Security Incidents mailing list archives
IMesh Scans from 209.225.26.19 and 216.35.208.153
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Mon, 26 Feb 2001 14:20:48 -0800
I was analysing some of the more strange traffic patterns from last week's logs when I came across these,

23Feb2001 8:43:39 accept >qfe3 tcp 192.168.AAA.BBB:1436 -> 216.35.208.153:5000 44 (DDD.EEE.FFF.GGG:53596 -> 216.35.208.153:5000)
23Feb2001 8:43:50 drop >hme0 tcp 216.35.208.153:51851 -> DDD.EEE.FFF.GGG:4456 44
23Feb2001 8:43:56 drop >hme0 tcp 216.35.208.153:51869 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 8:44:02 drop >hme0 tcp 216.35.208.153:51882 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 8:44:08 drop >hme0 tcp 216.35.208.153:51896 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 8:44:14 drop >hme0 tcp 216.35.208.153:51916 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 8:44:20 drop >hme0 tcp 216.35.208.153:51932 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 8:44:25 drop >hme0 tcp 216.35.208.153:51948 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 8:44:31 drop >hme0 tcp 216.35.208.153:51962 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 8:44:36 drop >hme0 tcp 216.35.208.153:51972 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 8:44:42 drop >hme0 tcp 216.35.208.153:51981 -> DDD.EEE.FFF.GGG:http 44

23Feb2001 13:31:09 accept >qfe3 tcp 192.168.AAA.CCC:1459 -> 209.225.26.19:5000 44 (DDD.EEE.FFF.GGG:20653 -> 209.225.26.19:5000)
23Feb2001 13:31:13 drop >hme0 tcp 209.225.26.19:60461 -> DDD.EEE.FFF.GGG:4923 44
23Feb2001 13:31:19 drop >hme0 tcp 209.225.26.19:60471 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 13:31:25 drop >hme0 tcp 209.225.26.19:60482 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 13:31:31 drop >hme0 tcp 209.225.26.19:60489 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 13:31:38 drop >hme0 tcp 209.225.26.19:60499 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 13:31:44 drop >hme0 tcp 209.225.26.19:60512 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 13:31:50 drop >hme0 tcp 209.225.26.19:60523 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 13:31:57 drop >hme0 tcp 209.225.26.19:60532 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 13:32:03 drop >hme0 tcp 209.225.26.19:60542 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 13:32:09 drop >hme0 tcp 209.225.26.19:60555 -> DDD.EEE.FFF.GGG:http 44

What we are seeing is an internal user connecting to port 5000 of the external machine. The internal user's RFC1918 IP address is NATed. The external IMesh "server" then replies with a scan of the NATed source address (at least it looks like the internal client is not passing its IP address through at the application layer).

I have managed to associate both of these with IMesh.com filesharing. However, I have been unable to find information about how their protocol actually works and whether these scans are "normal." Is the remote peer trying to find out if we are sharing? Why do the two scans differ slightly, but also look very similar?

Any pointers to more info would be appreciated. Thanks.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
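As an added example (not part of Crist Clark's post or of any IMesh software), the following Python script parses the firewall entries quoted above and correlates each NATed outbound connection to port 5000 with the inbound probes the same peer sends back to the NATed address, which is the pattern the post describes. The field layout of the log lines, the five-minute correlation window and the minimum of three probed ports are assumptions; the service names X11 and http are mapped to ports 6000 and 80.

```python
import re
from datetime import datetime, timedelta
# Sample input: the firewall entries quoted in the post (address masks kept as written).
LOG = """\
23Feb2001 8:43:39 accept >qfe3 tcp 192.168.AAA.BBB:1436 -> 216.35.208.153:5000 44 (DDD.EEE.FFF.GGG:53596 -> 216.35.208.153:5000)
23Feb2001 8:43:50 drop >hme0 tcp 216.35.208.153:51851 -> DDD.EEE.FFF.GGG:4456 44
23Feb2001 8:43:56 drop >hme0 tcp 216.35.208.153:51869 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 8:44:02 drop >hme0 tcp 216.35.208.153:51882 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 8:44:08 drop >hme0 tcp 216.35.208.153:51896 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 8:44:14 drop >hme0 tcp 216.35.208.153:51916 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 8:44:20 drop >hme0 tcp 216.35.208.153:51932 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 8:44:25 drop >hme0 tcp 216.35.208.153:51948 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 8:44:31 drop >hme0 tcp 216.35.208.153:51962 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 8:44:36 drop >hme0 tcp 216.35.208.153:51972 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 8:44:42 drop >hme0 tcp 216.35.208.153:51981 -> DDD.EEE.FFF.GGG:http 44
23Feb2001 13:31:09 accept >qfe3 tcp 192.168.AAA.CCC:1459 -> 209.225.26.19:5000 44 (DDD.EEE.FFF.GGG:20653 -> 209.225.26.19:5000)
23Feb2001 13:31:13 drop >hme0 tcp 209.225.26.19:60461 -> DDD.EEE.FFF.GGG:4923 44
23Feb2001 13:31:19 drop >hme0 tcp 209.225.26.19:60471 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 13:31:25 drop >hme0 tcp 209.225.26.19:60482 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 13:31:31 drop >hme0 tcp 209.225.26.19:60489 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 13:31:38 drop >hme0 tcp 209.225.26.19:60499 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 13:31:44 drop >hme0 tcp 209.225.26.19:60512 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 13:31:50 drop >hme0 tcp 209.225.26.19:60523 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 13:31:57 drop >hme0 tcp 209.225.26.19:60532 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 13:32:03 drop >hme0 tcp 209.225.26.19:60542 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 13:32:09 drop >hme0 tcp 209.225.26.19:60555 -> DDD.EEE.FFF.GGG:http 44"""
# Assumed field layout: date time action >iface proto src:sport -> dst:dport len [(nat_src:port -> dst:port)]
LINE = re.compile(r"(?P<ts>\d+\w{3}\d{4} \d+:\d\d:\d\d) (?P<act>\w+) >\S+ \w+ (?P<src>\S+):\S+"
                  r" -> (?P<dst>\S+):(?P<dport>\S+) \d+(?: \((?P<nsrc>\S+):\S+ -> \S+:\S+\))?$")
NAMES = {"http": 80, "X11": 6000}  # service names the firewall prints instead of numbers
def parse(text):
    events = []
    for m in map(LINE.match, text.splitlines()):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d%b%Y %H:%M:%S")
        d["dport"] = NAMES.get(d["dport"]) or int(d["dport"])
        events.append(d)
    return events

def reflected_scans(events, trigger=5000, window=timedelta(minutes=5), min_ports=3):
    """Pair each NATed outbound accept to `trigger` with drops the same peer sends back to the NATed address."""
    scans = []
    for e in events:
        if e["act"] != "accept" or e["dport"] != trigger or not e["nsrc"]:
            continue
        ports = [x["dport"] for x in events if x["act"] == "drop" and x["src"] == e["dst"]
                 and x["dst"] == e["nsrc"] and e["ts"] < x["ts"] <= e["ts"] + window]
        if len(set(ports)) >= min_ports:  # several probes, not a single stray reply
            scans.append({"peer": e["dst"], "start": e["ts"], "ports": ports})
    return scans
```

Comparing the two `ports` lists shows that the sequences differ only in their first probe (4456 versus 4923), the rest being identical.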