Re: Strange Activity

From: Cossix (cossixat_private)
Date: Wed May 02 2001 - 12:18:32 PDT


    IRC only uses those ports for its initial connection. DCC chatting and file
    transfers are handled on completely different ports.
    
    ----- Original Message -----
    From: "Valdis Kletnieks" <Valdis.Kletnieksat_private>
    To: <INCIDENTSat_private>
    Sent: Wednesday, May 02, 2001 10:20 AM
    Subject: Re: Strange Activity
    
    On Tue, 01 May 2001 20:49:41 EDT, "Johannes B. Ullrich"
    <jullrichat_private
    > Looks like IRC traffic based on the ports used. Did you use IRC
    > at the time?
    
    I don't agree.  First off, IRC usually is seen right around 6666-6668 or
    so.  Secondly, the packet sizes are weird for that..
    
    > 16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
    > 16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
    > 16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
    
    An ACK for a previous packet, followed by 2K of data sent *out*.  How
    often do you type a line 2K long? ;)
    
    > 16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
    > 16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
    > 16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
    
    Another ACK, another 2K sent.  This is file transfer of some sort.
    
    > 16:26:15.242682 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
    > 16:26:15.286571 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
    
    2 more ACK?
    
    > 16:26:15.443723 172.150.125.247.6688 > x.x.x.x.63783: tcp 0 (DF)
    > 16:26:15.448809 x.x.x.x.63783 > 172.150.125.247.6688: tcp 1360 (DF)
    > 16:26:15.449510 x.x.x.x.63783 > 172.150.125.247.6688: tcp 688 (DF)
    
    ACK and 2K again..
    
    > 16:26:15.479993 172.174.174.84.6700 > x.x.x.x.63780: tcp 0 (DF)
    > 16:26:15.485314 x.x.x.x.63780 > 172.174.174.84.6700: tcp 1360 (DF)
    
    and some more.
    
    It *could* be IRC 'dcc send' traffic going outbound, but those
    usually pick ephemeral port numbers at both ends (so I'd expect that
    one or both ports would be up in the 32K range).
    
    Given that 2 of the IPs involved have PTRs back to AOL address space,
    I'd be more inclined to bet on file transfer to AIM buddies.  However,
    I admit not knowing what ports AIM likes to use, and it's just a bit
    worrisome that the owner of the box wouldn't know about it.
    
    I'd *REALLY* suggest checking that 'netstat' hasn't been rootkitted.
    
    --
        Valdis Kletnieks
        Operating Systems Analyst
        Virginia Tech
    
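The size-and-direction reasoning Valdis applies to the tcpdump lines above, as an added example that is not part of the thread: a parser for that tcpdump summary format which groups packets per connection, totals the outbound bytes sent between consecutive inbound packets (the bare ACKs), and flags connections whose only traffic is bulk outbound bursts. The 10.0.0.5 chat connection, the thresholds and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: tcpdump lines quoted in the thread (x.x.x.x is the local host) plus
# two constructed lines for an ordinary interactive chat connection to 10.0.0.5:6667.
SAMPLE = """\
> 16:26:14.957566 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:14.958509 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:14.959240 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
> 16:26:15.155428 24.109.6.174.6700 > x.x.x.x.63781: tcp 0 (DF)
> 16:26:15.156308 x.x.x.x.63781 > 24.109.6.174.6700: tcp 1460 (DF)
> 16:26:15.157046 x.x.x.x.63781 > 24.109.6.174.6700: tcp 588 (DF)
16:26:16.000000 x.x.x.x.40000 > 10.0.0.5.6667: tcp 42 (DF)
16:26:16.100000 10.0.0.5.6667 > x.x.x.x.40000: tcp 120 (DF)
"""
# tcpdump summary line: "HH:MM:SS.usec src.port > dst.port: tcp payload_len (DF)"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)")

def parse_tcpdump(text):
    """Return (src, sport, dst, dport, payload_len) tuples; tolerates '> ' mail quoting."""
    rows = (LINE_RE.match(ln.strip().lstrip("> ")) for ln in text.splitlines())
    return [(m[2], int(m[3]), m[4], int(m[5]), int(m[6])) for m in rows if m]

def flow_stats(pkts, local="x.x.x.x"):
    """Per connection: bytes each way, plus outbound bytes sent between consecutive inbound packets."""
    flows = defaultdict(lambda: {"in": 0, "out": 0, "bursts": [], "cur": 0})
    for src, sport, dst, dport, n in pkts:
        if src == local:                    # outbound data extends the current burst
            f = flows[(sport, dst, dport)]
            f["out"] += n
            f["cur"] += n
        elif dst == local:                  # inbound packet (often a bare ACK) closes it
            f = flows[(dport, src, sport)]
            f["in"] += n
            if f["cur"]:
                f["bursts"].append(f["cur"])
                f["cur"] = 0
    for f in flows.values():                # flush a trailing burst
        last = f.pop("cur")
        if last:
            f["bursts"].append(last)
    return dict(flows)

def classify(f, min_burst=1024):
    """Valdis's heuristic: ~2K outbound bursts answered only by empty ACKs look like a file transfer."""
    if not f["bursts"]:
        return "ack-only"
    bulk = f["out"] > 4 * f["in"] and min(f["bursts"]) >= min_burst
    return "bulk-outbound" if bulk else "interactive"
```

On the sample, the 63781 connection shows two 2048-byte bursts with nothing but empty ACKs coming back, while the chat connection carries more data inbound than out.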



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:35:22 PDT