KirillEPM
Explorer

Source substitution

Good day! I will try to describe the situation. So I am making an HTTPS request to the malware page migtime.xyz

[screenshot]

CP successfully blocks it

[screenshot]

Which is confirmed in the CP logs

[screenshot]

But if you go into the event, you can see that I was accessing another resource

[screenshot]

I am trying to contact 1abcnews.xyz

[screenshot]

CP is blocking me

[screenshot]

But in the logs:

[screenshot]

And in the details, again, it is no coincidence.

[screenshot]

I will try to continue:

[screenshots]

_Val_
Admin

How do all those domains resolve with DNS? It might be that they are sitting on the same IP.

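The check suggested in the reply above, as an added example (not code from the original thread or from Check Point): resolve each domain that appeared in the logs and group them by the IPv4 addresses they return, so that domains sharing a host stand out. The addresses in the `FAKE_DNS` table are constructed, hypothetical values used only so the script runs offline; they are not what migtime.xyz or 1abcnews.xyz actually resolve to. Drop the second argument to `group_by_ip` to query the real system resolver.

```python
"""Group hostnames by the IPv4 addresses they resolve to.

If several of the domains seen in the gateway logs share an address,
the resource named in a log entry may be another site on the same host.
"""
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], List[str]]


def resolve_a_records(host: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses with the system resolver.

    Returns an empty list when the name does not resolve.
    """
    try:
        _, _, addrs = socket.gethostbyname_ex(host)
    except socket.gaierror:
        return []
    return sorted(set(addrs))


def group_by_ip(domains: Iterable[str],
                resolve: Resolver = resolve_a_records) -> Dict[str, Set[str]]:
    """Map each IPv4 address to the set of domains that resolve to it."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain in domains:
        for ip in resolve(domain):
            by_ip[ip].add(domain)
    return dict(by_ip)


def shared_hosts(by_ip: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Keep only the addresses that serve more than one domain."""
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


# Constructed answers standing in for live DNS so the example runs offline.
# These RFC 5737 documentation addresses are hypothetical; they are NOT the
# real records of these domains.
FAKE_DNS: Dict[str, List[str]] = {
    "migtime.xyz": ["192.0.2.10"],
    "1abcnews.xyz": ["192.0.2.10", "192.0.2.11"],
    "example.net": ["198.51.100.5"],
}


def fake_resolve(host: str) -> List[str]:
    """Resolver backed by the constructed table above."""
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    groups = group_by_ip(FAKE_DNS, fake_resolve)
    for ip, doms in sorted(shared_hosts(groups).items()):
        print(f"{ip}: {', '.join(sorted(doms))}")
    # Against live DNS instead of the constructed table:
    # print(shared_hosts(group_by_ip(["migtime.xyz", "1abcnews.xyz"])))
```

Run it once with the real resolver from the same network segment as the gateway, since split DNS or a CDN can return different addresses from different vantage points; compare the result with the destination IP recorded in the blocked connection's log card.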