deploy.akamaitechnologies.com

Discussion in 'Security and Privacy' started by rebarnes, 2002/12/23.

Thread Status:
Not open for further replies.
  1. 2002/12/23
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    I am receiving constant high port activity on multiple IPs from deploy.akamaitechnologies.com. I have latest Virus Scan updates, running latest Zone Alarm. And I run Adaware and Spybot most every day. I am also behind a hardware firewall. The only way I can see this activity is through the use of a sniffer Commview. The hits come in on ports 64000 and up. I can shut down explorer and they keep a connection. Netstat does not show this connection at all.

    Is this a trojan? Has anyone else seen this? Virus? What the heck is it?
     
  2. 2002/12/23
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    I didn't have time to view them all, but here is the link from Google search. I think you don't have anything to worry about.

    Google

    Extract:

    Akamai provides 1000s of cache servers to prevent DOS attacks and improve software delivery. They use a DNS trick to point clients to the closest server run by Akamai that holds the content.
     
    Last edited: 2002/12/23

  4. 2002/12/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Rebarnes

    Hmmmmm....

    Interesting.

    I don't have them myself but doing a search with Copernic I found many references mostly bad but some good. I plan on looking into this more after the holidays.

    The only good things mentioned are what Aleekat mentioned.

    But in looking at Spamcorp and several other host files for blocking spam they are on most of them to be blocked which means they are perceived as bad.

    I also found reference to bombardment from them in trying to make a connection. Pings and other probes. Almost a DOS attack itself. Seems to conflict with the few good refs.....

    For additional info on your machine go to the command prompt and type

    netstat -a |more

    From what you said in this message, you may get quite a list!

    I am not ready to advise you what to do yet, maybe someone else has more knowledge about this. But I will know more after the new year when I have more time.

    If you try to add them to your host file to block remember that if the hosts file gets too large it is counter productive as it will slow down general access.

    Mike
     
  5. 2002/12/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Rebarnes

    Forgot....

    You did not say what OS you use.

    If win2k or XP and you are at home on a single computer go to command prompt and type

    ipconfig /flushdns

    then immediately go to SERVICES and set DHCP Client and DNS Client to manual and stop these services.

    If you have any problems after this just put them back like they were.

    If everything is OK retest occasionally and see if things change!!

    Let us know!

    Mike
     
  6. 2002/12/23
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Akamai geo-map IPs enabling a person to be redirected to the web server which is geographically closest. This allows ad-servers to serve relevant content in an appropriate language (which is why Akamai is listed on several "block" sites) and can help to reduce download times. Akamai provides content on behalf of many well known companies such as Symantec. It wouldn't be a good idea to add the Akamai servers to your Hosts file - not unless you want to break a considerable number of sites and be unable to update your AV!

    There are quite a few other companies which provide similar services. Look here.
     
    Last edited: 2002/12/23
  7. 2002/12/23
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    To follow up: This is a WIN2K box on a company network. This machine is the only one receiving this type of activity. It is not just akamai, they are the main one though. I set up a host file to try and block them. But I still receive some high port hits.
     
  8. 2002/12/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    If this is not a server you can still disable the items I mentioned and do the /flushdns.

    Did you do them? Did you do the flushdns?

    This will not affect sharing etc!

    Remember host file too large and it will slow down this machine!

    Mike
     
  9. 2002/12/23
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    DNS Client was already set to manual and stopped. I tried the ipconfig /flushdns. It returned a "could not flush the dns resolved cache". I then shut down the DHCP Client and tried ipconfig again but still got could not flush.
     
  10. 2002/12/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Ok!

    That is correct if DNS Client is already off.

    So that is all I can do until I research more. After holidays!

    Mike
     
  11. 2002/12/23
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    Thanks for your help mflynn.
     
  12. 2002/12/23
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    This may well be related to the browsing habits of the user of that machine. My guess would be that (s)he is attempting to access Akamai-served streaming content using some form of media player (quite possibly Quicktime - especially if you're seeing UDP connections).
     
    Last edited: 2002/12/23
  13. 2002/12/26
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    That user would be me. I am not looking at streaming media. Yahoo, FoxNews and so on are the sites I hit including this site. Still have not solved this problem.
     
  14. 2002/12/26
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    RE

    Just reread entire thread!

    Just noticed then that you say that netstat does not show this! This means you are seeing them somehow but they are not getting thru to the station??!!! I am not familiar with CommView. Is it perchance set to see past the router/firewall and not just the local port????

    1. Are you directly connected to a personal HW firewall or is this a system firewall?

    2. Are you absolutely sure that on another Win2k computer on the same domain/workgroup/subnet using same network config as you. That they don't show up using CommView?

    3. Has the HW firewall or router been set to do any special port mapping/forwarding?

    4. Can you see this from the HW firewall utility or logs?

    Nuff for now, let us know what you find!

    Newt if you are out there what do you think of this?

    Mike
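
    Editor's added example (not part of the original thread): the sniffer-versus-netstat comparison discussed above, done mechanically by matching each captured packet against the sockets that `netstat -an` lists. The sample netstat text, capture rows, IP addresses and function names are all constructed for illustration.

```python
import re

# Constructed sample: `netstat -an` output in the Windows column layout.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

# Constructed sniffer rows: (proto, src_ip, src_port, dst_ip, dst_port).
CAPTURE = [
    ("TCP", "203.0.113.7", 80, "192.168.1.20", 1045),
    ("UDP", "198.51.100.9", 4000, "192.168.1.20", 64012),
    ("UDP", "198.51.100.9", 4000, "192.168.1.21", 64500),
]

def local_sockets(netstat_text):
    """Return {(proto, local_port)} for every socket line netstat printed."""
    socks = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+", line)
        if m:  # the header row and blank lines do not match
            socks.add((m.group(1), int(m.group(3))))
    return socks

def classify(capture, netstat_text, host_ip):
    """Label each captured packet relative to this host's socket table."""
    socks = local_sockets(netstat_text)
    results = []
    for proto, src, _sport, dst, dport in capture:
        if dst != host_ip:
            # On a shared hub a promiscuous sniffer also sees other stations' frames.
            label = "other-host"
        elif (proto, dport) in socks:
            label = "has-socket"
        else:
            # Reached the adapter, but netstat lists no socket on that port.
            # netstat is a snapshot, so re-run it while the traffic is flowing.
            label = "no-socket"
        results.append((src, dport, label))
    return results

if __name__ == "__main__":
    for row in classify(CAPTURE, NETSTAT, "192.168.1.20"):
        print(row)
```

    Rows labelled "no-socket" are the ones that match what the thread starter describes: visible to the sniffer, absent from netstat.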
     
  15. 2002/12/26
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Maybe something here will help.
     
  16. 2002/12/26
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Yeah Brett that sounds like it could be!

    Did you have a good "Isle of Man" christmas?

    Hope so.

    Anyway RE they don't say where this HTML file is so zap everything. Run Disk Cleanup then get rid of the index.dat's.

    Locate them in win2k then boot to dos if fat32 find and delete them, kill the pagefile also. If no fat32 then do you have dual boot. If not use recovery console to boot to the NTFS prompt to delete.

    You need to temporarily uninstall quicktime. Review any web pages you visit that may provide streaming content even though you may be going there for other reasons.

    Mike
     
  17. 2002/12/27
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    mflynn
    1. Are you directly connected to a personal HW firewall or is this a system firewall?

    Yes to hardware firewall.

    2. Are you absolutely sure that on another Win2k computer on the same domain/workgroup/subnet using same network config as you. That they don't show up using CommView?

    There are other Win2k systems that I can see. And I can easily differentiate between them.

    3. Has the HW firewall or router been set to do any special port mapping/forwarding?

    No

    4. Can you see this from the HW firewall utility or logs?

    No it is not detected as an intrusion so no log entry.

    brett

    Nothing there like what I am seeing. I am taking hits on ports 64000 and up, not 6970-6999.

    mflynn

    I killed all index.dat files and emptied the pagefile. I never have installed quicktime.

    And the problem still exists.
     
  18. 2002/12/27
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Clarify

    I understand that you are behind a HW firewall.

    My question is:
    personal = network cable comes to your station into HW firewall
    you are directly connected to firewall

    or

    HW firewall is a system device and everyone goes thru it?

    On the other question
    I assumed you could see these other Win2k stations on the network.

    What I need to know is if you physically go to these stations and run CommView exactly like on yours, do you see the same activity on the high ports?

    If not what are the obvious differences in these and yours as far as setup and installed software?

    Are you on a Domain and are these other 2 stations on same or different. Are they on a different hub/switch or router?

    Mike
     
  19. 2002/12/27
    rebarnes

    rebarnes Inactive Thread Starter

    Joined:
    2002/03/22
    Messages:
    12
    Likes Received:
    0
    It is a system device everyone hooks to the same firewall.

    Whether I am at my station or physically at the other stations I see high port activity only on my station.

    As far as I know there is no difference in setup or software.

    We are all on the same hub.
     
  20. 2002/12/27
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Well that didn't help much! LOL!

    But it did for sure seem to pin it to something on your station!

    Now I really need to research this! I definitely do not need this on my own networks.

    I'll get back.

    Mike
     
  21. 2002/12/27
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Re

    I have read enough to confirm that in some way this machine is requesting this.

    It is time to look at your computer more closely!

    1st Are your Adaware and Spybot signatures up to date and all configs set to max for deepest scans?

    2nd Do you use any messengers such as MSN Yahoo or ICQ? Or are any of these loading even though you do not use them?

    3rd Do you use a proxy of any kind.

    4th Has a P2P downloader like Kazaa or Morpheus etc ever been on this computer?

    5th Any File downloader like Getright etc. ?

    D/L install and run BhoDemon, this will display hidden Browser Helper Objects. A typical normal entry here will be Acrobat reader but what else do you have.

    http://www.definitivesolutions.com/bhodemon.htm

    D/L and install Startup Control Panel (best way to control startups) lets look closely at these.

    http://www.mlin.net/StartupCPL.shtml

    Let me know what is starting.

    Mike
     