[Dshield] Has anyone seen this before?

Ernest Eustace e.eustace at bringit.ca
Sat Mar 6 05:53:21 GMT 2004


I have noticed a few PCs in our network trying to send out what appears to
be .com files, with names that make them appear to be web sites, pasted
below are a few edited examples from our gateway firewall's logs:

2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The
file www.oldnavy.com is blocked."  
2004-03-05 15:40:12 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The
file www.oldnavy.com is blocked."  
2004-03-05 15:40:02 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The
file www.oldnavy.com is blocked."  
2004-03-05 15:38:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The
file www.oldnavy.com is blocked."  
2004-03-05 15:38:14 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The
file www.oldnavy.com is blocked." 

2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183 service=http
msg="The file www.theweathernetwork.com is blocked." 

We have scanned these machines for both viruses and spyware, a few of them
had hotbar, but others did not, and all of them came clean for viruses. We
used both Adaware and Spybot, because I have seen one catch some things the
other didn't. A/V scan used was latest Trend corporate edition at that time.

Obviously our firewall is stopping them since we allow no downloads or
uploads by our users, but I would very much like to get to the bottom of
this.

A lookup of the destination IPs 207.61.136.8 and 64.124.201.183 in Dshield
reports tells me they belong to Akamai. Since they provide services to so
many businesses this isn't much of a clue.

If this is not malicious could it be part of Akamai's efforts to locate the
closest host server (DNS methods etc) for whatever particular page a user
was trying to reach?

Any input is appreciated :)

Ernest Eustace FCSE GCIA CCNP MCSE 
Networking & Security 
BringIT 
www.bringit.ca 
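As an added example (not part of the original post or anything from the DShield list), a small Python parser that reads firewall lines in the key=value format quoted above, pulls the blocked "file" name out of the msg field, flags names that have the shape of a hostname rather than a file, and counts repeats per source, destination and name so bursts like the one above stand out. The sample lines are constructed to mirror the post's log format, with the src octets anonymised as in the post.

```python
import re
from collections import Counter

# Constructed sample lines in the same key=value style as the firewall log
# quoted in the post; src octets are anonymised exactly as the post does.
SAMPLE_LOG = """\
2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:40:12 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:40:02 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183 service=http msg="The file www.theweathernetwork.com is blocked."
2004-03-05 13:25:00 ... src=10.b.c.d3 dst=10.0.0.5 service=http msg="The file report.doc is blocked."
"""

# One firewall line: timestamp, then the key=value fields we care about.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) .*?src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'service=(?P<svc>\S+) msg="(?P<msg>[^"]*)"'
)
FILE_RE = re.compile(r'The file (?P<name>\S+) is blocked')
# Hostname shape: at least two dotted labels before an alphabetic TLD, so
# "www.oldnavy.com" is flagged but a bare "setup.com" (which could be a DOS
# executable) is left for the analyst to judge by content, not by name.
HOSTLIKE_RE = re.compile(r'^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$', re.I)


def parse(log_text):
    """Parse each matching line into a dict; the blocked name is added as 'name'."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not block messages in this format
        fm = FILE_RE.search(m['msg'])
        events.append({**m.groupdict(), 'name': fm['name'] if fm else None})
    return events


def hostlike_blocks(events):
    """Return only the events whose blocked 'file' name looks like a hostname."""
    return [e for e in events if e['name'] and HOSTLIKE_RE.match(e['name'])]


def summarize(events):
    """Count host-shaped blocks per (src, dst, name) so repeated bursts stand out."""
    return Counter((e['src'], e['dst'], e['name']) for e in hostlike_blocks(events))


if __name__ == '__main__':
    for key, n in summarize(parse(SAMPLE_LOG)).most_common():
        print(n, *key)
```

Feeding the real gateway log through `summarize` and sorting by count gives the same per-host bursts the poster pulled out by hand, and the `dst` column is what to look up against a CDN ownership list.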