-
September 17th, 2007, 02:08 PM
#1
Instant messenger behavior
So, I'm looking at my Snort logs with a focus on looking for odd after-hours type of file-transfer nastiness, and I keep seeing Yahoo IM logons from the same box at random late-night hours during the night.
I don't *think* anyone's on the box at those hours... ;-)
If someone leaves the IM open, does it periodically re-logon (refresh?) itself? Is this typical behavior for IM, IRC, or any of those? (Yes, I'm aware of the bot C&C over IRC stuff -- just not sure what's "normal").
Thanks in advance,
~m
-
September 17th, 2007, 03:37 PM
#2
The Yahoo client will automatically try to log itself back in after 20 seconds if the connection is lost, whether by the internet connection going out for a few seconds and the computer regrabbing an IP address to use, or by the user's Yahoo account being disconnected via a booter-type program.
Other than that, if none of those conditions are being met, then Yahoo will not disconnect and try to reconnect after 20 seconds.
Could someone who uses that workstation during the day have a program like VNC running, and be accessing the computer from home or another location?
Also, if the workstation is doing a file transfer via Yahoo then you should be able to grab the other person's IP address, as during a file transfer you do a direct connection to the other person's computer and skip the Yahoo server completely.
A simple netstat -a {while the transfer is taking place} would bring up enough details, and a simple whois would then give you more info.
-
September 19th, 2007, 05:52 PM
#3
thanks
Hmm, guess I'll have to start looking closer then... no "good" reason for this behavior.
Thanks for the input.
~m
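
Added example, not part of the original thread: a small Python triage script for the log review discussed above. It groups after-hours IM logon alerts per source host and collapses logons that follow each other within `retry_gap` seconds into one burst, so runs consistent with the roughly 20-second auto-reconnect described in reply #2 can be told apart from separate logon events. The alert lines use Snort's "fast" alert layout but are constructed; the rule id, message text, addresses, the 07:00-19:00 working day and the 30-second gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample alerts (made-up local rule ids, messages and
# documentation-range addresses); not taken from the thread.
SAMPLE = """\
09/16-14:05:10.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.10:1030 -> 198.51.100.5:5050
09/17-02:13:00.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.10:1041 -> 198.51.100.5:5050
09/17-02:13:21.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.10:1042 -> 198.51.100.5:5050
09/17-02:13:43.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.10:1043 -> 198.51.100.5:5050
09/17-02:20:00.000000  [**] [1:1000002:1] LOCAL unrelated alert [**] [Priority: 3] {TCP} 192.0.2.10:1050 -> 198.51.100.9:80
09/17-03:47:09.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.10:1060 -> 198.51.100.5:5050
09/17-23:30:00.000000  [**] [1:1000001:1] LOCAL Yahoo IM logon [**] [Priority: 3] {TCP} 192.0.2.22:1100 -> 198.51.100.5:5050
"""

# timestamp  [**] [gid:sid:rev] message [**] ... {TCP} src:port -> dst:port
LINE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]"
    r".*\{TCP\}\s+([\d.]+):\d+\s+->")

def after_hours(ts, start=time(7, 0), end=time(19, 0)):
    """True when ts falls outside the assumed 07:00-19:00 working day."""
    return not (start <= ts.time() < end)

def review(log_text, year=2007, match="Yahoo IM logon", retry_gap=30):
    """Return {src_ip: [(first_seen, logon_count), ...]} for after-hours logons.
    The fast format carries no year, so one is supplied by the caller."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and match in m.group(2):
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
            if after_hours(ts):
                by_host[m.group(3)].append(ts)
    report = {}
    for host, stamps in by_host.items():
        stamps.sort()
        bursts = [[stamps[0]]]
        for ts in stamps[1:]:
            # A short gap is treated as a retry within the same burst.
            if (ts - bursts[-1][-1]).total_seconds() <= retry_gap:
                bursts[-1].append(ts)
            else:
                bursts.append([ts])
        report[host] = [(b[0], len(b)) for b in bursts]
    return report

if __name__ == "__main__":
    for host, bursts in review(SAMPLE).items():
        for first, count in bursts:
            print(f"{host}  {first:%m/%d %H:%M:%S}  logons in burst: {count}")
```

Single logons spread hours apart on a host nobody should be using are not accounted for by the reconnect timer alone and are the ones to follow up with the `netstat -a` check suggested in reply #2.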