[Dshield] unknown port

Rick Leske rick at jaray.net
Thu Jun 5 02:25:17 GMT 2003


Honestly, I'm not using a web server... here's a snip of the capture:

 TCP 1420    64.124.82.21     10.1.58.122     80  3154  [2003.06.04 - 14:58:09.303]

HTTP/1.1 206 Partial Content
Content-Type: application/x-msdownload
Last-Modified: Sat, 24 May 2003 05:44:40 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
Date: Wed, 04 Jun 2003 19:58:05 GMT
Content-Range: bytes 1607726-1609725/2064512
Content-Length: 2000
Connection: keep-alive

~Rick
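The capture excerpt above, run through an added triage helper (not code from the post or from DShield): it parses the sniffer summary line and the HTTP head, uses the presence of a status line to decide that the source-port-80 end is the remote server and the 10.x host is the client, and decodes Content-Range to show which slice of the 2,064,512-byte application/x-msdownload file this segment carries. The sniffer's column order is an assumption; the sample values are the ones quoted in the post.

```python
import ipaddress
import re

# Constructed sample from the post; sniffer column order (proto, length, src ip, dst ip,
# src port, dst port, time) is assumed.
CAPTURE_LINE = "TCP 1420    64.124.82.21     10.1.58.122     80  3154  [2003.06.04 - 14:58:09.303]"
RESPONSE = """HTTP/1.1 206 Partial Content
Content-Type: application/x-msdownload
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Content-Range: bytes 1607726-1609725/2064512
Content-Length: 2000
Connection: keep-alive"""


def parse_capture_line(line):
    """Return (src_ip, dst_ip, src_port, dst_port) from one sniffer summary line."""
    m = re.match(r"\s*TCP\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)", line)
    if not m:
        raise ValueError("unrecognised capture line: %r" % line)
    return m[1], m[2], int(m[3]), int(m[4])


def parse_response(text):
    """Split an HTTP response head into (status_code, {lower-cased name: value})."""
    lines = text.splitlines()
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("payload does not start with an HTTP status line")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m[1]), headers


def triage(line, payload):
    """Work out which end is the web server and what is being transferred."""
    src_ip, dst_ip, src_port, dst_port = parse_capture_line(line)
    status, h = parse_response(payload)
    # A status line in the payload means the packet was sent BY the web server, so the
    # "source port 80" end is the remote server and the local host is the HTTP client.
    result = {"server": src_ip, "server_port": src_port, "client": dst_ip,
              "client_port": dst_port, "client_is_private": ipaddress.ip_address(dst_ip).is_private,
              "status": status, "content_type": h.get("content-type"), "software": h.get("server")}
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", h.get("content-range", ""))
    if m:  # 206: which slice of how large a file, and does Content-Length agree with the range?
        start, end, total = map(int, m.groups())
        result.update(range_start=start, range_end=end, total_size=total,
                      percent_done=round(100 * (end + 1) / total, 1),
                      length_consistent=(end - start + 1) == int(h.get("content-length", -1)))
    return result
```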
  ----- Original Message ----- 
  From: John Sage 
  To: General DShield Discussion List 
  Sent: Wednesday, June 04, 2003 6:27 PM
  Subject: Re: [Dshield] unknown port


  Let me see if I've got this straight:

  On Wed, Jun 04, 2003 at 03:30:52PM -0500, Rick Leske wrote:
  > I have been seeing a lot of outbound traffic port 80 to port 3154 to
  > ip address 64.124.82.21

  You're seeing *outbound* traffic from *your* source port 80 -- you
  running a webserver?

  [jsage at tweedle /storage/virii] $ host 64.124.82.21
  21.82.124.64.in-addr.arpa domain name pointer 64.124.82.21.akamai.com.

  [jsage at tweedle /storage/virii] $ lynx -head -dump http://64.124.82.21/
  HTTP/1.0 400 Bad Request
  Server: AkamaiGHost
  Mime-Version: 1.0
  Content-Type: text/html
  Content-Length: 132
  Expires: Wed, 04 Jun 2003 23:19:16 GMT
  Date: Wed, 04 Jun 2003 23:19:16 GMT
  Connection: close

  [jsage at tweedle /storage/virii] $ lynx -source http://64.124.82.21/index.html
  <HTML><HEAD>
  <TITLE>Invalid URL</TITLE>
  </HEAD><BODY>
  <H1>Invalid URL</H1>
  The requested URL "&#47;index&#46;html", is invalid.<p>
  </BODY></HTML>

  Smells to me like this is one of Akamai's content servers; you sure
  you're sending stuff *out* to this host?

  > Does anyone know what could be causing this?
  > 
  > Outbound traffic is encrypted data captured via packet sniffer.  I
  > have yet to decode it. 

  Post a packet dump.

  "Encrypted"? It'll still have IP and TCP headers...


  - John
  -- 
  "You are in a twisty maze of weblogs, all alike."

  See the all new look! http://www.finchhaven.com/index.html
