Security Incidents mailing list archives
RE: port 6801 and Netzero
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 18 Feb 2005 20:42:01 -0500
Your log shows what looks like normal NetZero or Juno traffic going to a normal United Online server. Probably the search application, based on the UOL server name and identifiers in your capture.

Relevant registry entries on a United Online client:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;<local>

This might be the program connecting to searchap:

hkey_current_user\software\microsoft\windows\currentversion\run|spc_w|c:\program files\nzsearch\hcm.exe -w

The IP addresses in ProxyOverride belong to United - your searchap server address 64.136.29.37 is in the same netblock.

Searchap.untd.com:6801 accepts only POST method, not GET. Consistent with being a server that takes phone home calls and delivers search results (or more likely ad pointers) in return.

As for why your host is also probing non-UOL hosts that are submitting port 6801 reports to DShield, that remains to be explained. Can you see what ports are open on the host you logged, and what programs have those ports open? Can you capture PSH packets from that host to or from any non-UOL host on TCP 6801? Can you monitor 7000 and 7900 and any other non-standard ports on your suspect host? Are there any unusual hosts in the ProxyOverride key?

The NetZero client runs a local proxy server on TCP 7900, and the client bypasses the proxy for certain sites - such as UOL's. It also opens some sort of service port on ??P 7000 based on google info. Dshield shows a recent spike in probes for 7000, and a very slight increase in 7900 probes. Maybe there is some Juno or NetZero exploitation going on. 7000 is used by many other things, so it might not be related.

Is your organization a Dshield submitter? Maybe some misconfiguration is causing your network to report itself as a prober. Captures of your suspect host's traffic to non-United servers (or proof that there isn't any) would probably tell the true story pretty clearly.
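The triage James describes (separate the expected POST traffic to the UOL netblock on 6801 from outbound 6801 traffic to non-UOL hosts and from inbound probes of the client's 7000/7900 ports) can be scripted over a connection log. This is an added example, not code from the post or from United Online; the UOL addresses come from the ProxyOverride key and the searchap server above, the /24 netblocks, the local subnet and the log line format are assumptions, and the sample log is constructed.

```python
import ipaddress

# Addresses taken from the post: the ProxyOverride entries and the searchap server.
UOL_HOSTS = {"64.136.29.30", "64.136.21.30", "64.136.29.34", "64.136.29.37"}
# ASSUMPTION: the surrounding /24s stand in for "the same netblock"; confirm the
# real prefix with WHOIS before treating this allowlist as authoritative.
UOL_NETS = [ipaddress.ip_network(n) for n in ("64.136.29.0/24", "64.136.21.0/24")]
WATCH_PORTS = {6801, 7000, 7900}  # searchap, service port, local proxy

def is_uol(ip):
    return ip in UOL_HOSTS or any(ipaddress.ip_address(ip) in n for n in UOL_NETS)

def parse_line(line):
    """Constructed line format: '<ts> <src> <dst> <dport> <method-or-SYN>'."""
    ts, src, dst, dport, method = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "method": method.upper()}

def classify(flow, local_net):
    """Label one flow on the three ports the thread cares about."""
    if flow["dport"] not in WATCH_PORTS:
        return "ignore"
    src_local = ipaddress.ip_address(flow["src"]) in local_net
    if flow["dport"] == 6801 and src_local:
        if not is_uol(flow["dst"]):
            return "outbound-6801-non-uol"   # the case DShield submitters would report
        return "expected-uol" if flow["method"] == "POST" else "odd-method-to-uol"
    if flow["dport"] in (7000, 7900) and not src_local:
        return "inbound-probe-client-port"   # someone poking the local proxy/service
    return "other"

def triage(lines, local_net="192.168.1.0/24"):
    """Bucket log lines by label so the suspect host's non-UOL traffic stands out."""
    net = ipaddress.ip_network(local_net)
    buckets = {}
    for line in lines:
        if line.strip():
            flow = parse_line(line)
            buckets.setdefault(classify(flow, net), []).append(flow)
    return buckets

# Constructed sample capture (RFC 5737 addresses for the non-UOL hosts), not from the post.
SAMPLE_LOG = """\
2005-02-18T20:01:02 192.168.1.25 64.136.29.37 6801 POST
2005-02-18T20:01:05 192.168.1.25 64.136.29.37 6801 GET
2005-02-18T20:02:10 192.168.1.25 203.0.113.9 6801 SYN
2005-02-18T20:03:00 198.51.100.7 192.168.1.25 7900 SYN
2005-02-18T20:03:30 192.168.1.25 192.168.1.40 80 GET
""".splitlines()
```

Anything landing in the outbound-6801-non-uol bucket is the traffic to capture with PSH packets and trace back to a listening program on the suspect host.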