to go through. I don't download any movies or other files from the internet.

 

Assistance is greatly appreciated!

 

 

Edited by 1812
Link to comment
  • 1812 changed the title to Reported malware on server? (http:/boaform/admin/formLogin?username=user&psd=user)
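Editor's note: the direction question raised in the post can be read off the event's own address fields. The script below is an added example, not code from the post, from Untangle or from Unraid; it parses the "Event Details" block (copied into a constructed string, with the redacted "c server addr" line left out) and reports who opened the TCP session and what URL was requested. The field names come straight from the post. One assumption is made and marked in the code: that Untangle's "s ..." fields describe the session on the server-side interface, after any port forward, so "s server addr" is the real internal destination and a difference between "c server port" and "s server port" means the firewall rewrote the destination port on the way in.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the "Event Details" block from the post above, copied
# field-for-field (the redacted "c server addr" line is left out).
SAMPLE_EVENT = """\
app name                          = web_filter
blocked                           = true
category                          = Malware Sites
reason                            = BLOCK_CATEGORY
request line                      = GET http:/boaform/admin/formLogin?username=user&psd=user
c client addr                    = 112.72.231.35
c client port                    = 2728
c server port                    = 80
client country                   = KR
hostname                         = Tower
local addr                       = 192.168.1.253
protocol name                    = TCP
remote addr                      = 112.72.231.35
s client addr                    = 112.72.231.35
s client port                    = 2728
s server addr                    = 192.168.1.253
s server port                    = 180
tags string                      =
"""


def parse_event(text):
    """Turn the 'key = value' lines of an Untangle event into a dict.

    Lines without '=' (headings, blank lines) are skipped; values may be empty.
    Only the first '=' splits, so a URL containing '=' survives intact.
    """
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify_direction(fields):
    """Say which way the TCP session was opened, from the server-side addresses.

    Assumption (about Untangle's naming, not stated in the post): the 's ...'
    fields are the session as seen on the server-side interface, i.e. after any
    NAT/port-forward, so 's server addr' is the real internal destination.
    """
    client = ipaddress.ip_address(fields["s client addr"])
    server = ipaddress.ip_address(fields["s server addr"])
    if not client.is_private and server.is_private:
        return "inbound"      # an internet host opened the connection to a LAN host
    if client.is_private and not server.is_private:
        return "outbound"     # a LAN host reached out to the internet
    if client.is_private and server.is_private:
        return "internal"
    return "external"


def summarize(text):
    """Collect the facts that answer 'who started this, and what did they ask for?'"""
    fields = parse_event(text)
    method, _, url = fields["request line"].partition(" ")
    parts = urlsplit(url)   # tolerates the single-slash 'http:/...' form in the log
    return {
        "direction": classify_direction(fields),
        "blocked": fields.get("blocked") == "true",
        "client": fields["s client addr"],
        "client_country": fields.get("client country"),
        "method": method,
        "path": parts.path,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        # Assumption: client-side dst port differing from server-side dst port
        # means the firewall rewrote the destination port (a port forward).
        "port_rewritten": fields.get("c server port") != fields.get("s server port"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENT).items():
        print(f"{key:>15}: {value}")
```

Run against the posted event, the script reports direction "inbound": the 112.72.231.35 address is the session's client on both the c and s sides, and 192.168.1.253 (hostname Tower) is the server, so the internal host did not initiate anything; it received a GET for /boaform/admin/formLogin with username=user and psd=user and the Web Filter matched that request string against its Malware Sites category. The rewritten port (80 on the client side, 180 on the server side) is what a port forward to a web front end on a non-standard port looks like in this log format, under the assumption above.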
