PaulDotCom mailing list archives
Anybody See This Before?
From: brianwgray at gmail.com (Brian Gray)
Date: Mon, 2 Feb 2009 09:02:35 -0500
Looks like streaming media to me. Probably a flash video stream. I would assume the changing IPs are due to them either not being related streams or being load balanced. The fact that this address belongs to Akamai would confirm this for me. The /open/ and /idle/ POST connections are a huge giveaway for it being a flash stream.

On Sun, Feb 1, 2009 at 11:11 PM, Brice Smith <bsmith2301 at gmail.com> wrote:
The address entered was hxxp://206.132.122.135/open/1

On Sun, Feb 1, 2009 at 3:50 PM, <byte.bucket at 4a44.com> wrote:

Looks to me like something front-ended by Akamai's CDN.

$ dig -x 70.183.191.93 +short
a-70-183-191-93.deploy.akamaitechnologies.com

It would be helpful if we knew the host name (as opposed to the IP) in the requests, as I believe this is how Akamai determines what is actually being requested. It would also be useful to know if these are HTTP GETs or POSTs.

-- byte_bucket

These are logs we pull from our reporting tool that monitors users' web surfing. This particular report is where employees are accessing the Internet via IP address. Also, to answer the other question, no, we do not have the security suite of tools from Cox Communications. I was looking at another IP (206.132.122.135) which is associated with Global Crossing. Haven't used TCPView yet either, but will be taking a closer look at some of these workstations.

2009/2/1 Arch Angel <arch3angel at gmail.com>:

How are you pulling these logs?

On Sun, Feb 1, 2009 at 1:51 AM, Brice Smith <bsmith2301 at gmail.com> wrote:

Anybody seen this before? Appears that it might be malware connecting out. The structure is the same but seeing it on multiple machines. Always a different IP, but the /idle, /open, /send are constant.

hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/4

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
--
-Brian W. Gray
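The thread's triage steps (group the raw-IP destinations, look at the first path segment and the constant token, then reverse-resolve the IP as byte_bucket did with dig -x) can be turned into a small script. The following is an added example written for this page, not code from anyone in the thread: it parses defanged URLs like the ones posted, summarizes each destination, and labels it. The reverse-DNS step is an injected resolver backed by a constructed table so it runs offline; the 70.183.191.93 entry is the PTR byte_bucket posted, and 203.0.113.10 with its two ordinary requests is a made-up control host.

```python
"""Proxy-log triage for the open/idle/send URL pattern discussed in the thread.

Added example, not part of the mailing-list post. It groups requests by
destination, records the path 'verbs' and session tokens seen, and labels
raw-IP destinations that match the pattern for review, downgrading those
whose reverse name shows an Akamai CDN edge (the thread's conclusion).
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the posted URLs plus an assumed control host.
SAMPLE_LOG = """\
hxxp://70.183.191.93/open/1
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/0
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/1
hxxp://70.183.191.93/send/whamyd8r+xi+25kr/2
hxxp://70.183.191.93/idle/whamyd8r+xi+25kr/3
hxxp://206.132.122.135/open/1
hxxp://203.0.113.10/images/logo.png
hxxp://203.0.113.10/index.html
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STREAM_VERBS = {"open", "idle", "send"}   # the constant segments from the thread


def parse_url(url):
    """Return (host, verb, token, seq) for one defanged URL, or None if unparsable."""
    u = urlparse(url.replace("hxxp://", "http://", 1))
    parts = [p for p in u.path.split("/") if p]
    if not u.hostname or not parts:
        return None
    verb = parts[0]
    token = parts[1] if len(parts) > 2 else None   # shape: /verb/<token>/<seq>
    seq = parts[-1] if len(parts) > 1 else None
    return u.hostname, verb, token, seq


def summarize(log_text):
    """Per destination host: verbs seen, tokens seen, request count, raw-IP flag."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_url(line.strip())
        if rec is None:
            continue
        host, verb, token, _ = rec
        entry = summary.setdefault(host, {"verbs": set(), "tokens": set(), "count": 0,
                                          "raw_ip": bool(IPV4_RE.match(host))})
        entry["verbs"].add(verb)
        if token:
            entry["tokens"].add(token)
        entry["count"] += 1
    return summary


def classify(summary, resolver):
    """Label each host; resolver(ip) returns a reverse name or None (injected so
    the script runs offline; in production wire it to socket.gethostbyaddr)."""
    out = {}
    for host, e in summary.items():
        ptr = resolver(host) if e["raw_ip"] else None
        # Only open/idle/send verbs and at most one session token: the pattern
        # from the post, whether it turns out to be a stream or something else.
        pattern_hit = e["verbs"] <= STREAM_VERBS and len(e["tokens"]) <= 1
        if pattern_hit and ptr and ptr.endswith(".akamaitechnologies.com"):
            label = "cdn-stream-likely"   # what the thread concluded for Akamai edges
        elif pattern_hit and e["raw_ip"]:
            label = "review"              # raw-IP destination, pattern present, no CDN name
        else:
            label = "ordinary"
        out[host] = (label, ptr)
    return out


# Constructed reverse-DNS table standing in for `dig -x`; the first entry is the
# PTR byte_bucket posted, the other hosts deliberately have no entry.
FAKE_PTR = {"70.183.191.93": "a-70-183-191-93.deploy.akamaitechnologies.com"}


def offline_resolver(ip):
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for host, (label, ptr) in classify(summarize(SAMPLE_LOG), offline_resolver).items():
        print(f"{host:18} {label:20} {ptr or '-'}")
```

The "review" label is the useful output: 206.132.122.135 shows the same /open/ shape but no CDN reverse name, which is exactly the host Brice said he was still looking at, so it stays on the list until the workstation check (TCPView, the originating process) settles it.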
Current thread:
- Anybody See This Before? Brice Smith (Jan 31)
- Anybody See This Before? Adsquaired (Feb 01)
- Anybody See This Before? Arch Angel (Feb 01)
- Anybody See This Before? Brice Smith (Feb 01)
- Anybody See This Before? byte.bucket at 4a44.com (Feb 01)
- Anybody See This Before? Brice Smith (Feb 01)
- Anybody See This Before? Brian Gray (Feb 02)
- Anybody See This Before? Brice Smith (Feb 01)