Anybody See This Before?

[brianwgray at gmail.com (Brian Gray)]

looks like streaming media to me. Probably a flash video stream. I would
assume the changing ip's are due to them either not being related streams or
being load balanced. The fact that this address belongs to akamai would
confirm this for me.
The /open/ and /idle/ Post connections are a huge give away for it being a
flash stream.


On Sun, Feb 1, 2009 at 11:11 PM, Brice Smith <bsmith2301 at gmail.com> wrote:

> The address entered was hxxp://206.132.122.135/open/1
>
> On Sun, Feb 1, 2009 at 3:50 PM,  <byte.bucket at 4a44.com> wrote:
> > Looks to me like something front-ended by Akamai's CDN.
> >
> > $ dig -x 70.183.191.93 +short
> > a-70-183-191-93.deploy.akamaitechnologies.com
> >
> > It would be helpful if we knew the host name (as opposed to the IP) in
> the
> > requests as I believe this is how Akamai determines what is actually
> being
> > requested.  It would also be useful to know if these are HTTP GETs or
> > POSTs.
> >
> > --
> > byte_bucket
> >
> > > These are logs we pull from our reporting tool that monitors user's
> > > web surfing.  This particular report are where employees are accessing
> > > the Internet via IP address.   Also to answer the other question, no
> > > we do not have security suite of tools from Cox Communications.  I was
> > > looking at another IP (206.132.122.135) which is associated with
> > > Global Crossing.  Haven't used TCPView yet either but will be taking a
> > > closer look at some of these workstations.
> > >
> > > 2009/2/1 Arch Angel <arch3angel at gmail.com>:
> > > > How are you pulling these logs?
> > > >
> > > > On Sun, Feb 1, 2009 at 1:51 AM, Brice Smith <bsmith2301 at gmail.com>
> > > > wrote:
> > > > > Anybody seen this before?  Appears that it might be malware connecting
> > > > > out.  The structure is the same but seeing it on multiple machines.
> > > > > Always different IP but the /idle, /open, /send are constant.
> > > > >
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/open/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
> > > > > _______________________________________________
> > > > > Pauldotcom mailing list
> > > > > Pauldotcom at mail.pauldotcom.com
> > > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > > Main Web Site: http://pauldotcom.com
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom at mail.pauldotcom.com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom at mail.pauldotcom.com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
-Brian W. Gray
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090202/c111b7c5/attachment.htm