Firewall Wizards mailing list archives
Re: Does this look familiar?
From: Bill_Royds () pch gc ca
Date: Fri, 10 Dec 1999 17:46:11 -0500
Your users have "advertiser supported software", most likely Aureate mail. That is the software calling home with information about programs being run. The Exodus address belongs to DialTone Internet as servers for Conducent corporation. The IP block is from 216.33.198.0 to 216.33.199.0. Connect to your sample IP with (use rwhois -s whois.exodus.com -p 14321 216.33.199.78 to find out details).

    #rwhois -s rwhois.exodus.net -p 4321 216.33.199.78
    Auth-Area: 216.33.0.0/16
    Class-Name: network
    Network-Name: 216.33.198.0
    IP-Network: 216.33.198.0/23
    Organization: <see-also>DIALTONE INTERNET
    Address-1: <see-also>18331 Pines Blvd
    Address-2: <see-also>Pembroke Pines, FL 33029
    Admin-Contact: <see-also>DNS () DIALTONEINTERNET NET
    Tech-Contact: <see-also>DNS () DIALTONEINTERNET NET
    Created: 99-MAY-20
    Updated-By: dave

I once did a snoop on that range and got some packets with HTTP requests for ads.conducent.com, which has IP lookup

    Canonical name: ads.conducent.com
    Addresses: 216.33.199.81 216.33.199.80 216.33.199.79 216.33.199.78 216.33.199.77 216.33.210.40 216.33.210.41

This includes your sample IP.

"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 09/12/99 08:26:48 AM
Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Does this look familiar?

Hi,

I have two interesting traffic patterns showing up on my firewall logs.

1. A few inside machines trying to initiate connections to IP addresses (216.33.199.78 for example) administered by somebody called Exodus.com on port 17027.
2. A number of external IP addresses trying to connect to my firewall on port 113 (Authentication Service?)

I would like to know if anyone else has seen this and has any explanation. The firewall is blocking the 17027 connects and notifying me of the strangeness, but that is because we recently changed firewalls and significantly tightened the rules on outbound connections.

I'm half tempted to open the service and sniff the traffic that happens over the connection. Any advice/insight would be greatly appreciated.

Brad MacQuarrie
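
A triage pass over firewall logs for the two patterns discussed in this message, added here as an example and not part of the original post or of any poster's tooling. The log line format, the sample lines and the 10.0.0.0/8 inside range are assumptions; the /23 block and the ports come from the message.

```python
import ipaddress
import re
from collections import defaultdict

# From the rwhois output in the message: IP-Network 216.33.198.0/23.
ADSERVER_NET = ipaddress.ip_network("216.33.198.0/23")
IDENT_PORT = 113  # inbound port reported in the original question
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal range

# Constructed log lines in a hypothetical "ACTION proto src:sport -> dst:dport" format.
SAMPLE_LOG = """\
Dec 09 08:11:02 fw DENY tcp 10.1.4.23:1045 -> 216.33.199.78:17027
Dec 09 08:11:09 fw DENY tcp 10.1.4.23:1046 -> 216.33.199.80:17027
Dec 09 08:12:40 fw ALLOW tcp 10.1.7.5:1102 -> 192.0.2.10:80
Dec 09 08:13:15 fw DENY tcp 10.1.9.88:1300 -> 216.33.198.14:17027
Dec 09 08:14:01 fw DENY tcp 198.51.100.7:4021 -> 203.0.113.1:113
Dec 09 08:15:30 fw ALLOW tcp 10.1.7.5:1103 -> 216.33.199.81:80
Dec 09 08:16:02 fw DENY tcp 10.1.7.5:1104 -> 216.33.200.9:17027
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(log_text):
    """Return (inside hosts contacting the /23, outside hosts probing port 113)."""
    callers = defaultdict(set)  # inside host -> {"dst:dport", ...}
    ident_probes = set()        # outside source addresses hitting port 113
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:      # e.g. an octet above 255
            continue
        if src in INSIDE_NET and dst in ADSERVER_NET:
            callers[str(src)].add(f"{dst}:{m['dport']}")
        elif src not in INSIDE_NET and int(m["dport"]) == IDENT_PORT:
            ident_probes.add(str(src))
    return dict(callers), ident_probes

if __name__ == "__main__":
    callers, probes = triage(SAMPLE_LOG)
    for host, dsts in sorted(callers.items()):
        print(f"{host} -> ad-server block: {sorted(dsts)}")
    print("port 113 probes from:", sorted(probes))
```

Matching on the netblock rather than on port 17027 alone also catches the HTTP requests to the same servers, and leaves out the constructed 216.33.200.9 line, which is outside the /23.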
Current thread:
- Does this look familiar? Brad MacQuarrie (Dec 10)
- Re: Does this look familiar? S. Jonah Pressman (Dec 12)
- <Possible follow-ups>
- Re: Does this look familiar? Robert Graham (Dec 12)
- Re: Does this look familiar? Bill_Royds (Dec 12)
- Re: Does this look familiar? Bill_Royds (Dec 13)