[Dshield] unknown port

John Sage jsage at finchhaven.com
Wed Jun 4 23:27:39 GMT 2003

Let me see if I've got this straight:

On Wed, Jun 04, 2003 at 03:30:52PM -0500, Rick Leske wrote:
> I have been seeing a lot of outbound traffic port 80 to port 3154 to
> ip address

You're seeing *outbound* traffic from *your* source port 80 -- you
running a webserver?

[jsage at tweedle /storage/virii] $ host domain name pointer

[jsage at tweedle /storage/virii] $ lynx -head -dump
HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 132
Expires: Wed, 04 Jun 2003 23:19:16 GMT
Date: Wed, 04 Jun 2003 23:19:16 GMT
Connection: close

[jsage at tweedle /storage/virii] $ lynx -source
<H1>Invalid URL</H1>
The requested URL "&#47;index&#46;html", is invalid.<p>

Smells to me like this is one of Akamai's content servers; you sure
you're sending stuff *out* to this host?

> Does anyone know what could be causing this?
> Outbound traffic is encrypted data captured via packet sniffer. I
> have yet to decode it. 

Post a packet dump.

"Encrypted"? It'll still have IP and TCP headers...

- John
"You are in a twisty maze of weblogs, all alike."
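
The point made in the reply above, that a capture with an unreadable payload still has readable IP and TCP headers, shown as an added example that is not part of the original post. The packet is constructed with documentation addresses (192.0.2.10, 198.51.100.7) and the thread's ports 80 and 3154; the function names and the port-based server heuristic are assumptions of this example.

```python
import socket
import struct

FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]

def parse_headers(pkt):
    """Decode the cleartext IPv4/TCP headers of a raw IP packet (no link layer)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4               # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport,
        "flags": [name for bit, name in FLAG_NAMES if off_flags & bit],
        "payload_len": len(pkt) - ihl - data_off,
    }

def server_side(h):
    """Guess which endpoint is the server: handshake flags first, then port numbers."""
    if "SYN" in h["flags"]:
        return "src" if "ACK" in h["flags"] else "dst"
    if h["sport"] < 1024 <= h["dport"]:
        return "src"                               # e.g. 80 -> 3154: a server's reply
    if h["dport"] < 1024 <= h["sport"]:
        return "dst"                               # e.g. 3154 -> 80: a client's request
    return "unknown"

def build_sample():
    """Constructed packet: 192.0.2.10:80 -> 198.51.100.7:3154, PSH+ACK, opaque payload."""
    payload = bytes(range(200, 232))               # stands in for unreadable data
    tcp = struct.pack("!HHIIHHHH", 80, 3154, 1000, 2000, (5 << 12) | 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    return ip + tcp + payload                      # checksums left 0 (not verified here)

if __name__ == "__main__":
    h = parse_headers(build_sample())
    print(h, "server side:", server_side(h))
```

If the address reported as the server side is the local host, the local host is answering web requests; if it is the remote address, the packets are replies coming in from that server.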

