[Dshield] Blaster, or AOL strangeness... - SOLVED

Bjorn Stromberg bjorn at thechemistrylab.com
Wed Oct 8 17:26:58 GMT 2003


I just telnetted to port 4444 on
205.188.134.233, 205.188.134.234, 205.188.134.235, 205.188.134.236,
205.188.134.237, & 205.188.134.238

also known as
ht-s11.websys.aol.com, ht-s12.websys.aol.com, ht-s13.websys.aol.com,
ht-s14.websys.aol.com, ht-s15.websys.aol.com, & ht-s16.websys.aol.com

They are serving up some nice web content:

test page

as the default page.

and here's a bad request...

HTTP/1.0 400 Bad Request
MIME-Version: 1.0
Date: Wed, 08 Oct 2003 16:50:14 GMT
Server: AOLserver/3.4.2
Content-Type: text/html
Content-Length: 530
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
<TITLE>Invalid Request</TITLE>
</HEAD>
<BODY>
<H2>Invalid Request</H2>
The HTTP request presented by your browser is invalid.
<P>
Invalid HTTP request
<P ALIGN=RIGHT><SMALL><I>AOLserver/3.4.2 on
http://ht-s11:4444</I></SMALL></P></BODY></HTML>

It would be pretty safe to assume these are web servers running AOLserver
(http://www.aolserver.com/)

It would appear they are image/ad servers for AOL

I'm not sure if websites would reference these servers or if AOL's IM client
would or if their own AOL software would reference it... It could be that
someone is using AOL software over your network and your firewall is
blocking the access to the non-standard port usage. The whole thing appears
rather benign.

I wouldn't lose any sleep over it.

Google turned up this site which references these urls:
http://hometown.aol.ca/
http://ht-s15.websys.aol.com:4444/promos.js?i=15934,15856,15583,15544,14800,14881,15817,15505,15232,15076,15895,15622,15661,15778,15115
http://ht-s15.websys.aol.com:4444/PromoArt/aol_us_branding_background_image.gif.107331.1.gif

so finally...

It's a webhosting service called "hometown" from AOL that references these 6
web servers putting out benign .js and .gif content on non-standard ports.

I hope that answers your questions...

*SNIP*

> I have been in contact with someone via another list who works for AOL.
> There is nothing valid on port 4444 in the entire 205.188.134.xxx class C.

I would take information from someone who claims to represent AOL or even
actually works for AOL with a grain of salt.

Bjorn Stromberg
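
The check described in the message above (connect to the port, read what comes back, look at the status line and Server header) can be run over captured replies. This is an added example, not part of the original post; the name classify_reply and the shell-style banner are constructed for illustration, and the only data taken from the post is the quoted 400 response, with the blank line between headers and body assumed.

```python
import re

# Reply quoted in the post (headers and first body line); CRLFs and the
# header/body blank line are assumed, since the archive does not show them.
AOL_REPLY = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Date: Wed, 08 Oct 2003 16:50:14 GMT\r\n"
    b"Server: AOLserver/3.4.2\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 530\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
)
# Constructed sample, not from the post: a command-shell style banner.
SHELL_BANNER = b"Microsoft Windows 2000 [Version 5.00.2195]\r\nC:\\WINNT\\system32>"

STATUS_LINE = re.compile(rb"HTTP/(\d\.\d) (\d{3}) ?([^\r\n]*)")


def classify_reply(raw):
    """Classify the first bytes a TCP service returned to a probe."""
    if not raw:
        # Nothing came back: the service may be waiting for the client to speak.
        return {"kind": "silent"}
    m = STATUS_LINE.match(raw)
    if m is None:
        # Not an HTTP reply: keep a short preview for an analyst to review.
        return {"kind": "non-http", "preview": raw[:60].decode("ascii", "replace")}
    # Headers end at the first blank line; tolerate bare LF as well as CRLF.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in re.split(rb"\r?\n", head)[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "kind": "http",
        "version": m.group(1).decode(),
        "status": int(m.group(2)),
        "reason": m.group(3).decode("latin-1"),
        "server": headers.get("server"),
        "headers": headers,
    }


if __name__ == "__main__":
    for label, data in (("AOL reply", AOL_REPLY), ("shell banner", SHELL_BANNER), ("no data", b"")):
        print(label, "->", classify_reply(data))
```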