Security Incidents mailing list archives

Re: netpay.tv connections


From: Chris Ess <securityfocus () cae tokimi net>
Date: Mon, 5 Jan 2004 12:11:30 -0500 (EST)

On Sat, 3 Jan 2004, Dave wrote:

> For at least the past 36 hours I've been getting connections from netpay.
> I'm not sure if they are spoofed or not. The site doesn't appear to be
> online. Anyone else seeing this?
>
> here is a snip of tcpdump. I'm dropping the packets now though.
> 16:26:04.384446 netpay.tv.50971 > neuromancer.http: S
> 2510312004:2510312004(0) win 32120 <mss 1460,sackOK,timestamp 1054041
> 1342177280,nop,wscale 0> (DF)
>
> [snip]

I will guess that you're getting this off of the machine that hosts
'www.neuromancer.cx'.  According to my DNS, 'www.neuromancer.cx' resolves
to an IP on 66.0.0.0/8.

I had seen similar activity on other machines under 66.0.0.0/8 (the only
number these share with 'www.neuromancer.cx' is the initial 66).  The
source IP is 200.46.203.23, which has a reverse DNS of 'netpay.tv'.
('netpay.tv' itself resolves to 64.116.172.147.)

Normally, I'd think nothing of it except that machines with several IPs
under 66.0.0.0/8 all had connections from this IP in the SYN_RECV state on
all of the 66.0.0.0/8 IPs.  After restarting the web server on one of
these machines, these connections went away, presumably since there was no
longer anything listening on 80/tcp, only to be reestablished within the
next couple minutes after the webserver came back up.

I'm not sure what to make of this behavior.  Does anyone have any ideas?

This activity seems to have stopped between about 11pm EST on 04 January
and 11am EST, 05 January.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
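The thread's observation is that one remote address holds half-open (SYN_RECV) sockets to port 80 on every local IP of a host, and that the same address shows up as the source of repeated SYNs in tcpdump. The script below is an added example written for this archive page, not code posted by either correspondent; it parses constructed sample lines in the classic `netstat -tn` column layout and in the tcpdump format quoted above (the tcpdump lines are joined onto one line each, and the hostnames, local addresses and benign peers are made up), then flags any source that holds SYN_RECV sockets against several local IPs on the same port and counts pure SYNs per source while ignoring SYN-ACKs. The `min_local_ips` threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in `netstat -tn` layout; the suspicious source is the
# address named in the thread, the local and benign addresses are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           200.46.203.23:50971     SYN_RECV
tcp        0      0 192.0.2.11:80           200.46.203.23:50972     SYN_RECV
tcp        0      0 192.0.2.12:80           200.46.203.23:50973     SYN_RECV
tcp        0      0 192.0.2.13:80           200.46.203.23:50974     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41022      ESTABLISHED
tcp        0      0 192.0.2.11:80           198.51.100.9:41100      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:55000       ESTABLISHED
"""

# Constructed sample in classic tcpdump TCP output (one record per line);
# the last line is a SYN-ACK from the server and must not be counted as a SYN.
SAMPLE_TCPDUMP = """\
16:26:04.384446 netpay.tv.50971 > neuromancer.http: S 2510312004:2510312004(0) win 32120 <mss 1460,sackOK,timestamp 1054041 1342177280,nop,wscale 0> (DF)
16:26:07.102311 netpay.tv.50972 > neuromancer.http: S 2510399112:2510399112(0) win 32120 <mss 1460,sackOK> (DF)
16:26:09.551020 client.example.net.41022 > neuromancer.http: S 91233:91233(0) win 5840 <mss 1460> (DF)
16:26:09.551900 neuromancer.http > client.example.net.41022: S 77:77(0) ack 91234 win 5792 <mss 1460>
"""

# tcp <recv-q> <send-q> <local ip>:<port> <remote ip>:<port> <state>
NETSTAT_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$"
)

# <time> <src>.<sport> > <dst>.<dport>: S <seq>:<seq>(<len>) ... ; the
# negative lookahead drops SYN-ACKs, which carry " ack <n>" right after "(0)".
TCPDUMP_SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\S+) > "
    r"(?P<dst>\S+)\.(?P<dport>\S+): S \d+:\d+\(\d+\)(?! ack)"
)


def parse_netstat(text):
    """Return one dict per TCP socket line; header and non-tcp lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local_ip, local_port, remote_ip, remote_port, state = m.groups()
        rows.append({
            "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": int(remote_port),
            "state": state,
        })
    return rows


def half_open_by_source(rows, port=80):
    """Map each remote IP to the set of local IPs it holds SYN_RECV sockets to on `port`."""
    by_source = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_RECV" and r["local_port"] == port:
            by_source[r["remote_ip"]].add(r["local_ip"])
    return by_source


def flag_sources(rows, port=80, min_local_ips=3):
    """Remote IPs with half-open sockets against at least `min_local_ips` local IPs.

    A single SYN_RECV is normal (a peer whose ACK is late); one source fanned
    out across many local addresses on one service is what the thread describes.
    """
    fanout = half_open_by_source(rows, port)
    return sorted(ip for ip, locals_ in fanout.items() if len(locals_) >= min_local_ips)


def syns_per_source(capture):
    """Count pure SYN segments per source host in tcpdump text, excluding SYN-ACKs."""
    counts = defaultdict(int)
    for line in capture.splitlines():
        m = TCPDUMP_SYN_RE.match(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for ip, locals_ in sorted(half_open_by_source(rows).items()):
        print(f"{ip}: SYN_RECV on {len(locals_)} local IP(s): {sorted(locals_)}")
    print("flagged:", flag_sources(rows))
    print("SYNs per source:", syns_per_source(SAMPLE_TCPDUMP))
```

On a live host the same functions can be fed the output of `netstat -tn` (or of `ss -tan`, once its column layout is mapped to the same regex) and of a `tcpdump` run, so a recurring fan-out like the one in the thread shows up as a single flagged address rather than having to be noticed by eye across several machines.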
