Hello guys,
On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.
Originally, on a client's LAN, I had spotted multiple instances of inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.
Steve S. sent the following email, which could have explained this phenomenon as coming
from Akamai:
--
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html
Without seeing more complete information such as the protocol or flags
it's impossible to tell for sure.
Steve
--
Since the destination ports in that traffic were in the 3000 range, I believe this
could have explained the previous traffic.
However...
We now have a log from another network that shows a similar bit of reverse http
traffic, except that:
1) no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log -
207.46.110.21 belongs to Hotmail)
2) after a WHOIS and traceroute, the IP address that the traffic came from does not
appear to belong to Akamai
3) the destination port is far outside of the temporary port range associated with
the previous, or normal traffic
The 2nd line in the 'firewall log' below is the culprit. All logs below are complete
for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy
with all patches installed, which is the only connection for this LAN to the
Internet. All browsers and media players use the Squid proxy. All internal IPs, the
gateway and DNSs are hard-coded on all workstations (no DHCP server running).
I have 'Googled' for "reverse http traffic" and have found nothing but messages from
my previous post of the same title.
I'm back in "Eh?" mode...
--
Cheers,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
FIREWALL LOG:
    Time      Chain  Iface  Proto  Source          Src Port   Destination    Dst Port
    23:49:31  INPUT  eth2   TCP    4.62.83.225     1156       4.62.xxx.xxx   135
--> 23:52:02  INPUT  eth2   TCP    211.152.51.13   80 (HTTP)  4.62.xxx.xxx   24875
    23:53:46  INPUT  eth2   TCP    4.65.99.99      3212       4.62.xxx.xxx   135
SNORT LOG:
Date: 01/17 23:50:57  Name: ICMP PING CyberKit 2.2 Windows
Priority: 3  Type: Misc activity
IP info: 4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID: 483

Date: 01/17 23:52:56  Name: ICMP PING CyberKit 2.2 Windows
Priority: 3  Type: Misc activity
IP info: 4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID: 483

Date: 01/17 23:53:44  Name: ICMP PING CyberKit 2.2 Windows
Priority: 3  Type: Misc activity
IP info: 4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID: 483
SQUID LOG:
Time      Source IP      Website
23:51:01  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:07  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:13  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:18  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:24  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:29  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:34  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:39  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:44  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:49  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:55  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:00  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:05  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:10  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:15  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:20  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:25  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:31  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:36  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:41  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:46  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:51  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:56  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs
to Beijing Lexun network corp. along with the rest of the 211.152.51.0 -
211.152.52.255 range which appears to be connected to www.21vianet.com (English
version of t