Snort mailing list archives
Off Topic / Odd TCP 8443 Traffic
From: Jim Forster <jforster () rapidnet com>
Date: Fri, 29 Aug 2003 13:59:58 -0600
If my original message comes through at a later date, my apologies - I sent it from a different server and it appears the listserver didn't like it, so I'm resending from a different location.

-----------

Is anyone else seeing odd traffic to TCP 8443 on their networks?

My home system is on a different company's network than the one I work for. I'm not seeing it on any of the Snort boxes at work (9 of them), but my home machine (single IP) logged 1229 of these overnight.

I connected to the IPs to see if they were rogue systems with NetCat waiting to send me a file, or what exactly they were. Oddly enough, they're valid SMTP servers...

I finally kicked up THP on a box at home and let Snort pick out the data to see exactly what these were. Here are the results. Only 11 different systems hitting me at this time.

Name:    dpe0502.sxpress.com
Address: 216.128.72.24

Name:    smtp1.google.com
Address: 216.239.33.25

Name:    data.ebay.com
Address: 66.135.195.180

Around 90% of these contain this payload only:

Payload: CONNECT 216.128.72.24:25 HTTP/1.0..user-agent: Mozilla/4.0....

These are also showing up:

Payload: CONNECT 216.239.33.25:25 HTTP/1.0....
Payload: CONNECT 66.135.195.180:25 HTTP/1.0....

------------------------------------------------------------------------------
Example Payloads-

#(7 - 2309) [2003-08-28 16:40:01] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=114 ID=23485 flags=0 offset=0 TTL=49 chksum=6708
TCP:  port=60313 -> dport: 8443 flags=***AP*** seq=198138734
      ack=3839923957 off=8 res=0 win=65535 urp=0 chksum=48013
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=0191FD8D000C01BF
Payload: CONNECT 216.128.72.24:25 HTTP/1.0..user-agent: Mozilla/4.0....

------------------------------------------------------------------------------
Full trace of a connection-
------------------------------------------------------------------------------

#(7 - 2417) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=48 ID=23224 flags=0 offset=0 TTL=114 chksum=9457
TCP:  port=4025 -> dport: 8443 flags=******S* seq=851148915
      ack=0 off=7 res=0 win=8760 urp=0 chksum=62437
      Options:
       #1 - MSS len=4 data=05B4
       #2 - NOP len=0
       #3 - NOP len=0
       #4 - SACKOK len=0
Payload: none

------------------------------------------------------------------------------

#(7 - 2418) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=40 ID=23318 flags=0 offset=0 TTL=114 chksum=9371
TCP:  port=4025 -> dport: 8443 flags=***A**** seq=851148916
      ack=44147952 off=5 res=0 win=8760 urp=0 chksum=30984
Payload: none

------------------------------------------------------------------------------

#(7 - 2419) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=78 ID=23320 flags=0 offset=0 TTL=114 chksum=9331
TCP:  port=4025 -> dport: 8443 flags=***AP*** seq=851148916
      ack=44147952 off=5 res=0 win=8760 urp=0 chksum=25864
Payload: CONNECT 66.135.195.180:25 HTTP/1.0....

------------------------------------------------------------------------------

#(7 - 2420) [2003-08-28 18:31:16] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=40 ID=26870 flags=0 offset=0 TTL=114 chksum=5819
TCP:  port=4025 -> dport: 8443 flags=***A***F seq=851148954
      ack=44147952 off=5 res=0 win=8760 urp=0 chksum=30945
Payload: none

------------------------------------------------------------------------------

#(7 - 2421) [2003-08-28 18:31:16] 8443 Connection
IPv4: x.x.x.x -> My.Honeypot.IP.Address
      hlen=5 TOS=0 dlen=40 ID=26984 flags=0 offset=0 TTL=114 chksum=5705
TCP:  port=4025 -> dport: 8443 flags=***A**** seq=851148955
      ack=44147953 off=5 res=0 win=8760 urp=0 chksum=30944
Payload: none

------------------------------------------------------------------------------

Is anyone else seeing this traffic? I shot a note to incidents.org yesterday, but didn't get any replies. I did get one response about 8443 being an 'alternate' port for SSL, but this appears to be something a little different.

Thanks!

-Jim
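The payloads in the post are HTTP CONNECT requests asking whatever listens on 8443 to tunnel to port 25 of a third-party mail server, which is what an open-proxy scanner sends when it hunts for relays. As an added example (not part of the post, and not Snort or THP code), here is a small Python detector that parses such payloads out of constructed records modelled on the dumps above, rejects malformed request lines, and counts CONNECT-to-SMTP probes per source and per requested relay target; source addresses and the port set are assumptions.

```python
import re
from collections import Counter

# Constructed sample records modelled on the dumps in the post: (source, payload).
# The dots in the post's "Payload:" lines stand for non-printable bytes; they are
# rendered here as the CR LF pairs an HTTP request line actually carries.
SAMPLE_RECORDS = [
    ("198.51.100.7", "CONNECT 216.128.72.24:25 HTTP/1.0\r\nuser-agent: Mozilla/4.0\r\n\r\n"),
    ("198.51.100.7", "CONNECT 216.239.33.25:25 HTTP/1.0\r\n\r\n"),
    ("203.0.113.9", "CONNECT 66.135.195.180:25 HTTP/1.0\r\n\r\n"),
    ("203.0.113.9", "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", "GET / HTTP/1.0\r\n\r\n"),
    ("192.0.2.44", ""),  # bare SYN / ACK / FIN segments carry no payload
]

# Request line of an HTTP CONNECT: "CONNECT host:port HTTP/1.x" followed by a newline.
CONNECT_RE = re.compile(
    r"^CONNECT[ \t]+(?P<host>[^\s:/]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE,
)
MAIL_PORTS = {25, 465, 587}  # assumption: SMTP, SMTPS and submission


def parse_connect(payload):
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.match(payload)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:  # e.g. "CONNECT host:99999" is malformed, not a probe
        return None
    return m.group("host"), port


def classify(payload):
    """Label one segment's payload by what the client is asking the proxy to do."""
    target = parse_connect(payload)
    if target is None:
        return "no-connect"
    return "connect-smtp" if target[1] in MAIL_PORTS else "connect-other"


def summarize(records):
    """Count CONNECT-to-SMTP probes per source and per requested relay target."""
    by_source, by_target = Counter(), Counter()
    for src, payload in records:
        if classify(payload) == "connect-smtp":
            host, port = parse_connect(payload)
            by_source[src] += 1
            by_target[f"{host}:{port}"] += 1
    return {"by_source": dict(by_source), "by_target": dict(by_target)}


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

A host that answers these with anything other than a refusal is being tested as a mail relay, so the per-source counts are the numbers worth alerting on.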