Firewall Wizards mailing list archives

Re: Does this look familiar?


From: "S. Jonah Pressman" <jonah () istar ca>
Date: Sat, 11 Dec 1999 21:10:52 -0500

Brad:

1) The IP address you specified points to a host called "ADS2".  The
traceroute, indeed, does point to a client of exodus.net.

2) As for the traffic on tcp/17027, you may be interested in a
partnership that exists between Conducent Technologies and the PKWARE
(PK-Zip) people.  It's a partnership by which unregistered software can
be subsidized with the inclusion of advertising banners.  In short,
certain versions of PKZIP contain an "ad server" that downloads
advertising to your host... click counts on the advertising banners are
sent back to Conducent.

For a summary, see http://www.pkware.com/sponsors.html

My advice is to deny the traffic on tcp/17027 and not even log it.

Securely Yours,
Jonah



I have two interesting traffic patterns showing up on my firewall logs.

1.  A few inside machines trying to initiate connections to IP addresses
(216.33.199.78 for example) administered by somebody called Exodus.com on
port 17027.

2.  A number of external IP addresses trying to connect to my firewall on
port 113 (Authentication Service?)

I would like to know if anyone else has seen this and has any explanation.
The firewall is blocking the 17027 connects and notifying me of the
strangeness, but that is because we recently changed firewalls and
significantly tightened the rules on outbound connections.  I'm half
tempted to open the service and sniff the traffic that happens over the
connection.

Any advice/insight would be greatly appreciated.

Brad MacQuarrie


