A little help - AOL, what are they up to?

  1. #1
    thehorse13 (Master-Jedi-Pimps0r & Moderator), Washington D.C. area, joined Dec 2002, 2,884 posts

    I'm not familiar with all the goofy AOL services these days and I have seen some odd traffic on my firewall. Can anyone tell me if they have seen similar traffic? Any help is appreciated.

    (dest IP changed for obvious reasons)

    LOG SAMPLE
    =====================================================
    event source port dest port
    UDP : Port: 11792 152.163.159.228 51 207.96.1.4 11792
    UDP : Port: 23896 152.163.159.229 52 207.96.1.4 23896
    UDP : Port: 08786 205.188.157.225 50 207.96.1.4 8786
    UDP : Port: 07160 64.12.51.141 50 207.96.1.4 7160
    UDP : Port: 07528 205.188.157.230 52 207.96.1.4 7528
    UDP : Port: 05696 205.188.157.230 66 207.96.1.4 5696
    UDP : Port: 14204 64.12.51.141 50 207.96.1.4 14204
    UDP : Port: 04120 205.188.157.227 50 207.96.1.4 4120
    UDP : Port: 13942 64.12.51.130 52 207.96.1.4 13942
    UDP : Port: 06668 152.163.159.227 51 207.96.1.4 6668
    UDP : Port: 05858 64.12.51.144 50 207.96.1.4 5858
    UDP : Port: 10918 152.163.159.226 50 207.96.1.4 10918
    UDP : Port: 12228 205.188.157.226 51 207.96.1.4 12228
    UDP : Port: 13514 152.163.159.228 50 207.96.1.4 13514
    UDP : Port: 10736 64.12.51.143 50 207.96.1.4 10736
    UDP : Port: 07966 152.163.159.228 51 207.96.1.4 7966
    UDP : Port: 05620 152.163.159.225 50 207.96.1.4 5620
    UDP : Port: 13830 64.12.51.130 50 207.96.1.4 13830
    UDP : Port: 10506 64.12.51.143 50 207.96.1.4 10506
    UDP : Port: 12796 205.188.157.227 50 207.96.1.4 12796
    UDP : Port: 07858 152.163.159.229 51 207.96.1.4 7858
    UDP : Port: 07150 64.12.51.143 52 207.96.1.4 7150
    UDP : Port: 08128 152.163.159.227 66 207.96.1.4 8128

    Here are the resolved AOL servers from the entire log:
    ======================================================
    rtc-ext1.ns.aol.com
    rtc-ext2.ns.aol.com
    rtc-ext3.ns.aol.com
    rtc-ext4.ns.aol.com
    rtc-ext5.ns.aol.com
    rtc-ext6.ns.aol.com
    dtc-ext1.ns.aol.com
    dtc-ext2.ns.aol.com
    dtc-ext3.ns.aol.com
    dtc-ext4.ns.aol.com
    dtc-ext6.ns.aol.com
    mtc-ext1.ns.aol.com
    mtc-ext2.ns.aol.com
    mtc-ext3.ns.aol.com
    mtc-ext4.ns.aol.com
    mtc-ext5.ns.aol.com
    mtc-ext6.ns.aol.com

    Here are all the IANA port assignments for the UDP ports of the AOL servers
    =====================================================
    50 - Remote Mail Checking
    51 - IMP Logical Address Maintenance
    52 - XNS Time Protocol
    61 - NI MAIL
    64 - Communications Integrator (CI)
    66 - Oracle SQL*NET

    My initial hunch was that users were hitting webmail using their personal AOL accounts but I don't see any port 80 activity. My next guess was the e-mail notification feature used in AIM but after a quick test using Ethereal, no such luck.

    Again, any input would be appreciated.

    Thanks!
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
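As an added example (not from the thread), here is a small Python triage script for firewall lines in the format of the log above: it parses each event, tallies the AOL-side source ports against the IANA names listed in the post, and checks whether the destination ports cluster on a fixed service port or are scattered across high ports. The sample lines are constructed from the log format shown above; the dest IP is the one the poster already substituted.

```python
import re
from collections import Counter

# Constructed sample in the same format as the firewall log in the post.
LOG_SAMPLE = """\
UDP : Port: 11792 152.163.159.228 51 207.96.1.4 11792
UDP : Port: 23896 152.163.159.229 52 207.96.1.4 23896
UDP : Port: 08786 205.188.157.225 50 207.96.1.4 8786
UDP : Port: 05696 205.188.157.230 66 207.96.1.4 5696
UDP : Port: 13942 64.12.51.130 52 207.96.1.4 13942
UDP : Port: 08128 152.163.159.227 66 207.96.1.4 8128
"""

# IANA names for the source ports, as listed in the post.
IANA_NAMES = {50: "Remote Mail Checking", 51: "IMP Logical Address Maintenance",
              52: "XNS Time Protocol", 61: "NI MAIL",
              64: "Communications Integrator (CI)", 66: "Oracle SQL*NET"}

# event, flagged port, source IP, source port, dest IP, dest port
LINE_RE = re.compile(
    r"^(?P<proto>\w+) : Port: (?P<flagged>\d+) (?P<src>[\d.]+) (?P<sport>\d+) "
    r"(?P<dst>[\d.]+) (?P<dport>\d+)$")


def parse_line(line):
    """Return one event dict, or None if the line is not in the log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def summarize(text):
    """Aggregate the log: who is sending, from which ports, to which ports."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    by_sport = Counter(e["sport"] for e in events)
    by_src = Counter(e["src"] for e in events)
    dports = [e["dport"] for e in events]
    # A service listening inside would be hit on one fixed dest port; distinct
    # high dest ports on every hit are the thing to confirm with a packet capture.
    return {
        "total": len(events),
        "src_ports": {p: (n, IANA_NAMES.get(p, "unassigned")) for p, n in by_sport.items()},
        "src_hosts": dict(by_src),
        "src_nets": sorted({src.rsplit(".", 1)[0] for src in by_src}),
        "unique_dports": len(set(dports)),
        "all_dports_high": all(p >= 1024 for p in dports),
    }
```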

  2. #2
    tampabay420 (Senior Member), joined Aug 2002, 953 posts
    I was looking around, the only thing that I saw was activity on ports 3361/3363 -> 5190
    but of course, I'm not using their dialup?

    is this your AOL account, or are people using AOL behind your network?
    yeah, I'm gonna need that by Friday...

  3. #3
    nebulus200 (Jaded Network Admin), joined Jun 2002, 1,356 posts
    Is it possible for you to supply some verbose sniffs/traces from the firewall (hiding your address of course)? It is really kind of hard to guess what might be going on without seeing the actual data being passed on those ports (you can make a program work on any port, but just because it is on a port doesn't necessarily mean it's the program associated with that port).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator), Washington D.C. area, joined Dec 2002, 2,884 posts
    Here's a little update:

    I went over to the building that was reporting the issue and sat on their network. Turns out that the admin wasn't giving me the entire story. The traffic is actually being dropped by the firewall on the WAN side. The traffic is originating from the AOL servers and the firewall is just eating it. I popped the IP addresses from the log file in the IP INFO page over at www.dshield.org and it seems that one of those AOL servers is a notorious box where attacks bounce off of. I called the AOL OPSEC group but as usual, they were less than interested.

    The other funny thing is that someone haxored their whois record for all the boxes above. Check this out:

    03/28/03 16:25:23 whois rtc-ext1.ns.aol.com
    .com is a domain of USA & International Commercial
    Searches for .com can be run at http://www.crsnic.net/

    whois -h whois.crsnic.net aol.com ...

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    AOL.COM.SAYS.HARASS.SOFTY797.FOR.SUBVERTER.NET
    AOL.COM.RAPED.SUBVERTER.NET
    AOL.COM.IS.N0T.AS.1337.AS.GULLI.COM
    AOL.COM.CANT.STOP.US.IFUD.COM
    AOL.COM

    LOL, this is from the "magic" server from SamSpade. It reports the same info for each box above.

    That's where I'm at so far. If anyone is interested, I will post the end result of this little investigation when I get to the bottom of it.

    Thanks for the replies. I appreciate it!
