I should have included it in my first message. The IP for emeksensin.com is
78.46.82.212
Sorry for the dump of data below. It is just a GET to database.clamav.net that
is redirected and then the 404 response from emeksensin.com.
Here is the redirect:
{
dest_ip: 78.46.84.244
dest_port: 80
event_type: http
flow_id: 139820056902992
http: {
hostname: database.clamav.net
http_method: GET
http_user_agent: Wget/1.14 (linux-gnu)
length: 0
protocol: HTTP/1.1
redirect: http://emeksensin.com/safebrowsing.cvd
status: 301
tx_id: 0
url: /safebrowsing.cvd
}
in_iface: eth2
proto: TCP
src_ip: _X_
src_port: 60435
timestamp: 2015-11-06T09:08:59.585958-0600
vlan: 101
}
A request is then made to emeksensin:
{
dest_ip: 78.46.82.212
dest_port: 80
event_type: http
flow_id: 139820052238112
http: {
hostname: emeksensin.com
http_content_type: text/html
http_method: GET
http_user_agent: Wget/1.14 (linux-gnu)
length: 846
protocol: HTTP/1.1
status: 404
tx_id: 0
url: /safebrowsing.cvd
}
in_iface: eth2
proto: TCP
src_ip: _X_
src_port: 40262
timestamp: 2015-11-06T09:08:59.932296-0600
vlan: 101
}
And the response from emeksensin. Looking at the pcap it is just a 404 page
with Turkish writing saying something about the page not being found.
{
dest_ip: _X_
dest_port: 40262
event_type: fileinfo
fileinfo: {
filename: /safebrowsing.cvd
magic: HTML document text
size: 836
state: CLOSED
stored: false
tx_id: 0
}
flow_id: 139820052238112
http: {
hostname: emeksensin.com
http_user_agent: Wget/1.14 (linux-gnu)
url: /safebrowsing.cvd
}
in_iface: eth2
proto: TCP
src_ip: 78.46.82.212
src_port: 80
timestamp: 2015-11-06T09:09:00.070391-0600
vlan: 101
}
Thank you,
smithd
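The three events above are Suricata EVE JSON records. Below is an added example, not code from the thread or from the ClamAV project, of the detection an analyst could run over such logs to catch exactly this pattern: an `http` event in which a trusted mirror answers with a 3xx whose `redirect` target is outside the expected domain, correlated with the client's follow-up request to that target. The sample EVE lines are constructed from the values quoted in the thread (the masked client address `_X_` is replaced by an RFC 1918 placeholder, and a third, benign mirror-to-mirror redirect is invented to show the negative case); the function names and the `TRUSTED_SUFFIXES` list are assumptions for this illustration.

```python
"""Flag ClamAV mirror redirects that leave the expected domain.

Reads Suricata EVE JSON (one object per line), looks at http events whose
response was a 3xx carrying a Location header (EVE's "redirect" field), and
raises an alert when the redirect target host is not under a trusted suffix.
A second pass links any follow-up request for the same path to that target,
so the analyst sees what the client actually fetched and what status it got.
"""
import json
from urllib.parse import urlsplit

# Constructed sample input, modelled on the events quoted in the thread.
# The masked client address _X_ is replaced by the placeholder 10.0.0.5, and
# the third line is an invented benign redirect between two clamav.net mirrors.
SAMPLE_EVE = r'''
{"timestamp":"2015-11-06T09:08:59.585958-0600","flow_id":139820056902992,"in_iface":"eth2","event_type":"http","src_ip":"10.0.0.5","src_port":60435,"dest_ip":"78.46.84.244","dest_port":80,"proto":"TCP","vlan":101,"http":{"hostname":"database.clamav.net","url":"/safebrowsing.cvd","http_user_agent":"Wget/1.14 (linux-gnu)","http_method":"GET","protocol":"HTTP/1.1","status":301,"redirect":"http://emeksensin.com/safebrowsing.cvd","length":0}}
{"timestamp":"2015-11-06T09:08:59.932296-0600","flow_id":139820052238112,"in_iface":"eth2","event_type":"http","src_ip":"10.0.0.5","src_port":40262,"dest_ip":"78.46.82.212","dest_port":80,"proto":"TCP","vlan":101,"http":{"hostname":"emeksensin.com","url":"/safebrowsing.cvd","http_user_agent":"Wget/1.14 (linux-gnu)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":404,"length":846}}
{"timestamp":"2015-11-06T09:10:12.000000-0600","flow_id":139820056903001,"in_iface":"eth2","event_type":"http","src_ip":"10.0.0.5","src_port":60440,"dest_ip":"78.46.84.244","dest_port":80,"proto":"TCP","vlan":101,"http":{"hostname":"database.clamav.net","url":"/main.cvd","http_user_agent":"Wget/1.14 (linux-gnu)","http_method":"GET","protocol":"HTTP/1.1","status":301,"redirect":"http://db.us.clamav.net/main.cvd","length":0}}
'''

# Domains a mirror is allowed to redirect to (assumed policy for this example).
TRUSTED_SUFFIXES = ("clamav.net",)


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """True if host equals a trusted suffix or is a subdomain of one.

    Matching on the dotted suffix avoids treating "clamav.net.example" as trusted.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_eve(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_offsite_redirects(events, suffixes=TRUSTED_SUFFIXES):
    """Return one alert per redirect from a trusted mirror to an untrusted host."""
    http_events = [e for e in events if e.get("event_type") == "http"]
    alerts = []
    for e in http_events:
        h = e["http"]
        redirect = h.get("redirect")
        if not redirect or h.get("status") not in (301, 302, 303, 307, 308):
            continue
        if not host_is_trusted(h.get("hostname", ""), suffixes):
            continue  # only redirects issued by a mirror we trust are interesting
        target = urlsplit(redirect)
        target_host = (target.hostname or "").lower()
        if host_is_trusted(target_host, suffixes):
            continue  # mirror bounced the client to another mirror: normal
        alert = {
            "timestamp": e["timestamp"],
            "client": e["src_ip"],
            "mirror": h["hostname"],
            "mirror_ip": e["dest_ip"],
            "path": h.get("url"),
            "redirect_host": target_host,
            "followed": None,
        }
        # Correlate: did the same client then request that path from the offsite host?
        # Timestamps share one format and zone, so string comparison orders them.
        for f in http_events:
            fh = f["http"]
            if (f["src_ip"] == e["src_ip"]
                    and fh.get("hostname", "").lower() == target_host
                    and fh.get("url") == target.path
                    and f["timestamp"] >= e["timestamp"]):
                alert["followed"] = {"dest_ip": f["dest_ip"], "status": fh.get("status")}
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_offsite_redirects(parse_eve(SAMPLE_EVE)):
        print(json.dumps(alert))
```

Run against the sample, this produces a single alert for the `database.clamav.net` to `emeksensin.com` hop, with `followed` showing the client reached `78.46.82.212` and received a 404; the invented redirect to `db.us.clamav.net` is ignored because the target stays under the trusted suffix. The `followed` field is what distinguishes a harmless redirect from one the updater actually acted on, which is the question the thread is really asking.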
-----Original Message-----
From: clamav-users [mailto:[email protected]] On Behalf Of
Al Varnell
Sent: Tuesday, November 10, 2015 3:58 PM
To: ClamAV users ML <[email protected]>
Subject: Re: [clamav-users] Mirror redirect to emeksensin.com
It has not been brought up, but they will need the IP address to even begin to
look into this.
-Al-
On Tue, Nov 10, 2015 at 11:53 AM, Derek Smith wrote:
>
> Hello,
>
> I am new to ClamAV and was playing with the URLs used to fetch updates,
> database.clamav.net and db.us.clamav.net. I typed one of them into my
> browser and was redirected to emeksensin.com, which appears to be a Turkish
> Arts and Crafts site. Looking at the last 30 days of network traffic it
> appears that this began on Thursday, October 29th and has been happening once
> every four days or so. Freshclam works fine the rest of the time, but on
> these occasions will be redirected to emeksensin, requesting main.cvd or
> safebrowsing.cvd, and luckily only receive a 404 in return.
>
> I searched the clamav-users list archive for each month of 2015 and did not
> find any mention of this. Has anyone encountered this issue, or has it
> already been brought up?
>
> Thank you,
> smithd
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml