AOL 8.0 and discover.xml

From: Louie M. (neuralat_private)
Date: Wed Apr 02 2003 - 19:14:07 PST


    A few employees recently installed AOL 8.0 on their PCs here at work and 
    access AOL over our company's T1 connection. Since then I noticed that a 
    few machines on our network were making port 80 requests to our firewall. 
    All machines on our network have the firewall set as the internet gateway 
    machine. ippl reported this:
    
    Apr  1 13:04:33 http connection attempt from 192.168.1.12 (192.168.1.12:1112->192.168.1.1:80)
    Apr  1 13:08:19 http connection attempt from 192.168.1.16 (192.168.1.16:3599->192.168.1.1:80)
    Apr  1 13:17:49 http connection attempt from 192.168.1.12 (192.168.1.12:1165->192.168.1.1:80)
    Apr  1 13:51:30 http connection attempt from 192.168.1.12 (192.168.1.12:1289->192.168.1.1:80)
    
    I confirmed that the request was made when the user signed onto their AOL 
    account. I have Apache running on the firewall so that I could use demarc 
    to view the snort logs. I checked the Apache logs and found this in my 
    error_log:
    
    [Tue Apr  1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
    [Tue Apr  1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
    [Tue Apr  1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
    [Tue Apr  1 13:51:30 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
    
    Does anyone know what discover.xml does for AOL and why AOL is looking for 
    it on the gateway machine?
    
    The only thing I can think of is that maybe this is similar to how MSN 
    messenger used SSDP to talk to the firewall to request access to the 
    outside world. I personally use Linux as my DSL router at home so I'm 
    unfamiliar with commercial home routers, but I'm aware that they usually 
    have a web interface to configure them and maybe discover.xml might be on 
    these routers to auto configure port 5190 so that AOL can talk to its 
    server without any configuration by the user.
    
    A google search didn't turn up anything other than a few logs with similar 
    requests. If anyone could shed some light on this, it would be much 
    appreciated.
    ------------------------------------------------------------------------
    Neural Nightmare  	       "It's like Kung-fu lesson for your brain"
    Head Mad Scientist			     http://www.cerebrallab.com/
    neuralat_private
    ------------------------------------------------------------------------
    PGP Fingerprint 7F13 8F0D 8F29 C375 4C2B 4570 57D1 83E1
    PGP Public Key available at http://www.cerebrallab.com/publickey.php
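
Added example, not part of the original post: one way to tie each ippl connection record to the Apache 404 it produced, so the hosts probing the gateway for discover.xml can be listed with their source ports. The function names, the 5-second matching window and the year applied to the ippl timestamps (which carry none; 2003 is taken from the Apache entries) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: the post's log lines with the e-mail line wraps re-joined.
IPPL_LOG = """\
Apr  1 13:04:33 http connection attempt from 192.168.1.12 (192.168.1.12:1112->192.168.1.1:80)
Apr  1 13:08:19 http connection attempt from 192.168.1.16 (192.168.1.16:3599->192.168.1.1:80)
Apr  1 13:17:49 http connection attempt from 192.168.1.12 (192.168.1.12:1165->192.168.1.1:80)
Apr  1 13:51:30 http connection attempt from 192.168.1.12 (192.168.1.12:1289->192.168.1.1:80)
"""
APACHE_ERROR_LOG = """\
[Tue Apr  1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr  1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr  1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr  1 13:51:30 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STAMP = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
IPPL_RE = re.compile(rf"^{STAMP} http connection attempt from \S+ \({IP}:(\d+)->{IP}:(\d+)\)$")
APACHE_RE = re.compile(rf"^\[\w{{3}} {STAMP} (\d{{4}})\] \[error\] \[client {IP}\] File does not exist: (\S+)$")


def parse_ts(stamp, year):
    # Collapse the padded day ("Apr  1") and append the year before parsing.
    return datetime.strptime(f"{' '.join(stamp.split())} {year}", "%b %d %H:%M:%S %Y")


def correlate(ippl_text, apache_text, year=2003, path="/aol/discover.xml",
              window=timedelta(seconds=5)):
    """Map client IP -> [(connect time, source port)] for port-80 hits that 404ed on `path`."""
    conns = [m.groups() for m in map(IPPL_RE.match, ippl_text.splitlines()) if m]
    found = defaultdict(list)
    for m in filter(None, map(APACHE_RE.match, apache_text.splitlines())):
        stamp, log_year, client, missing = m.groups()
        if not missing.endswith(path):
            continue
        seen = parse_ts(stamp, log_year)
        for cstamp, src, sport, _dst, dport in conns:
            connected = parse_ts(cstamp, year)
            # The 404 is logged at or shortly after the connection ippl recorded.
            if src == client and dport == "80" and timedelta(0) <= seen - connected <= window:
                found[client].append((connected, int(sport)))
                break
    return dict(found)
```
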
    


