unusual file transfer, I think...

[Mykol]

My Snort shows me plently of Yahoo file transfers, and we don't care about them normally; just the ones that happen at odd hours (which aren't too many). I can't tell if this is legitimate, or if it's something I should be concerned about: a file transfer request from our box at 00:44 o'clock.

Sorry for the long output posted here, I think the most important stuff is near the top. I tried Googling keywords found in here, to no avail.

Would YOU be concerned about this?

#(33 - 201093) [2007-12-03 00:44:08] [local/3692] [snort/1:3692] CHAT Yahoo Messenger File Transfer Initiation Request

IPv4: xxx.xxx.xxx.xxx -> 216.155.194.210
hlen=5 TOS=0 dlen=1420 ID=58928 flags=0 offset=0 TTL=127 chksum=5629

TCP: port=4626 -> dport: 80 flags=***A**** seq=2521291786
ack=3328599571 off=5 res=0 win=65535 urp=0 chksum=19055

Payload: POST /notifyft HTTP/1.1<DIV class="nonascii">[2 non-ASCII characters]</DIV>Referer: LEDTXP<DIV class="nonascii">[2 non-ASCII characters]</DIV>User-Agent: Mozilla/4.01 [en] (Win95; I)<DIV class="nonascii">[2 non-ASCII characters]</DIV>Host:

filetransfer.msg.yahoo.com<DIV class="nonascii">[2 non-ASCII characters]</DIV>Content-Length: 7249<DIV class="nonascii">[2 non-ASCII characters]</DIV>Cache-Control: no-cache<DIV class="nonascii">[2 non-ASCII characters]</DIV>

