Firewall Wizards mailing list archives

Re: Does this look familiar?


From: Bill_Royds () pch gc ca
Date: Fri, 10 Dec 1999 17:46:11 -0500

Your users have "advertiser supported software", most likely Aureate mail. That
is the software calling home with information about programs being run. The
Exodus address belongs to DialTone Internet as servers for Conducent
corporation. The IP block is from 216.33.198.0 to 216.33.199.0. Connect to your
sample IP with

rwhois -s whois.exodus.com -p 14321 216.33.199.78

to find out details:

#rwhois -s rwhois.exodus.net -p 4321 216.33.199.78
Auth-Area: 216.33.0.0/16
Class-Name: network
Network-Name: 216.33.198.0
IP-Network: 216.33.198.0/23
Organization: <see-also>DIALTONE INTERNET
Address-1: <see-also>18331 Pines Blvd
Address-2: <see-also>Pembroke Pines, FL 33029
Admin-Contact: <see-also>DNS () DIALTONEINTERNET NET
Tech-Contact: <see-also>DNS () DIALTONEINTERNET NET
Created: 99-MAY-20
Updated-By: dave

I once did a snoop on that range and got some packets with HTTP requests for
ads.conducent.com, which has the IP lookup

Canonical name: ads.conducent.com
Addresses:
  216.33.199.81
  216.33.199.80
  216.33.199.79
  216.33.199.78
  216.33.199.77
  216.33.210.40
  216.33.210.41

This includes your sample IP.
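A defender-side check for the pattern described in this thread, added here as an example and not part of the original posts: it scans constructed firewall log lines (the log format is a hypothetical one assumed for the example) for inside hosts trying to reach the 216.33.198.0/23 block or the ads.conducent.com addresses on port 17027, and counts attempts per inside host.

```python
import ipaddress
import re
# The rwhois lookup in the message places DialTone/Conducent's servers here.
AD_SERVER_NET = ipaddress.ip_network("216.33.198.0/23")
AD_PORT = 17027  # port the inside machines were trying to reach
# ads.conducent.com addresses; two lie outside the /23, so a prefix match alone would miss them.
AD_HOSTS = {ipaddress.ip_address(a) for a in (
    "216.33.199.81", "216.33.199.80", "216.33.199.79", "216.33.199.78",
    "216.33.199.77", "216.33.210.40", "216.33.210.41")}
# Hypothetical log format (an assumption, not any real firewall's):
# "<time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"action": d["action"], "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"])}

def classify(rec):
    """'adware-callhome', 'ad-server-other', or None (incl. unparseable)."""
    if rec is None:
        return None
    to_ad_net = rec["dst"] in AD_SERVER_NET or rec["dst"] in AD_HOSTS
    if to_ad_net and rec["dport"] == AD_PORT:
        return "adware-callhome"
    return "ad-server-other" if to_ad_net else None

def find_callhome_hosts(lines):
    """Count call-home attempts per inside source IP, dropped or accepted."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if classify(rec) == "adware-callhome":
            counts[str(rec["src"])] = counts.get(str(rec["src"]), 0) + 1
    return counts

# Constructed sample log lines, not taken from the poster's firewall.
SAMPLE_LOG = [
    "1999-12-09T08:01:12 DROP TCP 10.1.1.23:1042 -> 216.33.199.78:17027",
    "1999-12-09T08:01:40 DROP TCP 10.1.1.23:1043 -> 216.33.199.78:17027",
    "1999-12-09T08:02:05 DROP TCP 10.1.1.44:1201 -> 216.33.210.40:17027",
    "1999-12-09T08:03:00 ACCEPT TCP 10.1.1.23:1050 -> 216.33.199.80:80",
    "garbage line that does not parse",
]
```

Running `find_callhome_hosts(SAMPLE_LOG)` on the constructed lines gives `{'10.1.1.23': 2, '10.1.1.44': 1}`; the 216.33.210.40 hit is caught only because the resolved addresses are checked alongside the /23.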

"Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca> on 09/12/99 08:26:48 AM

Please respond to "Brad MacQuarrie" <Brad_MacQuarrie () maritimelife ca>

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Does this look familiar?

Hi,

I have two interesting traffic patterns showing up on my firewall logs.

1.  A few inside machines trying to initiate connections to IP addresses
(216.33.199.78 for example) administered by somebody called Exodus.com on
port 17027.

2.  A number of external IP addresses trying to connect to my firewall on
port 113 (Authentication Service?)

I would like to know if anyone else has seen this and has any explanation.
The firewall is blocking the 17027 connects and notifying me of the
strangeness, but that is because we recently changed firewalls and
significantly tightened the rules on outbound connections.  I'm half
tempted to open the service and sniff the traffic that happens over the
connection.


Any advice/insight would be greatly appreciated.


Brad MacQuarrie

