Network Security Incidents
RE: port 6801 and Netzero

Subject: RE: port 6801 and Netzero
Date: Fri, 18 Feb 2005 20:42:01 -0500
Your log shows what looks like normal NetZero or Juno traffic going to a
normal United Online server. Probably the search application, based on the
UOL server name and identifiers in your capture. 

Relevant registry entries on a United Online client:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;<local>

This might be the program connecting to searchap:
hkey_current_user\software\microsoft\windows\currentversion\run|spc_w|c:\program files\nzsearch\hcm.exe -w

The IP addresses in ProxyOverride belong to United - your searchap server
address 64.136.29.37 is in the same netblock.

Searchap.untd.com:6801 accepts only POST method, not GET. Consistent with
being a server that takes phone home calls and delivers search results (or
more likely ad pointers) in return.

As for why your host is also probing non-UOL hosts that are submitting port
6801 reports to DShield, that remains to be explained. Can you see what
ports are open on the host you logged, and what programs have those ports
open? Can you capture PSH packets from that host to or from any non-UOL host
on TCP 6801? Can you monitor 7000 and 7900 and any other non-standard ports
on your suspect host? Are there any unusual hosts in the ProxyOverride key?

The NetZero client runs a local proxy server on TCP 7900, and the client
bypasses the proxy for certain sites - such as UOL's. It also opens some
sort of service port on ??P 7000 based on google info. 

Dshield shows a recent spike in probes for 7000, and a very slight increase
in 7900 probes. Maybe there is some Juno or NetZero exploitation going on.
7000 is used by many other things, so it might not be related.

Is your organization a Dshield submitter? Maybe some misconfiguration is
causing your network to report itself as a prober.

Captures of your suspect host's traffic to non-United servers (or proof
that there isn't any) would probably tell the true story pretty clearly.
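The check suggested above ("are there any unusual hosts in the ProxyOverride key?") can be scripted. The following is an added example, not part of the original post: it parses a ProxyOverride value in the format quoted in the message, works out whether a given destination would skip the 127.0.0.1:7900 local proxy, and flags bypass entries that fall outside the expected set. The 64.136.0.0/16 netblock is an assumption (the post only says the addresses are "in the same netblock"), and the trailing evil-example.test entry is constructed to show a flagged host.

```python
import fnmatch
import ipaddress

# Constructed sample: the ProxyOverride value from the post, plus one made-up
# extra entry (evil-example.test) so the flagging logic has something to catch.
SAMPLE_OVERRIDE = (
    "64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost"
    ";*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;<local>"
    ";evil-example.test"
)

# Assumption: the bypass entries a stock United Online client is expected to carry.
EXPECTED_PATTERNS = {
    "searchap.untd.com", "127.0.0.1", "localhost", "<local>",
    "*windowsupdate.microsoft.com", "*windowsupdate.com", "*wustat.windows.com",
}
EXPECTED_NETS = [ipaddress.ip_network("64.136.0.0/16")]  # assumed UOL netblock


def parse_override(value):
    """Split a ProxyOverride value into its individual bypass entries."""
    return [e.strip() for e in value.split(";") if e.strip()]


def bypasses_proxy(dest, entries):
    """True if WinINet would send `dest` direct, skipping the local proxy."""
    dest = dest.lower()
    for entry in entries:
        e = entry.lower()
        if e == "<local>":
            if "." not in dest:  # <local> matches plain names without a dot
                return True
        elif fnmatch.fnmatchcase(dest, e):  # '*' wildcards as in the registry value
            return True
    return False


def unexpected_entries(entries):
    """Entries that are neither expected patterns nor IPs inside expected nets."""
    odd = []
    for e in entries:
        if e in EXPECTED_PATTERNS:
            continue
        try:
            ip = ipaddress.ip_address(e)
        except ValueError:
            odd.append(e)  # a hostname or pattern we do not expect
            continue
        if not any(ip in net for net in EXPECTED_NETS):
            odd.append(e)  # an IP outside the assumed United Online range
    return odd
```

On a live client the value would be read from the HKCU key quoted in the post and passed to parse_override in place of the constructed sample.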
