Security Incidents mailing list archives

Strange port 23 traffic


From: Costas Karafasoulis <karafas () MAIL ARIADNE-T GR>
Date: Sun, 18 Mar 2001 22:49:37 +0200

There is some strange traffic in my network, that I can really
figure out what it is. It consists of a large number of connections
of the form:


xxx.xxx.xxx.xxx.1079-yyy.yyy.yyy.yyy.23
POST http://xxx.xxx.xxx.xxx:23/Ready?PVersion=1.0&CVersion=4000000&TVersion=1.0&Session=441272 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 15 Feb 2001 00:20:56 GMT
Host: xxx.xxx.xxx.xxx

transaction=
DAAAAAgAAAASAAAAAAAAAA==
------------------------------------------------------------------------------------

yyy.yyy.yyy.yyy.23-xxx.xxx.xxx.xxx.1079

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Thu, 15 Feb 2001 00:19:15 GMT
Content-Type: text/html
Content-Length: 660
Expires: Thu, 15 Feb 2001 00:19:15 GMT

<html><title>Conducent Response</title><body><P>
OjU5AGh0dHA6Ly9yZWRVjZW50LmNvbS9TY3JpcHRzL1JlZG
yLmRsbD9SyMDAxLTA2LTMwIDIzOjU5OjU5ADIzOjU5
</P></body></html>


Any ideas what it could be???
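
A triage sketch for the request quoted above, added here as an example and not part of the original post: it flags an HTTP request line on the telnet port, checks the body against Content-Length, and decodes the base64 transaction field. The helper name, the CRLF line endings and the little-endian word view are assumptions.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request from the post with the mail line-wraps undone
# and the cache/date headers trimmed. Addresses stay masked as posted.
# Assumption: lines end in CRLF and the break after "transaction=" is part of
# the body (12 + 2 + 24 bytes = 38).
SAMPLE_FLOW = "xxx.xxx.xxx.xxx.1079-yyy.yyy.yyy.yyy.23"
SAMPLE_REQUEST = (
    "POST http://xxx.xxx.xxx.xxx:23/Ready?PVersion=1.0&CVersion=4000000"
    "&TVersion=1.0&Session=441272 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "Host: xxx.xxx.xxx.xxx\r\n"
    "\r\n"
    "transaction=\r\nDAAAAAgAAAASAAAAAAAAAA=="
)

HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]$")


def triage(flow: str, payload: str) -> dict:
    """Summarise one captured client segment (hypothetical helper)."""
    dst_port = int(flow.rsplit(".", 1)[1])  # "src.port-dst.port" layout
    head, _, body = payload.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    query = parse_qs(urlsplit(request_line.split(" ")[1]).query)

    # Split on the first "=" only: base64 padding also uses "=".
    field, _, value = body.partition("=")
    raw = base64.b64decode("".join(value.split()), validate=True)
    words = len(raw) // 4
    return {
        "http_on_telnet_port": dst_port == 23
        and bool(HTTP_REQUEST_LINE.match(request_line)),
        "length_matches": int(headers.get("Content-Length", -1)) == len(body),
        "query": {k: v[0] for k, v in query.items()},
        "field": field,
        "raw_hex": raw.hex(),
        # Assumption: viewing the blob as little-endian 32-bit words.
        "le_u32": list(struct.unpack(f"<{words}I", raw[: words * 4])),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_FLOW, SAMPLE_REQUEST).items():
        print(f"{key}: {val}")
```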