08-15-2010, 09:18 PM
BRM

Yahoo and strange traffic.

----- Original Message ----

> On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
> > Hi folks,
> > I been noticing the past few weeks that something is communicating with
> > Yahoo at these addresses:
> >
> > cs210p2.msg.sp1.yahoo.com
> >
> > rdis.msg.vip.sp1.yahoo.com
> >
> > I thought it was Kopete getting some info, profile pics maybe, from the
> > server. Thing is, it does this for a really long time. It is also
> > SENDING data as well. I have no idea why it is doing this or what it is
> > sending. I closed the Kopete app but the data still carries on. This
> > "transfer" has
> I think it's normal.
>
> The first address is one of their pool of messaging servers and the
> second is a web server, probably like you said for retrieving
> additional info. The sending of data could be the http request, or
> updating your status/picture/whatever kopete may be doing. You could
> try blocking it and see what breaks.

Likely true as Yahoo!'s interfaces are highly AJAX driven - with their own PHP
oriented widget kit as well.
So if you have a web page open to any Yahoo! site that is probably what is doing
it.

Ben
 
08-15-2010, 09:29 PM
Alan McKinnon

Yahoo and strange traffic.

On Sunday 15 August 2010 22:55:23 Paul Hartman wrote:
> On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
> > Hi folks,
> >
> > I been noticing the past few weeks that something is communicating with
> > Yahoo at these addresses:
> >
> > cs210p2.msg.sp1.yahoo.com
> >
> > rdis.msg.vip.sp1.yahoo.com
> >
> > I thought it was Kopete getting some info, profile pics maybe, from the
> > server. Thing is, it does this for a really long time. It is also
> > SENDING data as well. I have no idea why it is doing this or what it is
> > sending. I closed the Kopete app but the data still carries on. This
> > "transfer" has been going for a while now and the only way I can stop it
> > is to stop the network, wait a minute or two for it to time out and then
> > restart the network.
> >
> > Anybody have any idea what the heck this is? Is Yahoo up to something?
> >
> > Some new security issue that I haven't heard of?
>
> I think it's normal.
>
> The first address is one of their pool of messaging servers and the
> second is a web server, probably like you said for retrieving
> additional info. The sending of data could be the http request, or
> updating your status/picture/whatever kopete may be doing. You could
> try blocking it and see what breaks.

Dale,

It could also be a weather map, or any number of widgets that get data from
the intartubes.

netstat with -p can help track down the app that has the connection open.

--
alan dot mckinnon at gmail dot com
 
08-15-2010, 09:32 PM
Mick

Yahoo and strange traffic.

On Sunday 15 August 2010 21:34:33 Dale wrote:
> Hi folks,
>
> I been noticing the past few weeks that something is communicating with
> Yahoo at these addresses:
>
> cs210p2.msg.sp1.yahoo.com
>
> rdis.msg.vip.sp1.yahoo.com
>
> I thought it was Kopete getting some info, profile pics maybe, from the
> server. Thing is, it does this for a really long time. It is also
> SENDING data as well. I have no idea why it is doing this or what it is
> sending. I closed the Kopete app but the data still carries on. This
> "transfer" has been going for a while now and the only way I can stop it
> is to stop the network, wait a minute or two for it to time out and then
> restart the network.
>
> Anybody have any idea what the heck this is? Is Yahoo up to something?
> Some new security issue that I haven't heard of?

What does your netstat show with respect to ports being used and what does
tcpdump/tcpflow show? If it is Yahoo, you should see things that are relevant
and hopefully make sense.
--
Regards,
Mick
 
08-15-2010, 09:35 PM
Dale

Yahoo and strange traffic.

BRM wrote:

> ----- Original Message ----
>
> > On Sun, Aug 15, 2010 at 3:34 PM, Dale<rdalek1967@gmail.com> wrote:
> > > Hi folks,
> > > I been noticing the past few weeks that something is communicating with
> > > Yahoo at these addresses:
> > >
> > > cs210p2.msg.sp1.yahoo.com
> > >
> > > rdis.msg.vip.sp1.yahoo.com
> > >
> > > I thought it was Kopete getting some info, profile pics maybe, from the
> > > server. Thing is, it does this for a really long time. It is also
> > > SENDING data as well. I have no idea why it is doing this or what it is
> > > sending. I closed the Kopete app but the data still carries on. This
> > > "transfer" has
> >
> > I think it's normal.
> >
> > The first address is one of their pool of messaging servers and the
> > second is a web server, probably like you said for retrieving
> > additional info. The sending of data could be the http request, or
> > updating your status/picture/whatever kopete may be doing. You could
> > try blocking it and see what breaks.
>
> Likely true as Yahoo!'s interfaces are highly AJAX driven - with their own PHP
> oriented widget kit as well.
> So if you have a web page open to any Yahoo! site that is probably what is doing
> it.
>
> Ben

Wouldn't it stop tho if I closed Kopete? I'm not using Yahoo's
messenger tho. I don't think they have one now.

I did also try closing Seamonkey too but the traffic continues. I
very rarely go to yahoo.com.

Also, this can carry on for a really long time. This can last over 30
minutes.


Dale

:-) :-)
 
08-15-2010, 10:25 PM
Peter Humphrey

Yahoo and strange traffic.

On Sunday 15 August 2010 22:35:01 Dale wrote:

> Also, this can carry on for a really long time. This can last over
> 30 minutes.

I think I'd be getting tcpdump out about now...

--
Rgds
Peter. Linux Counter 5290, 1994-04-23.
 
08-15-2010, 10:48 PM
Dale

Yahoo and strange traffic.

Peter Humphrey wrote:

> On Sunday 15 August 2010 22:35:01 Dale wrote:
>
> > Also, this can carry on for a really long time. This can last over
> > 30 minutes.
>
> I think I'd be getting tcpdump out about now...

I'm going to try netstat next time. Waiting on it to start again.

Dale

:-) :-)
 
08-16-2010, 10:55 PM
Dale

Yahoo and strange traffic.

Alan McKinnon wrote:

> On Sunday 15 August 2010 22:55:23 Paul Hartman wrote:
> > On Sun, Aug 15, 2010 at 3:34 PM, Dale<rdalek1967@gmail.com> wrote:
> > > Hi folks,
> > >
> > > I been noticing the past few weeks that something is communicating with
> > > Yahoo at these addresses:
> > >
> > > cs210p2.msg.sp1.yahoo.com
> > >
> > > rdis.msg.vip.sp1.yahoo.com
> > >
> > > I thought it was Kopete getting some info, profile pics maybe, from the
> > > server. Thing is, it does this for a really long time. It is also
> > > SENDING data as well. I have no idea why it is doing this or what it is
> > > sending. I closed the Kopete app but the data still carries on. This
> > > "transfer" has been going for a while now and the only way I can stop it
> > > is to stop the network, wait a minute or two for it to time out and then
> > > restart the network.
> > >
> > > Anybody have any idea what the heck this is? Is Yahoo up to something?
> > >
> > > Some new security issue that I haven't heard of?
> >
> > I think it's normal.
> >
> > The first address is one of their pool of messaging servers and the
> > second is a web server, probably like you said for retrieving
> > additional info. The sending of data could be the http request, or
> > updating your status/picture/whatever kopete may be doing. You could
> > try blocking it and see what breaks.
>
> Dale,
>
> It could also be a weather map, or any number of widgets that get data from
> the intartubes.
>
> netstat with -p can help track down the app that has the connection open

OK. It finally started doing it again. Here is the short version of
netstat -p. It looks like kopete but what in the heck is it sending and
receiving?


root@smoker / # netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -


One other question, if this is kopete, how does it keep
sending/receiving after I have closed the kopete app?


This is weird. Kopete and Yahoo have not done this before.

Dale

:-) :-)
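Alan's `netstat -p` suggestion and the listing Dale posted lend themselves to a small script. The following Python is an added example, not code from the thread: it parses `netstat -p` output, groups sockets by remote host, and separates the rows that still name a process (ESTABLISHED, SYN_SENT) from the rows that read `-`. The sample input is constructed to match the shape of Dale's listing (program names shortened). A `-` in the PID/Program column next to TIME_WAIT or CLOSING is expected rather than suspicious: the application has already closed those sockets and the kernel is only finishing the TCP close handshake, so they carry no further application data; the rows worth chasing are the live ones, which here all belong to kopete.

```python
"""Summarise `netstat -p` output per remote host so the owning process of
each connection stands out.  Added example, not code from the thread; the
sample below is constructed to match the shape of the output posted above
(program names shortened)."""
from collections import defaultdict

# Constructed sample modelled on Dale's `netstat -p` output.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopete
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
"""


def parse_netstat(text):
    """Turn the tcp/udp rows of `netstat -p` into dicts.

    The PID/Program column reads "-" when no process owns the socket any
    more (TIME_WAIT and CLOSING sockets are held by the kernel after the
    application closed them) or when netstat lacks permission to look.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, recvq, sendq, local, foreign = parts[:5]
        if proto.startswith("tcp"):
            state = parts[5]
            owner = parts[6] if len(parts) > 6 else "-"
        else:                       # udp rows have no State column
            state = ""
            owner = parts[5]
        rhost, _, rport = foreign.rpartition(":")
        pid, program = None, None
        if owner != "-" and "/" in owner:
            pid_str, program = owner.split("/", 1)
            pid = int(pid_str)
        conns.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                      "local": local, "rhost": rhost, "rport": rport,
                      "state": state, "pid": pid, "program": program})
    return conns


def summarize_by_host(text):
    """Group by remote host: how many sockets in each state, and which
    (pid, program) pairs still own one."""
    summary = defaultdict(lambda: {"states": defaultdict(int), "owners": set()})
    for c in parse_netstat(text):
        entry = summary[c["rhost"]]
        entry["states"][c["state"]] += 1
        if c["pid"] is not None:
            entry["owners"].add((c["pid"], c["program"]))
    return summary


def suspects_for(text, host_fragment):
    """Sorted (pid, program) pairs with a live socket to any remote host whose
    name contains host_fragment, and the number of ownerless sockets there."""
    owners, ownerless = set(), 0
    for c in parse_netstat(text):
        if host_fragment not in c["rhost"]:
            continue
        if c["pid"] is None:
            ownerless += 1
        else:
            owners.add((c["pid"], c["program"]))
    return sorted(owners), ownerless


if __name__ == "__main__":
    for host, entry in sorted(summarize_by_host(SAMPLE_NETSTAT).items()):
        states = ", ".join(f"{s}={n}" for s, n in sorted(entry["states"].items()))
        owners = ", ".join(f"{p}/{n}" for p, n in sorted(entry["owners"])) or "none"
        print(f"{host:24} {states:40} owners: {owners}")
```

Run against a live box with `netstat -tnp | python3 script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`; `suspects_for(text, "yahoo")` then answers Dale's question directly, naming the PIDs that still hold a socket to those hosts.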
 
08-16-2010, 11:39 PM
Adam Carter

Yahoo and strange traffic.

> root@smoker / # netstat -p
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
> tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
> tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
> tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
> tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>
> One other question, if this is kopete, how does it keep sending/receiving after I have closed the kopete app?


Since you're closing Kopete gracefully it's probably decided to let those threads complete what they're doing before shutting them down. If you kill -9'd them instead (that is, send them the KILL signal instead of the TERM signal) they'd go away immediately.
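To make Adam's TERM-then-KILL point concrete, here is an added Python example (not code from the thread, and nothing to do with Kopete's own source) that stops a process the same way: send SIGTERM, which is what `kill PID` and `killall name` send by default, wait a bounded grace period for the process to finish what it is doing and exit, and only then send SIGKILL, which the kernel acts on without asking the process. The throwaway child processes it spawns stand in for the client; one of them deliberately ignores SIGTERM so the escalation path actually runs.

```python
"""Stop a process the way Adam describes: SIGTERM first, a grace period for
in-flight work, then SIGKILL.  Added example, not code from the thread; the
child processes are throwaway Python interpreters spawned only for the demo."""
import os
import signal
import subprocess
import sys
import time


def _gone(pid):
    """True once `pid` no longer exists.

    If `pid` is our own child we reap it with waitpid first: a dead child
    lingers as a zombie until reaped, and os.kill(pid, 0) still 'sees' it.
    """
    try:
        if os.waitpid(pid, os.WNOHANG)[0] == pid:
            return True
    except ChildProcessError:
        pass                                   # not our child (or already reaped)
    try:
        os.kill(pid, 0)                        # signal 0: existence check only
        return False
    except ProcessLookupError:
        return True
    except PermissionError:
        return False                           # exists, just not ours to signal


def stop_process(pid, grace_seconds=5.0, poll_interval=0.05):
    """Return "already-gone", "terminated" (exited on SIGTERM within the
    grace period) or "killed" (needed SIGKILL, which cannot be ignored)."""
    if _gone(pid):
        return "already-gone"
    try:
        os.kill(pid, signal.SIGTERM)           # what `kill PID` / `killall name` send
    except ProcessLookupError:
        return "already-gone"
    deadline = time.monotonic() + grace_seconds
    while time.monotonic() < deadline:
        if _gone(pid):
            return "terminated"
        time.sleep(poll_interval)
    try:
        os.kill(pid, signal.SIGKILL)           # kill -9: the kernel ends it outright
    except ProcessLookupError:
        return "terminated"                    # exited just as the grace period ran out
    deadline = time.monotonic() + grace_seconds
    while time.monotonic() < deadline and not _gone(pid):
        time.sleep(poll_interval)
    return "killed"


def spawn_child(ignore_term):
    """Start a throwaway child that sleeps; with ignore_term=True it installs
    SIG_IGN for SIGTERM, mimicking a process that will not exit politely.
    Blocks until the child reports it is ready so the signal cannot race it."""
    code = ["import signal, sys, time"]
    if ignore_term:
        code.append("signal.signal(signal.SIGTERM, signal.SIG_IGN)")
    code += ["sys.stdout.write('ready\\n'); sys.stdout.flush()", "time.sleep(60)"]
    child = subprocess.Popen([sys.executable, "-c", "\n".join(code)],
                             stdout=subprocess.PIPE, text=True)
    child.stdout.readline()                    # wait for 'ready'
    return child


if __name__ == "__main__":
    polite = spawn_child(ignore_term=False)
    print("polite child:", stop_process(polite.pid, grace_seconds=2.0))
    stubborn = spawn_child(ignore_term=True)
    print("stubborn child:", stop_process(stubborn.pid, grace_seconds=1.0))
```

The grace period is the whole point: a TERM gives the client a chance to flush its connections and close them cleanly, which is also why the sockets in a `netstat` listing drift through TIME_WAIT rather than vanishing; a KILL skips that and leaves the remote end to time out on its own.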
 
08-17-2010, 01:20 AM
Dale

Yahoo and strange traffic.

Adam Carter wrote:

> > root@smoker / # netstat -p
> > Active Internet connections (w/o servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> > tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
> > tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
> > tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
> > tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> > tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
> > tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
> > tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> > tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> >
> > One other question, if this is kopete, how does it keep
> > sending/receiving after I have closed the kopete app?
>
> Since you're closing Kopete gracefully it's probably decided to let
> those threads complete what they're doing before shutting them down.
> If you kill -9'd them instead (that is, send them the KILL signal
> instead of the TERM signal) they'd go away immediately.


That may be true. Thing is, it is still sending and receiving traffic
even after all this time. I'm wondering what it is or if it is a bug or
something.


I just did a killall kopete and it did stop. Is there a way to "see"
what it is sending/receiving? I'm talking like is it a jpeg, some other
file or something else?


Dale

:-) :-)
 
08-17-2010, 01:32 AM
Adam Carter

Yahoo and strange traffic.

> I just did a killall kopete and it did stop. Is there a way to "see" what it is sending/receiving? I'm talking like is it a jpeg, some other file or something else?



rix portage # nmap -p 5050 -sV cs210p2.msg.sp1.yahoo.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-17 11:27 EST

Nmap scan report for cs210p2.msg.sp1.yahoo.com (98.136.48.110)
Host is up (0.20s latency).
PORT     STATE SERVICE VERSION
5050/tcp open  mmcc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

SF-Port5050-TCP:V=5.21%I=7%D=8/17%Time=4C69E58D%P=i686-pc-linux-gnu%r(GetR
SF:equest,195,"HTTP/1.1x20404x20Notx20Found
Content-Type:x20text/h
SF:tml
Cache-Control:x20max-age=0,x20must-revalidate
Expires:x20S

SF:un,x2010x20Junx202007x2012:01:01x20GMT

<html><head>
<met
SF:ax20http-equiv="content-type"x20content="text/html;charset=utf-8"
SF:>
<title>404x20Notx20Found</title>
</head>
<bodyx20text=#00

SF:0000x20bgcolor=#ffffff>
<hr><center>
<H1>Notx20Found</H1>
Th
SF:ex20requestedx20URLx20wasx20notx20foundx20onx20 thisx20server.
SF:r
</center><p>
</body></html>
")%r(FourOhFourRequest,195,"HTTP/1

SF:.1x20404x20Notx20Found
Content-Type:x20text/html
Cache-Contr
SFl:x20max-age=0,x20must-revalidate
Expires:x20Sun,x2010x20Junx
SF:202007x2012:01:01x20GMT

<html><head>
<metax20http-equiv="

SF:content-type"x20content="text/html;charset=utf-8">
<title>404x2
SF:0Notx20Found</title>
</head>
<bodyx20text=#000000x20bgcolor=#f
SF:fffff>
<hr><center>
<H1>Notx20Found</H1>
Thex20requestedx20

SF:URLx20wasx20notx20foundx20onx20thisx20server.
</center><p>
SF:n</body></html>
");

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 112.82 seconds
rix portage #


Well, it's obviously HTTP, NFI why Nmap can't see that. So you could capture in Wireshark, then decode port 5050 as HTTP.
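Adam reads the fingerprint as HTTP by eye. The following added Python example (not code from the thread, and not Nmap's own) does that decoding mechanically: it reassembles the `SF:` continuation lines of an Nmap service fingerprint, undoes Nmap's `\xHH` escaping, checks the response length Nmap declares for each probe (a hex number), and parses the result as an HTTP response, which is the same "decode as HTTP" step Adam suggests for a Wireshark capture of port 5050. The fingerprint it contains is constructed and shortened from the one posted above (same probe names and header fields, a tiny body), and `parse_http_response` returns None for a payload that is not HTTP, so a binary protocol on the same port would be reported as such rather than mis-decoded.

```python
"""Decode an Nmap service fingerprint (the SF-Port... block) and try to parse
each probe response as HTTP.  Added example, not code from the thread or from
Nmap; the fingerprint below is constructed and shortened after the one posted
above (same probe names and header fields, a tiny body)."""
import re

# Constructed fingerprint: real Nmap output wraps at ~74 columns and prefixes
# every continuation line with "SF:".  Lengths (4F) are hex, as in Nmap.
SAMPLE_FINGERPRINT = r"""
SF-Port5050-TCP:V=5.21%I=7%D=8/17%Time=4C69E58D%P=i686-pc-linux-gnu%r(GetR
SF:equest,4F,"HTTP/1.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/ht
SF:ml\r\nContent-Length:\x209\r\n\r\nNot\x20Found")%r(FourOhFourRequest,4F,
SF:"HTTP/1.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nConte
SF:nt-Length:\x209\r\n\r\nNot\x20Found");
"""

# %r(ProbeName,HexLength,"escaped response")
PROBE_RE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
ESCAPE_RE = re.compile(r'\\x[0-9A-Fa-f]{2}|\\[rnt\\"]')
_SIMPLE = {"\\r": "\r", "\\n": "\n", "\\t": "\t", "\\\\": "\\", '\\"': '"'}


def join_fingerprint(lines):
    """Reassemble the wrapped fingerprint: keep the SF-Port line whole and
    strip the 'SF:' prefix from each continuation line."""
    parts = []
    for line in lines:
        line = line.strip()
        if line.startswith("SF:"):
            parts.append(line[3:])
        elif line.startswith("SF-Port"):
            parts.append(line)
    return "".join(parts)


def unescape(text):
    """Undo Nmap's C-style escapes: \\xHH plus \\r, \\n, \\t, an escaped
    backslash and an escaped double quote."""
    def repl(match):
        esc = match.group(0)
        if esc.startswith("\\x"):
            return chr(int(esc[2:], 16))
        return _SIMPLE[esc]
    return ESCAPE_RE.sub(repl, text)


def extract_probes(fingerprint):
    """Map probe name -> (declared length, decoded response)."""
    return {m.group(1): (int(m.group(2), 16), unescape(m.group(3)))
            for m in PROBE_RE.finditer(fingerprint)}


def parse_http_response(raw):
    """Minimal HTTP/1.x response parser; None if raw is not an HTTP response."""
    if not raw.startswith("HTTP/"):
        return None
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].isdigit():
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": status[0], "status": int(status[1]),
            "reason": status[2] if len(status) > 2 else "",
            "headers": headers, "body": body}


def analyse_fingerprint(lines):
    """Per probe: does the decoded length match what Nmap declared, and does
    the payload parse as HTTP?"""
    report = {}
    for name, (declared, response) in extract_probes(join_fingerprint(lines)).items():
        report[name] = {"length_ok": len(response) == declared,
                        "http": parse_http_response(response)}
    return report


if __name__ == "__main__":
    for probe, info in analyse_fingerprint(SAMPLE_FINGERPRINT.splitlines()).items():
        http = info["http"]
        verdict = f"HTTP {http['status']} {http['reason']}" if http else "not HTTP"
        print(f"{probe:18} length_ok={info['length_ok']}  {verdict}")
```

The length check is a cheap sanity test on your own decoding: if `length_ok` is False the escapes were not fully undone, and whatever the HTTP parser then reports should not be trusted.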
 
