List: incidents
Subject: IMesh Scans from 209.225.26.19 and 216.35.208.153
From: Crist Clark <crist.clark () GLOBALSTAR ! COM>
Date: 2001-02-26 22:20:48
I was analysing some of the more strange traffic patterns from last week's
logs when I came across these,
23Feb2001 8:43:39 accept >qfe3 tcp 192.168.AAA.BBB:1436 -> 216.35.208.153:5000 44 (DDD.EEE.FFF.GGG:53596 -> 216.35.208.153:5000)
23Feb2001 8:43:50 drop >hme0 tcp 216.35.208.153:51851 -> DDD.EEE.FFF.GGG:4456 44
23Feb2001 8:43:56 drop >hme0 tcp 216.35.208.153:51869 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 8:44:02 drop >hme0 tcp 216.35.208.153:51882 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 8:44:08 drop >hme0 tcp 216.35.208.153:51896 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 8:44:14 drop >hme0 tcp 216.35.208.153:51916 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 8:44:20 drop >hme0 tcp 216.35.208.153:51932 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 8:44:25 drop >hme0 tcp 216.35.208.153:51948 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 8:44:31 drop >hme0 tcp 216.35.208.153:51962 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 8:44:36 drop >hme0 tcp 216.35.208.153:51972 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 8:44:42 drop >hme0 tcp 216.35.208.153:51981 -> DDD.EEE.FFF.GGG:http 44

23Feb2001 13:31:09 accept >qfe3 tcp 192.168.AAA.CCC:1459 -> 209.225.26.19:5000 44 (DDD.EEE.FFF.GGG:20653 -> 209.225.26.19:5000)
23Feb2001 13:31:13 drop >hme0 tcp 209.225.26.19:60461 -> DDD.EEE.FFF.GGG:4923 44
23Feb2001 13:31:19 drop >hme0 tcp 209.225.26.19:60471 -> DDD.EEE.FFF.GGG:4329 44
23Feb2001 13:31:25 drop >hme0 tcp 209.225.26.19:60482 -> DDD.EEE.FFF.GGG:4500 44
23Feb2001 13:31:31 drop >hme0 tcp 209.225.26.19:60489 -> DDD.EEE.FFF.GGG:5000 44
23Feb2001 13:31:38 drop >hme0 tcp 209.225.26.19:60499 -> DDD.EEE.FFF.GGG:5500 44
23Feb2001 13:31:44 drop >hme0 tcp 209.225.26.19:60512 -> DDD.EEE.FFF.GGG:X11 44
23Feb2001 13:31:50 drop >hme0 tcp 209.225.26.19:60523 -> DDD.EEE.FFF.GGG:6500 44
23Feb2001 13:31:57 drop >hme0 tcp 209.225.26.19:60532 -> DDD.EEE.FFF.GGG:7000 44
23Feb2001 13:32:03 drop >hme0 tcp 209.225.26.19:60542 -> DDD.EEE.FFF.GGG:7500 44
23Feb2001 13:32:09 drop >hme0 tcp 209.225.26.19:60555 -> DDD.EEE.FFF.GGG:http 44
What we are seeing is an internal user connecting to port 5000 of the
external machine. The internal user's RFC1918 IP address is NATed. The
external IMesh "server" then replies with a scan of the NATed source
address (at least it looks like the internal client is not passing its
IP address through at the application layer).
I have managed to associate both of these with IMesh.com filesharing.
However, I have been unable to find information about how their protocol
actually works and whether these scans are "normal." Is the remote peer
trying to find out if we are sharing? Why do the two scans differ slightly,
but also look very similar?
Any pointers to more info would be appreciated. Thanks.
--
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926
The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com
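The pattern the post describes (an outbound NATed session to port 5000, followed within a minute by the same external peer probing a fixed list of ports on the translated public address) is easy to pick out of firewall logs mechanically. The following is an added example written for this page, not code from the original post or from the list: a small parser for the log format shown above plus a correlation pass that reports each outbound session that is answered by a "scan back". The sample records are constructed from the post's lines; 203.0.113.7 and the 192.168.10.x hosts are stand-ins for the anonymized DDD.EEE.FFF.GGG and 192.168.AAA.xxx addresses, and the two-minute window and five-port threshold are assumed tuning values. The log substitutes service names (X11, http) for some port numbers, so the parser maps those back to integers before comparing.

```python
"""Correlate an outbound NATed connection with a follow-up port scan from the
same external peer, using firewall log lines in the format shown in the post:
  date time action >iface proto src:sport -> dst:dport len [(natsrc:natsport -> dst:dport)]
Added example for this page, not code from the original post."""
import re
from datetime import datetime, timedelta

# Service names the log uses in place of well-known port numbers.
SERVICE_PORTS = {"http": 80, "X11": 6000, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53}

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<action>accept|drop|reject) >(?P<iface>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\S+) -> (?P<dst>[\d.]+):(?P<dport>\S+) (?P<len>\d+)"
    r"(?: \((?P<xsrc>[\d.]+):(?P<xsport>\S+) -> (?P<xdst>[\d.]+):(?P<xdport>\S+)\))?$"
)

# Constructed sample: the two bursts from the post plus one benign session that
# must not be flagged. 203.0.113.7 stands in for the anonymized public address.
SAMPLE_LOG = """\
23Feb2001 8:43:39 accept >qfe3 tcp 192.168.10.20:1436 -> 216.35.208.153:5000 44 (203.0.113.7:53596 -> 216.35.208.153:5000)
23Feb2001 8:43:50 drop >hme0 tcp 216.35.208.153:51851 -> 203.0.113.7:4456 44
23Feb2001 8:43:56 drop >hme0 tcp 216.35.208.153:51869 -> 203.0.113.7:4329 44
23Feb2001 8:44:02 drop >hme0 tcp 216.35.208.153:51882 -> 203.0.113.7:4500 44
23Feb2001 8:44:08 drop >hme0 tcp 216.35.208.153:51896 -> 203.0.113.7:5000 44
23Feb2001 8:44:14 drop >hme0 tcp 216.35.208.153:51916 -> 203.0.113.7:5500 44
23Feb2001 8:44:20 drop >hme0 tcp 216.35.208.153:51932 -> 203.0.113.7:X11 44
23Feb2001 8:44:25 drop >hme0 tcp 216.35.208.153:51948 -> 203.0.113.7:6500 44
23Feb2001 8:44:31 drop >hme0 tcp 216.35.208.153:51962 -> 203.0.113.7:7000 44
23Feb2001 8:44:36 drop >hme0 tcp 216.35.208.153:51972 -> 203.0.113.7:7500 44
23Feb2001 8:44:42 drop >hme0 tcp 216.35.208.153:51981 -> 203.0.113.7:http 44
23Feb2001 9:00:00 accept >qfe3 tcp 192.168.10.22:1500 -> 198.51.100.9:http 44 (203.0.113.7:40001 -> 198.51.100.9:http)
23Feb2001 9:00:30 drop >hme0 tcp 198.51.100.9:2222 -> 203.0.113.7:telnet 44
23Feb2001 13:31:09 accept >qfe3 tcp 192.168.10.21:1459 -> 209.225.26.19:5000 44 (203.0.113.7:20653 -> 209.225.26.19:5000)
23Feb2001 13:31:13 drop >hme0 tcp 209.225.26.19:60461 -> 203.0.113.7:4923 44
23Feb2001 13:31:19 drop >hme0 tcp 209.225.26.19:60471 -> 203.0.113.7:4329 44
23Feb2001 13:31:25 drop >hme0 tcp 209.225.26.19:60482 -> 203.0.113.7:4500 44
23Feb2001 13:31:31 drop >hme0 tcp 209.225.26.19:60489 -> 203.0.113.7:5000 44
23Feb2001 13:31:38 drop >hme0 tcp 209.225.26.19:60499 -> 203.0.113.7:5500 44
23Feb2001 13:31:44 drop >hme0 tcp 209.225.26.19:60512 -> 203.0.113.7:X11 44
23Feb2001 13:31:50 drop >hme0 tcp 209.225.26.19:60523 -> 203.0.113.7:6500 44
23Feb2001 13:31:57 drop >hme0 tcp 209.225.26.19:60532 -> 203.0.113.7:7000 44
23Feb2001 13:32:03 drop >hme0 tcp 209.225.26.19:60542 -> 203.0.113.7:7500 44
23Feb2001 13:32:09 drop >hme0 tcp 209.225.26.19:60555 -> 203.0.113.7:http 44
"""


def port_number(token):
    """Return the integer port for a port field, resolving service names."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{d['date']} {d['time']}", "%d%b%Y %H:%M:%S"),
        "action": d["action"], "iface": d["iface"], "proto": d["proto"],
        "src": d["src"], "sport": port_number(d["sport"]),
        "dst": d["dst"], "dport": port_number(d["dport"]),
        "nat_src": d["xsrc"],  # public address after translation, when logged
    }


def find_scan_backs(lines, window=timedelta(seconds=120), min_ports=5):
    """Report each accepted outbound NATed session that is followed, within
    `window`, by the remote peer probing >= min_ports distinct ports on the
    translated public address. Drops before the trigger are not counted."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])
    findings = []
    for i, trig in enumerate(records):
        if trig["action"] != "accept" or not trig["nat_src"]:
            continue
        peer, public = trig["dst"], trig["nat_src"]
        probes = []
        for r in records[i + 1:]:
            if r["ts"] - trig["ts"] > window:
                break  # records are time-sorted, nothing later can qualify
            if r["action"] == "drop" and r["src"] == peer and r["dst"] == public:
                probes.append(r)
        ports = sorted({p["dport"] for p in probes})
        if len(ports) >= min_ports:
            findings.append({
                "peer": peer, "public": public,
                "trigger_port": trig["dport"], "trigger_time": trig["ts"],
                "first_probe": probes[0]["ts"], "last_probe": probes[-1]["ts"],
                "probed_ports": ports,
            })
    return findings


if __name__ == "__main__":
    for f in find_scan_backs(SAMPLE_LOG.splitlines()):
        print(f"{f['peer']} scanned {f['public']} on {f['probed_ports']} "
              f"{(f['first_probe'] - f['trigger_time']).seconds}s after we opened port {f['trigger_port']}")
```

Keying the correlation on the translated address rather than the internal RFC1918 one is what makes the post's observation testable: if the peer had learned the client's real address at the application layer, the probes would have been aimed there (and never reached the outside interface at all), whereas probes at the NAT address show the peer only knows what the firewall exposed. Both bursts in the sample hit the same fixed ports (4329, 4500, 5000, 5500, 6000, 6500, 7000, 7500, 80) plus one port that differs between them, which is the similarity the post asks about.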