Re: A few odd outbound packets

From: James Wyatt <wyatt@attbi.com>
Date: Sat, 30 Mar 2002 21:03:11 GMT

I did a reverse DNS lookup on the destination IP and it came back with
ftp24c.newaol.com. It's using the TCP protocol, so it is a connection-based
exchange. Any AOL programs on your system? The first packet you have here
is a SYN packet, which is requesting a connection; the second appears to be
carrying a payload. My guess is that AOL is doing some spyware stuff when
you look at their page, use their email/news, etc. If the IP stays static,
I would just add a rule to "deny ip any 64.12.168.202 log" and watch what
happens.

frankB wrote:

> Every now and then I get a couple of strange outbound packets that are
> caught by IPTABLES - I only allow a few specific ports open for outbound
> and all inbound is only on established connections (machine is also behind
> a router).
>
> Mar 29 18:25:59 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0
> SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=6144 PROTO=TCP SPT=33483 DPT=44483 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Mar 29 18:26:39 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0
> SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=6144 PROTO=TCP SPT=33485
>
> I don't see any pattern that relates to apps I'm running. Mostly it's just
> mail, web, news. I had a couple of these packets about a week ago, but
> nothing for the last few days. I read 1 post that suggested this could be
> a rootkit. I just ran chkrootkit 0.35, and everything came up negative.
>
> Any suggestions? Thanks.
>
>
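
The triage the thread is doing by hand, as an added example that is not part of either post: parse the iptables LOG lines, pull out the fields the reply reasons about (DST, DPT, the SYN flag), flag the second line as truncated before the flags and DPT were recorded (so it says nothing about a payload either way), group hits per destination with the reverse-DNS name, and print the "deny and log" rule from the reply in iptables syntax. The sample log is constructed from the two quoted lines plus one assumed line of the same shape; the PTR answer is the one the reply quotes, kept in a table so the script runs offline; the `--log-prefix` text and the choice to put LOG and DROP at the top of OUTPUT are assumptions.

```python
"""Triage of outbound iptables LOG entries (added example, not from the thread)."""
import re
import socket
from collections import defaultdict

# Constructed sample: the two lines quoted in the post (the second is truncated
# exactly as it appears there) plus one assumed line of the same shape.
SAMPLE_LOG = """\
Mar 29 18:25:59 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=33483 DPT=44483 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 18:26:39 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=33485
Mar 29 18:40:02 localhost kernel: IPTABLES TCP-OUT: IN= OUT=eth0 SRC=192.168.1.250 DST=64.12.168.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6144 PROTO=TCP SPT=33490 DPT=44485 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Reverse-DNS answer quoted in the reply, kept here so the example runs offline.
KNOWN_PTR = {"64.12.168.202": "ftp24c.newaol.com"}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=VALUE pairs
STAMP_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")
PREFIX_RE = re.compile(r"kernel: (.*?) IN=")        # text set by --log-prefix


def parse_iptables_line(line):
    """Parse one kernel LOG line into a dict, or return None for non-LOG lines.

    'truncated' is True for a TCP entry that lacks DPT or any flag word: the
    line was cut off before those fields, so nothing can be said about flags
    or payload from it.
    """
    if "PROTO=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    stamp = STAMP_RE.match(line)
    prefix = PREFIX_RE.search(line)
    truncated = fields.get("PROTO") == "TCP" and ("DPT" not in fields or not flags)
    return {
        "stamp": stamp.group(1) if stamp else "",
        "prefix": prefix.group(1) if prefix else "",
        "fields": fields,
        "flags": flags,
        "truncated": truncated,
    }


def describe(entry):
    """One-line classification of a parsed entry."""
    f = entry["fields"]
    if entry["truncated"]:
        return "truncated entry: DPT/flags missing, payload cannot be judged"
    if entry["flags"] == {"SYN"}:
        return "bare SYN: new outbound connection attempt to %s:%s" % (f["DST"], f["DPT"])
    return "TCP %s -> %s:%s flags=%s" % (
        f.get("SRC", "?"), f.get("DST", "?"), f.get("DPT", "?"), "/".join(sorted(entry["flags"])))


def resolve_ptr(ip, ptr_table=KNOWN_PTR):
    """Reverse lookup: offline table first, otherwise a real PTR query."""
    if ip in ptr_table:
        return ptr_table[ip]
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror/gaierror are OSError subclasses
        return None


def summarize(log_text, ptr_table=KNOWN_PTR):
    """Group LOG hits by destination IP: count, ports seen, truncated lines, time span."""
    by_dst = defaultdict(lambda: {"count": 0, "ports": set(), "truncated": 0,
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        e = parse_iptables_line(line)
        if e is None or "DST" not in e["fields"]:
            continue
        rec = by_dst[e["fields"]["DST"]]
        rec["count"] += 1
        rec["truncated"] += int(e["truncated"])
        if "DPT" in e["fields"]:
            rec["ports"].add(int(e["fields"]["DPT"]))
        rec["first"] = rec["first"] or e["stamp"]
        rec["last"] = e["stamp"]
    return {dst: {**rec, "ports": sorted(rec["ports"]), "name": resolve_ptr(dst, ptr_table)}
            for dst, rec in by_dst.items()}


def block_rules(dst, prefix="IPTABLES DENY-OUT: "):
    """The reply's 'deny ... log' advice as iptables commands (prefix text is an assumption).

    Both rules go ahead of the existing OUTPUT rules; LOG is inserted at
    position 1 and DROP at 2 so the log entry is written before the drop.
    iptables limits --log-prefix to 29 characters.
    """
    assert len(prefix) <= 29
    return [
        'iptables -I OUTPUT 1 -d %s -j LOG --log-prefix "%s"' % (dst, prefix),
        "iptables -I OUTPUT 2 -d %s -j DROP" % dst,
    ]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_iptables_line(line)
        print(e["stamp"], describe(e))
    for dst, rec in summarize(SAMPLE_LOG).items():
        print("%s (%s): hits=%d ports=%s truncated=%d span=%s..%s" % (
            dst, rec["name"], rec["count"], rec["ports"], rec["truncated"], rec["first"], rec["last"]))
        print("\n".join(block_rules(dst)))
```

Run it against the real /var/log/messages (or wherever the kernel LOG target writes) instead of SAMPLE_LOG; the per-destination summary is what tells you whether the hits cluster around a program you start (mail, news, browser) or arrive on their own schedule, which is the question the original post is asking.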


