-
September 20th, 2005, 04:59 PM
#1
Member
Help identify this host
We have an internal host on our network trying to access the IP 80.67.76.26 over port 80 a couple thousand times a day. The traffic increases during off-hours, which makes me think it's some sort of spyware or other rogue app trying to call "home". This user is usually one of the top "talkers" on our network. Can anyone help identify this host?
-
September 20th, 2005, 05:04 PM
#2
80.67.76.26 belongs to Akamai..
Akamai is a worldwide server network that mirrors downloads for big companies (like Microsoft).
Try tracing it the other way around: find the one client (or clients) that generates this traffic and see what's running.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 20th, 2005, 05:05 PM
#3
Hmm... well, from a quick couple of tests, I found that they do not have reverse lookup enabled for their IP, they have SSH running, but it's in key authentication mode, and they have a web server running. With that kind of setup, I think you hit the nail on the head about it being some kind of spyware or trojan trying to connect to its home system.
/* You are not expected to understand this. */
-
September 20th, 2005, 05:07 PM
#4
Originally posted here by roswell1329
Hmm... well, from a quick couple of tests, I found that they do not have reverse lookup enabled for their IP, they have SSH running, but it's in key authentication mode, and they have a web server running. With that kind of setup, I think you hit the nail on the head about it being some kind of spyware or trojan trying to connect to its home system.
Try whois:
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '80.67.75.0 - 80.67.77.255'
inetnum: 80.67.75.0 - 80.67.77.255
netname: AKAMAI-BOS-1
descr: Boston Colo
country: US
admin-c: NF1714-RIPE
tech-c: NF1714-RIPE
status: ASSIGNED PA
mnt-by: AKAM1-RIPE-MNT
mnt-lower: AKAM1-RIPE-MNT
source: RIPE # Filtered
person: Noam Freedman
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
phone: +1-617-938-3130
e-mail: noam+ripe@akamai.com
nic-hdl: NF1714-RIPE
mnt-by: AKAM1-RIPE-MNT
source: RIPE # Filtered
Oliver's Law:
Experience is something you don't get until just after you need it.
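The RPSL output above can be parsed rather than read by eye. The following is an added example, not code from the original thread: it embeds the whois response from post #4 as a constructed string, splits it into objects, resolves the netblock's admin-c/tech-c handle to the person object, and checks that the queried IP really falls inside the returned inetnum. The rule that a repeated object-class key (inetnum, person, ...) starts a new object is this example's own assumption, needed because a forum paste loses the blank lines that normally separate RPSL objects.

```python
"""Parse RIPE whois (RPSL) output and pull out who is responsible for a netblock.

Added example, not code from the original thread.  SAMPLE reproduces the whois
response pasted in post #4; the object-splitting rule and helper names are this
example's own.
"""
import ipaddress

# RPSL attributes whose appearance marks the start of a new object.  Real whois
# output separates objects with blank lines, but a forum paste usually loses
# them, so this parser also starts a new object on one of these keys.
# (Assumption made for this example, not a whois server rule.)
OBJECT_CLASSES = {"inetnum", "inet6num", "aut-num", "route", "route6",
                  "person", "role", "organisation", "mntner"}

SAMPLE = """\
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
% Note: This output has been filtered.
% Information related to '80.67.75.0 - 80.67.77.255'
inetnum: 80.67.75.0 - 80.67.77.255
netname: AKAMAI-BOS-1
descr: Boston Colo
country: US
admin-c: NF1714-RIPE
tech-c: NF1714-RIPE
status: ASSIGNED PA
mnt-by: AKAM1-RIPE-MNT
mnt-lower: AKAM1-RIPE-MNT
source: RIPE # Filtered
person: Noam Freedman
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
phone: +1-617-938-3130
e-mail: noam+ripe@akamai.com
nic-hdl: NF1714-RIPE
mnt-by: AKAM1-RIPE-MNT
source: RIPE # Filtered
"""


def parse_rpsl(text):
    """Return a list of objects, each a dict of attribute -> list of values."""
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None                      # blank line: end of object
            continue
        if raw[0] in "%#":
            continue                            # server comment / notice
        if raw[0] in " \t+" and current is not None and last_key:
            # RPSL continuation line: append to the previous attribute's value
            current[last_key][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                            # not an attribute line
        key = key.strip().lower()
        value = value.split("#", 1)[0].strip()  # drop "# Filtered"-style remarks
        if current is None or key in OBJECT_CLASSES:
            current = {}
            objects.append(current)
        current.setdefault(key, []).append(value)
        last_key = key
    return objects


def netblock(objects):
    """The inetnum object in the response, i.e. the IPv4 assignment itself."""
    return next((o for o in objects if "inetnum" in o), None)


def ip_in_netblock(ip, block):
    """True if ip lies inside the block's 'first - last' inetnum range."""
    first, _, last = block["inetnum"][0].partition("-")
    lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    return lo <= ipaddress.ip_address(ip) <= hi


def resolve_contacts(objects, block):
    """Map each admin-c/tech-c handle on the block to its person/role object."""
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    handles = set(block.get("admin-c", []) + block.get("tech-c", []))
    return {h: by_handle.get(h) for h in handles}


def summarize(text, ip):
    """Attribution for ip from a whois response, or None if ip is outside the block."""
    objs = parse_rpsl(text)
    block = netblock(objs)
    if block is None or not ip_in_netblock(ip, block):
        return None
    contacts = resolve_contacts(objs, block)
    mails = sorted({m for c in contacts.values() if c for m in c.get("e-mail", [])})
    return {"ip": ip, "netname": block["netname"][0], "range": block["inetnum"][0],
            "descr": block.get("descr", []), "contact_email": mails}


if __name__ == "__main__":
    print(summarize(SAMPLE, "80.67.76.26"))
```

The range check matters in practice: a whois server answers with the most specific object it has, so confirming the queried address is actually inside the returned inetnum guards against misreading a response for a neighbouring block.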
-
September 20th, 2005, 05:11 PM
#5
D'OH! Dirty, SirDice! Outdone me again...
Damn. I didn't even know you could run a whois query on an IP address rather than the actual name.
I guess you learn something new every day.
/* You are not expected to understand this. */
-
September 20th, 2005, 06:16 PM
#6
Try to get us a dump of the traffic you are monitoring; this could really get interesting.
-
September 20th, 2005, 07:22 PM
#7
Member
Thanks, guys. I sent Mr. Noam Freedman a little email; let's see if I get a response. I'm going up to the user's machine now to wring his neck. First, I'm going to that segment to do a little sniffing. Once my "nose" gets full, I'll report back.
I'll keep you posted.
-
September 20th, 2005, 08:41 PM
#8
Member
Here is a small (100 or so packets) capture of the traffic to and from his system, taken with Ethereal.
Does it tell you guys anything? I see a lot of remarks about a "radio"; maybe Akamai is hosting/mirroring a streaming audio site?
-
September 20th, 2005, 10:05 PM
#9
MSN radio, new age, top 40, city radio.
maybe Akamai is hosting/mirroring a streaming audio site?
Akamai hosts a lot of stuff for Microsoft.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
September 21st, 2005, 04:13 AM
#10
I see a lot of remarks about a "radio"; maybe Akamai is hosting/mirroring a streaming audio site?
Seems somebody is just trying to browse http://radio.msn.com
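The lesson of the thread is that a CDN address tells you who operates the server, not which site the client is after: one Akamai IP fronts many customers, so the Host header of the plaintext HTTP request on port 80 is what actually identifies radio.msn.com. The following is an added example, not code from the original thread. It tallies requests per (client, server, Host) over a list of TCP payloads; the payloads, the internal address 10.0.0.23 and the second hostname download.example.com are constructed stand-ins for the reassembled streams of the capture in post #8, which is not reproduced on the page.

```python
"""Tally what an internal host asks a shared (CDN) IP for, by HTTP Host header.

Added example, not part of the original thread.  PACKETS is constructed
sample traffic standing in for the reassembled TCP payloads of the capture in
post #8; 10.0.0.23 and download.example.com are made up for the example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Request line of an HTTP/1.0 or HTTP/1.1 request: METHOD SP target SP version CRLF
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def http_host(payload):
    """Lower-cased host an HTTP request is for, or None if the payload is not an
    HTTP request at all (a response, a TLS record, anything else)."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":      # header names are case-insensitive
            host = value.strip()
            # Drop an explicit port ("radio.msn.com:80") but leave IPv6 literals intact
            if b":" in host and host.rsplit(b":", 1)[1].isdigit():
                host = host.rsplit(b":", 1)[0]
            return host.decode("ascii", "replace").lower()
    # No Host header (HTTP/1.0): an absolute URI in the request line still names the site
    target = m.group(2).decode("ascii", "replace")
    if target.startswith(("http://", "https://")):
        return (urlsplit(target).hostname or "").lower() or None
    return "(no Host header)"


def tally_requests(packets):
    """Count HTTP requests per (client, server, host) over (src, dst, payload) tuples."""
    counts = Counter()
    for src, dst, payload in packets:
        host = http_host(payload)
        if host is not None:
            counts[(src, dst, host)] += 1
    return counts


def report(packets):
    """(client, server, host) -> request count, most-requested first."""
    return sorted(tally_requests(packets).items(), key=lambda kv: -kv[1])


PACKETS = [  # constructed sample traffic, not the thread's capture
    ("10.0.0.23", "80.67.76.26",
     b"GET /radio/listen HTTP/1.1\r\nHost: radio.msn.com\r\nUser-Agent: WMPlayer\r\n\r\n"),
    ("10.0.0.23", "80.67.76.26",
     b"GET /radio/stations.asx HTTP/1.1\r\nHost: Radio.MSN.com:80\r\n\r\n"),
    ("10.0.0.23", "80.67.76.26",
     b"GET http://radio.msn.com/genre/newage HTTP/1.0\r\nUser-Agent: WMPlayer\r\n\r\n"),
    ("10.0.0.23", "80.67.76.26",
     b"GET /update.cab HTTP/1.1\r\nHost: download.example.com\r\n\r\n"),
    ("80.67.76.26", "10.0.0.23",
     b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-ms-asf\r\n\r\n<asx/>"),
    ("10.0.0.23", "80.67.76.26", b"\x16\x03\x01\x00\x8a\x01\x00"),  # TLS ClientHello, not HTTP
]


if __name__ == "__main__":
    for (src, dst, host), n in report(PACKETS):
        print(f"{src} -> {dst}  {host:<24} {n}")
```

Feed it the client-to-server payloads of each TCP stream (Ethereal/Wireshark "Follow TCP Stream", or tcpflow output) and the same Akamai IP splits into the sites actually being requested. The same trick does not work once the traffic moves to HTTPS: the Host header is then encrypted, and the plaintext field to look at instead is the server_name (SNI) extension in the TLS ClientHello.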