[Dshield] I should recognize this, but...

Meidinger Chris chris.meidinger at badenit.de
Wed Apr 28 09:07:59 GMT 2004


Google suggests that it is probably GoToMyPC:

http://www.dshield.org/pipermail/intrusions/2003-March/007230.php

Also, this GCIA Practical
http://www.giac.org/practical/GCIA/Johnny_Wong_GCIA.pdf examined GoToMyPC on
page 12.

Hope this helps,

Chris Meidinger
IT Technology and Services

badenIT GmbH
Innovation technology for your future

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Deutschland 
 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Josh Tolley
> Sent: Tuesday, April 27, 2004 10:09 PM
> To: General DShield Discussion List
> Subject: [Dshield] I should recognize this, but...
> 
> I think I should probably recognize this traffic, but I 
> don't. Anyone know what it is from? Snort says it's p2p 
> traffic, and I'm willing to believe it, but I'm looking for 
> specifics on the client, if it really is p2p. Google didn't 
> turn up much for me... TIA
> 
> Generated by ACID v0.9.6b23 on Tue, 27 Apr 2004 13:00:30 -0700
> 
> ------------------------------------------------------------------------------
> #(5 - 12032) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
> IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
>        hlen=5 TOS=0 dlen=204 ID=6189 flags=0 offset=0 TTL=128
> TCP:  port=2699 -> dport: 8200  flags=***AP*** seq=846113190
>        ack=1475707860 off=5 res=0 win=64512 urp=0 chksum=45838
> Payload:  length = 164
> 
> 000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
> 010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
> 020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
> 030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
> 040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
> 050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
> 060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
> 070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
> 080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
> 090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
> 0a0 : 0D 0A 0D 0A                                       ....
> ------------------------------------------------------------------------------
> #(5 - 12033) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
> IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
>        hlen=5 TOS=0 dlen=163 ID=6194 flags=0 offset=0 TTL=128
> TCP:  port=2700 -> dport: 8200  flags=***AP*** seq=846282988
>        ack=683867581 off=5 res=0 win=64512 urp=0 chksum=64740
> Payload:  length = 123
> 
> 000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
> 010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
> 020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
> 030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
> 040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
> 050 : 6D 70 3D 34 39 26 6E 6F 63 61 63 68 65 3D 31 31   mp=49&nocache=11
> 060 : 30 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   0&seq=0&ttl=12 H
> 070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
> ------------------------------------------------------------------------------
> #(5 - 12030) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
> IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
>        hlen=5 TOS=0 dlen=233 ID=6168 flags=0 offset=0 TTL=128
> TCP:  port=2697 -> dport: 8200  flags=***AP*** seq=845784452
>        ack=611653591 off=5 res=0 win=64512 urp=0 chksum=53
> Payload:  length = 193
> 
> 000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
> 010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
> 020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
> 030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
> 040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
> 050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
> 060 : 37 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   7&seq=0&ttl=0&ag
> 070 : 65 6E 74 32 2E 65 78 69 74 43 61 75 73 65 3D 30   ent2.exitCause=0
> 080 : 26 6D 61 73 74 65 72 2E 63 6C 6F 73 65 4F 72 69   &master.closeOri
> 090 : 67 69 6E 3D 61 67 65 6E 74 32 26 6D 61 73 74 65   gin=agent2&maste
> 0a0 : 72 2E 6D 61 69 6E 53 77 69 74 63 68 3D 63 6C 6F   r.mainSwitch=clo
> 0b0 : 73 69 6E 67 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   sing HTTP/1.0...
> 0c0 : 0A                                                .
> ------------------------------------------------------------------------------
> #(5 - 12031) [2004-04-26 10:07:16] [snort/1432]  P2P GNUTella GET
> IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
>        hlen=5 TOS=0 dlen=163 ID=6184 flags=0 offset=0 TTL=128
> TCP:  port=2698 -> dport: 8200  flags=***AP*** seq=845984488
>        ack=4155776466 off=5 res=0 win=64512 urp=0 chksum=39401
> Payload:  length = 123
> 
> 000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
> 010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
> 020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
> 030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
> 040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
> 050 : 6D 70 3D 34 33 26 6E 6F 63 61 63 68 65 3D 31 30   mp=43&nocache=10
> 060 : 38 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   8&seq=0&ttl=12 H
> 070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
> ------------------------------------------------------------------------------
> #(5 - 12029) [2004-04-26 10:07:12] [snort/1432]  P2P GNUTella GET
> IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
>        hlen=5 TOS=0 dlen=163 ID=6085 flags=0 offset=0 TTL=128
> TCP:  port=2688 -> dport: 8200  flags=***AP*** seq=844537804
>        ack=3113570246 off=5 res=0 win=64512 urp=0 chksum=48208
> Payload:  length = 123
> 
> 000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
> 010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
> 020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
> 030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
> 040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
> 050 : 6D 70 3D 34 32 26 6E 6F 63 61 63 68 65 3D 31 30   mp=42&nocache=10
> 060 : 36 26 73 65 71 3D 30 26 74 74 6C 3D 31 32 20 48   6&seq=0&ttl=12 H
> 070 : 54 54 50 2F 31 2E 30 0D 0A 0D 0A                  TTP/1.0....
> 
> --
> Josh Tolley
> Raintree Systems, Inc.
> http://www.raintreeinc.com
> 760 509 9000
> 
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 
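Added example (not part of the thread, and not GoToMyPC's or Snort's own code): the triage a handler would do on alerts like the ones quoted above. sid 1432 in the Snort rules of that era matched little more than "GET " at the start of an outbound TCP payload, so it fires on any HTTP-style client on an odd port. The script rebuilds the payload from the ACID hex dump, cross-checks it against the declared length and the running offset so a mangled dump is rejected rather than misread, and then separates a real Gnutella download request from the GoToMyPC poll the thread identifies. The sample alert is a copy of the first one quoted above; the Gnutella request used for comparison is constructed. Using TCP/8200 plus the "/jedi?request=agent" target as the GoToMyPC key is this example's assumption, taken from the alerts themselves rather than from any vendor documentation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the first ACID alert quoted in the thread, reproduced
# verbatim so the example runs offline (dport 8200, declared length 164).
SAMPLE_ALERT = """\
#(5 - 12032) [2004-04-26 10:07:17] [snort/1432]  P2P GNUTella GET
IPv4: xxx.xxx.xxx.xxx -> 216.115.213.29
       hlen=5 TOS=0 dlen=204 ID=6189 flags=0 offset=0 TTL=128
TCP:  port=2699 -> dport: 8200  flags=***AP*** seq=846113190
       ack=1475707860 off=5 res=0 win=64512 urp=0 chksum=45838
Payload:  length = 164

000 : 47 45 54 20 2F 6A 65 64 69 3F 72 65 71 75 65 73   GET /jedi?reques
010 : 74 3D 61 67 65 6E 74 26 6A 65 64 69 3D 31 30 30   t=agent&jedi=100
020 : 26 63 6C 63 74 5F 6F 6B 3D 31 26 73 65 73 73 69   &clct_ok=1&sessi
030 : 6F 6E 3D 31 31 35 35 37 31 37 32 32 36 26 74 69   on=1155717226&ti
040 : 63 6B 65 74 3D 31 30 32 26 74 69 6D 65 73 74 61   cket=102&timesta
050 : 6D 70 3D 34 36 26 6E 6F 63 61 63 68 65 3D 31 30   mp=46&nocache=10
060 : 39 26 73 65 71 3D 30 26 74 74 6C 3D 30 26 61 67   9&seq=0&ttl=0&ag
070 : 65 6E 74 32 2E 73 74 61 74 65 3D 65 78 69 74 26   ent2.state=exit&
080 : 6D 61 73 74 65 72 2E 6D 61 69 6E 53 77 69 74 63   master.mainSwitc
090 : 68 3D 63 6C 6F 73 65 20 48 54 54 50 2F 31 2E 30   h=close HTTP/1.0
0a0 : 0D 0A 0D 0A                                       ....
"""

# Assumption for this example: the poll port and target seen in the alerts.
GOTOMYPC_POLL_PORT = 8200
GOTOMYPC_POLL_PREFIX = "/jedi?"

# One ACID dump line: optional mail quoting, 3-digit hex offset, colon, then
# hex byte pairs separated by single spaces. The ASCII column follows after a
# run of several spaces, which the single-space pattern refuses to cross.
_DUMP_LINE = re.compile(
    r"^[>\s]*([0-9a-fA-F]{3})\s*:\s*((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})")


def payload_from_acid_dump(text: str) -> bytes:
    """Rebuild the raw payload from an ACID/Snort hex dump.

    Each line's offset must equal the number of bytes already collected, so a
    dump with a missing, duplicated or truncated line raises instead of
    silently yielding a plausible-looking but wrong payload.
    """
    buf = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue  # header line, blank line, or non-dump text
        offset, hexpart = int(m.group(1), 16), m.group(2)
        if offset != len(buf):
            raise ValueError(f"dump offset {offset:#x} but {len(buf)} bytes collected")
        buf += bytes.fromhex(hexpart)
    return bytes(buf)


def classify_get(payload: bytes, dport: int) -> dict:
    """Triage one sid:1432-style hit from the request line and headers."""
    if not payload.startswith(b"GET "):
        return {"verdict": "not_http_get", "sid1432_would_fire": False}
    head = payload.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    header_blob = "\n".join(headers).lower()
    result = {"sid1432_would_fire": True, "dport": dport, "target": target}

    # Gnutella file transfers are plain HTTP GETs for /get/<index>/<name> or
    # /uri-res/N2R?urn:sha1:..., normally carrying X-Gnutella-* headers.
    if target.startswith(("/get/", "/uri-res/")) or "gnutella" in header_blob:
        result["verdict"] = "gnutella_download"
        return result

    # The GoToMyPC poll seen in the thread: GET /jedi?request=agent&... on 8200.
    if dport == GOTOMYPC_POLL_PORT and target.startswith(GOTOMYPC_POLL_PREFIX):
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        flat = {k: v[0] for k, v in qs.items()}
        if flat.get("request") == "agent":
            result["verdict"] = "gotomypc_poll"
            result["session"] = flat.get("session")
            result["ticket"] = flat.get("ticket")
            result["ttl"] = flat.get("ttl")
            # The state fields only show up in the shutdown-time polls.
            result["agent_state"] = flat.get("agent2.state") or flat.get("agent2.exitCause")
            result["switch"] = flat.get("master.mainSwitch")
            return result

    result["verdict"] = "unclassified_http_get"
    return result


def triage_acid_alert(alert_text: str) -> dict:
    """Parse one ACID alert block (header plus hex dump) and classify it."""
    dport = int(re.search(r"dport:\s*(\d+)", alert_text).group(1))
    declared = re.search(r"Payload:\s*length\s*=\s*(\d+)", alert_text)
    payload = payload_from_acid_dump(alert_text)
    if declared and int(declared.group(1)) != len(payload):
        raise ValueError(f"dump holds {len(payload)} bytes, alert declares {declared.group(1)}")
    return classify_get(payload, dport)


if __name__ == "__main__":
    for key, value in triage_acid_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The same three functions run unchanged over the other four alerts in the thread; the two longer ones carry the agent2.state / agent2.exitCause and master.mainSwitch fields, the three short ones do not, which is what the agent_state and switch entries make visible at a glance.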


