Message-ID: <1074417137.4952.99.camel@localhost>
From: dan at losangelescomputerhelp.com (Daniel H. Renner)
Subject: Reverse http traffic revisited
Hello guys,
On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.
Originally, on a client's LAN, I had spotted multiple inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.
Steve S. sent the following email which could have explained this phenomenon as coming from Akamai:
------
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html
Without seeing more complete information such as the protocol or flags
it's impossible to tell for sure.
Steve
------
Since the destination ports in that traffic were in the 3000 range, I believe this could have explained the previous traffic.
However...
We now have a log from another network that shows a similar bit of reverse http traffic, except that:
1) no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log - 207.46.110.21 belongs to Hotmail)
2) after a WHOIS and traceroute, the IP address that the traffic came from does not appear to belong to Akamai
3) the destination port is far outside of the temporary port range associated with the previous, or normal traffic
The 2nd line in the 'firewall log' below is the culprit. All logs below are complete for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy with all patches installed, which is the only connection for this LAN to the Internet. All browsers and media players use the Squid proxy. All internal IPs, the gateway and DNSs are hard-coded on all workstations (no DHCP server running).
I have 'Googled' for "reverse http traffic" and have found nothing but messages from my previous post of the same title.
I'm back in "Eh?" mode...
--
Cheers,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
FIREWALL LOG:
Time Chain Iface Proto Source Src Port Destination Dst Port
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
--> 23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
SNORT LOG:
Date: 01/17 23:50:57 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
Date: 01/17 23:52:56 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
Date: 01/17 23:53:44 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
SQUID LOG:
Time Source IP Website
23:51:01 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:07 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:13 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:18 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:24 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:29 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:34 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:39 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:44 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:49 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:55 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:00 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:05 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:10 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:15 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:20 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:25 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:31 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:36 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:41 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:46 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:51 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:56 {internal IP} http://207.46.110.21/gateway/gateway.dll?
According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs to Beijing Lexun network corp., along with the rest of the 211.152.51.0 - 211.152.52.255 range, which appears to be connected to www.21vianet.com (the English version of the site is "under construction").
TRACEROUTE:
traceroute to 211.152.51.13 (211.152.51.13), 30 hops max, 38 byte packets
1 firewall ({internal IP}) 1.006 ms 0.602 ms 0.373 ms
2 lsanca1-ar1-4-62-120-001.lsanca1.dsl-verizon.net (4.62.120.1) 29.561 ms 34.884 ms 29.388 ms
3 a4-0-3.lsanca1-cr7.bbnplanet.net (4.24.62.125) 45.075 ms 31.631 ms 29.191 ms
4 p7-0.lsanca1-cr8.bbnplanet.net (4.24.7.126) 29.752 ms 29.626 ms 35.091 ms
5 p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53) 37.785 ms 33.590 ms 29.919 ms
6 unknown.Level3.net (64.159.4.37) 29.655 ms 38.449 ms 29.567 ms
7 unknown.Level3.net (209.247.9.218) 33.526 ms 30.053 ms 29.528 ms
8 so-0-0-0.gar1.LosAngeles1.Level3.net (209.247.9.221) 30.859 ms 37.223 ms 31.752 ms
9 uunet-level3-oc48.LosAngeles1.Level3.net (209.0.227.38) 38.468 ms 30.499 ms 30.655 ms
10 0.so-1-0-0.XL2.LAX7.ALTER.NET (152.63.112.154) 30.761 ms 30.394 ms 31.320 ms
11 0.so-6-0-0.CL2.LAX1.ALTER.NET (152.63.57.81) 38.566 ms 30.952 ms 33.952 ms
12 0.so-3-0-0.IG3.LAX1.ALTER.NET (152.63.57.97) 37.962 ms 31.835 ms 30.239 ms
13 chinatelecom-gw.customer.alter.net (157.130.246.58) 30.267 ms 30.933 ms 30.141 ms
14 202.97.49.66 (202.97.49.66) 406.935 ms 404.050 ms 400.418 ms
15 202.97.51.5 (202.97.51.5) 535.710 ms 532.183 ms 531.275 ms
16 202.97.33.89 (202.97.33.89) 531.137 ms 533.724 ms 530.926 ms
17 202.101.63.253 (202.101.63.253) 541.153 ms 538.483 ms 541.257 ms
18 61.152.83.2 (61.152.83.2) 539.541 ms 534.397 ms 533.571 ms
19 61.152.83.38 (61.152.83.38) 552.751 ms 554.188 ms 547.813 ms
20 61.152.83.65 (61.152.83.65) 540.952 ms 543.161 ms 544.014 ms
21 211.152.63.57 (211.152.63.57) 541.551 ms 533.582 ms 544.318 ms
22 211.152.63.62 (211.152.63.62) 535.206 ms 555.112 ms 542.406 ms
23 * * *
24 * * *
25 * * *
26 *(Ctrl-C at this point)
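An added example, not from the post and not IPCop's or Squid's own code, that does the correlation Steve's reply asks for as far as these logs allow. It takes firewall INPUT lines and Squid lines in the column layout shown above and flags any inbound TCP packet from source port 80 that either has no proxy request to that same address in the preceding two minutes or lands on a destination port outside the 1024-5000 range the post treats as the workstations' ephemeral range. The two-minute window, the port range, and the extra 207.46.110.21 firewall line (a constructed "expected reply", added so that a genuine reply is shown being filtered out) are assumptions. What it cannot do is what the logs themselves lack: without TCP flags there is no telling a SYN/ACK that belongs to a real connection from a bare ACK or RST sent to a random high port, and a scanner can pick source port 80 on purpose (nmap's --source-port/-g option does exactly that) to slip past filters that trust anything coming back from a web server.

```python
"""Flag inbound packets from TCP source port 80 that do not look like
replies to something this LAN's proxy actually requested.

Constructed example, not from the original post: the firewall and Squid
lines below are modelled on the IPCop / Squid excerpts in the message, with
one extra firewall line (207.46.110.21 -> port 3345) added as a constructed
'expected reply' so both outcomes are exercised.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# Firewall log in the column order shown in the post:
# Time Chain Iface Proto Source SrcPort Destination DstPort
FIREWALL_LOG = """\
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
23:51:30 INPUT eth2 TCP 207.46.110.21 80(HTTP) 4.62.xxx.xxx 3345
23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
"""

# Squid log: Time SourceIP URL (only the first and last requests kept;
# the "{internal IP}" placeholder is carried over from the post as-is)
SQUID_LOG = """\
23:51:01 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:56 {internal IP} http://207.46.110.21/gateway/gateway.dll?
"""

# Assumption taken from the post's own "1024-5000" remark: the dynamic port
# range the LAN's workstations use for outbound connections.
EPHEMERAL = (1024, 5000)
WINDOW = 120  # seconds: how far back to look for a matching proxy request

Finding = namedtuple("Finding", "time src dport reasons")


def _secs(hhmmss):
    """HH:MM:SS -> seconds since midnight (the logs carry no date)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_firewall(text):
    """Return (time, chain, iface, proto, src, sport, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        t, chain, iface, proto, src, sport, dst, dport = f
        sport = int(sport.split("(")[0])  # strip the "(HTTP)" annotation
        rows.append((t, chain, iface, proto, src, sport, dst, int(dport)))
    return rows


def parse_squid(text):
    """Return (seconds, host) pairs; host is the URL's network location.

    Matching by host string against a source IP only works because the
    proxy log here shows IP-literal URLs; hostname URLs would need resolving.
    """
    reqs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        reqs.append((_secs(f[0]), urlsplit(f[-1]).hostname))
    return reqs


def unsolicited_port80(firewall_text, squid_text, ephemeral=EPHEMERAL, window=WINDOW):
    """Inbound TCP from source port 80 with no matching request or odd dport."""
    reqs = parse_squid(squid_text)
    findings = []
    for t, chain, _iface, proto, src, sport, _dst, dport in parse_firewall(firewall_text):
        if chain != "INPUT" or proto != "TCP" or sport != 80:
            continue
        now = _secs(t)
        reasons = []
        # A reply should follow a proxy request to that exact address shortly before.
        if not any(host == src and 0 <= now - rt <= window for rt, host in reqs):
            reasons.append("no-proxy-request")
        lo, hi = ephemeral
        if not lo <= dport <= hi:
            reasons.append("dport-outside-ephemeral")
        if reasons:
            findings.append(Finding(t, src, dport, reasons))
    return findings


if __name__ == "__main__":
    for f in unsolicited_port80(FIREWALL_LOG, SQUID_LOG):
        print(f"{f.time} {f.src}:80 -> :{f.dport}  {', '.join(f.reasons)}")
```

Run as-is it reports only the 23:52:02 packet from 211.152.51.13, for both reasons; the constructed 207.46.110.21 line passes because a proxy request to that address preceded it and port 3345 is inside the range. Against a real IPCop box the same check is worth running with a raw tcpdump capture on the red interface alongside it, since that is the only way to get the flags the GUI log drops.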