Hosting Provided By

Weird Traffic from www.eyeblaster-bs.com

From: Jeremy Junginger <jj(at)act.com>
Date: Thu May 29 2003 - 17:44:59 EDT

Good Afternoon,

I am seeing some strange traffic from www.eyeblaster-bs.com on both network and host based IDS. More specifically, I'm seeing TCP port 80
(http) traffic from multiple internal clients to
http://www.eyeblaster-bs.com/BurstingPipe and http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% . So far, it looks like normal surfing....well...almost. The strange thing is that I have seen traffic that appears to be sourced from this server to clients
(dest port 80) on the Internal Network (which should be relatively
protected as they use Port Address Translation, not to mention that port 80 is not allowed to those client machines). I've seen this URL mentioned on several usage reports, but have not seen any explanations about what it is. Let me know what you think.

Here are some of the other networks that have seen traffic TO this server:

http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.htmlhttp://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.htmlhttp://www.bsafehome.com/historyreport.asp

-Jeremy

These are not the packets you're looking for...You can go about your business.....Move along....
:-)

Received on Fri May 30 11:18:31 2003

This message: [ Message body ]
Next message: James C. Slora, Jr.: "RE: strange cmd.exe access"
Previous message: Justin Pryzby: "Whois updates, Was: [Re: Possible Intrusion Attempt?]"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:06 EDT