Snort mailing list archives

Off Topic / Odd TCP 8443 Traffic


From: Jim Forster <jforster () rapidnet com>
Date: Fri, 29 Aug 2003 13:59:58 -0600

If my original message comes through at a later date, my apologies - I sent it from a different server and it appears 
the listserver didn't like it, so I'm resending from a different location.
-----------
Is anyone else seeing odd traffic to TCP 8443 on their networks?  My home system is on a different company's network 
than I work for. I'm not seeing it on any of the Snort boxes at work (9 of them) but my home machine (single IP) logged 
1229 of these overnight.   I connected to the IPs to see if they were rogue systems with NetCat waiting to send me a 
file, or what exactly they were.  Oddly enough, they're valid SMTP servers... I finally kicked up THP on a box at home 
and let Snort pick out the data to see exactly what these were.   Here are the results.

Only 11 different systems hitting me at this time.

Name:    dpe0502.sxpress.com
Address:  216.128.72.24

Name:    smtp1.google.com
Address:  216.239.33.25

Name:    data.ebay.com
Address:  66.135.195.180

Around 90% of these contain this payload only-
Payload: CONNECT 216.128.72.24:25 HTTP/1.0..user-agent: Mozilla/4.0....

These are also showing up-
Payload: CONNECT 216.239.33.25:25 HTTP/1.0....
Payload: CONNECT 66.135.195.180:25 HTTP/1.0....

------------------------------------------------------------------------------
Example Payloads-
#(7 - 2309) [2003-08-28 16:40:01] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=114 ID=23485 flags=0 offset=0 TTL=49 chksum=6708
TCP: port=60313 ->dport: 8443 flags=***AP*** seq=198138734
   ack=3839923957 off=8 res=0 win=65535 urp=0 chksum=48013
   Options:
   #1 - NOP len=0
   #2 - NOP len=0
   #3 - TS len=10 data=0191FD8D000C01BF
Payload: CONNECT 216.128.72.24:25 HTTP/1.0..user-agent: Mozilla/4.0....
------------------------------------------------------------------------------


------------------------------------------------------------------------------
Full trace of a connection-
------------------------------------------------------------------------------
#(7 - 2417) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=48 ID=23224 flags=0 offset=0 TTL=114 chksum=9457
TCP: port=4025 ->dport: 8443 flags=******S* seq=851148915
   ack=0 off=7 res=0 win=8760 urp=0 chksum=62437
   Options:
   #1 - MSS len=4 data=05B4
   #2 - NOP len=0
   #3 - NOP len=0
   #4 - SACKOK len=0
Payload: none
------------------------------------------------------------------------------
#(7 - 2418) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=40 ID=23318 flags=0 offset=0 TTL=114 chksum=9371
TCP: port=4025 ->dport: 8443 flags=***A**** seq=851148916
   ack=44147952 off=5 res=0 win=8760 urp=0 chksum=30984
Payload: none
------------------------------------------------------------------------------
#(7 - 2419) [2003-08-28 18:30:45] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=78 ID=23320 flags=0 offset=0 TTL=114 chksum=9331
TCP: port=4025 ->dport: 8443 flags=***AP*** seq=851148916
   ack=44147952 off=5 res=0 win=8760 urp=0 chksum=25864
Payload: CONNECT 66.135.195.180:25 HTTP/1.0....
------------------------------------------------------------------------------
#(7 - 2420) [2003-08-28 18:31:16] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=40 ID=26870 flags=0 offset=0 TTL=114 chksum=5819
TCP: port=4025 ->dport: 8443 flags=***A***F seq=851148954
   ack=44147952 off=5 res=0 win=8760 urp=0 chksum=30945
Payload: none
------------------------------------------------------------------------------
#(7 - 2421) [2003-08-28 18:31:16] 8443 Connection
IPv4: x.x.x.x ->My.Honeypot.IP.Address
   hlen=5 TOS=0 dlen=40 ID=26984 flags=0 offset=0 TTL=114 chksum=5705
TCP: port=4025 ->dport: 8443 flags=***A**** seq=851148955
   ack=44147953 off=5 res=0 win=8760 urp=0 chksum=30944
Payload: none
------------------------------------------------------------------------------

Is anyone else seeing this traffic?  I shot a note to incidents.org yesterday, but didn't get any replies.  I did get 
one response about 8443 being an 'alternate' port for SSL, but this appears to be something a little different.

Thanks!

-Jim
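Editor's note on the captures above: an HTTP CONNECT request aimed at port 25 is the classic signature of an open-proxy scan. The sender is testing whether whatever answers on 8443 is an HTTP proxy that will tunnel onward to a mail server; that is why the "targets" in the CONNECT line are real SMTP servers rather than rogue hosts. The script below is an added example, not code from the original post or from the Snort project. It reconstructs the logged payloads (the ".." and "...." the logger printed are taken to be CRLF pairs), parses the CONNECT request line and headers, classifies each payload, and renders a Snort 2 rule for the pattern. The sample payloads are constructed from the ones shown in the post; the rule's sid is a placeholder you would replace with one from your local range.

```python
"""Classify HTTP CONNECT proxy probes of the kind logged on TCP/8443.

Added example (not from the original post). Assumes the logger's ".." / "...."
stand for CRLF sequences, and treats CONNECT to a mail port as a relay probe.
"""
import re
from collections import Counter

# Constructed samples modelled on the payloads in the post, CRLFs reinserted.
SAMPLE_PAYLOADS = [
    b"CONNECT 216.128.72.24:25 HTTP/1.0\r\nuser-agent: Mozilla/4.0\r\n\r\n",
    b"CONNECT 216.239.33.25:25 HTTP/1.0\r\n\r\n",
    b"CONNECT 66.135.195.180:25 HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",    # ordinary request, not a proxy probe
    b"\x16\x03\x01\x00\x2f",      # start of a TLS ClientHello, what 8443 usually carries
]

# Request line: CONNECT host:port HTTP/1.x, terminated by LF or CRLF.
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/(?P<ver>1\.[01])\r?\n"
)

# Ports a spammer would want relayed through an open proxy.
RELAY_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}


def parse_connect(payload: bytes):
    """Return {'host', 'port', 'version', 'headers'} for a CONNECT request, else None."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    headers = {}
    # Header block follows the request line and ends at the first blank line.
    for line in payload[m.end():].split(b"\n"):
        line = line.strip(b"\r")
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    return {
        "host": m["host"].decode("ascii"),
        "port": int(m["port"]),
        "version": m["ver"].decode("ascii"),
        "headers": headers,
    }


def classify(payload: bytes) -> str:
    """One of 'smtp-relay-probe', 'connect-other', 'tls' or 'other'."""
    req = parse_connect(payload)
    if req is not None:
        return "smtp-relay-probe" if req["port"] in RELAY_PORTS else "connect-other"
    # TLS record header: content type 0x16 (handshake), version 3.0 .. 3.3.
    if payload[:1] == b"\x16" and payload[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    return "other"


def summarize(payloads):
    """Counts per class and the sorted set of (host, port) relay targets requested."""
    counts = Counter(classify(p) for p in payloads)
    targets = set()
    for p in payloads:
        req = parse_connect(p)
        if req is not None:
            targets.add((req["host"], req["port"]))
    return counts, sorted(targets)


def snort_rule(sid: int = 1000001) -> str:
    """Snort 2 rule for a CONNECT to port 25 arriving on 8443 (sid is a placeholder)."""
    return (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 8443 '
        '(msg:"HTTP CONNECT to SMTP port on 8443, open-proxy probe"; '
        'flow:to_server,established; content:"CONNECT "; depth:8; '
        'pcre:"/^CONNECT\\s+[^\\s:]+:25\\s+HTTP\\//"; '
        f'classtype:misc-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    counts, targets = summarize(SAMPLE_PAYLOADS)
    print(dict(counts))
    print(targets)
    print(snort_rule())
```

Run against the constructed samples, all three CONNECT payloads come out as smtp-relay-probe and the plain GET and the TLS record do not, which is the distinction you want before turning the rule loose on a sensor: legitimate 8443 traffic is a TLS handshake and never begins with the ASCII text "CONNECT".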
