From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: Reverse http traffic revisited

Hello guys,

On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.

Originally, on a client's LAN, I had spotted multiple instances of inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.

Steve S. sent the following email which could have explained this phenomenon as coming from Akamai:
------
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html

Without seeing more complete information such as the protocol or flags 
it's impossible to tell for sure.

Steve
------

Since the destination ports in that traffic were in the 3000 range, I believe this could have explained the previous traffic.

However...

We now have a log from another network that shows a similar bit of reverse http traffic, except that:
1)  no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log - 207.46.110.21 belongs to Hotmail)
2)  after a WHOIS and traceroute, the IP address that the traffic came from does not appear to belong to Akamai
3)  the destination port is far outside of the temporary port range associated with the previous, or normal traffic

The 2nd line in the 'firewall log' below is the culprit.  All logs below are complete for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy with all patches installed, and which is the only connection for this LAN to the Internet.  All browsers and media players use the Squid proxy.  All internal IPs, the gateway and DNSs are hard-coded on all workstations (no DHCP server running.)

I have 'Googled' for "reverse http traffic" and have found nothing but messages from my previous post of the same title.

I'm back in "Eh?" mode...

-- 

Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


FIREWALL LOG:
Time		Chain 	Iface	Proto	Source		Src Port	Destination	Dst Port
23:49:31	INPUT 	eth2	TCP	4.62.83.225	1156		4.62.xxx.xxx	135
--> 23:52:02	INPUT 	eth2	TCP	211.152.51.13	80(HTTP)	4.62.xxx.xxx	24875
23:53:46	INPUT 	eth2	TCP	4.65.99.99	3212		4.62.xxx.xxx	135


SNORT LOG:
Date:	01/17 23:50:57 	Name:	ICMP PING CyberKit 2.2 Windows
Priority:	3 	Type:	Misc activity
IP info: 	4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References:	none found	SID: 	483
Date:	01/17 23:52:56 	Name:	ICMP PING CyberKit 2.2 Windows
Priority:	3 	Type:	Misc activity
IP info: 	4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References:	none found	SID: 	483
Date:	01/17 23:53:44 	Name:	ICMP PING CyberKit 2.2 Windows
Priority:	3 	Type:	Misc activity
IP info: 	4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References:	none found	SID: 	483


SQUID LOG:
Time		Source IP	Website
23:51:01  	{internal IP}  	http://207.46.110.21/gateway/gateway.dll?
23:51:07 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:13 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:18 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:24 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:29 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:34 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:39 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:44 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:49 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:51:55 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:00 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:05 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:10 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:15 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:20 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:25 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:31 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:36 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:41 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:46 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:51 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?
23:52:56 	{internal IP}	http://207.46.110.21/gateway/gateway.dll?


According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs to Beijing Lexun network corp. along with the rest of the 211.152.51.0 - 211.152.52.255 range which appears to be connected to www.21vianet.com (English version of the site is "under construction".)

TRACEROUTE:
traceroute to 211.152.51.13 (211.152.51.13), 30 hops max, 38 byte packets
 1  firewall ({internal IP})  1.006 ms  0.602 ms  0.373 ms
 2  lsanca1-ar1-4-62-120-001.lsanca1.dsl-verizon.net (4.62.120.1)  29.561 ms  34.884 ms  29.388 ms
 3  a4-0-3.lsanca1-cr7.bbnplanet.net (4.24.62.125)  45.075 ms  31.631 ms  29.191 ms
 4  p7-0.lsanca1-cr8.bbnplanet.net (4.24.7.126)  29.752 ms  29.626 ms  35.091 ms
 5  p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53)  37.785 ms  33.590 ms  29.919 ms
 6  unknown.Level3.net (64.159.4.37)  29.655 ms  38.449 ms  29.567 ms
 7  unknown.Level3.net (209.247.9.218)  33.526 ms  30.053 ms  29.528 ms
 8  so-0-0-0.gar1.LosAngeles1.Level3.net (209.247.9.221)  30.859 ms  37.223 ms 31.752 ms
 9  uunet-level3-oc48.LosAngeles1.Level3.net (209.0.227.38)  38.468 ms  30.499 ms  30.655 ms
10  0.so-1-0-0.XL2.LAX7.ALTER.NET (152.63.112.154)  30.761 ms  30.394 ms  31.320 ms
11  0.so-6-0-0.CL2.LAX1.ALTER.NET (152.63.57.81)  38.566 ms  30.952 ms  33.952 ms
12  0.so-3-0-0.IG3.LAX1.ALTER.NET (152.63.57.97)  37.962 ms  31.835 ms  30.239 ms
13  chinatelecom-gw.customer.alter.net (157.130.246.58)  30.267 ms  30.933 ms  30.141 ms
14  202.97.49.66 (202.97.49.66)  406.935 ms  404.050 ms  400.418 ms
15  202.97.51.5 (202.97.51.5)  535.710 ms  532.183 ms  531.275 ms
16  202.97.33.89 (202.97.33.89)  531.137 ms  533.724 ms  530.926 ms
17  202.101.63.253 (202.101.63.253)  541.153 ms  538.483 ms  541.257 ms
18  61.152.83.2 (61.152.83.2)  539.541 ms  534.397 ms  533.571 ms
19  61.152.83.38 (61.152.83.38)  552.751 ms  554.188 ms  547.813 ms
20  61.152.83.65 (61.152.83.65)  540.952 ms  543.161 ms  544.014 ms
21  211.152.63.57 (211.152.63.57)  541.551 ms  533.582 ms  544.318 ms
22  211.152.63.62 (211.152.63.62)  535.206 ms  555.112 ms  542.406 ms
23  * * *
24  * * *
25  * * *
26  *(Ctrl-C at this point)


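The correlation Dan did by hand, as an added example that is not part of the original post: a small Python script that parses firewall and Squid log lines shaped like the ones above, flags inbound TCP from source port 80 with no proxied HTTP request to that host in the preceding minutes, and notes whether the destination port falls outside the 1024-5000 temporary range. The sample lines are constructed from the post, and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, shaped like the IPCop firewall log and the
# Squid access log quoted in the post (whitespace collapsed).
FIREWALL_LOG = """\
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
"""
SQUID_LOG = """\
23:51:01 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:00 {internal IP} http://207.46.110.21/gateway/gateway.dll?
"""

def parse_firewall(text):
    """Yield (time, src_ip, src_port, dst_port) for INPUT-chain TCP lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[1] != "INPUT" or f[3] != "TCP":
            continue
        sport = int(re.match(r"\d+", f[5]).group())  # drop "(HTTP)" suffix
        yield datetime.strptime(f[0], "%H:%M:%S"), f[4], sport, int(f[7])

def parse_squid(text):
    """Yield (time, host) for each proxied request; host is taken from the URL."""
    for line in text.splitlines():
        m = re.match(r"(\d\d:\d\d:\d\d).*?https?://([^/\s:]+)", line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)

def unsolicited_port80(fw_text, squid_text, window=timedelta(minutes=5)):
    """Inbound TCP from source port 80 with no proxied request to that host in
    the `window` (assumed value) before arrival. Caveat, as Steve notes in the
    thread: the log has no TCP flags, so this cannot tell a fresh SYN from a
    late segment of an old session; it only shows no proxied request exists."""
    requests = list(parse_squid(squid_text))
    flagged = []
    for t, src, sport, dport in parse_firewall(fw_text):
        if sport != 80:
            continue
        solicited = any(h == src and t - window <= rt <= t for rt, h in requests)
        if not solicited:
            flagged.append({"time": t.strftime("%H:%M:%S"), "src": src,
                            "dst_port": dport,
                            "outside_1024_5000": not 1024 <= dport <= 5000})
    return flagged
```

Run against the sample lines, only the 23:52:02 entry from 211.152.51.13 is reported; the two port-135 entries are skipped because their source port is not 80.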

