Firewall Wizards mailing list archives

Re: Incessant port 80 connections


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Fri, 20 Jul 2001 05:18:50 -0700

From: Bill_Royds () pch gc ca
Date: Mon, 16 Jul 2001 11:12:06 -0400


This looks like the user who has the internal IP has installed some adware
(shareware paid by advertising).
The program underneath delivering the advertising is revealing internal IP and
the adware site is trying to push ads.
Check on the user's desktop for such programs using the Ad-aware program at
http://www.lavasoft.de


Well that's an interesting idea, however what would be the point of 
using (apparently) randomly spoofed source addresses if you would 
never see the reply to each connection attempt?



Date: Mon, 16 Jul 2001 13:49:01 -0400
From: Joseph S D Yao <jsdy () cospo osis gov>

Try running a Web server on that IP address [you might want to get a
Linux or FreeBSD system on an expendable disk] long enough to catch
the connections - see for what Web page they are looking, if that is
it, and WHETHER THERE IS A REFERRAL PAGE that is mistakenly referring
all those people to that machine.


That's an interesting idea also.  However I just connected a Sniffer 
and grabbed the incoming packets.  Here are my initial findings:

They appear to come at somewhat regular intervals, leading me to 
believe they are coming from a single machine. (even though the 
source address changes from one minute to the next)

Even though they are targeted at port 80, I see no evidence that they 
contain any HTTP request component.  As a matter of fact, there is 
only one, completely consistent, short string of data beyond the TCP 
header, and I see it in *every single connection-attempt*:

        rctcpo

Out of curiosity I did a web and dejanews (now google) search for 
that string.  I did find a *single* thread on deja/google where 
someone running Novell Border Manager was seeing this exact string 
returned from an apparently malfunctioning SMTP MTA.

Anyone ever seen this before?  It's a weird one...


Phil



--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millennium
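The three observations Phil draws from the sniffer capture (near-constant intervals, a source address that changes every time, and one identical non-HTTP payload in every port-80 connection) are easy to turn into a repeatable check over a capture. The script below is an added example and not part of the thread; the packet records are constructed for illustration, with only the "rctcpo" string taken from the message, and the field layout (timestamp, source IP, destination port, payload bytes) and the jitter threshold are assumptions of this example, not a real sniffer's output format.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of sniffer records: (timestamp_s, src_ip, dst_port, payload).
# Six one-minute-spaced connections with rotating sources and the same short
# payload, plus one ordinary web request for contrast. Only "rctcpo" comes
# from the thread; everything else here is invented.
SAMPLE_PACKETS = [
    (0.0,   "10.1.2.3",      80, b"rctcpo"),
    (60.2,  "172.16.9.44",   80, b"rctcpo"),
    (119.9, "192.0.2.17",    80, b"rctcpo"),
    (180.4, "198.51.100.8",  80, b"rctcpo"),
    (240.1, "203.0.113.5",   80, b"rctcpo"),
    (300.3, "10.200.1.1",    80, b"rctcpo"),
    (133.0, "203.0.113.99",  80, b"GET / HTTP/1.0\r\n\r\n"),  # benign hit
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload):
    """True if the first bytes after the TCP header form an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def analyse(packets, port=80, max_jitter_ratio=0.1):
    """Summarise non-HTTP connections to `port` and flag the pattern from the
    thread: one constant payload arriving at regular intervals.

    max_jitter_ratio is an assumed threshold: std-dev of the inter-arrival
    gaps divided by their mean; 0.1 means gaps vary by at most ~10%.
    """
    hits = sorted(
        (p for p in packets if p[2] == port and not looks_like_http(p[3])),
        key=lambda p: p[0],
    )
    if len(hits) < 3:
        return {"suspicious": False, "reason": "too few non-HTTP connections"}

    payloads = Counter(p[3] for p in hits)
    sources = {p[1] for p in hits}
    gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else float("inf")

    single_payload = len(payloads) == 1
    regular = jitter <= max_jitter_ratio
    return {
        # Regular timing plus one fixed payload points at a single sender,
        # regardless of how many source addresses appear.
        "suspicious": single_payload and regular,
        "payload": next(iter(payloads)) if single_payload else None,
        "count": len(hits),
        "distinct_sources": len(sources),
        "rotating_sources": len(sources) == len(hits),
        "mean_interval_s": round(avg, 1),
        "interval_jitter": round(jitter, 3),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PACKETS).items():
        print(f"{key:17} {value!r}")
```

Run against the constructed sample, the report shows six connections, six distinct sources, a mean gap of about a minute with negligible jitter, and the single payload b"rctcpo", which is the combination that argues for one machine behind spoofed addresses rather than many real clients. The benign GET is filtered out by `looks_like_http`, so it neither inflates the count nor breaks the single-payload test.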

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

