RE: Weird Traffic from www.eyeblaster-bs.com

From: Cushing, David (David.Cushingat_private)
Date: Fri May 30 2003 - 08:39:28 PDT


    Can't explain your traffic, but your description doesn't sit quite right.  Did you really see a SYN to internal port 80 from these folks?  Or did you just see traffic with port 80 as a destination?  A client can use port 80 to initiate a connection.  I'm betting that's all you saw.  Logs?
    
    Eyeblaster is an ad server...
    http://www.eyeblaster.com/WebSite/default.htm
    
    I guess bs (in this case) stands for Burst Server.
    
    From Google:
    http://www.ufoot.org/misc/plague/ads.php3
    http://ssmedia.com/Utilities/hosts/
    
    Doesn't sound like something to get worked up over.  Why not block them and save your users a few ads, heh heh.
    
    -David
    
    > -----Original Message-----
    > From: Jeremy Junginger [mailto:jjat_private]
    > Sent: Thursday, May 29, 2003 5:45 PM
    > To: incidentsat_private
    > Subject: Weird Traffic from www.eyeblaster-bs.com
    > 
    > 
    > Good Afternoon,
    > 
    > I am seeing some strange traffic from www.eyeblaster-bs.com on both
    > network and host based IDS.  More specifically, I'm seeing TCP port 80
    > (http) traffic from multiple internal clients to
    > http://www.eyeblaster-bs.com/BurstingPipe and
    > http://www.eyeblastrer-bs.com/BurstingPipe.asp?param=% .  So far, it
    > looks like normal surfing....well...almost.  The strange thing is that I
    > have seen traffic that appears to be sourced from this server to clients
    > (dest port 80) on the Internal Network (which should be relatively
    > protected as they use Port Address Translation, not to mention that port
    > 80 is not allowed to those client machines).  I've seen this URL
    > mentioned on several usage reports, but have not seen any explanations
    > about what it is.  Let me know what you think.
    > 
    > Here are some of the other networks that have seen traffic TO this
    > server:
    > http://www.olc.edu/~bbump/usage/ns1/7th/url_200211.html
    > http://network.ci.seekonk.ma.us/WebUsage/Library/url_200212.html
    > http://www.bsafehome.com/historyreport.asp
    > 
    > 
    > -Jeremy
    > 
    > These are not the packets you're looking for...You can go about your
    > business.....Move along....
    > :-)
    > 
    
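The question raised in the reply above (a bare SYN to an internal port 80, or just packets whose destination port happens to be 80?) can be answered from a packet log by looking at the TCP flags. The following is an added example, not part of the original thread; it assumes `tcpdump -n` text output, and the addresses (192.0.2.10 for the external server, 10.0.0.x for internal clients) and log lines are constructed.

```python
import re
from collections import Counter

# tcpdump -n style: "time IP src.sport > dst.dport: Flags [X], ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify(line, internal_prefix="10."):
    """Classify a packet sent from outside to an internal host on dest port 80."""
    m = LINE_RE.search(line)
    if not m:
        return "unparsed"
    inbound = (m["dst"].startswith(internal_prefix)
               and not m["src"].startswith(internal_prefix))
    if not inbound or m["dport"] != "80":
        return "other"
    flags = m["flags"]  # tcpdump prints "." for ACK
    if "S" in flags and "." not in flags:
        return "inbound-syn"    # new connection attempt aimed at internal port 80
    if "S" in flags:
        return "synack-reply"   # answer to a client that used source port 80
    return "midstream"          # data/ACK/FIN/RST, not a connection attempt

def summarize(log_text):
    """Count classifications over a multi-line capture."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

# Constructed sample capture (not from the thread).
SAMPLE = """\
08:39:01.100 IP 10.0.0.5.3345 > 192.0.2.10.80: Flags [S], seq 1, win 64240, length 0
08:39:01.150 IP 192.0.2.10.80 > 10.0.0.5.3345: Flags [S.], seq 9, ack 2, win 8192, length 0
08:39:02.200 IP 10.0.0.6.80 > 192.0.2.10.80: Flags [S], seq 5, win 64240, length 0
08:39:02.250 IP 192.0.2.10.80 > 10.0.0.6.80: Flags [S.], seq 7, ack 6, win 8192, length 0
08:39:02.300 IP 192.0.2.10.80 > 10.0.0.6.80: Flags [P.], seq 8:308, ack 6, win 8192, length 300
08:39:03.400 IP 192.0.2.10.4021 > 10.0.0.7.80: Flags [S], seq 3, win 8192, length 0
"""

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).items():
        print(f"{kind:13} {count}")
```

Only the `inbound-syn` count represents an outside host trying to open a connection to an internal port 80; `synack-reply` and `midstream` packets belong to connections the internal client started.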
    



    This archive was generated by hypermail 2b30 : Fri May 30 2003 - 15:25:06 PDT