Remove Malware http://realtime.services.disqus.com
Created: 19 Dec 2012 | Updated: 20 Dec 2012 | 9 comments
Dear All,
I use Symantec Endpoint Protection version 12.x.x.x in my office. I have a problem with a trojan that accesses the URL http://realtime.services.disqus.com/api/2/thread/: all computer users in my office access this URL and it generates high traffic, because in the squid log this URL is accessed continuously.
This is my squid log:
.....
.....
.....
1355980497.949 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.951 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.952 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.955 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.955 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.956 1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/vCt3jT-yDKiibCfPvg7VU88K... - NONE/- text/javascript
1355980497.959 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.962 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.963 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.966 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.968 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
1355980497.970 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4...? - NONE/- application/json
1355980497.971 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8...? - NONE/- application/json
....
....
....
Okay... Thanks
Hi,
Could you please confirm the name of the Trojan?
Is SEP detecting it? Do you see any action against it?
Make sure the SEP clients are updated with the latest definitions and the machines have the latest Microsoft patches and service packs.
Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
I don't know the name of the trojan, because SEP does not detect this trojan, and the SEP clients use the latest definitions and the machines have the latest Microsoft patches and service packs.
Hi Moh
If Symantec antivirus does not detect the virus, you can submit the file to Symantec:
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
More information
https://www-secure.symantec.com/connect/forums/whats-process-submit
Run a full scan in safe mode with the latest definitions on one of the affected machines.
SEP Knowledge Base
Endpoint SWAT
Hi
I agree with the above comments.
You can try the Symantec tools:
Is your system infected? Symantec tools to help clear an infection
https://www-secure.symantec.com/connect/forums/rem...
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
You can download the latest Rapid Release definitions and after that scan the system in safe mode.
Link:
http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr
Disqus is used for commenting systems on many reputable websites. Is the traffic to this site the only thing that makes you think there's a trojan, or is there other suspicious behaviour? (Is it possible your end users are visiting and heavily commenting on one or more websites?)
sandra
Symantec, Information Development, IMDP
Symantec Endpoint Protection / Core Security Engineering Group
Don't forget to mark your thread as 'solved' with the answer that best helped you!
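A first triage step for the squid log in the original post, and for sandra's question of whether the traffic itself is the only indicator, is to measure what the log actually shows: how many requests each client makes to that host, how tightly spaced they are, and how many distinct thread paths each client touches. The script below is an added example, not code from this thread or from Symantec; the log lines are constructed in squid's native access.log format to resemble the poster's, and the "tight poller" thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in squid's native access.log format (not the poster's log):
# <unix time> <elapsed ms> <client> <action>/<status> <bytes> <method> <url> <ident> <hierarchy>/<peer> <type>
SAMPLE_LOG = """\
1355980497.949 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/ - NONE/- application/json
1355980497.951 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/ - NONE/- application/json
1355980497.952 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/ - NONE/- application/json
1355980497.955 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/ - NONE/- application/json
1355980497.955 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/ - NONE/- application/json
1355980497.956 1 172.16.64.143 TCP_IMS_HIT/304 288 GET http://www.gstatic.com/bg/example.js - NONE/- text/javascript
1355980497.959 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/ - NONE/- application/json
1355980497.960 12 172.16.64.143 TCP_MISS/200 512 GET http://realtime.services.disqus.com/api/2/thread/9/ - DIRECT/203.0.113.10 application/json
1355980497.962 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/ - NONE/- application/json
1355980497.963 0 172.16.64.131 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/8/ - NONE/- application/json
1355980497.966 0 172.16.67.8 TCP_MEM_HIT/200 407 GET http://realtime.services.disqus.com/api/2/thread/4/ - NONE/- application/json
"""

# Field order of squid's default ("squid" native) log format.
SQUID_FIELDS = ("ts", "elapsed", "client", "result", "bytes",
                "method", "url", "ident", "hier", "ctype")


def parse_squid_line(line):
    """Parse one native-format squid line; return None for short/garbled lines."""
    parts = line.split()
    if len(parts) < len(SQUID_FIELDS):
        return None
    rec = dict(zip(SQUID_FIELDS, parts))
    # Keep time as integer milliseconds so spans between requests are exact.
    rec["ts_ms"] = int(round(float(rec["ts"]) * 1000))
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["path"] = urlsplit(rec["url"]).path
    return rec


def summarize_by_client(log_text, host):
    """Per client IP: request count, time span, mean gap and distinct paths to `host`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and rec["host"] == host:
            hits[rec["client"]].append(rec)
    summary = {}
    for client, recs in hits.items():
        times = sorted(r["ts_ms"] for r in recs)
        span_ms = times[-1] - times[0]
        # Mean inter-request gap only makes sense with two or more requests.
        mean_gap_ms = span_ms / (len(times) - 1) if len(times) > 1 else None
        summary[client] = {
            "count": len(recs),
            "span_ms": span_ms,
            "mean_gap_ms": mean_gap_ms,
            "distinct_paths": len({r["path"] for r in recs}),
        }
    return summary


def flag_tight_pollers(summary, min_requests=3, max_mean_gap_ms=1000):
    """Clients hitting the host repeatedly with a sub-threshold mean gap (assumed thresholds)."""
    return sorted(
        client for client, s in summary.items()
        if s["count"] >= min_requests
        and s["mean_gap_ms"] is not None
        and s["mean_gap_ms"] < max_mean_gap_ms
    )


if __name__ == "__main__":
    host = "realtime.services.disqus.com"
    summary = summarize_by_client(SAMPLE_LOG, host)
    for client, s in sorted(summary.items()):
        print(client, s)
    print("tight pollers:", flag_tight_pollers(summary))
```

Run against the real access.log (replace SAMPLE_LOG with the file contents) to get the short list of clients actually looping against the host; a client making one request to one thread path, like 172.16.64.143 in the sample, is just someone reading a page with a Disqus widget. Note that squid's default log format carries no User-Agent or Referer, so the script can only say which machines are polling tightly, not which process on them is doing it; for a flagged client the next step is the kind of check sandra and the add-on suggestion point at: look at what browser tabs and extensions are open on that machine, or extend squid's logformat to record User-Agent and Referer before deciding it is malware.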
Never heard of this... but have you checked the browser add-ons?
It could be an unwanted one...
Hi Moh
If there are any suspicious files that Symantec antivirus does not detect, you can submit the file to Symantec:
Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.
https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents