October 9th, 2003, 03:47 AM
weird happenings with netstat
So I open up AIM and then do a netstat -n.
It shows three IPs with the AIM port. Normal enough (even though there was only one buddy on. I guess you have to connect to a server first.). Then I pinged all of them just to see if they would respond. Then I do netstat -n again and get the same three IPs with the AIM ports plus two other ones with port 80. So I open up IE and type in the two IPs and both get the same thing, a page which says "nothing to see here". One of the IPs started with 205 and the other with 64. Here is the source from View Source in IE:
<HTML><HEAD><meta http-equiv="pics-label" content='(pics-1.1 "http://www.icra.org/ratingsv02.html" l r (ca 1 lz 1 nz 1 oz 1 vz 1) gen true for "http://188.8.131.52" r (ca 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l r (n 0 s 0 v 0 l 0) gen true for "http://184.108.40.206" r (n 0 s 0 v 0 l 0))' /></HEAD><BODY>Nothing to see here</BODY></HTML>
What do you all make of this?
October 9th, 2003, 03:58 AM
Hmm, this is interesting... why are some links hidden in the source? The link doesn't show up anywhere on this page: http://www.rsac.org/rsac/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
October 9th, 2003, 04:09 AM
The link shouldn't show up anywhere on the page; all that is happening in that part of the source code is the doctype is being declared. Amusing that it should be declared as 'strict' since the code is not current w/the latest HTML standard, but =P if you don't exactly follow, go to http://www.w3schools.com and read up a bit on regular HTML vs. XHTML and you'll find a DOCTYPE section, I'm sure.
October 9th, 2003, 05:58 AM
I like to use SamSpade (http://www.samspade.org/) to figure out who is on the other end of IP numbers:
What it looks like is you are seeing some of the routing servers or hops from your machine to the site you pinged. Try a TraceRt or pick up a PingPlotter to see where things go from your location to the ping target.
Trying whois -h whois.arin.net 220.127.116.11
OrgName: America Online, Inc.
Address: 10600 Infantry Ridge Road
NetRange: 18.104.22.168 - 22.214.171.124
NetType: Direct Assignment
TechName: America Online, Inc.
# ARIN WHOIS database, last updated 2003-10-08 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
BTW, I did a little Google on some of the strings you posted. Here is one of the results:
Curiouser and curiouser.
October 9th, 2003, 03:17 PM
Those connections on port 80 might be to the servers that host the ads and crap on the top of AIM and the news ticker/headlines.
I could be completely wrong..but it was just a thought.
October 9th, 2003, 06:22 PM
Tekno, I believe, has hit the nail on the head. This is just AIM pulling banners from various AOL sites:
Addresses: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Blocking these sites will reportedly screw AIM up but I hear that DeadAIM does a good job.
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
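The check the thread performs by eye (run netstat -n twice and spot which remote endpoints are new) can be scripted. This is an added example, not code from any poster in the thread. The netstat output is constructed, the addresses are documentation-range placeholders, and 5190 as the AIM port is an assumption the thread does not state.

```python
# Added example: diff two `netstat -n` snapshots to see which remote endpoints are new.
import re
from collections import defaultdict

# Constructed sample output (Windows `netstat -n` layout). Addresses are
# documentation-range placeholders; port 5190 for AIM is an assumption.
BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:1042        198.51.100.5:5190      ESTABLISHED
  TCP    192.0.2.10:1043        198.51.100.6:5190      ESTABLISHED
  TCP    192.0.2.10:1044        198.51.100.7:5190      ESTABLISHED
"""
AFTER = BEFORE + """\
  TCP    192.0.2.10:1051        203.0.113.20:80        ESTABLISHED
  TCP    192.0.2.10:1052        203.0.113.21:80        TIME_WAIT
"""

# proto, local addr:port, remote addr:port, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

def parse(text):
    """Return a set of (proto, remote_ip, remote_port, state) tuples."""
    conns = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers and listener rows such as "*:*" do not match
            proto, _lip, _lport, rip, rport, state = m.groups()
            conns.add((proto, rip, int(rport), state))
    return conns

def new_remote_endpoints(before, after):
    """Group endpoints present only in the second snapshot by remote port."""
    seen = {(p, ip, port) for p, ip, port, _ in parse(before)}
    by_port = defaultdict(list)
    for p, ip, port, state in sorted(parse(after)):
        if (p, ip, port) not in seen:
            by_port[port].append((ip, state))
    return dict(by_port)

if __name__ == "__main__":
    for port, peers in new_remote_endpoints(BEFORE, AFTER).items():
        for ip, state in peers:
            print(f"new remote {ip}:{port} ({state})")
```

Each new address can then be looked up with whois, as done earlier in the thread, to see who owns the range.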