A little help - AOL, what are they up to?

Printable View

March 28th, 2003, 04:11 PM
thehorse13

A little help - AOL, what are they up to?

I'm not familiar with all the goofy AOL services these days and I have seen some odd traffic on my firewall. Can anyone tell me if they have seen similar traffic? Any help is appreciated.

(dest IP changed for obvious reasons)

LOG SAMPLE
=====================================================
event source port dest port
UDP : Port: 11792 152.163.159.228 51 207.96.1.4 11792
UDP : Port: 23896 152.163.159.229 52 207.96.1.4 23896
UDP : Port: 08786 205.188.157.225 50 207.96.1.4 8786
UDP : Port: 07160 64.12.51.141 50 207.96.1.4 7160
UDP : Port: 07528 205.188.157.230 52 207.96.1.4 7528
UDP : Port: 05696 205.188.157.230 66 207.96.1.4 5696
UDP : Port: 14204 64.12.51.141 50 207.96.1.4 14204
UDP : Port: 04120 205.188.157.227 50 207.96.1.4 4120
UDP : Port: 13942 64.12.51.130 52 207.96.1.4 13942
UDP : Port: 06668 152.163.159.227 51 207.96.1.4 6668
UDP : Port: 05858 64.12.51.144 50 207.96.1.4 5858
UDP : Port: 10918 152.163.159.226 50 207.96.1.4 10918
UDP : Port: 12228 205.188.157.226 51 207.96.1.4 12228
UDP : Port: 13514 152.163.159.228 50 207.96.1.4 13514
UDP : Port: 10736 64.12.51.143 50 207.96.1.4 10736
UDP : Port: 07966 152.163.159.228 51 207.96.1.4 7966
UDP : Port: 05620 152.163.159.225 50 207.96.1.4 5620
UDP : Port: 13830 64.12.51.130 50 207.96.1.4 13830
UDP : Port: 10506 64.12.51.143 50 207.96.1.4 10506
UDP : Port: 12796 205.188.157.227 50 207.96.1.4 12796
UDP : Port: 07858 152.163.159.229 51 207.96.1.4 7858
UDP : Port: 07150 64.12.51.143 52 207.96.1.4 7150
UDP : Port: 08128 152.163.159.227 66 207.96.1.4 8128

Here are the resolved AOL servers from the entire log:
======================================================
rtc-ext1.ns.aol.com
rtc-ext2.ns.aol.com
rtc-ext3.ns.aol.com
rtc-ext4.ns.aol.com
rtc-ext5.ns.aol.com
rtc-ext6.ns.aol.com
dtc-ext1.ns.aol.com
dtc-ext2.ns.aol.com
dtc-ext3.ns.aol.com
dtc-ext4.ns.aol.com
dtc-ext6.ns.aol.com
mtc-ext1.ns.aol.com
mtc-ext2.ns.aol.com
mtc-ext3.ns.aol.com
mtc-ext4.ns.aol.com
mtc-ext5.ns.aol.com
mtc-ext6.ns.aol.com

Here are all the IANA port assignments for the UDP ports of the AOL servers
=====================================================
50 - Remote Mail Checking
51 - IMP Logical Address Maintenance
52 - XNS Time Protocol
61 - NI MAIL
64 - Communications Integrator (CI)
66 - Oracle SQL*NET

My initial hunch was that users were hitting webmail using their personal AOL accounts but I don't see any port 80 activity. My next guess was the e-mail notification feature used in AIM but after a quick test using Ethereal, no such luck.

Again, any input would be appreciated.

Thanks!
March 28th, 2003, 08:46 PM
tampabay420

i was llooking around, the only thing that i saw was activity on ports 3361/3363 -> 5190
but of course, i'm not using their dialup?

is this your AOL account, or are people using AOL behind your network?
March 28th, 2003, 08:59 PM
nebulus200

Is it possible for you to supply some verbose sniffs/traces from the firewall (hiding your address of course)? It is really kind of hard to guess what might be going on without seeing the actual data being passed on those ports (you can make a program work on any port, but just cause it is on a port doesn't necessarily mean it the program associated with that port)

/nebulus
March 28th, 2003, 10:26 PM
thehorse13

Here's a little update:

I went over to the building that was reporting the issue and sat on their network. Turns out that the admin wasn't giving me the entire story. The traffic is actually being dropped by the firewall on the WAN side. The traffic is originating from the AOL servers and the firewall is just eating it. I popped the IP addresses from the log file in the IP INFO page over at www.dshield.org and it seems that one of those AOL servers is a notorious box where attacks bounce off of. I called the AOL OPSEC group but as usual, they were less than interested.

The other funny thing is that someone haxored their whois record for all the boxes above. Check this out:

03/28/03 16:25:23 whois rtc-ext1.ns.aol.com
.com is a domain of USA & International Commercial
Searches for .com can be run at http://www.crsnic.net/

whois -h whois.crsnic.net aol.com ...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

AOL.COM.SAYS.HARASS.SOFTY797.FOR.SUBVERTER.NET
AOL.COM.RAPED.SUBVERTER.NET
AOL.COM.IS.N0T.AS.1337.AS.GULLI.COM
AOL.COM.CANT.STOP.US.IFUD.COM
AOL.COM

LOL, this is from the "magic" server from SamSpade. It reports the same info for each box above.

That's where I'm at so far. If anyone is interested, I will post the end result of this little investigation when I get to the bottom of it.

Thanks for the replys. I appreciate it!