Results 1 to 3 of 3

Thread: Instant messenger behavior

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Instant messenger behavior

    So, I'm looking at my Snort logs with a focus on looking for odd after-hours type of file-transfer nastiness, and I keep seeing Yahoo IM logons from the same box at random late-night hours during the night.

    I don't *think* anyone's on the box at those hours... ;-)

    If someone leaves the IM open, does it periodically re-logon (refresh?) itself? Is this typical behavior for IM, IRC, or any of those? (Yes, I'm aware the 'bot C&C over IRC stuff -- just not sure what's "normal").

    Thanks in advance,
    ~m

  2. #2
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    The yahoo client will automatically try to log itself back in after 20 seconds if the connection is lost. Either it be by internet connectiong going out for a few seconds and the computer regrabbing a IP addresse to use, or if the user's yahoo account was disconnected via a booter type program.

    Other then that if none of those conditions are being met then yahoo will not disconnect and try to reconnect after 20 seconds.

    Could there be someone who uses that workstation during the day have a program like VNC running, and they are accessing the computer from home or another location?.

    Also if the workstation is doing a file transfer via yahoo then you should be able to grab the other persons IP addresse, as during a file transfer you do a direct connection to the other persons computer and skip the yahoo server completly.

    a simple netstat -a {While transfer is taking place } would bring up enough details, and a simple whois would then give you more info.

  3. #3
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    thanks

    Hmm, guess I'll have to start looking closer then... no "good" reason for this behavior.

    Thanks for the input.
    ~m

Similar Threads

  1. Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
    By el-half in forum Microsoft Security Discussions
    Replies: 8
    Last Post: December 10th, 2003, 10:14 PM
  2. strange messenger service behavior
    By Mykol in forum Microsoft Security Discussions
    Replies: 3
    Last Post: August 8th, 2003, 05:28 PM
  3. AOL Instant Messenger Vulnerability
    By KOBBRAS in forum Miscellaneous Security Discussions
    Replies: 4
    Last Post: January 29th, 2003, 08:37 PM
  4. Getting an IP address using an Instant Messenger
    By LoGiK in forum Newbie Security Questions
    Replies: 4
    Last Post: November 12th, 2002, 05:08 PM
  5. Cash for MSN usage?
    By Sick Dwarf in forum AntiOnline's General Chit Chat
    Replies: 6
    Last Post: September 26th, 2002, 02:59 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •