[mythtv-users] Odd mythweb activity
Mike Perkins
mikep at randomtraveller.org.uk
Tue Dec 23 14:32:41 UTC 2014
On 23/12/14 12:20, Mike Perkins wrote:
> Whenever I fire up mythweb I've been noticing these in my (pfsense) firewall log
> for some time now, and I'm wondering just why they are happening.
>
> I thought I'd throw these out to see if anyone has an explanation. I don't think
> there's evil intent but who knows? It may be just something to do with php
> configuration... or something.
>
> What I see is a load of these - I've just chopped out a sample and attempted to
> tidy up the log entries for display - this may not work. First line is date and
> time, 2nd source IP and port, 3rd destination IP and port, 4th reason.
>
> 12/21/14 21:06:01 2 TCP Attempted Information Leak
> 192.168.1.9 58758
> 54.225.223.192 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:06:00 2 TCP Attempted Information Leak
> 192.168.1.9 56027
> 23.21.98.69 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:06:00 2 TCP Attempted Information Leak
> 192.168.1.9 40645
> 54.243.221.106 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:06:00 2 TCP Attempted Information Leak
> 192.168.1.9 54517
> 50.16.219.183 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:06:00 2 TCP Attempted Information Leak
> 192.168.1.9 35668
> 50.16.214.131 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:06:00 2 TCP Attempted Information Leak
> 192.168.1.9 51498
> 54.243.227.76 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14 21:05:59 2 TCP Attempted Information Leak
> 192.168.1.9 53304
> 54.243.212.236 80
> 1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
>
> Question 1: The destinations all seem to be Amazon EC2 nodes. Why would mythweb
> need to go out to EC2 nodes to just display the status page? I'd rather it
> didn't go anywhere near the Internet unless I ask it to.
>
> Question 2: Has somebody forgotten to fill in a field in the http header to give
> this error message?
>
> I have not yet attempted to put Wireshark on these packets so I don't know
> what's in them. Presently, that will involve a /lot/ of wires and use of a spare
> PC.
>
I forgot to add, the source IP address, from which I would expect the packets
to come, is that of my master backend. This is a headless box and contains
mythtv, apache and very little else. All my access, frontend or mythweb, is
remote. I use SSH to configure and update the box.
--
Mike Perkins
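As an added example (not part of the original post, and not MythTV or MythWeb code), the script below does the triage I would do before reaching for Wireshark: it parses the four-line pfSense/Snort alert layout the post describes (date/time and classification, source IP and port, destination IP and port, SID and message), summarises the burst (one source, how many distinct destinations, which ports, how many seconds), and approximates the rule's check on a few constructed HTTP requests. Assumptions: the sample log embeds four of the seven records quoted above, the HTTP requests are constructed here, and the rule SID 1:2013031 is treated as a substring match for "Python-urllib/" in the User-Agent header, which is what its name says but has not been copied from the Emerging Threats ruleset.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four of the records quoted in the post, in the
# four-line, blank-line-separated layout the post describes.
SAMPLE_LOG = """12/21/14 21:06:01 2 TCP Attempted Information Leak
192.168.1.9 58758
54.225.223.192 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent

12/21/14 21:06:00 2 TCP Attempted Information Leak
192.168.1.9 56027
23.21.98.69 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent

12/21/14 21:06:00 2 TCP Attempted Information Leak
192.168.1.9 40645
54.243.221.106 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent

12/21/14 21:05:59 2 TCP Attempted Information Leak
192.168.1.9 53304
54.243.212.236 80
1:2013031 ET POLICY Python-urllib/ Suspicious User Agent
"""

HEAD_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")
ENDPOINT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (\d+)$")
SIG_RE = re.compile(r"^(\d+:\d+) (.+)$")


def parse_alerts(text):
    """Turn each four-line record into a dict; malformed records are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 4:
            continue
        head = HEAD_RE.match(lines[0])
        src = ENDPOINT_RE.match(lines[1])
        dst = ENDPOINT_RE.match(lines[2])
        sig = SIG_RE.match(lines[3])
        if not (head and src and dst and sig):
            continue
        alerts.append({
            "ts": datetime.strptime(head.group(1), "%m/%d/%y %H:%M:%S"),
            "priority": int(head.group(2)),
            "proto": head.group(3),
            "classification": head.group(4),
            "src": src.group(1), "sport": int(src.group(2)),
            "dst": dst.group(1), "dport": int(dst.group(2)),
            "sid": sig.group(1), "msg": sig.group(2),
        })
    return alerts


def triage(alerts):
    """Summarise a burst: who talked, to how many hosts, on which ports, how fast."""
    times = [a["ts"] for a in alerts]
    return {
        "count": len(alerts),
        "sources": sorted({a["src"] for a in alerts}),
        "destinations": sorted({a["dst"] for a in alerts}),
        "dports": sorted({a["dport"] for a in alerts}),
        "sids": Counter(a["sid"] for a in alerts),
        "span_seconds": (max(times) - min(times)).total_seconds() if times else 0.0,
    }


def user_agent_would_alert(request):
    """Assumed approximation of SID 2013031: 'Python-urllib/' appears in the
    User-Agent header. A request with no User-Agent header does not match."""
    header_lines = request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return "Python-urllib/" in value
    return False


# Constructed requests: a stock urllib client, a browser, and a client that
# omits the header entirely (the "forgotten field" case from Question 2).
REQ_URLLIB = "GET /api HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Python-urllib/2.7\r\n\r\n"
REQ_BROWSER = "GET /api HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
REQ_NO_UA = "GET /api HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for key, val in triage(parse_alerts(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
    for label, req in (("urllib", REQ_URLLIB), ("browser", REQ_BROWSER), ("no UA", REQ_NO_UA)):
        print(label, "alerts" if user_agent_would_alert(req) else "passes")
```

The summary answers the "is this one process?" question from the log alone: a single source, one SID, port 80 only, several distinct destinations inside a couple of seconds is the shape of one client fanning out to a set of hosts, not of several unrelated connections. The request check shows that this particular rule fires on a User-Agent value that is present and names the library, so a missing header would not produce it.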