On Tue, 01 May 2001 20:49:41 EDT, "Johannes B. Ullrich" <jullrichat_private>

> Looks like IRC traffic based on the ports used. Did you use IRC
> at the time?

I don't agree. First off, IRC usually is seen right around 6666-6668 or so.
Secondly, the packet sizes are weird for that..

> 16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)

An ACK for a previous packet, followed by 2K of data sent *out*. How often
do you type a line 2K long? ;)

> 16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)

Another ACK, another 2K sent. This is file transfer of some sort.

> 16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
> 16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)

2 more ACK?

> 16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
> 16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)
> 16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)

ACK and 2K again..

> 16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
> 16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)

and some more.

It *could* be IRC 'dcc send' traffic going outbound, but those usually pick
ephemeral port numbers at both ends (so I'd expect that one or both ports
would be up in the 32K range). Given that 2 of the IPs involved have PTRs
back to AOL address space, I'd be more inclined to bet on file transfer to
AIM buddies. However, I admit not knowing what ports AIM likes to use, and
it's just a bit worrisome that the owner of the box wouldn't know about it.

I'd *REALLY* suggest checking that 'netstat' hasn't been rootkitted.

-- 
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
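The reasoning above (a zero-length ACK from the remote side followed by near-MSS segments leaving the box, repeated, means bulk data going out rather than typed chat lines) can be turned into a small triage script. The following is an added example, not code from the original post or from Valdis; it parses tcpdump one-liners in the format quoted above, groups them per remote endpoint, and classifies each flow. The local host is assumed to be the `x.x.x.x` placeholder used in the post, the thresholds (1000-byte segments, 2000 bytes minimum, 200-byte "typed line" cutoff) are my assumptions, and the three chat-like lines on port 6667 are constructed for contrast; the other sample lines are the ones quoted in the post.

```python
"""Classify tcpdump flows as bulk outbound transfer vs. chat-like traffic (added example)."""
import re
from collections import defaultdict

# tcpdump (2001-era) one-liner: "HH:MM:SS.usec src.sport > dst.dport: tcp LEN (DF)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+tcp\s+(?P<length>\d+)"
)

IRC_PORTS = range(6666, 6669)  # the conventional IRC port range the post mentions
BULK_SEGMENT = 1000            # assumption: near-MSS segments mean the application is pushing data
BULK_BYTES = 2000              # assumption: want at least two such segments before calling it bulk
CHAT_SEGMENT = 200             # assumption: typed lines are short in both directions

# Sample capture lines quoted in the post (the 6700/6688 flows) plus three
# constructed lines on port 6667 that look like an interactive chat session.
SAMPLE = [
    "16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)",
    "16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)",
    "16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)",
    "16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)",
    "16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)",
    "16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)",
    "16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)",
    "16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)",
    "16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)",
    "16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)",
    "16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)",
    "16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)",
    "16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)",
    # constructed: short lines both ways on a conventional IRC port
    "16:30:00.000000 x.x.x.x.40000 > 10.0.0.5.6667: tcp 42 (DF)",
    "16:30:00.100000 10.0.0.5.6667 > x.x.x.x.40000: tcp 0 (DF)",
    "16:30:03.000000 10.0.0.5.6667 > x.x.x.x.40000: tcp 120 (DF)",
]


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "length": int(m["length"])}


def classify(f):
    """Apply the post's reasoning: ACK in, big segments out, nothing coming back."""
    if (f["max_out_segment"] >= BULK_SEGMENT and f["out_bytes"] >= BULK_BYTES
            and f["in_bytes"] == 0):
        return "bulk outbound transfer"
    if (f["out_bytes"] or f["in_bytes"]) and \
            max(f["max_out_segment"], f["max_in_segment"]) < CHAT_SEGMENT:
        return "chat-like"
    return "inconclusive"


def summarize_flows(lines, local="x.x.x.x"):
    """Group packets by remote ip:port and count bytes per direction."""
    flows = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0, "out_segments": 0,
                                 "in_acks": 0, "max_out_segment": 0,
                                 "max_in_segment": 0, "remote_port": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] == local:                      # data leaving the box
            f = flows[f'{p["dst"]}:{p["dport"]}']
            f["remote_port"] = p["dport"]
            f["out_bytes"] += p["length"]
            if p["length"]:
                f["out_segments"] += 1
                f["max_out_segment"] = max(f["max_out_segment"], p["length"])
        elif p["dst"] == local:                    # data (or a bare ACK) arriving
            f = flows[f'{p["src"]}:{p["sport"]}']
            f["remote_port"] = p["sport"]
            f["in_bytes"] += p["length"]
            if p["length"] == 0:
                f["in_acks"] += 1
            else:
                f["max_in_segment"] = max(f["max_in_segment"], p["length"])
    for f in flows.values():
        f["on_irc_port"] = f["remote_port"] in IRC_PORTS
        f["verdict"] = classify(f)
    return dict(flows)


if __name__ == "__main__":
    for remote, f in summarize_flows(SAMPLE).items():
        print(f'{remote:24} out={f["out_bytes"]:5} in={f["in_bytes"]:4} '
              f'acks_in={f["in_acks"]} irc_port={f["on_irc_port"]} -> {f["verdict"]}')
```

Run against the quoted lines, the two 6700/6688 flows that carry 2K per ACK come out as bulk outbound transfer, the 172.174.174.84 flow stays inconclusive because only one data segment was captured, and the constructed 6667 session is the only one that looks like chat. The port check is kept separate from the size verdict on purpose: a flow on a conventional IRC port that still moves MSS-sized segments outbound deserves the same "what is netstat not showing me" follow-up the post recommends.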
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 09:01:00 PDT