[Dshield] unknown port
jsage at finchhaven.com
Wed Jun 4 23:27:39 GMT 2003
Let me see if I've got this straight:
On Wed, Jun 04, 2003 at 03:30:52PM -0500, Rick Leske wrote:
> I have been seeing a lot of outbound traffic port 80 to port 3154 to
> ip address 220.127.116.11
You're seeing *outbound* traffic from *your* source port 80 -- you
running a webserver?
[jsage at tweedle /storage/virii] $ host 18.104.22.168
22.214.171.124.in-addr.arpa domain name pointer 126.96.36.199.akamai.com.
[jsage at tweedle /storage/virii] $ lynx -head -dump http://188.8.131.52/
HTTP/1.0 400 Bad Request
Expires: Wed, 04 Jun 2003 23:19:16 GMT
Date: Wed, 04 Jun 2003 23:19:16 GMT
[jsage at tweedle /storage/virii] $ lynx -source http://184.108.40.206/index.html
The requested URL "/index.html", is invalid.<p>
Smells to me like this is one of Akamai's content servers; you sure
you're sending stuff *out* to this host?
> Does anyone know what could be causing this?
> Outbound traffic is encrypted data captured via packet sniffer. I
> have yet to decode it.
Post a packet dump.
"Encrypted"? It'll still have IP and TCP headers...
"You are in a twisty maze of weblogs, all alike."
See the all new look! http://www.finchhaven.com/index.html
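
The point made in the reply above, that a capture with an undecodable payload still carries readable IP and TCP headers, shown as an added example that is not part of the original post. The addresses are documentation ranges and the packet is constructed for illustration; the function names are hypothetical.

```python
import socket
import struct

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
              (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the cleartext IPv4 and TCP headers of a raw IP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, _seq, _ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    data_off = (off >> 4) * 4            # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": [name for bit, name in FLAG_NAMES if flags & bit],
            "payload_len": len(pkt) - ihl - data_off}

def likely_role(info: dict) -> str:
    """Guess which end is the server from the flags and port numbers."""
    flags = set(info["flags"])
    if flags == {"SYN"}:
        return "source is opening the connection (client)"
    if {"SYN", "ACK"} <= flags:
        return "source is answering a connection (server)"
    if info["sport"] < 1024 <= info["dport"]:
        return "source port is a well-known port: probably a server reply"
    if info["dport"] < 1024 <= info["sport"]:
        return "destination port is a well-known port: probably a client request"
    return "undetermined"

def build_sample() -> bytes:
    """Constructed packet: 192.0.2.10:80 -> 198.51.100.7:3154, PSH+ACK, opaque payload."""
    payload = bytes(range(16))           # stands in for data that cannot be decoded
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 80, 3154, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload            # checksums left at 0; the parser ignores them

if __name__ == "__main__":
    info = parse_ipv4_tcp(build_sample())
    print(info)
    print(likely_role(info))
```

The input is a raw IP packet with no link-layer header, so an Ethernet capture needs its first 14 bytes stripped before parsing.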