Full Disclosure mailing list archives
Reverse http traffic revisited
From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: 18 Jan 2004 01:12:17 -0800
Hello guys,

On my last foray on this subject, I had no specifics to back up what I had witnessed - this time I offer the following.

Originally, on a client's LAN, I had spotted multiple inbound packets ORIGINATING from port 80 and arriving on ports in the temporary range of 1024-5000. Steve S. sent the following email which could have explained this phenomenon as coming from Akamai:

------
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html

Without seeing more complete information such as the protocol or flags it's impossible to tell for sure.

Steve
------

Since the destination ports in that traffic were in the 3000 range, I believe this could have explained the previous traffic. However...

We now have a log from another network that shows a similar bit of reverse http traffic, except that:

1) no HTTP outbound browsing was active at the time of the incoming port 80 traffic (Al's Messenger was active on one Linux workstation, hence the Squid log - 207.46.110.21 belongs to Hotmail)
2) after a WHOIS and traceroute, the IP address that the traffic came from does not appear to belong to Akamai
3) the destination port is far outside of the temporary port range associated with the previous, or normal, traffic

The 2nd line in the 'firewall log' below is the culprit.

All logs below are complete for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy with all patches installed, which is the only connection for this LAN to the Internet. All browsers and media players use the Squid proxy. All internal IPs, the gateway and DNSs are hard-coded on all workstations (no DHCP server running.)

I have 'Googled' for "reverse http traffic" and have found nothing but messages from my previous post of the same title.

I'm back in "Eh?" mode...

--
Cheers,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


FIREWALL LOG:

    Time      Chain  Iface  Proto  Source         Src Port  Destination   Dst Port
    23:49:31  INPUT  eth2   TCP    4.62.83.225    1156      4.62.xxx.xxx  135
--> 23:52:02  INPUT  eth2   TCP    211.152.51.13  80(HTTP)  4.62.xxx.xxx  24875
    23:53:46  INPUT  eth2   TCP    4.65.99.99     3212      4.62.xxx.xxx  135


SNORT LOG:

Date: 01/17 23:50:57
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP info: 4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found
SID: 483

Date: 01/17 23:52:56
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP info: 4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found
SID: 483

Date: 01/17 23:53:44
Name: ICMP PING CyberKit 2.2 Windows
Priority: 3
Type: Misc activity
IP info: 4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found
SID: 483


SQUID LOG:

Time      Source IP      Website
23:51:01  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:07  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:13  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:18  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:24  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:29  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:34  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:39  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:44  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:49  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:55  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:00  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:05  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:10  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:15  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:20  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:25  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:31  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:36  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:41  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:46  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:51  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:56  {internal IP}  http://207.46.110.21/gateway/gateway.dll?


According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs to Beijing Lexun network corp. along with the rest of the 211.152.51.0 - 211.152.52.255 range, which appears to be connected to www.21vianet.com (English version of the site is "under construction".)


TRACEROUTE:

traceroute to 211.152.51.13 (211.152.51.13), 30 hops max, 38 byte packets
 1  firewall ({internal IP})  1.006 ms  0.602 ms  0.373 ms
 2  lsanca1-ar1-4-62-120-001.lsanca1.dsl-verizon.net (4.62.120.1)  29.561 ms  34.884 ms  29.388 ms
 3  a4-0-3.lsanca1-cr7.bbnplanet.net (4.24.62.125)  45.075 ms  31.631 ms  29.191 ms
 4  p7-0.lsanca1-cr8.bbnplanet.net (4.24.7.126)  29.752 ms  29.626 ms  35.091 ms
 5  p6-0.lsanca2-br2.bbnplanet.net (4.24.5.53)  37.785 ms  33.590 ms  29.919 ms
 6  unknown.Level3.net (64.159.4.37)  29.655 ms  38.449 ms  29.567 ms
 7  unknown.Level3.net (209.247.9.218)  33.526 ms  30.053 ms  29.528 ms
 8  so-0-0-0.gar1.LosAngeles1.Level3.net (209.247.9.221)  30.859 ms  37.223 ms  31.752 ms
 9  uunet-level3-oc48.LosAngeles1.Level3.net (209.0.227.38)  38.468 ms  30.499 ms  30.655 ms
10  0.so-1-0-0.XL2.LAX7.ALTER.NET (152.63.112.154)  30.761 ms  30.394 ms  31.320 ms
11  0.so-6-0-0.CL2.LAX1.ALTER.NET (152.63.57.81)  38.566 ms  30.952 ms  33.952 ms
12  0.so-3-0-0.IG3.LAX1.ALTER.NET (152.63.57.97)  37.962 ms  31.835 ms  30.239 ms
13  chinatelecom-gw.customer.alter.net (157.130.246.58)  30.267 ms  30.933 ms  30.141 ms
14  202.97.49.66 (202.97.49.66)  406.935 ms  404.050 ms  400.418 ms
15  202.97.51.5 (202.97.51.5)  535.710 ms  532.183 ms  531.275 ms
16  202.97.33.89 (202.97.33.89)  531.137 ms  533.724 ms  530.926 ms
17  202.101.63.253 (202.101.63.253)  541.153 ms  538.483 ms  541.257 ms
18  61.152.83.2 (61.152.83.2)  539.541 ms  534.397 ms  533.571 ms
19  61.152.83.38 (61.152.83.38)  552.751 ms  554.188 ms  547.813 ms
20  61.152.83.65 (61.152.83.65)  540.952 ms  543.161 ms  544.014 ms
21  211.152.63.57 (211.152.63.57)  541.551 ms  533.582 ms  544.318 ms
22  211.152.63.62 (211.152.63.62)  535.206 ms  555.112 ms  542.406 ms
23  * * *
24  * * *
25  * * *
26  * (Ctrl-C at this point)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
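An added example, not part of Dan's post: a small Python check that turns his reasoning into a rule. Because every browser on this LAN goes out through Squid, an inbound TCP packet from source port 80 is only a legitimate reply if the Squid log shows a request to that host shortly before; the sample lines are copied from the logs above (external IP masked as in the original), and the 30-second correlation window is an assumption.

```python
"""Flag inbound TCP packets from source port 80 that match no request in the
proxy log. Sample lines copied from the post; the 30 s window is an assumption."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

FIREWALL_LOG = """\
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
"""
SQUID_LOG = """\
23:51:55 {internal IP} http://207.46.110.21/gateway/gateway.dll?
23:52:00 {internal IP} http://207.46.110.21/gateway/gateway.dll?
"""
EPHEMERAL = range(1024, 5001)  # client port range the post expects replies on

def _t(hms):
    return datetime.strptime(hms, "%H:%M:%S")

def parse_firewall(text):
    """IPCop columns: Time Chain Iface Proto Source SrcPort Dest DstPort."""
    rows = []
    for line in text.splitlines():
        t, chain, _iface, proto, src, sport, dst, dport = line.split()
        rows.append(dict(time=_t(t), chain=chain, proto=proto, src=src,
                         sport=int(re.match(r"\d+", sport).group()),  # "80(HTTP)" -> 80
                         dst=dst, dport=int(dport)))
    return rows

def parse_squid(text):
    """Squid lines: time, client (masked here, so it may contain spaces), URL."""
    return [(_t(f[0]), urlparse(f[-1]).hostname)
            for f in (line.split() for line in text.splitlines())]

def unsolicited_http_replies(fw_text, squid_text, window=timedelta(seconds=30)):
    """Return INPUT/TCP packets from port 80 with no proxy request to that host."""
    requests = parse_squid(squid_text)
    flagged = []
    for pkt in parse_firewall(fw_text):
        if (pkt["chain"], pkt["proto"], pkt["sport"]) != ("INPUT", "TCP", 80):
            continue
        if any(host == pkt["src"] and pkt["time"] - window <= when <= pkt["time"]
               for when, host in requests):
            continue  # a reply the proxy actually asked for
        reasons = ["no proxy request to %s within %ds" % (pkt["src"], window.seconds)]
        if pkt["dport"] not in EPHEMERAL:
            reasons.append("destination port %d outside 1024-5000" % pkt["dport"])
        flagged.append(dict(pkt, reasons=reasons))
    return flagged
```

Run against the three firewall lines it flags only the 211.152.51.13 packet, for both reasons Dan gives; the ICMP and port 135 noise is left to other rules.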