[Dshield] unknown port

John Sage jsage at finchhaven.com
Wed Jun 4 23:27:39 GMT 2003


Let me see if I've got this straight:

On Wed, Jun 04, 2003 at 03:30:52PM -0500, Rick Leske wrote:
> I have been seeing a lot of outbound traffic port 80 to port 3154 to
> ip address 64.124.82.21

You're seeing *outbound* traffic from *your* source port 80 -- you
running a webserver?

[jsage at tweedle /storage/virii] $ host 64.124.82.21
21.82.124.64.in-addr.arpa domain name pointer 64.124.82.21.akamai.com.

[jsage at tweedle /storage/virii] $ lynx -head -dump http://64.124.82.21/
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 132
Expires: Wed, 04 Jun 2003 23:19:16 GMT
Date: Wed, 04 Jun 2003 23:19:16 GMT
Connection: close

[jsage at tweedle /storage/virii] $ lynx -source http://64.124.82.21/index.html
<HTML><HEAD>
<TITLE>Invalid URL</TITLE>
</HEAD><BODY>
<H1>Invalid URL</H1>
The requested URL "&#47;index&#46;html", is invalid.<p>
</BODY></HTML>

Smells to me like this is one of Akamai's content servers; you sure
you're sending stuff *out* to this host?

> Does anyone know what could be causing this?
> 
> Outbound traffic is encrypted data captured via packet sniffer.  I
> have yet to decode it. 

Post a packet dump.

"Encrypted"? It'll still have IP and TCP headers...


- John
-- 
"You are in a twisty maze of weblogs, all alike."

See the all new look! http://www.finchhaven.com/index.html
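
The point about headers, as an added example that is not part of the original post: even when the payload is opaque, the IPv4 and TCP headers of a captured packet still give addresses, ports and flags, which is enough to tell which side is the listener. The sample packet is constructed here; 192.0.2.10 is a documentation address standing in for the local host, the function names are hypothetical, and the "port below 1024 is the server" rule is a heuristic.

```python
import socket
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Parse the IPv4 and TCP headers of a raw IP packet (no Ethernet header)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes (options included)
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4  # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(src), "sport": sport,
        "dst": socket.inet_ntoa(dst), "dport": dport,
        "flags": [name for bit, name in TCP_FLAGS.items() if off_flags & bit],
        # The payload is never interpreted; only its length is reported.
        "payload_len": max(0, min(total_len, len(pkt)) - ihl - data_off),
    }

def sender_role(info: dict) -> str:
    """Guess whether the sender of this packet is the listening side."""
    flags = set(info["flags"])
    if "SYN" in flags:  # handshake packets settle it: a bare SYN comes from the client
        return "server-reply" if "ACK" in flags else "client-request"
    if info["sport"] < 1024 <= info["dport"]:  # heuristic: well-known port to ephemeral port
        return "server-reply"
    if info["dport"] < 1024 <= info["sport"]:
        return "client-request"
    return "unknown"

def build_sample() -> bytes:
    """Constructed packet: local port 80 to 64.124.82.21 port 3154, PSH+ACK, opaque payload."""
    payload = bytes.fromhex("8f3a1cd207e4b95a")  # constructed stand-in for unreadable data
    tcp = struct.pack("!HHIIHHHH", 80, 3154, 1000, 2000, (5 << 12) | 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("64.124.82.21"))
    return ip + tcp + payload  # checksums left at 0; the parser does not verify them

if __name__ == "__main__":
    info = parse_ipv4_tcp(build_sample())
    print(info, sender_role(info))
```
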



