[clamav-users] Mirror redirect to emeksensin.com

Derek Smith smithd at arlut.utexas.edu
Tue Nov 10 22:14:49 UTC 2015


I should have included it in my first message. The IP for emeksensin.com is 78.46.82.212
Sorry for the dump of data below. It is just a GET to database.clamav.net that is redirected and then the 404 response from emeksensin.com.

Here is the redirect:
{
   dest_ip: 78.46.84.244
   dest_port: 80
   event_type: http
   flow_id: 139820056902992
   http: {
     hostname: database.clamav.net
     http_method: GET
     http_user_agent: Wget/1.14 (linux-gnu)
     length: 0
     protocol: HTTP/1.1
     redirect: http://emeksensin.com/safebrowsing.cvd
     status: 301
     tx_id: 0
     url: /safebrowsing.cvd
   }
   in_iface: eth2
   proto: TCP
   src_ip: _X_
   src_port: 60435
   timestamp: 2015-11-06T09:08:59.585958-0600
   vlan: 101
}

A request is then made to emeksensin:
{
   dest_ip: 78.46.82.212
   dest_port: 80
   event_type: http
   flow_id: 139820052238112
   http: {
     hostname: emeksensin.com
     http_content_type: text/html
     http_method: GET
     http_user_agent: Wget/1.14 (linux-gnu)
     length: 846
     protocol: HTTP/1.1
     status: 404
     tx_id: 0
     url: /safebrowsing.cvd
   }
   in_iface: eth2
   proto: TCP
   src_ip: _X_
   src_port: 40262
   timestamp: 2015-11-06T09:08:59.932296-0600
   vlan: 101
}

And the response from emeksensin. Looking at the pcap it is just a 404 page with Turkish writing saying something about the page not being found.
{ 
   dest_ip: _X_
   dest_port: 40262
   event_type: fileinfo
   fileinfo: { 
     filename: /safebrowsing.cvd
     magic: HTML document text
     size: 836
     state: CLOSED
     stored: false
     tx_id: 0
   }
   flow_id: 139820052238112
   http: { 
     hostname: emeksensin.com
     http_user_agent: Wget/1.14 (linux-gnu)
     url: /safebrowsing.cvd
   }
   in_iface: eth2
   proto: TCP
   src_ip: 78.46.82.212
   src_port: 80
   timestamp: 2015-11-06T09:09:00.070391-0600
   vlan: 101
}

Thank you,
smithd
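As an added illustration (not part of this thread), here is a small detection script for the pattern in the events above: it reads Suricata EVE JSON lines and flags any 3xx redirect answered by a host under clamav.net whose Location points outside that domain. The sample lines are constructed from the values quoted above (the second line, with the documentation IP 203.0.113.5 and an in-domain redirect, is an assumed benign case for contrast).

```python
import json
from urllib.parse import urlparse

# Redirects issued by hosts under this suffix are expected to stay inside it.
TRUSTED_SUFFIX = ".clamav.net"

# Constructed sample EVE lines, reduced from the events quoted above.
SAMPLE_EVE = """\
{"event_type":"http","dest_ip":"78.46.84.244","http":{"hostname":"database.clamav.net","http_method":"GET","status":301,"redirect":"http://emeksensin.com/safebrowsing.cvd","url":"/safebrowsing.cvd"}}
{"event_type":"http","dest_ip":"203.0.113.5","http":{"hostname":"database.clamav.net","http_method":"GET","status":301,"redirect":"http://db.us.clamav.net/main.cvd","url":"/main.cvd"}}
{"event_type":"http","dest_ip":"78.46.82.212","http":{"hostname":"emeksensin.com","http_method":"GET","status":404,"url":"/safebrowsing.cvd"}}
{"event_type":"fileinfo","http":{"hostname":"emeksensin.com","url":"/safebrowsing.cvd"}}
"""

def in_domain(host, suffix=TRUSTED_SUFFIX):
    """True if host is the trusted domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == suffix.lstrip(".") or host.endswith(suffix)

def off_domain_redirects(eve_text):
    """Return (mirror_host, redirect_host, url) for every http event where a
    trusted mirror answered with a 3xx redirect pointing outside clamav.net."""
    hits = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "http":
            continue  # fileinfo and other record types carry no redirect
        h = ev.get("http", {})
        try:
            status = int(h.get("status"))
        except (TypeError, ValueError):
            continue
        redirect = h.get("redirect")
        if not redirect or not 300 <= status < 400:
            continue
        mirror = h.get("hostname", "")
        if not in_domain(mirror):
            continue  # only redirects issued by our update mirrors matter
        target = urlparse(redirect).hostname or ""
        if not in_domain(target):
            hits.append((mirror, target, h.get("url")))
    return hits

if __name__ == "__main__":
    for mirror, target, url in off_domain_redirects(SAMPLE_EVE):
        print(f"ALERT: {mirror}{url} redirected off-domain to {target}")
```

Pointed at a live eve.json it would have raised one alert for the 301 above and stayed quiet for the 404 and fileinfo records.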

-----Original Message-----
From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Al Varnell
Sent: Tuesday, November 10, 2015 3:58 PM
To: ClamAV users ML <clamav-users at lists.clamav.net>
Subject: Re: [clamav-users] Mirror redirect to emeksensin.com

It has not been brought up, but they will need the IP address to even begin to look into this.

-Al-

On Tue, Nov 10, 2015 at 11:53 AM, Derek Smith wrote:
> 
> Hello,
> 
> I am new to ClamAV and was playing with the URLs used to fetch updates, database.clamav.net and db.us.clamav.net. I typed one of them into my browser and was redirected to emeksensin.com, which appears to be a Turkish Arts and Crafts site. Looking at the last 30 days of network traffic it appears that this began on Thursday, October 29th and has been happening once every four days or so. Freshclam works fine the rest of the time, but on these occasions will be redirected to emeksensin, requesting main.cvd or safebrowsing.cvd, and luckily only receive a 404 in return.
> 
> I searched the clamav-users list archive for each month of 2015 and did not find any mention of this. Has anyone encountered this issue, or has it already been brought up? 
> 
> Thank you,
> smithd