Security Incidents mailing list archives

RE: Weird Traffic from www.eyeblaster-bs.com

From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Fri, 30 May 2003 11:39:28 -0400

Can't explain your traffic, but your description doesn't sit quite right.  Did you really see a Syn to internal port 80 
from these folks?  Or did you just see traffic with port 80 as a destination?  A client can use port 80 to initiate a 
connection.  I'm betting that's all you saw.  Logs?

Eyeblaster is an ad server...
http://www.eyeblaster.com/WebSite/default.htm

I guess bs (in this case) stands for Burst Server.

From google:

http://www.ufoot.org/misc/plague/ads.php3
http://ssmedia.com/Utilities/hosts/

Doesn't sound like something to get worked up over.  Why not block them and save your users a few ads, heh heh.

-David

-----Original Message-----
From: Jeremy Junginger [mailto:jj () act com]
Sent: Thursday, May 29, 2003 5:45 PM
To: incidents () securityfocus com
Subject: Weird Traffic from www.eyeblaster-bs.com

Good Afternoon,

I am seeing some strange traffic from www.eyeblaster-bs.com on both
network and host based IDS.  More specifically, I'm seeing TCP port 80
(http) traffic from multiple internal clients to
http://www.eyeblaster-bs.com/BurstingPipe and
http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% .  So far, it
looks like normal surfing....well...almost.  The strange 
thing is that I
have seen traffic that appears to be sourced from this server 
to clients
(dest port 80) on the Internal Network (which should be relatively
protected as they use Port Address Translation, not to 
mention that port
80 is not allowed to those client machines).  I've seen this URL
mentioned on several usage reports, but have not seen any explanations
about what it is.  Let me know what you think.

Here are some of the other networks that have seen traffic TO this
server:
http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html
http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html
http://www.bsafehome.com/historyreport.asp

-Jeremy

These are not the packets you're looking for...You can go about your
business.....Move along....
:-)

--------------------------------------------------------------
--------------
--------------------------------------------------------------
--------------


----------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Weird Traffic from www.eyeblaster-bs.com Jeremy Junginger (May 30)
- <Possible follow-ups>
- RE: Weird Traffic from www.eyeblaster-bs.com Cushing, David (May 30)