[mythtv-users] Odd mythweb activity

brad dreisbach bradd at ameri.ca
Tue Dec 23 14:36:00 UTC 2014


> On Dec 23, 2014, at 7:20 AM, Mike Perkins <mikep at randomtraveller.org.uk> wrote:
> 
> Whenever I fire up mythweb I've been noticing these in my (pfsense) firewall log for some time now, and I'm wondering just why they are happening.
> 
> I thought I'd throw these out to see if anyone has an explanation. I don't think there's evil intent but who knows? It may be just something to do with php configuration... or something.
> 
> What I see is a load of these - I've just chopped out a sample and attempted to tidy up the log entries for display - this may not work. First line is date and time, 2nd source IP and port, 3rd destination IP and port, 4th reason.
> 
> 12/21/14        21:06:01 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     58758
> 54.225.223.192  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     56027
> 23.21.98.69     80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     40645
> 54.243.221.106  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     54517
> 50.16.219.183   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     35668
> 50.16.214.131   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:06:00 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     51498
> 54.243.227.76   80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> 12/21/14        21:05:59 	2 	TCP 	Attempted Information Leak
> 192.168.1.9     53304
> 54.243.212.236  80
> 1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
> 
> Question 1: The destinations all seem to be Amazon EC2 nodes. Why would mythweb need to go out to EC2 nodes to just display the status page? I'd rather it didn't go anywhere near the Internet unless I ask it to.


All of those destination addresses seem to be associated with themoviedb.org. I would guess
that mythweb is trying to do some metadata lookups.

> 
> Question 2: Has somebody forgotten to fill in a field in the http header to give this error message?
> 
> I have not yet attempted to put Wireshark on these packets so I don't know what's in them. Presently, that will involve a /lot/ of wires and use of a spare PC.
> 
> -- 
> 
> Mike Perkins
> 

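An added example, not part of either poster's message: a Python parser for the four-line alert layout described in the quoted message, grouping alerts by source host and rule ID so a burst like this one reads as a single event with its distinct destinations. The function names are hypothetical, and reading the dates as MM/DD/YY is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two of the alerts quoted in the thread, in the poster's four-line layout.
SAMPLE = """\
12/21/14        21:06:01 \t2 \tTCP \tAttempted Information Leak
192.168.1.9     58758
54.225.223.192  80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent

12/21/14        21:06:00 \t2 \tTCP \tAttempted Information Leak
192.168.1.9     56027
23.21.98.69     80
1:2013031       ET POLICY Python-urllib/ Suspicious User Agent
"""

def parse_alerts(text):
    """Parse records of four lines: header, source, destination, rule."""
    # Drop mail quote markers ("> ") and blank separator lines.
    lines = [re.sub(r"^>\s?", "", ln).strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    alerts = []
    for i in range(0, len(lines) - 3, 4):
        head, src, dst, rule = lines[i:i + 4]
        date, time, prio, proto, cls = re.split(r"\s+", head, maxsplit=4)
        sid, msg = rule.split(None, 1)
        alerts.append({
            # Assumption: dates are MM/DD/YY, as "12/21/14" implies.
            "ts": datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"),
            "priority": int(prio), "proto": proto, "class": cls,
            "src": tuple(src.split()), "dst": tuple(dst.split()),
            "sid": sid, "msg": msg,
        })
    return alerts

def summarize(alerts):
    """Group by (source host, rule id): count, distinct destinations, time span."""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "ts": []})
    for a in alerts:
        g = groups[(a["src"][0], a["sid"])]
        g["count"] += 1
        g["dests"].add(a["dst"])
        g["ts"].append(a["ts"])
    return {k: {"count": g["count"], "dests": sorted(g["dests"]),
                "span_s": (max(g["ts"]) - min(g["ts"])).total_seconds()}
            for k, g in groups.items()}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE)))
```

The parser also accepts the text as it appears in a quoted reply, since leading `> ` markers are stripped before the records are read.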