[Dshield] Has anyone seen this before?

John Sage jsage at finchhaven.com
Sat Mar 6 16:28:02 GMT 2004


Ernest:

The firewall logs you show have some familiar aspects, and some that
are unfamiliar.

On Sat, Mar 06, 2004 at 12:53:21AM -0500, Ernest Eustace wrote:
> From: Ernest Eustace <e.eustace at bringit.ca>
> To: "'list at dshield.org'" <list at dshield.org>
> Date: Sat, 6 Mar 2004 00:53:21 -0500 
> Subject: [Dshield] Has anyone seen this before?
> 
> I have noticed a few PCs in our network trying to send out what
> appears to be .com files, with names that make them appear to be web
> sites, pasted below are a few edited examples from our gateway
> firewall's logs:
> 
> 2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:40:12 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:40:02 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:38:25 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 15:38:14 ... src=10.b.c.d dst=207.61.136.8 service=http
> msg="The file www.oldnavy.com is blocked."
> 2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183
> service=http msg="The file www.theweathernetwork.com is blocked."

"service=http": is this the source service (i.e. on your network) or
the destination service (i.e. on their networks)?

msg="The file www.[oldnavy|theweathernetwork].com is blocked." is quite
specific, and yet is not a phrase that comes up in any Google search I
can contrive.

Exactly what program/service/whatever is generating this?


On quick inspection it looks as though something is firing on a
fragment of the URL www.oldnavy.com or www.theweathernetwork.com...

...but what, and why?



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
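A small triage helper for log lines in the format Ernest quoted, added here as an example and not part of either poster's message. It assumes the line layout shown above (the "..." and the masked 10.b.c.d addresses are kept exactly as posted, joined onto one line each) and uses a constructed sample built from those lines; it groups the blocks per source, destination and blocked name, and flags sources that log several blocks inside a short window, which is the first thing I would want to know before asking what is generating the message.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, built from the six lines quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
2004-03-05 15:40:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:40:12 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:40:02 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:38:25 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 15:38:14 ... src=10.b.c.d dst=207.61.136.8 service=http msg="The file www.oldnavy.com is blocked."
2004-03-05 13:22:30 ... src=10.b.c.d2 dst=64.124.201.183 service=http msg="The file www.theweathernetwork.com is blocked."
"""

# Assumed layout: timestamp, anything, then src/dst/service key=value pairs and the quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?'
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) service=(?P<svc>\S+) '
    r'msg="The file (?P<file>\S+) is blocked\."$'
)

def parse(log_text):
    """Return one dict per line that matches the firewall format; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events

def summarize(events):
    """Count blocks per (src, dst, blocked name) so repeating PCs stand out."""
    return Counter((e["src"], e["dst"], e["file"]) for e in events)

def burst_sources(events, min_hits=3, window_s=300):
    """Sources that logged at least min_hits blocks inside any window_s-second span."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(n, *key)
    print("bursting:", sorted(burst_sources(evs)))
```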
