RE: Weird Traffic from www.eyeblaster-bs.com
From: Cushing, David (David.Cushing_at_hitachisoftware.com)
Date: 05/30/03
- Previous message: Michele Chubirka: "RE: Whois updates, Was: [Re: Possible Intrusion Attempt?]"
- Maybe in reply to: Jeremy Junginger: "Weird Traffic from www.eyeblaster-bs.com"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 May 2003 11:39:28 -0400 To: "Jeremy Junginger" <jj@act.com>, <incidents@securityfocus.com>
Can't explain your traffic, but your description doesn't sit quite right. Did you really see a Syn to internal port 80 from these folks? Or did you just see traffic with port 80 as a destination? A client can use port 80 to initiate a connection. I'm betting that's all you saw. Logs?
Eyeblaster is an ad server...
http://www.eyeblaster.com/WebSite/default.htm
I guess bs (in this case) stands for Burst Server.
From google:
http://www.ufoot.org/misc/plague/ads.php3
http://ssmedia.com/Utilities/hosts/
Doesn't sound like something to get worked up over. Why not block them and save your users a few ads, heh heh.
-David
> -----Original Message-----
> From: Jeremy Junginger [mailto:jj@act.com]
> Sent: Thursday, May 29, 2003 5:45 PM
> To: incidents@securityfocus.com
> Subject: Weird Traffic from www.eyeblaster-bs.com
>
>
> Good Afternoon,
>
> I am seeing some strange traffic from www.eyeblaster-bs.com on both
> network and host based IDS. More specifically, I'm seeing TCP port 80
> (http) traffic from multiple internal clients to
> http://www.eyeblaster-bs.com/BurstingPipe and
> http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% . So far, it
> looks like normal surfing....well...almost. The strange
> thing is that I
> have seen traffic that appears to be sourced from this server
> to clients
> (dest port 80) on the Internal Network (which should be relatively
> protected as they use Port Address Translation, not to
> mention that port
> 80 is not allowed to those client machines). I've seen this URL
> mentioned on several usage reports, but have not seen any explanations
> about what it is. Let me know what you think.
>
> Here are some of the other networks that have seen traffic TO this
> server:
> http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html
> http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html
> http://www.bsafehome.com/historyreport.asp
>
>
> -Jeremy
>
> These are not the packets you're looking for...You can go about your
> business.....Move along....
> :-)
>
> --------------------------------------------------------------
> --------------
> --------------------------------------------------------------
> --------------
>
>
----------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: Michele Chubirka: "RE: Whois updates, Was: [Re: Possible Intrusion Attempt?]"
- Maybe in reply to: Jeremy Junginger: "Weird Traffic from www.eyeblaster-bs.com"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
