[mythtv-users] Odd mythweb activity

Mike Perkins mikep at randomtraveller.org.uk
Tue Dec 23 12:20:53 UTC 2014


Whenever I fire up mythweb I've been noticing these in my (pfsense) firewall log 
for some time now, and I'm wondering just why they are happening.

I thought I'd throw these out to see if anyone has an explanation. I don't think 
there's evil intent but who knows? It may be just something to do with php 
configuration... or something.

What I see is a load of these - I've just chopped out a sample and attempted to 
tidy up the log entries for display - this may not work. First line is date and 
time, 2nd source IP and port, 3rd destination IP and port, 4th reason.

12/21/14        21:06:01 	2 	TCP 	Attempted Information Leak
192.168.1.9     58758
54.225.223.192  80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
192.168.1.9     56027
23.21.98.69     80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
192.168.1.9     40645
54.243.221.106  80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
192.168.1.9     54517
50.16.219.183   80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
192.168.1.9     35668
50.16.214.131   80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
192.168.1.9     51498
54.243.227.76   80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:05:59 	2 	TCP 	Attempted Information Leak
192.168.1.9     53304
54.243.212.236  80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

Question 1: The destinations all seem to be Amazon EC2 nodes. Why would mythweb 
need to go out to EC2 nodes to just display the status page? I'd rather it 
didn't go anywhere near the Internet unless I ask it to.

Question 2: Has somebody forgotten to fill in a field in the http header to give 
this error message?

I have not yet attempted to put Wireshark on these packets so I don't know 
what's in them. Presently, that will involve a /lot/ of wires and use of a spare PC.

-- 

Mike Perkins
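The four-line alert layout described in the post, parsed and grouped per source host and signature, plus a check that Python's stock urllib opener sends the `Python-urllib/` User-Agent prefix named in the alert text. This is an added example, not part of the original post or of MythTV; the sample entries are constructed (documentation addresses) and the function names are hypothetical.

```python
import re
import urllib.request

# Constructed sample in the layout the post describes: header line,
# source IP/port, destination IP/port, then gid:sid and rule message.
SAMPLE = """\
12/21/14        21:06:01  2  TCP  Attempted Information Leak
192.168.1.9     58758
203.0.113.10    80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00  2  TCP  Attempted Information Leak
192.168.1.9     56027
203.0.113.11    80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
"""

def parse_alerts(text):
    """Turn blank-line-separated four-line blocks into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            continue  # skip truncated or malformed entries
        date, time, _prio, proto, classification = lines[0].split(None, 4)
        src, _sport = lines[1].split()
        dst, dport = lines[2].split()
        gid_sid, msg = lines[3].split(None, 1)
        alerts.append({"when": f"{date} {time}", "proto": proto,
                       "class": classification, "src": src, "dst": dst,
                       "dport": int(dport), "msg": msg,
                       "sid": int(gid_sid.split(":")[1])})
    return alerts

def summarize(alerts):
    """Group by (source host, sid, destination port) for triage."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["src"], a["sid"], a["dport"]),
                                   {"count": 0, "dests": set(), "msg": a["msg"]})
        entry["count"] += 1
        entry["dests"].add(a["dst"])
    return summary

def default_urllib_user_agent():
    """User-Agent the stock urllib opener sends unless the caller overrides it."""
    return dict(urllib.request.build_opener().addheaders)["User-agent"]

if __name__ == "__main__":
    for key, info in summarize(parse_alerts(SAMPLE)).items():
        print(key, info["count"], sorted(info["dests"]), info["msg"])
    print("default urllib User-Agent:", default_urllib_user_agent())
```

Grouping by source host and signature shows whether the traffic comes from one machine and one client library; the last function shows that any Python script using urllib without setting its own User-Agent header produces the string the alert message names.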


