[Full-Disclosure] Reverse http traffic revisited
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Reverse http traffic revisited
- From: "Daniel H. Renner" <dan@losangelescomputerhelp.com>
- Date: 18 Jan 2004 01:12:17 -0800
Hello guys,
On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.
Originally, on a client's LAN, I had spotted multiple instances of inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.
Steve S. sent the following email which could have explained this phenomenon as
coming from Akamai:
------
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html
Without seeing more complete information such as the protocol or flags
it's impossible to tell for sure.
Steve
------
Since the destination ports in that traffic were in the 3000 range, I believe
this could have explained the previous traffic.
However...
We now have a log from another network that shows a similar bit of reverse http
traffic, except that:
1) no HTTP outbound browsing was active at the time of the incoming port 80
traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log -
207.46.110.21 belongs to Hotmail)
2) after a WHOIS and traceroute, the IP address that the traffic came from
does not appear to belong to Akamai
3) the destination port is far outside of the temporary port range associated
with the previous, or normal traffic
The 2nd line in the 'firewall log' below is the culprit. All logs below are
complete for the start-end times seen and originate from an IPCop v1.3 Linux
firewall/proxy with all patches installed, and which is the only connection for
this LAN to the Internet. All browsers and media players use the Squid proxy.
All internal IPs, the gateway and DNSs are hard-coded on all workstations (no
DHCP server running).
I have 'Googled' for "reverse http traffic" and have found nothing but messages
from my previous post of the same title.
I'm back in "Eh?" mode...
--
Cheers,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
FIREWALL LOG:
Time     Chain Iface Proto Source        Src Port  Destination  Dst Port
23:49:31 INPUT eth2  TCP   4.62.83.225   1156      4.62.xxx.xxx 135
--> 23:52:02 INPUT eth2  TCP   211.152.51.13 80(HTTP)  4.62.xxx.xxx 24875
23:53:46 INPUT eth2  TCP   4.65.99.99    3212      4.62.xxx.xxx 135
SNORT LOG:
Date: 01/17 23:50:57 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
Date: 01/17 23:52:56 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
Date: 01/17 23:53:44 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found SID: 483
SQUID LOG:
Time Source IP Website
23:51:01 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:07 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:13 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:18 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:24 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:29 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:34 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:39 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:44 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:49 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:51:55 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:00 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:05 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:10 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:15 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:20 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:25 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:31 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:36 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:41 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:46 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:51 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:56 {internal IP} http://207.46.110.21/gateway/gateway.dll?
According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13
belongs to Beijing Lexun network corp. along with the rest of the 211.152.51.0
- 211.152.52.255 range which appears to be connected to www.21vianet.com
(English version of the site is "under construction".)
TRACEROUTE:
traceroute to 211.152.51.13 (211.152.51.13), 30 hops max, 38 byte packets
1 firewall ({internal IP}) 1.006 ms 0.602 ms 0.373 ms
2 lsanca1-ar1-4-62-120-001.lsanca1.dsl-verizon.net (4.62.120.1) 29.561 ms 34.884 ms 29.388 ms
3 a4-0-3.lsanca1-cr7.bbnplanet.net (4.24.62.125) 45.075 ms 31.631 ms 29.191 ms
4 p7-0.lsanca1-cr8.bbnplanet.net (4.24.7.126) 29.752 ms 29.626 ms 35.091 ms
5 p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53) 37.785 ms 33.590 ms 29.919 ms
6 unknown.Level3.net (64.159.4.37) 29.655 ms 38.449 ms 29.567 ms
7 unknown.Level3.net (209.247.9.218) 33.526 ms 30.053 ms 29.528 ms
8 so-0-0-0.gar1.LosAngeles1.Level3.net (209.247.9.221) 30.859 ms 37.223 ms 31.752 ms
9 uunet-level3-oc48.LosAngeles1.Level3.net (209.0.227.38) 38.468 ms 30.499 ms 30.655 ms
10 0.so-1-0-0.XL2.LAX7.ALTER.NET (152.63.112.154) 30.761 ms 30.394 ms 31.320 ms
11 0.so-6-0-0.CL2.LAX1.ALTER.NET (152.63.57.81) 38.566 ms 30.952 ms 33.952 ms
12 0.so-3-0-0.IG3.LAX1.ALTER.NET (152.63.57.97) 37.962 ms 31.835 ms 30.239 ms
13 chinatelecom-gw.customer.alter.net (157.130.246.58) 30.267 ms 30.933 ms 30.141 ms
14 202.97.49.66 (202.97.49.66) 406.935 ms 404.050 ms 400.418 ms
15 202.97.51.5 (202.97.51.5) 535.710 ms 532.183 ms 531.275 ms
16 202.97.33.89 (202.97.33.89) 531.137 ms 533.724 ms 530.926 ms
17 202.101.63.253 (202.101.63.253) 541.153 ms 538.483 ms 541.257 ms
18 61.152.83.2 (61.152.83.2) 539.541 ms 534.397 ms 533.571 ms
19 61.152.83.38 (61.152.83.38) 552.751 ms 554.188 ms 547.813 ms
20 61.152.83.65 (61.152.83.65) 540.952 ms 543.161 ms 544.014 ms
21 211.152.63.57 (211.152.63.57) 541.551 ms 533.582 ms 544.318 ms
22 211.152.63.62 (211.152.63.62) 535.206 ms 555.112 ms 542.406 ms
23 * * *
24 * * *
25 * * *
26 * (Ctrl-C at this point)
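As an added example (not from Dan's post, nor IPCop or Squid code), the following Python script automates the correlation he did by hand: it parses the firewall rows and Squid rows above (values copied from the post, one row per line) and flags inbound TCP from source port 80 for which no proxied request to that host appears in the preceding window. The 300-second window and the whitespace-separated field layout are assumptions.

```python
import re

# Firewall rows as quoted in the post, one per line; IPCop annotates
# well-known ports like "80(HTTP)".
FIREWALL_LOG = """\
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
"""
# Squid rows from the post: the only outbound HTTP active at the time.
SQUID_LOG = """\
23:51:55 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:00 {internal IP} http://207.46.110.21/gateway/gateway.dll?
"""

def to_secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def parse_firewall(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:          # skip headers and wrapped fragments
            continue
        rows.append({"t": to_secs(f[0]), "chain": f[1], "proto": f[3],
                     "src": f[4], "sport": int(re.match(r"\d+", f[5]).group()),
                     "dst": f[6], "dport": int(f[7])})
    return rows

def parse_squid(text):
    # Host is compared exactly as logged (an IP here, as in the post).
    out = []
    for line in text.splitlines():
        m = re.match(r"(\d\d:\d\d:\d\d) .*?https?://([^/:]+)", line)
        if m:
            out.append((to_secs(m.group(1)), m.group(2)))
    return out

def unsolicited_reverse_http(fw_rows, squid_rows, window=300):
    """Flag INPUT TCP rows from source port 80 with no proxy request to that
    host in the previous `window` seconds; tag the destination port with the
    author's 1024-5000 'temporary range' distinction."""
    hits = []
    for r in fw_rows:
        if r["chain"] != "INPUT" or r["proto"] != "TCP" or r["sport"] != 80:
            continue
        solicited = any(h == r["src"] and 0 <= r["t"] - t <= window
                        for t, h in squid_rows)
        if not solicited:
            rng = "ephemeral" if 1024 <= r["dport"] <= 5000 else "outside-range"
            hits.append((r["src"], r["dport"], rng))
    return hits
```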
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html