Security Incidents mailing list archives
Re: Strange port 23 traffic
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Mon, 19 Mar 2001 09:36:38 -0500
This is Conducent spyware posting user information to select its advertising. It uses POST to describe the adware you are running and the particular user ID of the machine. It then retrieves the ad that will be shown to the user. Conducent collects the demographics of its users to tailor the advertising to user interest.

Costas Karafasoulis <karafas () MAIL ARIADNE-T GR> on 03/18/2001 03:49:37 PM

Please respond to Costas Karafasoulis <karafas () MAIL ARIADNE-T GR>

To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Strange port 23 traffic

There is some strange traffic in my network, that I can't really figure out what it is. It consists of a large number of connections of the form:

xxx.xxx.xxx.xxx.1079-yyy.yyy.yyy.yyy.23

POST http://xxx.xxx.xxx.xxx:23/Ready?PVersion=1.0&CVersion=4000000&TVersion=1.0&Session=441272 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 15 Feb 2001 00:20:56 GMT
Host: xxx.xxx.xxx.xxx

transaction= DAAAAAgAAAASAAAAAAAAAA==

------------------------------------------------------------------------------------

yyy.yyy.yyy.yyy.23-xxx.xxx.xxx.xxx.1079

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Thu, 15 Feb 2001 00:19:15 GMT
Content-Type: text/html
Content-Length: 660
Expires: Thu, 15 Feb 2001 00:19:15 GMT

<html><title>Conducent Response</title><body><P>
OjU5AGh0dHA6Ly9yZWRVjZW50LmNvbS9TY3JpcHRzL1JlZG
yLmRsbD9SyMDAxLTA2LTMwIDIzOjU5OjU5ADIzOjU5
</P></body></html>

any ideas what it could be ???
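An added example, not part of either message in this thread: a small check a defender could run over reassembled TCP payloads to recognise the pattern in the capture above, that is, an HTTP request sent to the telnet port carrying the `PVersion`/`CVersion`/`TVersion`/`Session` parameters, and to unpack the `transaction` field. The host `192.0.2.10` is a placeholder for the redacted address, and reading the decoded blob as little-endian 32-bit integers is an assumption; the thread does not document the field layout.

```python
import base64
import binascii
import struct
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request quoted in the thread, with the redacted
# host replaced by the documentation address 192.0.2.10 (an assumption).
SAMPLE_REQUEST = (
    b"POST http://192.0.2.10:23/Ready?PVersion=1.0&CVersion=4000000"
    b"&TVersion=1.0&Session=441272 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"Host: 192.0.2.10\r\n\r\n"
    b"transaction=DAAAAAgAAAASAAAAAAAAAA==\r\n"
)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
# Query parameters visible in the captured request line.
CAPTURED_PARAMS = {"PVersion", "CVersion", "TVersion", "Session"}


def inspect_payload(dst_port, payload):
    """Inspect the first client-to-server payload of one TCP connection."""
    result = {"http_on_port_23": False, "known_params": False,
              "transaction_words": None}
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if not payload.startswith(HTTP_METHODS) or len(parts) != 3:
        return result  # not an HTTP request (e.g. real telnet negotiation)
    result["http_on_port_23"] = dst_port == 23
    query = parse_qs(urlsplit(parts[1]).query)
    result["known_params"] = CAPTURED_PARAMS.issubset(query)
    # Split the form body by hand: parse_qs would turn '+' in base64 into ' '.
    body = payload.partition(b"\r\n\r\n")[2]
    for field in body.split(b"&"):
        name, _, value = field.partition(b"=")
        if name.strip() != b"transaction":
            continue
        try:
            raw = base64.b64decode(value.strip(), validate=True)
        except binascii.Error:
            break
        if raw and len(raw) % 4 == 0:
            # Assumption: the blob is a run of little-endian 32-bit integers.
            result["transaction_words"] = struct.unpack(f"<{len(raw) // 4}I", raw)
    return result


if __name__ == "__main__":
    print(inspect_payload(23, SAMPLE_REQUEST))
```

The 24-character `transaction` value decodes to 16 bytes; what each of the four integers means is not stated anywhere in the thread.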
Current thread:
- Strange port 23 traffic Costas Karafasoulis (Mar 18)
- Re: Strange port 23 traffic Ray Simard (Mar 19)
- <Possible follow-ups>
- Re: Strange port 23 traffic Bill Royds (Mar 19)
- Re: Strange port 23 traffic Greg A. Woods (Mar 19)