[Full-Disclosure] Reverse http traffic revisited

2004-01-18 Thread Daniel H. Renner
Hello guys,

On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.

Originally, on a client's LAN, I had spotted multiple inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.

Steve S. sent the following email, which could have explained this phenomenon as coming 
from Akamai:
--
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html

Without seeing more complete information such as the protocol or flags 
it's impossible to tell for sure.

Steve
--

Since the destination ports in that traffic were in the 3000 range, I believe this 
could have explained the previous traffic.

However...

We now have a log from another network that shows a similar bit of reverse http 
traffic, except that:
1)  no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log - 
207.46.110.21 belongs to Hotmail)
2)  after a WHOIS and traceroute, the IP address that the traffic came from does not 
appear to belong to Akamai
3)  the destination port is far outside of the temporary port range associated with 
the previous, or normal traffic

The 2nd line in the 'firewall log' below is the culprit.  All logs below are complete 
for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy 
with all patches installed, and which is the only connection for this LAN to the 
Internet.  All browsers and media players use the Squid proxy.  All internal IPs, the 
gateway and DNSs are hard-coded on all workstations (no DHCP server running.)

I have 'Googled' for "reverse http traffic" and have found nothing but messages from 
my previous post of the same title.

I'm back in "Eh?" mode...

-- 

Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


FIREWALL LOG:
    Time      Chain  Iface  Proto  Source         Src Port  Destination   Dst Port
    23:49:31  INPUT  eth2   TCP    4.62.83.225    1156      4.62.xxx.xxx  135
--> 23:52:02  INPUT  eth2   TCP    211.152.51.13  80(HTTP)  4.62.xxx.xxx  24875
    23:53:46  INPUT  eth2   TCP    4.65.99.99     3212      4.62.xxx.xxx  135


SNORT LOG:
Date: 01/17 23:50:57   Name: ICMP PING CyberKit 2.2 Windows
Priority: 3            Type: Misc activity
IP info: 4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found   SID: 483

Date: 01/17 23:52:56   Name: ICMP PING CyberKit 2.2 Windows
Priority: 3            Type: Misc activity
IP info: 4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found   SID: 483

Date: 01/17 23:53:44   Name: ICMP PING CyberKit 2.2 Windows
Priority: 3            Type: Misc activity
IP info: 4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found   SID: 483


SQUID LOG:
Time      Source IP      Website
23:51:01  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:07  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:13  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:18  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:24  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:29  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:34  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:39  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:44  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:49  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:55  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:00  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:05  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:10  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:15  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:20  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:25  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:31  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:36  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:41  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:46  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:51  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:56  {internal IP}  http://207.46.110.21/gateway/gateway.dll?


According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs 
to Beijing Lexun network corp. along with the rest of the 211.152.51.0 - 
211.152.52.255 range which appears to be connected to www.21vianet.com (English 
version of t

Re: [Full-Disclosure] Reverse http traffic revisited

2004-01-19 Thread George Adamopoulos
On 18 Jan 2004 01:12:17 -0800
"Daniel H. Renner" <[EMAIL PROTECTED]> wrote:

> ICMP PING CyberKit 2.2 Windows

This is how Snort detects Blaster's/Nachi's attempts to ping an IP in order to check 
if it's alive, before trying to connect to port 80. Could be another variation of the 
Blaster worm. I would check. (Also, Snort may detect CyberKit 2.2's packets as well, but 
I suppose that is something you would know of.) If the packets are incoming, it is a 
normal thing that I witness in Snort's logs very often as well. Actually, I have 
removed the rule from Snort's rulesets, because it used to fill my logs with CyberKit 
attempts :P. If it is outgoing traffic, I would suggest that you run Trend's 
HouseCall (free online antivirus) on the Windows servers/workstations of your network.

Also... gateway.dll is because of MSN chat. If you add a deny ACL for gateway.dll in 
your squid.conf, your workstations won't be able to use MSN chat any more.

Giorgos Adamopoulos
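The two checks the thread is circling, written out as an added example (this is not code from either poster or from IPCop/Snort/Squid): first, for each inbound packet with source port 80, look for a Squid request to that server shortly before it and check whether the destination port is in the 1024-5000 range Dan expected, so the 211.152.51.13 packet is flagged as unsolicited; second, pair each inbound TCP packet with a CyberKit-signature ICMP echo from the same source just before it, the ping-then-connect sequence Giorgos attributes to Blaster/Nachi, which in the posted logs fires for 4.65.99.99 (ping at 23:53:44, port 135 at 23:53:46). The sample log lines are constructed to mirror the three logs above with the same times, addresses and ports; the field layout, the single-day assumption, the 60 s and 30 s windows, the placeholder 10.0.0.5 for "{internal IP}" and the extra 23:51:02 firewall line (a made-up Hotmail reply, added so the "explained" case is exercised) are all assumptions, not from the post. As Steve noted, the log carries no TCP flags, so this can say a packet was unsolicited but not whether it was a SYN.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Snort dates its alerts 01/17; the firewall and Squid excerpts carry no date,
# so one fixed day is assumed for all three.
DAY = "2004-01-17"
EPHEMERAL = range(1024, 5001)          # the "temporary" range replies were expected on
PROXY_WINDOW = timedelta(seconds=60)   # assumed: reply must follow a proxy request this closely
PING_WINDOW = timedelta(seconds=30)    # assumed: ping -> connect gap treated as one probe

# Constructed sample lines mirroring the thread's logs (masked "4.62.xxx.xxx"
# kept verbatim; 10.0.0.5 stands in for "{internal IP}"). The 23:51:02
# firewall line is NOT from the post: it is a made-up reply from the Hotmail
# server so that the "explained by an outbound session" case is exercised.
FIREWALL_LOG = """
23:49:31 INPUT eth2 TCP 4.62.83.225 1156 4.62.xxx.xxx 135
23:51:02 INPUT eth2 TCP 207.46.110.21 80(HTTP) 4.62.xxx.xxx 3217
23:52:02 INPUT eth2 TCP 211.152.51.13 80(HTTP) 4.62.xxx.xxx 24875
23:53:46 INPUT eth2 TCP 4.65.99.99 3212 4.62.xxx.xxx 135
"""
SNORT_LOG = """
01/17 23:50:57  4.65.252.212 -> 4.62.xxx.xxx  ICMP PING CyberKit 2.2 Windows
01/17 23:52:56  4.64.84.115 -> 4.62.xxx.xxx  ICMP PING CyberKit 2.2 Windows
01/17 23:53:44  4.65.99.99 -> 4.62.xxx.xxx  ICMP PING CyberKit 2.2 Windows
"""
SQUID_LOG = """
23:51:01 10.0.0.5 http://207.46.110.21/gateway/gateway.dll?
23:52:00 10.0.0.5 http://207.46.110.21/gateway/gateway.dll?
23:52:56 10.0.0.5 http://207.46.110.21/gateway/gateway.dll?
"""


def _ts(hms):
    return datetime.strptime(f"{DAY} {hms}", "%Y-%m-%d %H:%M:%S")


def _port(field):
    # the firewall log prints well-known ports as "80(HTTP)"; keep the number only
    return int(field.split("(")[0])


def parse_firewall(text):
    rows = []
    for line in text.strip().splitlines():
        t, chain, iface, proto, src, sport, dst, dport = line.split()
        rows.append({"time": _ts(t), "chain": chain, "iface": iface, "proto": proto,
                     "src": src, "sport": _port(sport), "dst": dst, "dport": _port(dport)})
    return rows


SNORT_RE = re.compile(r"^(\d\d/\d\d) (\d\d:\d\d:\d\d)\s+(\S+) -> (\S+)\s+(.*)$")


def parse_snort(text):
    alerts = []
    for line in text.strip().splitlines():
        m = SNORT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed snort line: {line!r}")
        _, hms, src, dst, name = m.groups()
        alerts.append({"time": _ts(hms), "src": src, "dst": dst, "name": name})
    return alerts


def parse_squid(text):
    reqs = []
    for line in text.strip().splitlines():
        t, client, url = line.split()
        reqs.append({"time": _ts(t), "client": client, "server": urlsplit(url).hostname})
    return reqs


def classify_inbound_http(fw_rows, squid_reqs):
    """For each inbound packet whose SOURCE port is 80, look for a proxy request
    to that server within PROXY_WINDOW before it and check the destination port.
    Returns {server: [reasons]}; an empty list means an outbound session explains it.
    The log has no TCP flags, so SYN vs. ACK cannot be told apart here."""
    findings = {}
    for r in fw_rows:
        if r["chain"] != "INPUT" or r["proto"] != "TCP" or r["sport"] != 80:
            continue
        solicited = any(q["server"] == r["src"]
                        and r["time"] - PROXY_WINDOW <= q["time"] <= r["time"]
                        for q in squid_reqs)
        reasons = []
        if not solicited:
            reasons.append("no proxy request to this server in window")
        if r["dport"] not in EPHEMERAL:
            reasons.append(f"dst port {r['dport']} outside "
                           f"{EPHEMERAL.start}-{EPHEMERAL.stop - 1}")
        findings[r["src"]] = reasons
    return findings


def ping_then_connect(fw_rows, alerts, name="ICMP PING CyberKit 2.2 Windows"):
    """Pair each inbound TCP packet with a matching ICMP echo alert from the same
    source within PING_WINDOW before it. Returns {source: destination port}."""
    pings = [a for a in alerts if a["name"] == name]
    hits = {}
    for r in fw_rows:
        if r["proto"] != "TCP":
            continue
        if any(p["src"] == r["src"] and r["time"] - PING_WINDOW <= p["time"] <= r["time"]
               for p in pings):
            hits[r["src"]] = r["dport"]
    return hits


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    for src, reasons in classify_inbound_http(fw, parse_squid(SQUID_LOG)).items():
        print(src, "explained by proxy session" if not reasons else "; ".join(reasons))
    print("ping then connect:", ping_then_connect(fw, parse_snort(SNORT_LOG)))
```

Run as-is, the constructed 207.46.110.21 reply comes back with no reasons (a Squid request to it one second earlier, destination port in range), 211.152.51.13 is flagged on both counts, and the only ping-then-connect pair is 4.65.99.99 to port 135; the two earlier pingers never followed up with TCP in the excerpt, which is why the windows are kept short rather than matching any ping to any later packet.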

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html