
Thread: Help identify this host

  1. #1
    Member
    Join Date
    Jan 2002
    Posts
    61

    Help identify this host

    We have an internal host on our network trying to access the IP 80.67.76.26 over port 80 a couple thousand times a day. The traffic increases during off-hours, which makes me think it's some sort of spyware or other rogue app trying to call "home". This user is usually one of the top "talkers" on our network. Can anyone help to identify this host?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    80.67.76.26 belongs to Akamai..

    Akamai is a worldwide server network that mirrors downloads for big companies (like Microsoft).

    Try tracing it the other way around.. Find the (one) client(s) that generate this traffic and see what's running.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    Hmm...well, from a quick couple of tests, I found that they do not have reverse lookup enabled for their IP, they have ssh running, but it's in key authentication mode, and they have a webserver running. With that kind of setup, I think you hit the nail on the head about it being some kind of spyware or trojan trying to connect to its home system.
    /* You are not expected to understand this. */

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by roswell1329
    Hmm...well, from a quick couple of tests, I found that they do not have reverse lookup enabled for their IP, they have ssh running, but it's in key authentication mode, and they have a webserver running. With that kind of setup, I think you hit the nail on the head about it being some kind of spyware or trojan trying to connect to its home system.
    Try whois

    % This is the RIPE Whois query server #2.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-pr...-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag

    % Information related to '80.67.75.0 - 80.67.77.255'

    inetnum: 80.67.75.0 - 80.67.77.255
    netname: AKAMAI-BOS-1
    descr: Boston Colo
    country: US
    admin-c: NF1714-RIPE
    tech-c: NF1714-RIPE
    status: ASSIGNED PA
    mnt-by: AKAM1-RIPE-MNT
    mnt-lower: AKAM1-RIPE-MNT
    source: RIPE # Filtered

    person: Noam Freedman
    address: Akamai Technologies
    address: 8 Cambridge Center
    address: Cambridge, MA 02142
    phone: +1-617-938-3130
    e-mail: noam+ripe@akamai.com
    nic-hdl: NF1714-RIPE
    mnt-by: AKAM1-RIPE-MNT
    source: RIPE # Filtered
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    D'OH! Dirty, SirDice! Outdone me again...

    Damn. I didn't even know you could run a whois query on an IP address rather than the actual name.

    I guess you learn something new everyday.
    /* You are not expected to understand this. */

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Try to get us a dump of the traffic you are monitoring, this could really get interesting.

  7. #7
    Member
    Join Date
    Jan 2002
    Posts
    61
    Thanks guys, I sent Mr. Noam Freedman a little email, let's see if I get a response. I'm going up to the user's machine now to wring his neck. First, I'm going to that segment to do a little sniffing. Once my "nose" gets full, I'll report back.

    I'll keep you posted.

  8. #8
    Member
    Join Date
    Jan 2002
    Posts
    61
    Here is a small (100 or so packets) capture of the traffic to and from his system using Ethereal.

    Does it tell you guys anything? I see a lot of remarks about a "radio", maybe Akamai is hosting/mirroring a streaming audio site?

  9. #9
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    MSN radio, new age, top 40, city radio.

    maybe Akamai is hosting/mirroring a streaming audio site?
    Akamai hosts a lot of stuff for Microsoft
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  10. #10
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    I see alot of remarks about a "radio", maybe Akamai is hosting\mirroring a streaming audio site?
    Seems somebody is just trying to browse http://radio.msn.com
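    Two steps in this thread are mechanical enough to script: SirDice's advice in #2 to turn the question around and find which internal client is generating the traffic (and whether it really peaks off-hours), and the capture in #8 and #10 that settled it by the HTTP Host name being requested, which is the only thing that distinguishes one site from another behind a shared CDN address. The script below is an added example, not code from the thread or from Ethereal; it works on a constructed, whitespace-separated export of the form `<ISO timestamp> <src ip> <dst ip> <dst port> [<Host header or ->]`, ranks the clients talking to a destination, measures each client's off-hours share against an assumed 08:00 to 17:59 business window, and tallies the Host names seen.

```python
"""Triage a capture/flow export for one destination: which internal clients talk to it,
how much of that traffic falls outside business hours, and which HTTP Host names they
request.

Added example (not from the thread). SAMPLE_LOG is constructed; the 08:00-17:59
business window is an assumption to adjust for your site.
"""
from collections import Counter
from datetime import datetime

# Constructed export: timestamp, source, destination, dest port, Host header ('-' if none).
SAMPLE_LOG = """\
2004-03-10T09:14:05 10.0.0.17 80.67.76.26 80 radio.msn.com
2004-03-10T09:14:06 10.0.0.17 80.67.76.26 80 radio.msn.com
2004-03-10T11:02:44 10.0.0.23 80.67.76.26 80 download.microsoft.com
2004-03-10T19:30:01 10.0.0.17 80.67.76.26 80 radio.msn.com
2004-03-10T23:45:12 10.0.0.17 80.67.76.26 80 radio.msn.com
2004-03-11T02:10:09 10.0.0.17 80.67.76.26 80 radio.msn.com
2004-03-11T03:12:33 10.0.0.17 80.67.76.26 80 -
2004-03-11T10:00:00 10.0.0.40 192.0.2.10 443 -
"""

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 counts as office hours


def parse_log(text):
    """One dict per non-empty line; a missing or '-' Host becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, *rest = line.split()
        host = rest[0] if rest and rest[0] != "-" else None
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "port": int(port), "host": host})
    return records


def clients_for(records, dst):
    """Internal sources that connect to dst, most talkative first."""
    return Counter(r["src"] for r in records if r["dst"] == dst).most_common()


def offhours_fraction(records, src, dst):
    """Share of src->dst connections whose hour is outside BUSINESS_HOURS (0.0 if none)."""
    hits = [r for r in records if r["src"] == src and r["dst"] == dst]
    if not hits:
        return 0.0
    off = sum(1 for r in hits if r["ts"].hour not in BUSINESS_HOURS)
    return off / len(hits)


def hostnames_for(records, dst):
    """HTTP Host names requested from dst: what tells sites apart behind one CDN IP."""
    return Counter(r["host"] for r in records if r["dst"] == dst and r["host"]).most_common()


def triage(text, dst):
    """Everything a first look at a 'noisy' destination needs, in one dict."""
    records = parse_log(text)
    clients = clients_for(records, dst)
    return {
        "clients": clients,
        "offhours": {src: round(offhours_fraction(records, src, dst), 2) for src, _ in clients},
        "hosts": hostnames_for(records, dst),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "80.67.76.26").items():
        print(f"{key}: {value}")
```

On the constructed sample this points at 10.0.0.17 as the single heavy client, shows two thirds of its connections outside office hours, and names `radio.msn.com` as the site behind the Akamai address, which is the same conclusion the thread reached by reading the capture by hand. An export in this shape can be produced from a pcap with the HTTP Host field added as a column in Ethereal/Wireshark, or from a web proxy log.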
