Security Incidents mailing list archives
RE: Weird Traffic from www.eyeblaster-bs.com
From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Fri, 30 May 2003 11:39:28 -0400
Can't explain your traffic, but your description doesn't sit quite right. Did you really see a Syn to internal port 80 from these folks? Or did you just see traffic with port 80 as a destination? A client can use port 80 to initiate a connection. I'm betting that's all you saw. Logs? Eyeblaster is an ad server... http://www.eyeblaster.com/WebSite/default.htm I guess bs (in this case) stands for Burst Server.
From google:
http://www.ufoot.org/misc/plague/ads.php3 http://ssmedia.com/Utilities/hosts/ Doesn't sound like something to get worked up over. Why not block them and save your users a few ads, heh heh. -David
-----Original Message----- From: Jeremy Junginger [mailto:jj () act com] Sent: Thursday, May 29, 2003 5:45 PM To: incidents () securityfocus com Subject: Weird Traffic from www.eyeblaster-bs.com Good Afternoon, I am seeing some strange traffic from www.eyeblaster-bs.com on both network and host based IDS. More specifically, I'm seeing TCP port 80 (http) traffic from multiple internal clients to http://www.eyeblaster-bs.com/BurstingPipe and http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% . So far, it looks like normal surfing....well...almost. The strange thing is that I have seen traffic that appears to be sourced from this server to clients (dest port 80) on the Internal Network (which should be relatively protected as they use Port Address Translation, not to mention that port 80 is not allowed to those client machines). I've seen this URL mentioned on several usage reports, but have not seen any explanations about what it is. Let me know what you think. Here are some of the other networks that have seen traffic TO this server: http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html http://www.bsafehome.com/historyreport.asp -Jeremy These are not the packets you're looking for...You can go about your business.....Move along.... :-) -------------------------------------------------------------- -------------- -------------------------------------------------------------- --------------
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Weird Traffic from www.eyeblaster-bs.com Jeremy Junginger (May 30)
- <Possible follow-ups>
- RE: Weird Traffic from www.eyeblaster-bs.com Cushing, David (May 30)