From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: Reverse http traffic

Hello,

I had a case recently wherein one of a client's systems (Win2k) could
not access http or mail traffic.  At the same time, 2 other systems
(Win95 and Xandros) could, and yet he could access all of the other
network shares via TCP.

He brought it to my shop; it was patched up, already had the latest
anti-virus defs, and it got on the 'net fine here.  He returned with it
and set it up - and could not get any http or email.

I went to his office to see what was up, hooked in my little 'kneetop'
(Sony Picturebook) and browsed just fine.

I then installed a Linux firewall on a spare computer, replaced the
Linksys router with it and instantly his Win2k was able to browse and
get email.

I checked the firewall logs and saw quite a few attempts from a Google
IP address (whois-ed, but I'm not ignoring that it was possibly spoofed)
that was sending IN traffic with a source port of 80 and a destination
port in the temporary range (33xx) - eh???

I can speculate (otherwise known as 'assume' :) that this site was
trying to spoof my client's system into accepting some traffic by using
a reverse-flow, but...

Can anyone tell me what actually could cause this?


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
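The log entries described in the post above (inbound packets with source port 80 and an ephemeral destination port) are exactly what a firewall sees when a web server answers a request the LAN client made, and also what it sees when someone sends unsolicited packets with a forged source port. The only way to tell the two apart is to remember which connections the LAN side opened. The example below, added here and not part of the original post, does that bookkeeping the way a stateful firewall would: it records each outbound SYN to port 80 and then marks every inbound source-port-80 packet as a reply or as unsolicited. The log line format, the addresses and the 192.168.1.0/24 LAN prefix are all constructed for the illustration.

```python
# Added example (not from the original post): distinguish HTTP reply packets
# from unsolicited inbound packets that merely carry source port 80, the way
# a stateful firewall does. A stateless filter that lets "source port 80"
# through cannot make this distinction, which is why such a rule is risky.
#
# The log format and every address below are constructed for illustration.

import ipaddress

LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")  # assumed client LAN


def parse_line(line):
    """Parse one constructed log line: 'PROTO SRC:SPORT > DST:DPORT FLAGS'."""
    proto, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "proto": proto,
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
        "flags": set(flags.split(",")),
    }


def classify(lines, lan=LAN_PREFIX):
    """Return (line, verdict) for every inbound packet with source port 80.

    Verdicts: 'reply' when a LAN host earlier opened a connection to that
    server from that ephemeral port, 'unsolicited' otherwise. Outbound
    packets are only used to build the connection table.
    """
    open_conns = set()  # (lan_ip, lan_port, remote_ip) seen in outbound SYNs
    verdicts = []
    for line in lines:
        p = parse_line(line)
        if p["src"] in lan and p["dst"] not in lan:
            # Outbound: remember new HTTP connections the LAN side opened.
            if p["dport"] == 80 and "SYN" in p["flags"]:
                open_conns.add((p["src"], p["sport"], p["dst"]))
            continue
        if p["dst"] in lan and p["sport"] == 80:
            # Inbound from port 80: legitimate only if we opened it ourselves.
            key = (p["dst"], p["dport"], p["src"])
            verdict = "reply" if key in open_conns else "unsolicited"
            verdicts.append((line, verdict))
    return verdicts


# Constructed sample: one real HTTP exchange plus one packet that arrives
# with source port 80 but matches no connection the LAN host opened.
SAMPLE_LOG = [
    "TCP 192.168.1.10:3301 > 203.0.113.5:80 SYN",
    "TCP 203.0.113.5:80 > 192.168.1.10:3301 SYN,ACK",
    "TCP 203.0.113.5:80 > 192.168.1.10:3302 SYN",
    "TCP 203.0.113.5:80 > 192.168.1.10:3301 ACK",
]

if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_LOG):
        print(f"{verdict:12} {line}")
```

Run as a script, it prints `reply` for the two packets belonging to the connection the LAN host opened and `unsolicited` for the third. A stateful firewall drops that third packet because no matching outbound SYN exists; a stateless rule that admits anything from source port 80 would pass it straight to the client.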
