Full Disclosure mailing list archives

Reverse http traffic revisited


From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: 18 Jan 2004 01:12:17 -0800

Hello guys,

On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.

Originally, on a client's LAN, I had spotted multiple inbound traffic
ORIGINATING from port 80 and arriving on ports in the temporary range of
1024-5000.

Steve S. sent the following email which could have explained this phenomenon as coming from Akamai:
------
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html

Without seeing more complete information such as the protocol or flags 
it's impossible to tell for sure.

Steve
------

Since the destination ports in that traffic were in the 3000 range, I believe this could have explained the previous 
traffic.

However...

We now have a log from another network that shows a similar bit of reverse http traffic, except that:
1)  no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log - 207.46.110.21 belongs to Hotmail)
2)  after a WHOIS and traceroute, the IP address that the traffic came from does not appear to belong to Akamai
3)  the destination port is far outside of the temporary port range associated with the previous, or normal traffic

The 2nd line in the 'firewall log' below is the culprit.  All logs below are complete for the start-end times seen and 
originate from an IPCop v1.3 Linux firewall/proxy with all patches installed, and which is the only connection for this 
LAN to the Internet.  All browsers and media players use the Squid proxy.  All internal IPs, the gateway and DNSs are 
hard-coded on all workstations (no DHCP server running.)

I have 'Googled' for "reverse http traffic" and have found nothing but messages from my previous post of the same title.

I'm back in "Eh?" mode...

-- 

Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


FIREWALL LOG:
Time            Chain   Iface   Proto   Source          Src Port        Destination     Dst Port
23:49:31        INPUT   eth2    TCP     4.62.83.225     1156            4.62.xxx.xxx    135
--> 23:52:02    INPUT   eth2    TCP     211.152.51.13   80(HTTP)        4.62.xxx.xxx    24875
23:53:46        INPUT   eth2    TCP     4.65.99.99      3212            4.62.xxx.xxx    135


SNORT LOG:
Date:   01/17 23:50:57  Name:   ICMP PING CyberKit 2.2 Windows
Priority:       3       Type:   Misc activity
IP info:        4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References:     none found      SID:    483
Date:   01/17 23:52:56  Name:   ICMP PING CyberKit 2.2 Windows
Priority:       3       Type:   Misc activity
IP info:        4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References:     none found      SID:    483
Date:   01/17 23:53:44  Name:   ICMP PING CyberKit 2.2 Windows
Priority:       3       Type:   Misc activity
IP info:        4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References:     none found      SID:    483


SQUID LOG:
Time            Source IP       Website
23:51:01        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:07        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:13        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:18        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:24        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:29        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:34        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:39        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:44        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:49        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:51:55        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:00        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:05        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:10        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:15        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:20        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:25        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:31        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:36        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:41        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:46        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:51        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:56        {internal IP}   http://207.46.110.21/gateway/gateway.dll?


According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs to Beijing Lexun network corp. 
along with the rest of the 211.152.51.0 - 211.152.52.255 range which appears to be connected to www.21vianet.com 
(English version of the site is "under construction".)

TRACEROUTE:
traceroute to 211.152.51.13 (211.152.51.13), 30 hops max, 38 byte packets
 1  firewall ({internal IP})  1.006 ms  0.602 ms  0.373 ms
 2  lsanca1-ar1-4-62-120-001.lsanca1.dsl-verizon.net (4.62.120.1)  29.561 ms  34.884 ms  29.388 ms
 3  a4-0-3.lsanca1-cr7.bbnplanet.net (4.24.62.125)  45.075 ms  31.631 ms  29.191 ms
 4  p7-0.lsanca1-cr8.bbnplanet.net (4.24.7.126)  29.752 ms  29.626 ms  35.091 ms
 5  p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53)  37.785 ms  33.590 ms  29.919 ms
 6  unknown.Level3.net (64.159.4.37)  29.655 ms  38.449 ms  29.567 ms
 7  unknown.Level3.net (209.247.9.218)  33.526 ms  30.053 ms  29.528 ms
 8  so-0-0-0.gar1.LosAngeles1.Level3.net (209.247.9.221)  30.859 ms  37.223 ms 31.752 ms
 9  uunet-level3-oc48.LosAngeles1.Level3.net (209.0.227.38)  38.468 ms  30.499 ms  30.655 ms
10  0.so-1-0-0.XL2.LAX7.ALTER.NET (152.63.112.154)  30.761 ms  30.394 ms  31.320 ms
11  0.so-6-0-0.CL2.LAX1.ALTER.NET (152.63.57.81)  38.566 ms  30.952 ms  33.952 ms
12  0.so-3-0-0.IG3.LAX1.ALTER.NET (152.63.57.97)  37.962 ms  31.835 ms  30.239 ms
13  chinatelecom-gw.customer.alter.net (157.130.246.58)  30.267 ms  30.933 ms  30.141 ms
14  202.97.49.66 (202.97.49.66)  406.935 ms  404.050 ms  400.418 ms
15  202.97.51.5 (202.97.51.5)  535.710 ms  532.183 ms  531.275 ms
16  202.97.33.89 (202.97.33.89)  531.137 ms  533.724 ms  530.926 ms
17  202.101.63.253 (202.101.63.253)  541.153 ms  538.483 ms  541.257 ms
18  61.152.83.2 (61.152.83.2)  539.541 ms  534.397 ms  533.571 ms
19  61.152.83.38 (61.152.83.38)  552.751 ms  554.188 ms  547.813 ms
20  61.152.83.65 (61.152.83.65)  540.952 ms  543.161 ms  544.014 ms
21  211.152.63.57 (211.152.63.57)  541.551 ms  533.582 ms  544.318 ms
22  211.152.63.62 (211.152.63.62)  535.206 ms  555.112 ms  542.406 ms
23  * * *
24  * * *
25  * * *
26  *(Ctrl-C at this point)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
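The triage question the post raises (is an inbound packet with source port 80 a reply to something the proxy asked for, or unsolicited?) can be checked mechanically against the two logs. The script below is an added example, not code from the original post or from IPCop; it parses rows laid out like the firewall and Squid logs above, then flags inbound TCP rows from source port 80 that have no proxy request to the same host in a preceding window, or whose destination port falls outside the ephemeral range. The column layouts, the 1024-5000 range, the five-minute window and the sample rows are assumptions; the sample rows keep the post's masked `4.62.xxx.xxx` and `{internal IP}` placeholders.

```python
"""Triage helper for 'reverse HTTP' rows in an IPCop-style firewall log.

Added example, not from the original post. Parses firewall and Squid rows
laid out like the ones in the post and flags inbound TCP packets whose source
port is 80 but that no proxy request can account for. Column layouts, the
ephemeral range and the correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

EPHEMERAL_RANGE = (1024, 5000)             # assumed "temporary" client port range from the post
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed: how far back to look for a matching proxy request

# Constructed sample input, laid out like the post's firewall log (dst masked as in the post)
FIREWALL_LOG = """\
23:49:31        INPUT   eth2    TCP     4.62.83.225     1156            4.62.xxx.xxx    135
23:52:02        INPUT   eth2    TCP     211.152.51.13   80(HTTP)        4.62.xxx.xxx    24875
23:53:46        INPUT   eth2    TCP     4.65.99.99      3212            4.62.xxx.xxx    135
"""

# Constructed sample input, laid out like the post's Squid log
SQUID_LOG = """\
23:51:01        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
23:52:56        {internal IP}   http://207.46.110.21/gateway/gateway.dll?
"""

_TIME = re.compile(r"\d\d:\d\d:\d\d")


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def parse_firewall(text):
    """Parse 'Time Chain Iface Proto Source SrcPort Destination DstPort' rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not _TIME.fullmatch(parts[0]):
            continue  # header or blank line
        # IPCop annotates well-known ports as e.g. '80(HTTP)'; keep only the number
        sport = int(re.match(r"\d+", parts[5]).group())
        dport = int(re.match(r"\d+", parts[7]).group())
        rows.append({"time": _t(parts[0]), "chain": parts[1], "iface": parts[2],
                     "proto": parts[3], "src": parts[4], "sport": sport,
                     "dst": parts[6], "dport": dport})
    return rows


def parse_squid(text):
    """Parse 'Time SourceIP Website' rows; the URL host is what the firewall sees as Source."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not _TIME.fullmatch(parts[0]):
            continue
        url = parts[-1]  # client field may contain spaces ('{internal IP}'), so take the ends
        rows.append({"time": _t(parts[0]), "client": " ".join(parts[1:-1]),
                     "url": url, "host": urlsplit(url).hostname})
    return rows


def find_unsolicited_http_replies(fw_rows, squid_rows, window=CORRELATION_WINDOW):
    """Return inbound TCP rows from source port 80 that no proxy request explains.

    A genuine reply from a web server is preceded (within `window`) by a proxy
    request to that same host and lands on an ephemeral destination port. Each
    failing condition is recorded as a reason. The log carries no TCP flags, so a
    flagged row may be a fresh connection attempt or a stray late packet from an
    earlier session; the flags would be needed to tell those apart.
    """
    findings = []
    lo, hi = EPHEMERAL_RANGE
    for row in fw_rows:
        if row["chain"] != "INPUT" or row["proto"] != "TCP" or row["sport"] != 80:
            continue
        reasons = []
        explained = any(q["host"] == row["src"]
                        and timedelta(0) <= row["time"] - q["time"] <= window
                        for q in squid_rows)
        if not explained:
            reasons.append(f"no proxy request to {row['src']} in the prior {window}")
        if not lo <= row["dport"] <= hi:
            reasons.append(f"destination port {row['dport']} outside ephemeral range {lo}-{hi}")
        if reasons:
            findings.append({"time": row["time"].strftime("%H:%M:%S"), "src": row["src"],
                             "dport": row["dport"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unsolicited_http_replies(parse_firewall(FIREWALL_LOG), parse_squid(SQUID_LOG)):
        print(f"{f['time']} {f['src']}:80 -> :{f['dport']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample rows it reports only the 23:52:02 entry, with both reasons; a packet from a host the proxy had just fetched from, arriving on a port inside the range, is not reported. On a real IPCop box the same correlation is only as good as the clock agreement between the two logs and the completeness of the Squid access log, and without TCP flags it cannot distinguish a SYN from a late ACK.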
