Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => USA Education Products => Topic started by: REDACTED on October 29, 2013, 09:03:00 PM

Title: Lightspeed Rocket blocking su.ff.avast.com
Post by: REDACTED on October 29, 2013, 09:03:00 PM
Looking over my Lightspeed blocked reports, I see that there are lots of reports of blocked activity pointing to things like su.ff.avast.com/R/A04KIDFjNWEwYjRmMjdjNDQwZTQ4MzZmZWRjYzcwYjMxNjkyEgQBKBATGJwBIgH-KgcIBBD9t54bKgQIAxAAMgoIBBD9t54bGIAKONKLgEA=. The address changes slightly every time.
What is this, and what effect is blocking these having on my system?
Thank you in advance.
Title: Re: Lightspeed Rocket blocking su.ff.avast.com
Post by: REDACTED on October 31, 2013, 04:46:32 PM
Update: It appears as if each client is trying to reach this address, as I have 60,000 blocks on a 700+ client network, to this address in the past week. The clients are set to check the EAS server before connecting to the internet for updates and each machine is updating the virus definitions properly. I have nearly as many blocks to ui.ff.avast.com.
Title: Re: Lightspeed Rocket blocking su.ff.avast.com
Post by: REDACTED on April 29, 2015, 10:18:24 PM
I came across this post researching an event on our web servers. The web servers (Apache) became unresponsive with these entries in the logs:

192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "GET /R/A0cKIDZENzdEMEFFRTVGNDUxMTlBQUUyMTdBMUVFRjkwNjdFEgQBIwIVGI0BIgECKgcIBBDKzcEvOICAnFBIgICAgPr_____AQ== HTTP/1.1" 404 45838 "-" "-"
192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "POST /R/A2MKIGFmNzdhZTU2NDgzODQ2MGRiZmNlNzhkNmEyZTczMWMyEgQAJgIVGKACIgH_KgcIBBCmqb4vOKCRgFBCIBocnnCAdnMjL-3u6DMt9g8Y0QVWKPqxpE_s7X49_4DASICDmAg= HTTP/1.1" 404 45889 "-" "-"

192.168.8.49 is our web proxy, but our web app reported a Chinanet IP as a referrer.
LOCATION: http://su.ff.avast.com/R/A2MKIGFmNzdhZTU2NDgzODQ2MGRiZmNlNzhkNmEyZTczMWMyEgQAJgIVGKACIgH_KgcIBBCmqb4vOKCRgFBCIBocnnCAdnMjL-3u6DMt9g8Y0QVWKPqxpE_s7X49_4DASICDmAg
HOSTNAME: 116.226.126.70

I'm guessing the DNS was hijacked and users were unknowingly redirected to our site for Avast updates...
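As an added example (not the poster's own tooling), the Python below parses Apache combined-log lines like the two quoted above and counts, per client address, requests for Avast-update-style /R/<base64url> paths that the server answered with 404, which is the pattern a web server sees when update traffic is misdirected to it. The path pattern and the three extra sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Sample input: the two entries quoted in the thread plus three constructed
# lines (10.0.0.7 and 10.0.0.21 are made-up clients) to exercise the filter.
SAMPLE_LOG = """\
192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "GET /R/A0cKIDZENzdEMEFFRTVGNDUxMTlBQUUyMTdBMUVFRjkwNjdFEgQBIwIVGI0BIgECKgcIBBDKzcEvOICAnFBIgICAgPr_____AQ== HTTP/1.1" 404 45838 "-" "-"
192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "POST /R/A2MKIGFmNzdhZTU2NDgzODQ2MGRiZmNlNzhkNmEyZTczMWMyEgQAJgIVGKACIgH_KgcIBBCmqb4vOKCRgFBCIBocnnCAdnMjL-3u6DMt9g8Y0QVWKPqxpE_s7X49_4DASICDmAg= HTTP/1.1" 404 45889 "-" "-"
10.0.0.7 - - [28/Apr/2015:22:18:01 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.7 - - [28/Apr/2015:22:18:02 -0700] "GET /R/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= HTTP/1.1" 404 45838 "-" "-"
10.0.0.21 - - [28/Apr/2015:22:18:03 -0700] "GET /R/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= HTTP/1.1" 200 512 "-" "-"
"""

# Apache "combined" log format: client, identd, user, [timestamp],
# "METHOD path protocol", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of the Avast update path seen in the thread: "/R/" followed
# by a base64url blob (letters, digits, "-", "_") with optional "=" padding.
AVAST_UPDATE_PATH = re.compile(r'^/R/[A-Za-z0-9_-]{20,}={0,2}$')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_misdirected_update(rec):
    """True when an Avast-style update path was requested but this server
    has no such resource (404): update traffic that should not be here."""
    return AVAST_UPDATE_PATH.match(rec["path"]) is not None and rec["status"] == "404"


def summarize(log_text):
    """Count misdirected update requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_misdirected_update(rec):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} misdirected update request(s)")
```

On the poster's logs a high count from a single proxy address, as here, points at the clients behind that proxy being sent to the wrong host for updates rather than at the server itself.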