Security Incidents mailing list archives

Re: Strange port 23 traffic


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Mon, 19 Mar 2001 09:36:38 -0500

This is Conducent spyware posting user information to select its advertising.
It uses POST to describe the adware you are running and the particular user ID
of the machine. It then retrieves the ad that will be shown to the user.
Conducent collects the demographics of its users to tailor the advertising to
user interest.

Costas Karafasoulis <karafas () MAIL ARIADNE-T GR> on 03/18/2001 03:49:37 PM

Please respond to Costas Karafasoulis <karafas () MAIL ARIADNE-T GR>

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: Strange port 23 traffic

There is some strange traffic in my network that I can't really
figure out what it is. It consists of a large number of connections
of the form:


xxx.xxx.xxx.xxx.1079-yyy.yyy.yyy.yyy.23
POST http://xxx.xxx.xxx.xxx:23/Ready?PVersion=1.0&CVersion=4000000&TVersion=1.0&Session=441272 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 15 Feb 2001 00:20:56 GMT
Host: xxx.xxx.xxx.xxx

transaction=
DAAAAAgAAAASAAAAAAAAAA==
------------------------------------------------------------------------------------

yyy.yyy.yyy.yyy.23-xxx.xxx.xxx.xxx.1079

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Thu, 15 Feb 2001 00:19:15 GMT
Content-Type: text/html
Content-Length: 660
Expires: Thu, 15 Feb 2001 00:19:15 GMT

<html><title>Conducent Response</title><body><P>
OjU5AGh0dHA6Ly9yZWRVjZW50LmNvbS9TY3JpcHRzL1JlZG
yLmRsbD9SyMDAxLTA2LTMwIDIzOjU5OjU5ADIzOjU5
</P></body></html>


any ideas what it could be ???
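
Added example, not part of the original thread: a small Python check that flags an HTTP request arriving on a port where HTTP is not expected (port 23 in the capture above) and pulls out the query parameters and the base64 form field for triage. The function names, the HTTP_PORTS set and the 192.0.2.10 address are assumptions; the request is a constructed sample modelled on the one quoted in the post.

```python
import base64
from urllib.parse import urlsplit, parse_qs

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT"}
HTTP_PORTS = {80, 8080}  # assumption: ports where this network expects HTTP

# Constructed sample modelled on the request quoted in the post; 192.0.2.10 is
# a documentation address standing in for the masked xxx.xxx.xxx.xxx.
SAMPLE = (
    b"POST http://192.0.2.10:23/Ready?PVersion=1.0&CVersion=4000000"
    b"&TVersion=1.0&Session=441272 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n"
    b"transaction=\r\nDAAAAAgAAAASAAAAAAAAAA=="
)

def decode_field(value):
    """Base64-decode a form value; return hex, or None if it is not base64."""
    # parse_qs turns '+' into ' ', so restore it before decoding.
    try:
        return base64.b64decode(value.replace(" ", "+")).hex()
    except ValueError:
        return None

def inspect_flow(dst_port, payload):
    """Return a finding if payload is an HTTP request on a non-HTTP port."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n")[0].split(b" ")
    if len(request_line) != 3 or request_line[0] not in HTTP_METHODS:
        return None  # not an HTTP request, e.g. genuine telnet negotiation
    if not request_line[2].startswith(b"HTTP/") or dst_port in HTTP_PORTS:
        return None
    url = urlsplit(request_line[1].decode("latin-1"))
    fields = parse_qs(body.decode("latin-1"))
    return {
        "dst_port": dst_port,
        "method": request_line[0].decode(),
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "body_hex": {k: decode_field(v[0]) for k, v in fields.items()},
    }

if __name__ == "__main__":
    print(inspect_flow(23, SAMPLE))
```

The decoded field is reported as raw hex only; the thread does not document the layout of the transaction value.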
