Re: Does this look familiar?

[Robert Graham <robert_david_graham () yahoo com>]

Incoming port 113 requests are normal, and described at:
http://www.robertgraham.com/pubs/firewall-seen.html#port113

Exodus is one of the big website hosting companies, so this means simply that
the website in question is hosted by Exodus. Exodus hosts lots of big sites of
the size of Yahoo or Microsoft, as well as lots of smaller sites. In this case,
the site is by "Conducent", which is sending advertising at your users via
shareware programs (it is a good port to block :-):

http://www.robertgraham.com/pubs/firewall-seen.html#port17027


Regards,
Rob.




--- Brad MacQuarrie <Brad_MacQuarrie () maritimelife ca> wrote:
> Hi,
>
> I have two interesting traffic patterns showing up on my firewall logs..
>
> 1.  A few inside machines trying to intiate connections to IP addresses
> (216.33.199.78 for example) administered by somebody called Exodus.com on
> port 17027.
>
> 2.  A number of external IP addresses trying to connect to my firewall on
> port 113 (Authentication Service?)
>
> I would like to know if anyone else has seen this and has any explanation.
> The firewall is blocking the 17027 connects and notifying me of the
> starngeness, but that is because we recently changed firewalls and
> significantly tightened the rules on outbound connections.  I'm half
> tempted to open the service and sniff the traffic that happens over the
> connection.
>
>
> Any advice/insight would be greatly appreciated.
>
>
> Brad MacQuarrie


=====
Robert Graham
"Anxiously awaiting the millenium so I can start programming
dates with 2-digits again."
__________________________________________________
Do You Yahoo!?
Thousands of Stores.  Millions of Products.  All in one place.
Yahoo! Shopping: http://shopping.yahoo.com