Vulnerability Development mailing list archives

Re: Unauthorized outgoing connect caught by ZA


From: Christopher Palow <palow () CMU EDU>
Date: Sun, 15 Oct 2000 19:38:57 -0400

Since akamai delivers web content for a good deal of popular sites,
including yahoo.com, blocking akamai might not be advisable.  Why don't you
check their client list and see if you had visited one of their clients
recently.  Maybe that'd help you in your investigation.

Christopher Palow
Junior Electrical and Computer Engineering
Carnegie Mellon University

At 10:08 AM 10/15/2000 -0400, you wrote:
Case History:  Unauthorized request from workstation to connect to Akamai.

I saw some unusual activity so I stopped *all* net programs  and put Zone
Alarm (2.1.25) into LOCK.

A few *minutes* later I was rewarded with:

--------------------------
The firewall has blocked Internet access to a388.g.akamai.net
(63.160.183.233) (HTTP) from your computer.

Time: 10/15/00 8:13:08
----------------------------------

From me (!!!) to Akamai and NOTHING WAS RUNNING.

Another REALLY odd thing about this is that ZA listed no program....

This struck me as odd, so for comparison I then tried to netscape out and
got the following message

NOTE the additional program identification material at the bottom.
----------------------------------------
Netscape Navigator application file tried to connect to the Internet
(209.198.87.40), but was denied access by the Internet Lock.

User: ***********
Program: Netscape Navigator application file
Time: 10/15/00 8:18:32
----------------------------------------------

So who was sending what to Akamai?

It was unauthorized, was it illegal?  Actionable?

I have explicitly added akamai to reject host lists in various filters and
suggest others do likewise, however if it is sneaking below radar for
"program name" it is further worrisome from infosec and infopriv concerns.

If it is corporate sleazeware, what are the implications for previously
secured workstations?

I looked for akamai in clear text in all my files and only found logs of
the event.

Can anyone else replicate the event or shed more light on this?  Win 98 SE, ZA

J
-------------------------------------------------
James Nickson, CDP  voice: 603-256-8055
10 Merrifield, W. Chesterfield, NH, 03466-3131

