Netgate Discussion Forum

    Lots of nginx errors in logs after upgrade

    Category: Problems Installing or Upgrading pfSense Software
    41 Posts 11 Posters 88.9k Views
    • mudmanc4M Offline
      mudmanc4
      last edited by

      First glance it appears there is a local script scanning for vulnerabilities. Do you have web panel running somewhere in the internal network?

      1 Reply Last reply Reply Quote 0
      • T Offline
        TheNarc
        last edited by

        So I have exactly the same issue with the exact same requests, but all from a link local IPv6 client IP:

        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7232 open() "/usr/local/www/cgi-bin/click.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/click.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7233 open() "/usr/local/www/cgi-bin/clicks.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/clicks.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7234 open() "/usr/local/www/cgi-bin/crtr/out.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/crtr/out.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7235 open() "/usr/local/www/cgi-bin/fg.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/fg.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7236 open() "/usr/local/www/cgi-bin/findweather/getForecast" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/findweather/getForecast HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7237 open() "/usr/local/www/cgi-bin/findweather/hdfForecast" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/findweather/hdfForecast HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7238 open() "/usr/local/www/cgi-bin/frame_html" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/frame_html HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7239 open() "/usr/local/www/cgi-bin/getattach" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/getattach HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7240 open() "/usr/local/www/cgi-bin/hotspotlogin.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/hotspotlogin.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7241 open() "/usr/local/www/cgi-bin/hslogin.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/hslogin.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7242 open() "/usr/local/www/cgi-bin/ib/301_start.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/ib/301_start.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7243 open() "/usr/local/www/cgi-bin/index.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/index.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7244 open() "/usr/local/www/cgi-bin/index" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/index HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7245 open() "/usr/local/www/cgi-bin/krcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/krcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7246 open() "/usr/local/www/cgi-bin/krcgistart" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/krcgistart HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7247 open() "/usr/local/www/cgi-bin/link" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/link HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7248 open() "/usr/local/www/cgi-bin/login.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/login.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7249 open() "/usr/local/www/cgi-bin/login" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/login HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7250 open() "/usr/local/www/cgi-bin/logout" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/logout HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7251 open() "/usr/local/www/cgi-bin/logout" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/logout HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7252 open() "/usr/local/www/cgi-bin/mainmenu.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/mainmenu.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7253 open() "/usr/local/www/cgi-bin/mainsrch" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/mainsrch HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7254 open() "/usr/local/www/cgi-bin/msglist" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/msglist HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7255 open() "/usr/local/www/cgi-bin/navega" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/navega HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7256 open() "/usr/local/www/cgi-bin/openwebmail/openwebmail-main.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/openwebmail/openwebmail-main.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7257 open() "/usr/local/www/cgi-bin/out.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/out.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7258 open() "/usr/local/www/cgi-bin/passremind" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/passremind HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7259 open() "/usr/local/www/cgi-bin/rbaccess/rbcgi3m01" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rbaccess/rbcgi3m01 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7260 open() "/usr/local/www/cgi-bin/rbaccess/rbunxcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rbaccess/rbunxcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7261 open() "/usr/local/www/cgi-bin/readmsg" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/readmsg HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7262 open() "/usr/local/www/cgi-bin/rshop.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/rshop.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7263 open() "/usr/local/www/cgi-bin/search.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/search.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7264 open() "/usr/local/www/cgi-bin/spcnweb" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/spcnweb HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7265 open() "/usr/local/www/cgi-bin/sse.dll" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/sse.dll HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7266 open() "/usr/local/www/cgi-bin/start" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/start HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7267 open() "/usr/local/www/cgi-bin/te/o.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/te/o.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7268 open() "/usr/local/www/cgi-bin/tjcgi1" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/tjcgi1 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7269 open() "/usr/local/www/cgi-bin/top/out" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/top/out HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7270 open() "/usr/local/www/cgi-bin/traffic/process.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/traffic/process.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7271 open() "/usr/local/www/cgi-bin/verify.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/verify.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7272 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webproc HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7273 open() "/usr/local/www/cgi-bin/webscr" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webscr HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7274 open() "/usr/local/www/cgi-bin/wingame.pl" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/wingame.pl HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7275 open() "/usr/local/www/das/cgi-bin/session.cgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /das/cgi-bin/session.cgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7276 open() "/usr/local/www/fcgi-bin/dispatch.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /fcgi-bin/dispatch.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7277 open() "/usr/local/www/fcgi-bin/performance.fcgi" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /fcgi-bin/performance.fcgi HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7278 open() "/usr/local/www/redir/cgi-bin/ajaxmail" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /redir/cgi-bin/ajaxmail HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: 7281 open() "/usr/local/www/cgi-bin/webproc" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page= HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"
        May 9 13:05:46 pfsense.obfuscated nginx: 2016/05/09 13:05:46 [error] 75579#0: *7282 open() "/usr/local/www/rom-0" failed (2: No such file or directory), client: fe80::68fd:3b8c:e339:26bf, server: , request: "GET /rom-0 HTTP/1.1", host: "[fe80:0000:0000:0000:0000:0000:0001:0001]"

        I also have similar xinetd entries.

        I also don't know what's causing this, and I did seem to start noticing it around when I upgraded to 2.3.  Searching for some of the more distinctive entries (e.g. "cgi-bin/ib/301_start.pl") has yielded more than a few hits referring to potential malware.  I haven't been able to locate any on my network so far, but it's a small home network so I'll scan all the Windows hosts on it.

        To mudmanc4's point, I'm certainly not aware of any local scripts scanning for vulnerabilities, but I can't categorically rule that out yet either.  If I figure anything out I'll provide updates.  Whatever it is, we seem to have exactly the same issue.

        1 Reply Last reply Reply Quote 0
        • mudmanc4M Offline
          mudmanc4
          last edited by

          Curious what browser the two of you who are showing these logs are using. And they are Windows machines, yes?

          1 Reply Last reply Reply Quote 0
          • T Offline
            TheNarc
            last edited by

            In my case yes, these anomalous log entries correspond to LAN IPs belonging to two different Windows machines on the network.  I'll need to check with the individual users, but I'm fairly certain they both use Firefox almost exclusively.  The most interesting external resource I've located that references all of these URLs is this:  http://www.network-builders.com/anyone-recognise-malware-causing-please-t111617.html  Unfortunately, it's not conclusive as to a cause or if it's really malware or something benign.  Nevertheless, I have gotten in touch with the user of one of the two implicated machines on my network and he is currently running a full virus scan and Malwarebytes scan.

            1 Reply Last reply Reply Quote 0
            • C Offline
              cshy0024
              last edited by

              After upgrading to pfSense 2.3, I also got the same HTTP errors in my log. By searching Google it looks like Avast antivirus is the cause of this kind of scanning.

              http://nazarenolatella.myblog.it/2015/12/27/avast-free-lo-scan-che-ti-aspetti/ (an Italian page)

              I also checked /var/log/nginx.log and saw some strings related to Avast.

              1 Reply Last reply Reply Quote 0
              • T Offline
                TheNarc
                last edited by

                Thanks for that information cshy, it's much appreciated.  I will get in contact with the users of the two offending machines on my network to see whether I can confirm that they are both running Avast.  If my memory serves, it seems quite likely.  I'll provide an update either way when I find out.

                1 Reply Last reply Reply Quote 0
                • mudmanc4M Offline
                  mudmanc4
                  last edited by

                  Why would Avast be scanning within specific port ranges for specific pages? This makes no sense to me.

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    TheNarc
                    last edited by

                    I agree, it definitely makes no sense to me either.  But it does seem to be Avast that's behind it.  I've confirmed with 1 of my 2 users that they run Avast.  And here's another thread that seems to implicate it, although again it's frustratingly inconclusive:  https://www.reddit.com/r/techsupport/comments/40v5go/weird_traces_in_firewall_coming_from_my_machine/  Could it be trying to scan the LAN for known web server vulnerabilities?  That would seem outside the purview of free consumer grade AV software.

                    1 Reply Last reply Reply Quote 0
                    • M Offline
                      ms
                      last edited by

                      I got the exact same errors, also being generated by workstations running Avast. From their sales blurb: "Home Network Security: Is your router set up properly? We’ll tell you. Otherwise, anyone can break into your network and anything connected to it (like your computer, phone, or printer)." FYI, ESET Internet Security 10 also scans your router. I ran it for giggles and it told me my router was probably compromised as it had ports like 443 open lol.

                      1 Reply Last reply Reply Quote 0
                      • mudmanc4M Offline
                        mudmanc4
                        last edited by

                         If Avast is searching port 8443 for multiple pages at random, which is most recently well known for Plesk panel, which can assist with the hosting of multiple VMs / CTs, I'll eat a live crocodile. Now this may somehow be, so I'll make sure I have my spork ready. But I doubt I'll need it.

                         This is a clear sign there is 'something', even a local webserver (even if one was never intentionally installed locally), which has found its way into 'something' on the local network or machine, and is looking for something to exploit, by the known exploitable pages, which have already or should already have been downloaded by a script, in many cases.

                         Very much the same logs can be found in almost any Apache server's logs, showing a remote attacker attempting to find something.

                        The firewall, pfSense, is now showing you the attempts.

                        Again, I'll keep the spork ready to run if I'm proven wrong.

                        1 Reply Last reply Reply Quote 0
                        • T Offline
                          TheNarc
                          last edited by

                          Whatever it is, I don't like it.  I'll see if I can switch my users off Avast and determine whether that makes a difference.  I believe they also both use the same VPN service, but I don't know which one offhand.  I'll ask them about that too.  Does anyone else seeing these log entries use a VPN service?

                          1 Reply Last reply Reply Quote 0
                          • T Offline
                            TheNarc
                            last edited by

                            My VPN comment was a red herring; I don't want to waste anyone's time.  I can confirm that both of the machines exhibiting this behavior on my network were running Avast.  Whatever it is, Avast seems to be somehow responsible.

                            1 Reply Last reply Reply Quote 0
                            • mudmanc4M Offline
                              mudmanc4
                              last edited by

                              @TheNarc:

                              My VPN comment was a red herring; I don't want to waste anyone's time.  I can confirm that both of the machines exhibiting this behavior on my network were running Avast.  Whatever it is, Avast seems to be somehow responsible.

                               At the same time, users who run such things as Avast generally require them for a reason; in other words, the workstation might encounter objects which are specifically designed to create havoc, in one way or another.

                               The type of behavior in the above logs could be easily reconciled with destructive behavior, and as well, more than likely, would flag many different means of intrusion prevention.

                              Just think of the chatter this is clogging the network up with alone.

                              /spork on standby

                              1 Reply Last reply Reply Quote 0
                              • R Offline
                                robi
                                last edited by

                                Avast has lots of modules; you can enable/disable them one by one. Moreover, when you install Avast (free edition), you can choose during setup which modules you want to install. I always use only the "File protection" module, I don't even install the rest…

                                1 Reply Last reply Reply Quote 0
                                • T Offline
                                  TheNarc
                                  last edited by

                                  Here's another crumb of information explicitly linking Avast to nefarious-looking activity logged in pfSense:  https://www.reddit.com/r/PFSENSE/comments/2s40uz/pfsense_ca/cnm4x87  Specifically:

                                  Turns out my gf's laptop has Avast and its "home network security" module runs exploit tests against your network, which can look bad

                                  I should also clarify that this activity is far from constant.  Rather, it seems to occur periodically at roughly 24 hour intervals.  I'm going to see if I can have my users disable Avast's "Home Network Security" module and will report back whether the activity still occurs.

                                  1 Reply Last reply Reply Quote 0
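                                   Added example, not code from the thread, from pfSense or from Avast: a Python script that parses nginx error-log lines in the format TheNarc posted earlier in this thread, groups each client's "No such file or directory" hits into bursts, flags a burst as scanner-like when it requests many distinct paths within seconds (and lists any request carrying a "../" traversal sequence, like the webproc line in those logs), and measures the spacing between a client's flagged bursts so the roughly 24-hour rhythm described in this post can be confirmed from the log rather than by eye. The sample log lines are constructed; the client addresses 192.0.2.10 and 192.0.2.20, the 30-second burst window and the five-path threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# nginx error-log record as pfSense writes it to the system log: a syslog prefix
# ("May 9 13:05:46 host nginx: ") followed by nginx's own timestamped message.
LINE_RE = re.compile(
    r'nginx: (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*?\d+ '
    r'open\(\) "(?P<path>[^"]+)" failed \(2: No such file or directory\), '
    r'client: (?P<client>[^,]+), server: [^,]*, '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+", host: "(?P<host>[^"]*)"'
)


def parse_line(line):
    """Return a dict for a 'No such file or directory' error line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    return rec


def find_bursts(records, window=timedelta(seconds=30), min_distinct=5):
    """Group each client's 404s into bursts (gaps <= window) and keep the bursts
    that touch at least min_distinct different paths: one client asking for many
    unrelated CGI scripts within seconds is scanner behaviour, not a user typo."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    flagged = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        bursts, cur = [], None
        for r in recs:
            if cur is None or r["ts"] - cur["end"] > window:
                cur = {"client": client, "start": r["ts"], "end": r["ts"], "uris": []}
                bursts.append(cur)
            cur["end"] = r["ts"]
            cur["uris"].append(r["uri"])
        for b in bursts:
            b["distinct"] = len({u.split("?", 1)[0] for u in b["uris"]})
            # URL-decode before looking for "../" so encoded variants are not missed
            b["traversal"] = [u for u in b["uris"] if "../" in unquote(u)]
            if b["distinct"] >= min_distinct:
                flagged.append(b)
    return flagged


def burst_intervals(bursts):
    """Per client, the time between consecutive flagged bursts (empty if only one)."""
    starts = defaultdict(list)
    for b in bursts:
        starts[b["client"]].append(b["start"])
    return {c: [b - a for a, b in zip(sorted(s), sorted(s)[1:])] for c, s in starts.items()}


def analyse(lines):
    records = [r for r in map(parse_line, lines) if r]
    bursts = find_bursts(records)
    return bursts, burst_intervals(bursts)


# --- constructed sample log (not real data) ---------------------------------
PROBE_URIS = [
    "/cgi-bin/click.cgi",
    "/cgi-bin/login.cgi",
    "/cgi-bin/openwebmail/openwebmail-main.pl",
    "/cgi-bin/webproc?getpage=/../../etc/passwd&var:language=en_us&var:page=",
    "/rom-0",
]


def make_line(ts, client, uri, conn):
    path = "/usr/local/www" + uri.split("?", 1)[0]
    return (f"{ts:%b} {ts.day} {ts:%H:%M:%S} pfsense nginx: {ts:%Y/%m/%d %H:%M:%S} "
            f"[error] 75579#0: *{conn} open() \"{path}\" failed (2: No such file or directory), "
            f"client: {client}, server: , request: \"GET {uri} HTTP/1.1\", host: \"[fe80::1:1]\"")


SCAN_START = datetime(2016, 5, 9, 13, 5, 46)
SAMPLE_LINES, conn = [], 7232
# assumed scanner host 192.0.2.10: the same probe list fired twice, about 24 h apart
for day_offset in (timedelta(0), timedelta(hours=24, seconds=16)):
    for i, uri in enumerate(PROBE_URIS):
        SAMPLE_LINES.append(make_line(SCAN_START + day_offset + timedelta(seconds=i // 3),
                                      "192.0.2.10", uri, conn))
        conn += 1
# assumed ordinary client 192.0.2.20: a single stray 404, must not be flagged
SAMPLE_LINES.append(make_line(SCAN_START + timedelta(hours=2), "192.0.2.20", "/favicon.ico", conn))

if __name__ == "__main__":
    bursts, intervals = analyse(SAMPLE_LINES)
    for b in bursts:
        print(f"{b['client']} {b['start']} .. {b['end']}: {len(b['uris'])} hits, "
              f"{b['distinct']} distinct paths, traversal attempts: {b['traversal']}")
    for client, gaps in intervals.items():
        print(client, "bursts spaced by", [str(g) for g in gaps])
```

                                   On a real box, feed it the file cshy0024 mentioned (`analyse(open("/var/log/nginx.log").read().splitlines())`); a client that produces one multi-path burst per day, at the same time each day, is a scheduled scanner on the LAN rather than a one-off, and the per-client grouping tells you which workstation to look at.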
                                  • T Offline
                                    TheNarc
                                    last edited by

                                    Just wanted to report back that it's definitely Avast.  Disabling the Home Network Security module eliminates the log entries in pfSense.

                                    1 Reply Last reply Reply Quote 0
                                    • C Offline
                                      cmb
                                      last edited by

                                      Interesting, thanks for the feedback. What a dumb feature.. Like scanning your gateway IP daily for old versions of openwebmail among a variety of other things you'll almost certainly never find on a gateway is doing anything useful.

                                      1 Reply Last reply Reply Quote 0
                                      • P Offline
                                        phil.davis
                                        last edited by

                                        @cmb:

                                        Interesting, thanks for the feedback. What a dumb feature.. Like scanning your gateway IP daily for old versions of openwebmail among a variety of other things you'll almost certainly never find on a gateway is doing anything useful.

                                        I guess they are attempting to find potential vulnerabilities on typical home routers, where people would have their TP-Link, D-Link, NetGear… home device with old firmware and never realize that it is now open to some (external or internal) attack vector. Of course then there is the question "what can the home user do about it?" - after a couple of [months|years] the manufacturers stop putting out new firmware to close security holes. So the home user is stuck with their perfectly good hardware but out-of-date firmware, and AVAST will tell them about it every week.

                                        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                                        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                                        1 Reply Last reply Reply Quote 0
                                        • C Offline
                                          cmb
                                          last edited by

                                          @phil.davis:

                                          I guess they are attempting to find potential vulnerabilities on typical home routers, where people would have their TP-Link, D-Link, NetGear… home device with old firmware and never realize that it is now open to some (external or internal) attack vector. Of course then there is the question "what can the home user do about it?" - after a couple of [months|years] the manufacturers stop putting out new firmware to close security holes. So the home user is stuck with their perfectly good hardware but out-of-date firmware, and AVAST will tell them about it every week.

                                          True, if it were doing something that looked like it was trying to identify a vulnerable router, I'd understand. That might be a useful feature for typical home users (though yeah, as you noted, they probably wouldn't have any idea what to do if it detected a problem). But I don't think it's looking for anything you'd find on any router. Looks like things that are specific to web servers only, and a short list of uncommon things at that.

                                          1 Reply Last reply Reply Quote 0
                                          • K Offline
                                            kpa
                                            last edited by

                                             They haven't really thought through the value and practicality of that feature. Instead of helping to find any real threats, it is going to cause more people to freak out because there's an unknown scanner probing multiple hosts on the local network for seemingly random web pages, just as real malware would.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.