Author Topic: Lightspeed Rocket blocking su.ff.avast.com  (Read 5880 times)

0 Members and 1 Guest are viewing this topic.

Offline MadZymurgist

  • Jr. Member
  • **
  • Posts: 22
Lightspeed Rocket blocking su.ff.avast.com
« on: October 29, 2013, 09:03:00 PM »
Looking over my Lightspeed blocked reports, is see that there are lots of reports of blocked activity pointing to things like su.ff.avast.com/R/A04KIDFjNWEwYjRmMjdjNDQwZTQ4MzZmZWRjYzcwYjMxNjkyEgQBKBATGJwBIgH-KgcIBBD9t54bKgQIAxAAMgoIBBD9t54bGIAKONKLgEA=. The address changes slightly every time.
What is this and what effect is blocking these having on my system.
Thank you in advance.

Offline MadZymurgist

  • Jr. Member
  • **
  • Posts: 22
Re: Lightspeed Rocket blocking su.ff.avast.com
« Reply #1 on: October 31, 2013, 04:46:32 PM »
Update: It appears as if each client is trying to reach this address, as I have 60,000 blocks on a 700+ client network, to this address in the past week. The clients are set to check the EAS server before connecting to the internet for updates and each machine is updating the virus definitions properly. I have nearly as many blocks to ui.ff.avast.com.

Offline Mr. T

  • Newbie
  • *
  • Posts: 1
Re: Lightspeed Rocket blocking su.ff.avast.com
« Reply #2 on: April 29, 2015, 10:18:24 PM »
I can across this post researching an event on our web servers. The web servers (Apache) became unresponsive with these entries in the logs:

192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "GET /R/A0cKIDZENzdEMEFFRTVGNDUxMTlBQUUyMTdBMUVFRjkwNjdFEgQBIwIVGI0BIgECKgcIBBDKzcEvOICAnFBIgICAgPr_____AQ== HTTP/1.1" 404 45838 "-" "-"
192.168.8.49 - - [28/Apr/2015:22:17:58 -0700] "POST /R/A2MKIGFmNzdhZTU2NDgzODQ2MGRiZmNlNzhkNmEyZTczMWMyEgQAJgIVGKACIgH_KgcIBBCmqb4vOKCRgFBCIBocnnCAdnMjL-3u6DMt9g8Y0QVWKPqxpE_s7X49_4DASICDmAg= HTTP/1.1" 404 45889 "-" "-"

192.168.8.49 is our web proxy, but our web app reported an Chinanet IP as a referrer.
LOCATION: http://su.ff.avast.com/R/A2MKIGFmNzdhZTU2NDgzODQ2MGRiZmNlNzhkNmEyZTczMWMyEgQAJgIVGKACIgH_KgcIBBCmqb4vOKCRgFBCIBocnnCAdnMjL-3u6DMt9g8Y0QVWKPqxpE_s7X49_4DASICDmAg
HOSTNAME: 116.226.126.70

I'm guessing the DNS was hijacked and users were unknowingly redirected to our site for Avast updates...