Tuesday, August 23, 2011

Brute-Forcing clients using "Googlebot" UA

This is a short-and-sweet post:

Look for outbound HTTP POST requests from clients in your networks with the User-Agent string "Googlebot" ...

Zscaler has a network of forward web-proxies that provides security and policy enforcement for its customers. We use authentication and a number of other techniques to prevent abuse of non-paying customers forwarding traffic through our cloud. That is not to say that the attackers don't continually try.

I've noticed a large number of attempted web transactions from infected hosts out on the Internet that try to brute-force file-sharing accounts, forwarding their login attempts through Internet proxies to mask their origin and avoid being blacklisted.

For example, I noticed almost 1000 unique client IPs in the month of August attempting such transactions, including client IPs from Fortune 100 companies. Because of the types and volume of IPs used, it can be assumed that this campaign is leveraging compromised systems within a botnet. There were almost 300 unique URLs accessed in the brute-forcing attempts for the month of August - for example,

174.140.154.20/?c=login
174.140.154.23/?c=login
174.140.154.47/?c=login
46.105.112.181/login.html
82.192.86.129/login.html
203.113.132.156/
...
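The check described at the top of the post, turned into a small proxy-log sweep. This is an added example, not Zscaler's code: it assumes a simplified one-line-per-request log format (client IP, method, URL, quoted User-Agent) and uses constructed sample lines with documentation-range addresses; it flags outbound POSTs carrying a "Googlebot" User-Agent and then singles out clients that repeat the pattern against login-style URLs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample forward-proxy log lines (not real Zscaler data).
# Format assumed here: client_ip method url "user_agent"
SAMPLE_LOG = """\
10.1.2.3 POST http://198.51.100.20/?c=login "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.1.2.3 POST http://198.51.100.23/?c=login "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.1.2.3 POST http://203.0.113.5/login.html "Googlebot"
10.1.2.9 GET http://www.example.com/ "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.1.2.7 POST http://intranet.example.com/submit "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
10.1.2.8 POST http://203.0.113.5/login.html "Googlebot"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Yield (client_ip, method, url, user_agent) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("method"), m.group("url"), m.group("ua")

def googlebot_posts(text):
    """Return {client_ip: [urls]} for outbound POSTs whose User-Agent claims to be Googlebot.
    The real crawler fetches public sites from Google's own address space; it never
    originates from a client inside your network, so any such outbound request is spoofed."""
    hits = defaultdict(list)
    for ip, method, url, ua in parse_log(text):
        if method.upper() == "POST" and "googlebot" in ua.lower():
            hits[ip].append(url)
    return dict(hits)

def suspected_bruteforcers(text, min_posts=2):
    """Client IPs with at least min_posts Googlebot-UA POSTs to login-style URLs,
    i.e. the repeated credential-guessing pattern described in the post."""
    counts = Counter()
    for ip, urls in googlebot_posts(text).items():
        counts[ip] = sum(1 for u in urls if "login" in u.lower())
    return sorted(ip for ip, n in counts.items() if n >= min_posts)

if __name__ == "__main__":
    for ip, urls in googlebot_posts(SAMPLE_LOG).items():
        print(ip, len(urls), urls)
    print("suspected brute-forcers:", suspected_bruteforcers(SAMPLE_LOG))
```

Every match from `googlebot_posts` is worth a look on its own; `suspected_bruteforcers` just ranks the clients that hammer login pages repeatedly, which is where an infected host would show up first.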

I'll plan to put together a small portal to query to see if we have seen brute-forcing from your IP.
