[mythtv-users] Odd mythweb activity

Mike Perkins mikep at randomtraveller.org.uk
Tue Dec 23 15:28:27 UTC 2014


On 23/12/14 14:36, brad dreisbach wrote:
>
>> On Dec 23, 2014, at 7:20 AM, Mike Perkins <mikep at randomtraveller.org.uk> wrote:
>>
>> Whenever I fire up mythweb I've been noticing these in my (pfsense) firewall log for some time now, and I'm wondering just why they are happening.
>>
>> I thought I'd throw these out to see if anyone has an explanation. I don't think there's evil intent but who knows? It may be just something to do with php configuration... or something.
>>
>> What I see is a load of these - I've just chopped out a sample and attempted to tidy up the log entries for display - this may not work. First line is date and time, 2nd source IP and port, 3rd destination IP and port, 4th reason.
>>
>> 12/21/14        21:06:01 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     58758
>> 54.225.223.192  80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     56027
>> 23.21.98.69     80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     40645
>> 54.243.221.106  80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     54517
>> 50.16.219.183   80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     35668
>> 50.16.214.131   80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     51498
>> 54.243.227.76   80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> 12/21/14        21:05:59 	2 	TCP 	Attempted Information Leak
>> 192.168.1.9     53304
>> 54.243.212.236  80
>> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>>
>> Question 1: The destinations all seem to be Amazon EC2 nodes. Why would mythweb need to go out to EC2 nodes to just display the status page? I'd rather it didn't go anywhere near the Internet unless I ask it to.
>
>
> All of those destination addresses seem to be associated with themoviedb.org. I would guess
> that mythweb is trying to do some metadata lookups.
>
Darn. Or something.

I'd rather there were no lookups unless I actually set up a recording or clicked 
on the link to get additional info.

Thanks for that.

-- 

Mike Perkins
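
An added example, not part of the original thread: a small triage script for the four-line alert layout described in the post (timestamp and classification, source, destination, SID and rule message). It groups alerts by source host and rule so the fan-out and time window are visible at a glance. The function names are hypothetical, and the sample is three of the entries quoted above with whitespace normalised.

```python
import re
from collections import defaultdict
from datetime import datetime

# Three of the alert entries quoted in the post, whitespace normalised.
SAMPLE = """\
12/21/14 21:06:01 2 TCP Attempted Information Leak
192.168.1.9 58758
54.225.223.192 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent

12/21/14 21:06:00 2 TCP Attempted Information Leak
192.168.1.9 56027
23.21.98.69 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent

12/21/14 21:05:59 2 TCP Attempted Information Leak
192.168.1.9 53304
54.243.212.236 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
"""

def parse_alerts(text):
    """Parse four-line alert blocks; mail quoting ('>> ') is stripped first."""
    text = re.sub(r"(?m)^[ \t]*(?:>[ \t]*)+", "", text)
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        try:
            head, src_line, dst_line, rule = [l.strip() for l in block.splitlines()]
            date, time, prio, proto, cls = head.split(None, 4)
            (src, sport), (dst, dport) = src_line.split(), dst_line.split()
            sid, msg = rule.split(None, 1)
            when = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # wrong line count or field layout: skip the block
        alerts.append(dict(when=when, cls=cls, src=src, dst=dst,
                           dport=int(dport), sid=sid, msg=msg))
    return alerts

def summarize(alerts):
    """Per (source IP, SID): alert count, distinct destinations, time span."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sid"])].append(a)
    return {key: {"count": len(items), "msg": items[0]["msg"],
                  "dests": sorted({f'{a["dst"]}:{a["dport"]}' for a in items}),
                  "span_s": (max(a["when"] for a in items)
                             - min(a["when"] for a in items)).total_seconds()}
            for key, items in groups.items()}

if __name__ == "__main__": print(summarize(parse_alerts(SAMPLE)))
```

A single internal host hitting several port-80 destinations under one SID within a couple of seconds is the pattern of one script making a batch of HTTP requests, which fits the metadata-lookup explanation given in the reply.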


