Vulnerability Development mailing list archives

Unauthorized outgoing connect caught by ZA


From: j nickson <jnickson () TOGETHER NET>
Date: Sun, 15 Oct 2000 10:08:22 -0400

Case History:  Unauthorized request from workstation to connect to Akamai.

I saw some unusual activity so I stopped *all* net programs  and put Zone
Alarm (2.1.25) into LOCK.

A few *minutes* later I was rewarded with:

--------------------------
The firewall has blocked Internet access to a388.g.akamai.net
(63.160.183.233) (HTTP) from your computer.

Time: 10/15/00 8:13:08
----------------------------------

From me (!!!) to Akamai and NOTHING WAS RUNNING.

Another REALLY odd thing about this is that ZA listed no program....

This struck me as odd, so for comparison I then tried to netscape out and
got the following message

NOTE the additional program identification material at the bottom.
----------------------------------------
Netscape Navigator application file tried to connect to the Internet
(209.198.87.40), but was denied access by the Internet Lock.

User: ***********
Program: Netscape Navigator application file
Time: 10/15/00 8:18:32
----------------------------------------------

So who was sending what to Akamai?

It was unauthorized, was it illegal?  Actionable?

I have explicitly added akamai to reject host lists in various filters and
suggest others do likewise, however if it is sneaking below radar for
"program name" it is further worrisome from infosec and infopriv concerns.

If it is corporate sleazeware, what are the implications for previously
secured workstations?

I looked for akamai in clear text in all my files and only found logs of
the event.

Can anyone else replicate the event or shed more light on this?  Win 98 SE, ZA

J
-------------------------------------------------
James Nickson, CDP  voice: 603-256-8055
10 Merrifield, W. Chesterfield, NH, 03466-3131