Cookie: B=9ue83lh2bpmpg&b=3&s=kt; LYC=l_v=2&l_lv=10&l_l=4db8jdqr&l_l_lid=1bl02or&l_r=6b&l_um=0_0_0_0_0; Y=v=1&n=bt9r0jo719s7g&l=4db8jdqr/o&p=m2i24u9013000000&r=6b&lg=us&intl=us; T=z=ViJTHBVoeTHBLw1DIjGBjm9NDMzBk82NU4yMjVPNg--&a=QAE&sk=DAA.AMF.RYObLj&ks=EAAmByEovm0mwbu3SczT2JnyA--~A&d=c2wBTXpRMEFUZ3hNamsxTlRJNE1RLS0BYQFRQUUBdGlwAVNhQXpKRAF6egFWaUpUSEJnV0E-&af=QUFBQ0FDQUQmdHM9MTE5NjIwMjEzMyZwcz02NnZBMTdGNGY3cGFLNFFSZzlZLi5RLS0-; C=mg=1<DIV class="nonascii">[4 non-ASCII characte!
rs]</DIV>YMSG<DIV class="nonascii">[5 non-ASCII characters]</DIV>}<DIV class="nonascii">[8 non-ASCII characters]</DIV>}71<DIV class="nonascii">[2 non-ASCII characters]</DIV>enlitn01<DIV class="nonascii">[2 non-ASCII characters]</DIV>38<DIV class="nonascii">[2 non-ASCII characters]</DIV>604800<DIV class="nonascii">[2 non-ASCII characters]</DIV>0<DIV class="nonascii">[2 non-ASCII characters]</DIV>enlitn01<DIV class="nonascii">[2 non-ASCII characters]</DIV>28<DIV class="nonascii">[2 non-ASCII characters]</DIV>7104<DIV class="nonascii">[2 non-ASCII characters]</DIV>27<DIV class="nonascii">[2 non-ASCII characters]</DIV>c%3A\program+files\trillian\users\default\cache\\tmp18467.png<DIV class="nonascii">[2 non-ASCII characters]</DIV>14<DIV class="nonascii">[4 non-ASCII characters]</DIV>29<DIV class="nonascii">[3 non-ASCII characters]</DIV>PNG<DIV class="nonascii">[8 non-ASCII characters]</DIV>IHDR<DIV class="nonascii">[3 non-ASCII characters]</DIV>`<DIV class="nonascii">[3 non-ASCI!
I characters]</DIV>`<DIV class="nonascii">[7 non-ASCII charact!
ers]</DIV>w8<DIV class="nonascii">[4 non-ASCII characters]</DIV>IDATx<DIV class="nonascii">[2 non-ASCII characters]</DIV>]K<br>$<br>U>=<DIV class="nonascii">[3 non-ASCII characters]</DIV>y<br>s<DIV class="nonascii">[8 non-ASCII characters]</DIV>=!61I<br><!<DIV class="nonascii">[2 non-ASCII characters]</DIV>%<DIV class="nonascii">[3 non-ASCII characters]</DIV>B<DIV class="nonascii">[4 non-ASCII characters]</DIV>X <br>,<br> <DIV class="nonascii">[2 non-ASCII characters]</DIV>E <DIV class="nonascii">[2 non-ASCII characters]</DIV>@<br>@Q<br> <br> ;<DIV class="nonascii">[2 non-ASCII characters]</DIV>D&<br>9!<br>c;<DIV class="nonascii">[3 non-ASCII characters]</DIV>c<br>y{<DIV class="nonascii">[2 non-ASCII characters]</DIV>g<br>{<DIV class="nonascii">[2 non-ASCII characters]</DIV>]<br>U,<DIV class="nonascii">[5 non-ASCII characters]</DIV>3<DIV class="nonascii">[8 non-ASCII characters]</DIV>~<DIV class="nonascii">[12 non-ASCII characters]</DIV>Y8<DIV class="nonascii">[2 non-ASCII characte!
rs]</DIV>TDddl<DIV class="nonascii">[7 non-ASCII characters]</DIV>D,<DIV class="nonascii">[5 non-ASCII characters]</DIV>cb<DIV class="nonascii">[5 non-ASCII characters]</DIV>i<DIV class="nonascii">[10 non-ASCII characters]</DIV>\8.""<br>7_<DIV class="nonascii">[3 non-ASCII characters]</DIV>a<DIV class="nonascii">[2 non-ASCII characters]</DIV>-<DIV class="nonascii">[7 non-ASCII characters]</DIV>x)<DIV class="nonascii">[9 non-ASCII characters]</DIV>0<DIV class="nonascii">[2 non-ASCII characters]</DIV>yDC<DIV class="nonascii">[8 non-ASCII characters]</DIV><<DIV class="nonascii">[2 non-ASCII characters]</DIV>""<br>O0<DIV class="nonascii">[6 non-ASCII characters]</DIV>(<br>]G{g<DIV class="nonascii">[3 non-ASCII characters]</DIV>tDDdw<br>&^7[<br>Z<<DIV class="nonascii">[3 non-ASCII characters]</DIV>8Z<<DIV class="nonascii">[2 non-ASCII characters]</DIV>.<DIV class="nonascii">[3 non-ASCII characters]</DIV>3<DIV class="nonascii">[4 non-ASCII characters]</DIV>p^<DIV class="nonascii"!
>[6 non-ASCII characters]</DIV>Q<DIV class="nonascii">[4 non-A!
SCII characters]</DIV>%<DIV class="nonascii">[2 non-ASCII characters]</DIV>4<DIV class="nonascii">[2 non-ASCII characters]</DIV>v<DIV class="nonascii">[4 non-ASCII characters]</DIV>[<DIV class="nonascii">[8 non-ASCII characters]</DIV>V<DIV class="nonascii">[2 non-ASCII characters]</DIV>w<DIV class="nonascii">[5 non-ASCII characters]</DIV>5<br>4wtx<DIV class="nonascii">[3 non-ASCII characters]</DIV>w6i<br>DDd<DIV class="nonascii">[3 non-ASCII characters]</DIV>Vi<DIV class="nonascii">[2 non-ASCII characters]</DIV>N<DIV class="nonascii">[4 non-ASCII characters]</DIV>e<DIV class="nonascii">[8 non-ASCII characters]</DIV>H<br>P<DIV class="nonascii">[3 non-ASCII characters]</DIV>8<br>$<br>D<DIV class="nonascii">[2 non-ASCII characters]</DIV>c<br>q<DIV class="nonascii">[2 non-ASCII characters]</DIV>_<DIV class="nonascii">[4 non-ASCII characters]</DIV>.,w<DIV class="nonascii">[5 non-ASCII characters]</DIV> <DIV class="nonascii">[5 non-ASCII characters]</DIV>o<br>0<DIV class="nonascii">[6 non!
-ASCII characters]</DIV>p<br>t<br>q<DIV class="nonascii">[2 non-ASCII characters]</DIV>&<DIV class="nonascii">[5 non-ASCII characters]</DIV>X<DIV class="nonascii">[7 non-ASCII characters]</DIV>,<br>>"""<DIV class="nonascii">[2 non-ASCII characters]</DIV>CD<DIV class="nonascii">[3 non-ASCII characters]</DIV>X<DIV class="nonascii">[2 non-ASCII characters]</DIV>7<DIV class="nonascii">[8 non-ASCII characters]</DIV> <DIV class="nonascii">[7 non-ASCII characters]</DIV> <br>G<DIV class="nonascii">[5 non-ASCII characters]</DIV>N<br>0<DIV class="nonascii">[2 non-ASCII characters]</DIV>0<DIV class="nonascii">[2 non-ASCII characters]</DIV>6}<br>z*K<DIV class="nonascii">[3 non-ASCII characters]</DIV>f<br>%#<DIV class="nonascii">[2 non-ASCII characters]</DIV>$UD<DIV class="nonascii">[7 non-ASCII characters]</DIV>:<DIV class="nonascii">[5 non-ASCII characters]</DIV>,.<DIV class="nonascii">[5 non-ASCII characters]</DIV>^<DIV class="nonascii">[3 non-ASCII characters]</DIV>q4<br>y<DIV class!
="nonascii">[4 non-ASCII characters]</DIV>.<DIV class="nonasci!
i">[3 non-ASCII characters]</DIV>\<DIV class="nonascii">[7 non-ASCII characters]</DIV>3<DIV class="nonascii">[3 non-ASCII characters]</DIV>Oq<br>D<DIV class="nonascii">[5 non-ASCII characters]</DIV>>,<DIV class="nonascii">[3 non-ASCII characters]</DIV>p<DIV class="nonascii">[3 non-ASCII characters]</DIV>- <DIV class="nonascii">[5 non-ASCII characters]</DIV>^<br>u4<br>

