[pfSense] General question
In my fw proxy logs I'm seeing a periodic connection from one of my PCs to facebook, flickr, and youtube around the same time, and it's happening about every 10 minutes. I have checked browser plugins, searched for rogue software, and scanned the PC to no avail. I was wondering if one of the members has a clue on what's going on. Here is an example of the log:

[Fri Mar 22 22:06:44 2013].978 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:06:45 2013].295409 10.168.255.70 TCP_HIT/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:06:45 2013].309424 10.168.255.70 TCP_MISS/200 111388 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:21:06 2013].802145 10.168.255.70 TCP_HIT/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:21:06 2013].821165 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:21:07 2013].071415 10.168.255.70 TCP_HIT/200 111359 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:21:44 2013].928 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:21:44 2013].968131 10.168.255.70 TCP_MISS/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:21:45 2013].232396 10.168.255.70 TCP_HIT/200 62 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:36:06 2013].779167 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:36:06 2013].961349 10.168.255.70 TCP_HIT/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:36:07 2013].166555 10.168.255.70 TCP_MISS/200 110520 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:36:44 2013].901 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:36:45 2013].135326 10.168.255.70 TCP_HIT/200 111352 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:36:45 2013].168360 10.168.255.70 TCP_HIT/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:51:06 2013].732166 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:51:06 2013].814248 10.168.255.70 TCP_MISS/200 210140 GET http://www.flickr.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:51:07 2013].032466 10.168.255.70 TCP_HIT/200 106375 GET http://www.youtube.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 text/html
[Fri Mar 22 22:51:44 2013].838 93 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
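The timing in the proxy log above can be measured instead of read off by eye. The following Python is an added example, not part of the original thread: it parses the www.facebook.com entries copied from the post and reports the request period per client and host, allowing for several interleaved timers. The function names, the jitter threshold and the minimum sample count are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlsplit

# The www.facebook.com entries, copied from the log in the post above.
SAMPLE = """\
[Fri Mar 22 22:06:44 2013].978 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:21:06 2013].821165 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:21:44 2013].928 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:36:06 2013].779167 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:36:44 2013].901 92 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:51:06 2013].732166 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
[Fri Mar 22 22:51:44 2013].838 93 10.168.255.70 TCP_MISS/302 0 GET http://www.facebook.com 10.168.255.70 DEFAULT_PARENT/127.0.0.1 -
"""

# Captures timestamp, client address and URL. The number after "]." is
# sometimes fused with the next field in the post, so the second is optional.
LINE = re.compile(r"\[([^\]]+)\]\.\d+(?: \d+)? (\S+) \S+/\d{3} \d+ \w+ (\S+)")


def find_period(times, max_streams=3, max_jitter=5.0, min_gaps=3):
    """Return (streams, period_seconds) for the smallest number of
    interleaved timers whose gaps are near-constant, else None."""
    ts = sorted(times)
    for k in range(1, max_streams + 1):
        # With k timers interleaved, every k-th request is the same timer.
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[k:])]
        if len(gaps) >= min_gaps and pstdev(gaps) <= max_jitter:
            return k, sum(gaps) / len(gaps)
    return None


def beacons(log_text):
    """Map (client, host) -> (streams, period) for periodic requesters."""
    seen = defaultdict(list)
    for m in LINE.finditer(log_text):
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        seen[(m.group(2), urlsplit(m.group(3)).hostname)].append(when)
    found = {key: find_period(ts) for key, ts in seen.items()}
    return {key: p for key, p in found.items() if p}


if __name__ == "__main__":
    for (client, host), (k, period) in beacons(SAMPLE).items():
        print(f"{client} -> {host}: {k} timer(s), every {period:.0f}s")
```

On these lines the consecutive gaps alternate between 862 and 38 seconds, which resolves to two interleaved series that each repeat every 900 seconds.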
Re: [pfSense] General question
Just hazarding a guess here, but based on it being those three sites, could it be all of those Share on Facebook! Post to Flickr! buttons that every page nowadays likes to put on the bottom?

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email supp...@a-1networks.com or call 707-703-1050

On 3/25/13 8:38 AM, kol wrote:
> In my fw proxy logs I'm seeing a periodic connection from one of my PCs to facebook, flickr, and youtube around the same time, and it's happening about every 10 minutes. I have checked browser plugins, searched for rogue software, and scanned the PC to no avail. I was wondering if one of the members has a clue on what's going on.
Re: [pfSense] General question
From: Alan Worstell [mailto:aworst...@a-1networks.com]
Sent: Monday, March 25, 2013 12:04 PM
To: k_...@hotmail.com; pfSense support and discussion
Subject: Re: [pfSense] General question

> Just hazarding a guess here, but based on it being those three sites, could it be all of those Share on Facebook! Post to Flickr! buttons that every page nowadays likes to put on the bottom?

I see the issue even when all browsers are shut down.
Re: [pfSense] General question
On 25.03.2013 19:30 k_o_l wrote:
> I see the issue even when all browsers are shut down.

netstat -ano (Win) or -nlp on the source PC can bring you the solution.

bye
Christoph
Re: [pfSense] General question
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Christoph Hanle
Sent: Monday, March 25, 2013 2:45 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] General question

> netstat -ano (Win) or -nlp on the source PC can bring you the solution.

Nothing there, Wireshark captures HTTP sessions, but not sure what's doing it since all my browsers are off.
Re: [pfSense] General question
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of k_o_l
Sent: Monday, March 25, 2013 3:53 PM
To: 'pfSense support and discussion'
Subject: Re: [pfSense] General question

> Nothing there, Wireshark captures HTTP sessions, but not sure what's doing it since all my browsers are off.

Perhaps some Windows gadget that is in use. Does it show what PC you are having the problems with? Unplug the network from that PC and see if it still persists. It could be any number of apps they have installed. I have even seen some of the browsers open HTTP sessions.
Re: [pfSense] General question
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
Sent: Monday, March 25, 2013 4:18 PM
To: k_...@hotmail.com; 'pfSense support and discussion'
Subject: Re: [pfSense] General question

> Perhaps some Windows gadget that is in use. Does it show what PC you are having the problems with? Unplug the network from that PC and see if it still persists. It could be any number of apps they have installed. I have even seen some of the browsers open HTTP sessions.

Sorry. I have seen some antiviruses open HTTP sessions.
Re: [pfSense] General question
2013/3/25 kol k_...@hotmail.com

> -Original Message-
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Rodrigue
> Sent: Monday, March 25, 2013 5:24 PM
> To: 'pfSense support and discussion'
> Subject: Re: [pfSense] General question
>
> > Sorry. I have seen some antiviruses open HTTP sessions.
>
> No gadget, not the antivirus. It's from one PC, so yeah, when the cable is unplugged no connection is made.

Something that is running in the background? Try to check your browser for toolbars etc. Some have explicit processes that run outside the browsers as a single process or service. The worst toolbar I ever saw and had to remove was the ask.com toolbar. It came with an update from Java.

For getting a clue what's going on, download the sysinternals.com suite. Open TCPView (I think that was the tool's name) and watch which process opens the HTTP sessions. If that doesn't help, download an antivirus/malware-detection rescue CD and make a full check of your system. In the latter case your system may be infected with a bot/trojan/malware that, e.g., tries to hack accounts on those platforms or communicates over them. Something similar.

hth
regards
michael

--
= = = http://michael-schuh.net/ = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =