Security Incidents
mailing list archives
Re: Strange port 23 traffic
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Mon, 19 Mar 2001 09:36:38 -0500
This is Conducent spyware posting user information to select its advertising.
It uses POST to describe the adware you are running and the particular user ID
of the machine. It then retrieves the ad that will be shown to the user.
Conducent collects the demographics of its users to tailor the advertising to
user interest.
Costas Karafasoulis <karafas () MAIL ARIADNE-T GR> on 03/18/2001 03:49:37 PM
Please respond to Costas Karafasoulis <karafas () MAIL ARIADNE-T GR>
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Strange port 23 traffic
There is some strange traffic in my network that I can't really
figure out what it is. It consists of a large number of connections
of the form:
xxx.xxx.xxx.xxx.1079-yyy.yyy.yyy.yyy.23
POST http://xxx.xxx.xxx.xxx:23/Ready?PVersion=1.0&CVersion=4000000&TVersion=1.0&Session=441272 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Cache-Control: no-cache
Pragma: no-cache
Date: Thu, 15 Feb 2001 00:20:56 GMT
Host: xxx.xxx.xxx.xxx
transaction=
DAAAAAgAAAASAAAAAAAAAA==
------------------------------------------------------------------------------------
yyy.yyy.yyy.yyy.23-xxx.xxx.xxx.xxx.1079
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Thu, 15 Feb 2001 00:19:15 GMT
Content-Type: text/html
Content-Length: 660
Expires: Thu, 15 Feb 2001 00:19:15 GMT
<html><title>Conducent Response</title><body><P>
OjU5AGh0dHA6Ly9yZWRVjZW50LmNvbS9TY3JpcHRzL1JlZG
yLmRsbD9SyMDAxLTA2LTMwIDIzOjU5OjU5ADIzOjU5
</P></body></html>
Any ideas what it could be???
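Added example, not part of either poster's message: a small Python check that flags an HTTP request sent to a non-HTTP port such as 23 and decodes the form-encoded transaction field from the request quoted above. The addresses are documentation-range placeholders, HTTP_PORTS is an assumed local baseline, and reading the decoded bytes as little-endian 32-bit words is an assumption, since the thread does not document the format.

```python
import base64
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request from the post, abridged, with the masked
# addresses replaced by documentation-range placeholders.
FLOW = "192.0.2.10.1079-198.51.100.20.23"
PAYLOAD = (
    b"POST http://198.51.100.20:23/Ready?PVersion=1.0&CVersion=4000000"
    b"&TVersion=1.0&Session=441272 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"Host: 198.51.100.20\r\n\r\n"
    # A CRLF inside the value makes the body exactly 38 bytes, as declared.
    b"transaction=\r\nDAAAAAgAAAASAAAAAAAAAA=="
)

HTTP_PORTS = {80, 443, 3128, 8000, 8080, 8443}  # assumed local baseline
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r?\n")

def parse_flow(flow):
    """Split 'a.b.c.d.sport-e.f.g.h.dport', the notation used in the post."""
    src, dst = flow.split("-")
    (sip, sport), (dip, dport) = (s.rsplit(".", 1) for s in (src, dst))
    return sip, int(sport), dip, int(dport)

def inspect_flow(flow, payload):
    """Return a finding if an HTTP request is sent to a non-HTTP port."""
    sip, _, dip, dport = parse_flow(flow)
    m = REQUEST_LINE.match(payload)
    if m is None or dport in HTTP_PORTS:
        return None
    url = urlsplit(m.group(2).decode("ascii", "replace"))
    finding = {"client": sip, "server": dip, "port": dport,
               "method": m.group(1).decode(), "path": url.path,
               "params": {k: v[0] for k, v in parse_qs(url.query).items()}}
    body = payload.partition(b"\r\n\r\n")[2]
    # Drop the whitespace the capture shows between 'transaction=' and its value.
    field, _, value = b"".join(body.split()).partition(b"=")
    if field == b"transaction":
        raw = base64.b64decode(value)
        n = len(raw) // 4
        finding["transaction_hex"] = raw.hex()
        # Assumed layout (not documented in the thread): little-endian 32-bit words.
        finding["transaction_words"] = list(struct.unpack(f"<{n}I", raw[:4 * n]))
    return finding
```

Calling inspect_flow(FLOW, PAYLOAD) returns the client, server, port, query parameters and decoded transaction bytes; the same payload sent to port 80 returns None.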