[SirDice]

Not sure but it looks legit.. Just someone that forgot to logoff?

POST /notifyft HTTP/1.1
Host: filetransfer.msg.yahoo.com

And somewhere in there:
c%3A\program+files\trillian\users\default\cache\\tmp18467.png

I did find a piece of source code that looks like the stuff you're seeing. It part of the Gaim source..

http://cr.yp.to/2004-494/gaim/0.81-s...hoo_filexfer.c

[Mykol]

I was thinking along those lines, but I can't any information on what "normal" behavior would look like (like someone not forgeting to log off). My thoughts are that if it was normal: I'd see it more often and from others, it would happen on a recurring schedule (once an hour e.g.), and maybe it would be simple refresh message (not a file transfer request). If it were IN-bound, I'd consider an auto-update or something...

Thanks for Gaim info, I didn't come up with those references before.

Cheers!

[SirDice]

I searched for that "POST /notifyft" and it pointed me to that gaim source. The difference being that uses HTTP/1.0. Probably a bug because they're also sending the Host: header, which is 1.1

You probably won't find much info on the protocol used by Yahoo. AFAIK it's proprietary and all third party clients are basically reverse-engineered.

Is that <DIV class="nonascii"> really there or is that caused by copy/pasting some web reporting tool output here?
As it's most likely a filetransfer I would expect to see lots of binary. The tool seems to hide this as it mainly contains non printable characters. There may be a way to show this in a combined hexadecimal/ascii output.