  1. #1
     Untangler (Join Date: Dec 2007, Posts: 79)

     Strange Phishing event?

    I was just installing a new CentOS 7 server, minimal install, and went to install policycoreutils-python. Almost immediately after installation of the packages via Yum, I got a notification from my Untangle 13 firewall that there was a phishing/fraud event:

    The following event occurred on the Untangle Server @ 2018-03-09 11:27:27.923

    Phishing/Fraud website visit detected:
    Web Monitor flagged http://mirrors.unifiedlayer.com/cent...el7.x86_64.rpm (Phishing/Fraud)

    Causal Event: WebFilterEvent
    {
    "timeStamp": "2018-03-09 11:27:27.923",
    "reason": "BLOCK_CATEGORY",
    "flagged": true,
    "blocked": false,
    "appName": "web_monitor",
    "requestLine": "GET http://mirrors.unifiedlayer.com/centos/7.4.1708/os/x86_64/Packages/libsemanage-python-2.5-8.el7.x86_64.rpm",
    "category": "Phishing/Fraud",
    "sessionEvent": {
    "entitled": true,
    "hostname": "X.X.X.X",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 40.2181,
    "localAddr": "/X.X.X.X",
    "SServerAddr": "/69.195.127.230",
    "remoteAddr": "/69.195.127.230",
    "serverIntf": 4,
    "CClientAddr": "/X.X.X.X",
    "serverCountry": "US",
    "sessionId": 99556283477409,
    "SClientAddr": "/X.X.X.X",
    "clientCountry": "XL",
    "CClientPort": 53092,
    "policyRuleId": 0,
    "timeStamp": "2018-03-09 11:27:27.748",
    "serverLongitude": -111.6133,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": 13267,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/69.195.127.230",
    "tagsString": ""
    }
    }

    This is an automated message sent because the event matched the configured Event Rules.
    This is a little alarming to me considering this is obviously a dedicated CentOS7 repo. Can anyone elaborate on the meaning of this notice? Is this a warning about the domain or the file itself?
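A small triage helper for the WebFilterEvent JSON quoted above, added here as an example (not Untangle's code): it tells flagged-only apart from blocked, pulls the host, path and artifact out of the requestLine, and checks the host against a hypothetical allowlist of mirrors the admin expects Yum to use. The sample event is constructed from the post, with the redacted fields left out and KNOWN_MIRRORS assumed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the WebFilterEvent quoted in the post
# (only the fields the triage needs; redacted addresses omitted).
SAMPLE_EVENT = json.loads("""{
  "timeStamp": "2018-03-09 11:27:27.923",
  "reason": "BLOCK_CATEGORY",
  "flagged": true,
  "blocked": false,
  "appName": "web_monitor",
  "requestLine": "GET http://mirrors.unifiedlayer.com/centos/7.4.1708/os/x86_64/Packages/libsemanage-python-2.5-8.el7.x86_64.rpm",
  "category": "Phishing/Fraud",
  "sessionEvent": {"SServerAddr": "/69.195.127.230", "SServerPort": 80, "protocolName": "TCP"}
}""")

# Hypothetical allowlist: the mirror hosts this admin expects Yum to talk to.
KNOWN_MIRRORS = {"mirrors.unifiedlayer.com", "mirror.centos.org"}


def parse_request_line(request_line):
    """Split a requestLine such as 'GET http://host/path' into (method, host, path)."""
    method, _, url = request_line.partition(" ")
    parts = urlsplit(url)
    return method, parts.hostname, parts.path


def triage(event, known_mirrors=KNOWN_MIRRORS):
    """Summarise what the event says and what is left to check out of band."""
    method, host, path = parse_request_line(event["requestLine"])
    # web_monitor reports reason BLOCK_CATEGORY but blocked=false: the request went through.
    action = "blocked" if event["blocked"] else ("flagged" if event["flagged"] else "allowed")
    server_ip = event["sessionEvent"]["SServerAddr"].lstrip("/")
    artifact = path.rsplit("/", 1)[-1] if path.endswith(".rpm") else None
    # The event only carries the URL that was requested, not the bytes that were
    # downloaded, so an RPM still needs its own integrity check (rpm -K / yum gpgcheck).
    next_step = ("verify the package GPG signature with rpm -K and confirm the host is in Yum's mirrorlist"
                 if artifact else "review the host categorisation and submit a recategorization request")
    return {
        "action": action,
        "category": event["category"],
        "host": host,
        "path": path,
        "server_ip": server_ip,
        "artifact": artifact,
        "expected_mirror": host in known_mirrors,
        "next_step": next_step,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```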

  2. #2
     dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,368)

    It means that url was blocked as malicious.

    If you believe this to be an error, you can submit a recategorization request through the UI using the button at the bottom, and in the meantime add it to the pass list.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
     Untangler (Join Date: Dec 2007, Posts: 79)

    It wasn't actually blocked. It was a warning. I don't know for certain, as I have no association with that site. I also don't know how it would have arrived on the flag/block list, which is why I am asking.

  4. #4
     Master Untangler (Join Date: Feb 2016, Location: Michigan, Posts: 472)

    To my knowledge, there is no way to know how that URL arrived on the phishing/fraud list. Untangle uses a third party service for the Web Filter lists (https://zvelo.com/), so the report of that URL could have come from a variety of sources.

    Unless I'm mistaken, that URL is no longer categorized as phishing/fraud.

    EDIT: Sorry, I'm wrong, sort of. It is listed as spyware/malware now.
    Last edited by Sam Graf; 03-09-2018 at 12:41 PM.

  5. #5
     Untangler (Join Date: Dec 2007, Posts: 79)

    Thanks for all the help. Because it made me nervous I wiped this VM clean and started fresh. Didn't get the same warning the second time around. I paid more attention to what servers Yum was attaching to and that URL never came up.
