USG Flex 200 URL Blocking log

Options
Vagabound
Vagabound Posts: 28  Freshman Member
10 Comments Friend Collector
Since a few days I have the following message in the FW logfiles: URL Blocking - > Botnet URL -> ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUr -> Threat Category -> Malicious Sites.
Once per day, do I need to worry that there is a botnet running or is this harmless?

Accepted Solution

«1

All Replies

  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023
    Options
    Looks like you have got a false positive there, at least as long as you can trust Google and the USA.

    IANA WHOIS Service: https://www.iana.org/whois?q=ocsp.pki.goog

    contact:                administrative
    name:                   TLD Admin
    organisation:        Google Inc
    address:               111 8th Avenue
    address:               New York NY 10011
    address:               United States of America (the)
    phone:                  +1 404 978 8419
    fax-no:                 +1 650 492 5631
    e-mail:                 iana-contact@google.com


    (Note: your URL contains the part "MFEwTzBNMEswSTAJBgUr" which is likely only an individual key for a specific event or computer access, not necessarily anything compromising.)
  • Vagabound
    Vagabound Posts: 28  Freshman Member
    10 Comments Friend Collector
    Options
    Thank you for your explanation, so that means I can ignore this message.
    Should this URL be whitelisted by the firewall or not change it?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,464  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023
    Options
    Hi @Vagabound,
    The URL  ocsp.pki.goog(pki-goog.l.google.com) has been corrected to to Software/Hardware,Technical Information category.
    Please have a check. =)

  • Vagabound
    Vagabound Posts: 28  Freshman Member
    10 Comments Friend Collector
    Options
    Thank you for your feedback.

    The URL ocsp.pki.goog(pki-goog.l.google.com) no longer appears in the blocklist as far as I can see.

    But now a lot of these are in the log file:

    e1.o.lencr.org -> Phishing -> 77.109.138.73 -> ACCESS BLOCK
    x1.c.lencr.org -> Phishing ->104.79.24.135 -> ACCESS BLOCK

  • Vagabound
    Vagabound Posts: 28  Freshman Member
    10 Comments Friend Collector
    Options
    It seems that the problem with the URL ocsp.pki.goog(pki-goog.l.google.com) is not fixed after all. Just now another log message -> alert -> url-threat-filter -> ACCESS BLOCK -> ocsp.pki.goog: -> Malicious Sites.


  • raph_soc
    Options
    same as Vagabound
    lots of x1.c.lencr.org:Phishing the past few days
    destination IP: 23.217.185.252;104.108.45.242;104.93.207.219;104.82.150.7





  • Vagabound
    Vagabound Posts: 28  Freshman Member
    10 Comments Friend Collector
    Options
    Yes, I think Zyxel has a problem there.
    I am in contact with the support, but so far no solution. Maybe there is still something coming.


  • raph_soc
    Options
    Vagabound said:
    Yes, I think Zyxel has a problem there.
    I am in contact with the support, but so far no solution. Maybe there is still something coming.



    alright. can you please keep me posted if you have any news ?
  • Vagabound
    Vagabound Posts: 28  Freshman Member
    10 Comments Friend Collector
    Options
    I will do this as soon as I get a message from the support to solve the problem. Unfortunately, I have not read anything from support for three days. Seems to be a complex problem.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,464  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited January 2023 Answer ✓
    Options
    Hi @Vagabound, and @raph_soc,
    Both URL https://e1.o.lencr.org  and https://ocsp.pki.goog/ are in correct category now.
    As for URL https://x1.c.lencr.org, it is still in Phishing category, we are working on it.
    It may need to take 3-5 business days, will update status once it is in correct category.

    https://ocsp.pki.goog/ 

    https://e1.o.lencr.org

Security Highlight