[mythtv-users] Odd mythweb activity

Mike Perkins mikep at randomtraveller.org.uk
Tue Dec 23 14:32:41 UTC 2014


On 23/12/14 12:20, Mike Perkins wrote:
> Whenever I fire up mythweb I've been noticing these in my (pfsense) firewall log
> for some time now, and I'm wondering just why they are happening.
>
> I thought I'd throw these out to see if anyone has an explanation. I don't think
> there's evil intent but who knows? It may be just something to do with php
> configuration... or something.
>
> What I see is a load of these - I've just chopped out a sample and attempted to
> tidy up the log entries for display - this may not work. First line is date and
> time, 2nd source IP and port, 3rd destination IP and port, 4th reason.
>
> 12/21/14        21:06:01     2     TCP     Attempted Information Leak
> 192.168.1.9     58758
> 54.225.223.192  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:06:00     2     TCP     Attempted Information Leak
> 192.168.1.9     56027
> 23.21.98.69     80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:06:00     2     TCP     Attempted Information Leak
> 192.168.1.9     40645
> 54.243.221.106  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:06:00     2     TCP     Attempted Information Leak
> 192.168.1.9     54517
> 50.16.219.183   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:06:00     2     TCP     Attempted Information Leak
> 192.168.1.9     35668
> 50.16.214.131   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:06:00     2     TCP     Attempted Information Leak
> 192.168.1.9     51498
> 54.243.227.76   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> 12/21/14        21:05:59     2     TCP     Attempted Information Leak
> 192.168.1.9     53304
> 54.243.212.236  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
>
> Question 1: The destinations all seem to be Amazon EC2 nodes. Why would mythweb
> need to go out to EC2 nodes to just display the status page? I'd rather it
> didn't go anywhere near the Internet unless I ask it to.
>
> Question 2: Has somebody forgotten to fill in a field in the http header to give
> this error message?
>
> I have not yet attempted to put Wireshark on these packets so I don't know
> what's in them. Presently, that will involve a /lot/ of wires and use of a spare
> PC.
>

I forgot to add, the source IP address, from which I would expect the packets 
to come, is that of my master backend. This is a headless box and contains 
mythtv, apache and very little else. All my access, frontend or mythweb, is 
remote. I use SSH to configure and update the box.

-- 

Mike Perkins
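
Added example, not part of the original post: Question 2 asks about a field in the HTTP header, and the string in the signature name is the User-Agent that Python's urllib sends when the calling script sets none. The sketch below shows that default and checks it against a pattern assumed from the signature name; the URL and the client name are constructed placeholders, and nothing is sent on the network.

```python
import re
import urllib.request

# Assumption: going by its name, the signature matches a User-Agent value that
# begins with "Python-urllib/". The rule text itself is not in the post.
SIGNATURE_UA = re.compile(r"^Python-urllib/")


def default_user_agent():
    """User-Agent that urllib adds when the calling script sets none."""
    opener = urllib.request.build_opener()
    headers = {name.lower(): value for name, value in opener.addheaders}
    return headers["user-agent"]


def make_request(user_agent=None):
    """Build (but never send) a request to a constructed placeholder URL."""
    headers = {"User-Agent": user_agent} if user_agent else {}
    return urllib.request.Request("http://feed.example.invalid/", headers=headers)


def effective_user_agent(request):
    """User-Agent that would go on the wire for this request."""
    # urllib stores header names capitalised as "User-agent"; the opener
    # default is only applied when the request has no such header.
    return request.get_header("User-agent") or default_user_agent()


def would_alert(user_agent):
    """True if the assumed signature pattern matches this User-Agent."""
    return bool(SIGNATURE_UA.match(user_agent))


if __name__ == "__main__":
    for label, req in [
        ("library default", make_request()),
        ("script names itself", make_request("example-grabber/1.0")),  # hypothetical name
    ]:
        ua = effective_user_agent(req)
        print(f"{label:20} User-Agent: {ua:24} alert={would_alert(ua)}")
```

Read this way, the alerts point to a Python script on the backend making plain HTTP requests with the library's default User-Agent, which narrows the search to Python code that runs when the page is loaded.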


