Security Incidents mailing list archives

RE: port 6801 and Netzero


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 18 Feb 2005 20:42:01 -0500

Your log shows what looks like normal NetZero or Juno traffic going to a
normal United Online server. Probably the search application, based on the
UOL server name and identifiers in your capture. 

Relevant registry entries on a United Online client:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;<local>

This might be the program connecting to searchap:
hkey_current_user\software\microsoft\windows\currentversion\
run|spc_w|c:\program files\nzsearch\hcm.exe -w

The IP addresses in ProxyOverride belong to United - your searchap server
address 64.136.29.37 is in the same netblock.

Searchap.untd.com:6801 accepts only the POST method, not GET. Consistent with
being a server that takes phone-home calls and delivers search results (or
more likely ad pointers) in return.

As for why your host is also probing non-UOL hosts that are submitting port
6801 reports to DShield, that remains to be explained. Can you see what
ports are open on the host you logged, and what programs have those ports
open? Can you capture PSH packets from that host to or from any non-UOL host
on TCP 6801? Can you monitor 7000 and 7900 and any other non-standard ports
on your suspect host? Are there any unusual hosts in the ProxyOverride key?

The NetZero client runs a local proxy server on TCP 7900, and the client
bypasses the proxy for certain sites - such as UOL's. It also opens some
sort of service port on ??P 7000 based on google info. 

DShield shows a recent spike in probes for 7000, and a very slight increase
in 7900 probes. Maybe there is some Juno or NetZero exploitation going on.
7000 is used by many other things, so it might not be related.

Is your organization a DShield submitter? Maybe some misconfiguration is
causing your network to report itself as a prober.

Captures of your suspect host's traffic to non-United servers (or proof
that there isn't any) would probably tell the true story pretty clearly.
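
An added triage example for the checks the reply above asks for; it is not part of the original post and not United Online's code. It answers two questions offline: which ProxyOverride entries are not known United Online hosts, and which connections on TCP 6801, 7000 or 7900 go to non-UOL addresses, with the owning PID. Input is a constructed ProxyOverride value (the one quoted above plus two made-up entries) and constructed `netstat -ano` output. The 64.136.0.0/16 netblock and the netzero.net/juno.com name suffixes are assumptions (the post only says the IPs are in "the same netblock"; confirm with whois), and the PIDs and non-UOL addresses are invented TEST-NET values.

```python
"""Triage ProxyOverride entries and netstat -ano rows for non-UOL activity on the suspect ports."""
import ipaddress

# ASSUMPTION: United Online address space treated as 64.136.0.0/16; verify with whois.
UOL_NETBLOCKS = [ipaddress.ip_network("64.136.0.0/16")]
# untd.com comes from the post (searchap.untd.com); netzero.net and juno.com are assumptions.
UOL_NAME_SUFFIXES = ("untd.com", "netzero.net", "juno.com")
# Entries that are normal in any Windows ProxyOverride value.
BENIGN_OVERRIDES = {"127.0.0.1", "localhost", "<local>"}
BENIGN_WILDCARD_SUFFIXES = ("windowsupdate.microsoft.com", "windowsupdate.com", "wustat.windows.com")
# Ports named in the thread: searchap (6801), local proxy (7900), service port (7000).
SUSPECT_PORTS = {6801, 7000, 7900}

# Constructed input: the ProxyOverride from the post plus two made-up entries.
SAMPLE_PROXY_OVERRIDE = (
    "64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;"
    "*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;<local>;"
    "evil.example.net;198.51.100.7"
)
# Constructed `netstat -ano` output; PIDs and the 203.0.113.x / 198.51.100.x peers are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7900           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.10:3412      64.136.29.37:6801      ESTABLISHED     1880
  TCP    192.168.1.10:3415      203.0.113.45:6801      SYN_SENT        1880
  TCP    192.168.1.10:3420      198.51.100.7:7000      ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    704
"""


def is_uol_ip(ip_text):
    """True if ip_text is an address inside an assumed UOL netblock."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in UOL_NETBLOCKS)


def _matches_suffix(host, suffixes):
    bare = host.lstrip("*.").lower()
    return any(bare == s or bare.endswith("." + s) for s in suffixes)


def classify_override(entry):
    """Return 'benign', 'uol' or 'unknown' for one ProxyOverride entry."""
    e = entry.strip()
    if not e or e.lower() in BENIGN_OVERRIDES or _matches_suffix(e, BENIGN_WILDCARD_SUFFIXES):
        return "benign"
    if is_uol_ip(e) or _matches_suffix(e, UOL_NAME_SUFFIXES):
        return "uol"
    return "unknown"


def unusual_overrides(proxy_override):
    """Entries that are neither standard Windows entries nor known UOL hosts/addresses."""
    return [e.strip() for e in proxy_override.split(";") if classify_override(e) == "unknown"]


def _split_endpoint(text):
    host, _, port = text.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse Windows `netstat -ano` rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and title lines
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport, "state": state, "pid": int(parts[-1])})
    return rows


def suspect_listeners(rows):
    """Map of suspect local TCP ports in LISTENING state to the PID holding them."""
    return {r["local_port"]: r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["local_port"] in SUSPECT_PORTS}


def non_uol_connections(rows):
    """Outbound rows on a suspect port whose peer is outside the assumed UOL netblock."""
    return [(r["remote_host"], r["remote_port"], r["state"], r["pid"]) for r in rows
            if r["remote_port"] in SUSPECT_PORTS and r["state"] != "LISTENING"
            and not is_uol_ip(r["remote_host"])]


if __name__ == "__main__":
    print("unusual ProxyOverride entries:", unusual_overrides(SAMPLE_PROXY_OVERRIDE))
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("suspect listeners (port -> PID):", suspect_listeners(rows))
    for host, port, state, pid in non_uol_connections(rows):
        print(f"non-UOL peer {host}:{port} state={state} pid={pid}")
```

On a real host, replace the two constructed strings with the registry value (`reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride`) and live `netstat -ano` output; the PIDs map to process names via `tasklist`. A non-UOL peer on 6801 with the same PID as the searchap connection is the case the reply wants captured.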


