
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)

Similar Events:

  • ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Jun 10 2016
  • ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016
  • ETPRO CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Feb 29
  • ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename
  • ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015
IP Address / Port / Hostname:

  • Source (local): port 49247
  • Destination: 85.93.0.13 (Romania), http (80), vucid.xyz


Description:


False Positive:

  • NO
  • These events all indicate that someone walked into an Exploit Kit.
  • This can happen as part of regular browsing when one hits a compromised host.
  • Some checks are done to determine if the user is exploitable (Flash in this case); the kit then either delivers an exploit/payload or stops.
  • It looks like the user had the latest version of Flash and wasn't exploited.

Action:

  • There is some suspicious before-and-after behavior associated with this. While it doesn't look like it landed, this system should be scanned.
  • Alarm.
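As an added example (not part of the ticket, the signature, or any vendor tooling), the triage reasoning in the two lists above written out as code: walk the proxy log for the client, find the Flash request to the alerted host that the signature keys on (Flash content served under a filename that does not end in .swf), and check whether anything payload-like came back from the EK host afterwards. The hostname vucid.xyz and IP 85.93.0.13 come from the ticket; the log format, URIs, timestamps, the compromised-site hostname and the second "landed" sample are all constructed for the example.

```python
# Added triage helper, not part of the original ticket. Log format and all
# values other than the EK hostname/IP are constructed for illustration.
from dataclasses import dataclass

ALERTED_HOST = "vucid.xyz"       # from the ticket
ALERTED_IP = "85.93.0.13"        # from the ticket

FLASH_MIME = "application/x-shockwave-flash"
# Response types that, from the EK host after the Flash probe, suggest a dropped payload
PAYLOAD_MIMES = {"application/octet-stream", "application/x-msdownload"}


@dataclass
class HttpEvent:
    ts: str
    src: str
    host: str
    dst_ip: str
    dst_port: int
    uri: str
    status: int
    content_type: str
    size: int


def parse_log(lines):
    """Parse pipe-delimited proxy log lines (constructed format) into HttpEvent objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, host, dst_ip, port, uri, status, ctype, size = [f.strip() for f in line.split("|")]
        events.append(HttpEvent(ts, src, host, dst_ip, int(port), uri, int(status), ctype, int(size)))
    return events


def is_nonstandard_flash(ev):
    """Flash content served under a path that does not end in .swf: the pattern the
    'non-standard filename' signature keys on."""
    path = ev.uri.split("?", 1)[0]
    return ev.content_type == FLASH_MIME and not path.lower().endswith(".swf")


def triage(events, host=ALERTED_HOST, ip=ALERTED_IP):
    """Describe what the EK host served and whether a payload followed the Flash probe."""
    to_ek = [e for e in events if e.host == host or e.dst_ip == ip]
    flash_idx = next((i for i, e in enumerate(to_ek) if is_nonstandard_flash(e)), None)
    verdict = {
        "contacted_ek_host": bool(to_ek),
        "flash_request": to_ek[flash_idx].uri if flash_idx is not None else None,
        "payload_delivered": False,
        "action": "no action",
    }
    if flash_idx is None:
        return verdict
    # Anything payload-like from the EK host after the Flash probe counts as a landed exploit;
    # a small or empty reply is the "checks done, kit stopped" outcome described in the ticket.
    after = to_ek[flash_idx + 1:]
    verdict["payload_delivered"] = any(
        e.status == 200 and e.content_type in PAYLOAD_MIMES and e.size > 0 for e in after
    )
    verdict["action"] = ("contain host and investigate" if verdict["payload_delivered"]
                         else "alarm; scan host (no payload observed)")
    return verdict


# Constructed sample: compromised site -> EK landing -> Flash probe -> empty reply (kit stopped).
SAMPLE_LOG = """
# ts | src | host | dst_ip | dst_port | uri | status | content_type | bytes
10:00:01 | 10.0.0.5 | compromised-site.test | 203.0.113.10 | 80 | /index.php | 200 | text/html | 18231
10:00:02 | 10.0.0.5 | vucid.xyz | 85.93.0.13 | 80 | /Y8kA2f/ | 200 | text/html | 4120
10:00:03 | 10.0.0.5 | vucid.xyz | 85.93.0.13 | 80 | /tyEqbz?id=7 | 200 | application/x-shockwave-flash | 9874
10:00:05 | 10.0.0.5 | vucid.xyz | 85.93.0.13 | 80 | /tyEqbz?id=7&d=1 | 200 | text/html | 0
"""

# Constructed variant of the same session where an executable follows the Flash probe.
SAMPLE_LOG_LANDED = SAMPLE_LOG + (
    "10:00:06 | 10.0.0.5 | vucid.xyz | 85.93.0.13 | 80 | /tyEqbz?id=7&d=2 | 200 | application/x-msdownload | 245760\n"
)

if __name__ == "__main__":
    for label, log in (("stopped", SAMPLE_LOG), ("landed", SAMPLE_LOG_LANDED)):
        print(label, triage(parse_log(log.splitlines())))
```

The first sample reproduces the ticket's reading (Flash probe answered with nothing, so the verdict is alarm and scan); the second shows the result the same logic gives when a binary does follow, which is the case where the host needs containment rather than just a scan.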

