Message-ID: <315581.361.qm@web51902.mail.re2.yahoo.com>
References: <4C684F59.3040903@gmail.com> <4C6AEDF7.1020507@gmail.com> <201008172211.32089.michaelkintzios@gmail.com> <4C6B0000.4060008@gmail.com>
Date: Tue, 17 Aug 2010 19:09:17 -0700 (PDT)
From: BRM
Subject: Re: [gentoo-user] Yahoo and strange traffic.
To: gentoo-user@lists.gentoo.org
In-Reply-To: <4C6B0000.4060008@gmail.com>
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org

----- Original Message ----
> From: Dale
>
> Mick wrote:
> > On Tuesday 17 August 2010 21:15:51 Dale wrote:
> >> Mick wrote:
> >>> On 17 August 2010 15:29, BRM wrote:
> >>>> ----- Original Message ----
> >>>>> From: Dale
> >>>>>
> >>>>> Adam Carter wrote:
> >>>>>> Is this easy to do? I have no idea where to start except that
> >>>>>> wireshark is installed.
> >>>>>>
> >>>>>> Yep, start the capture with Capture -> Interfaces and click on the
> >>>>>> start button next to the correct interface, then right click on one
> >>>>>> of the packets that is to the yahoo box and choose Decode As, set
> >>>>>> the port and protocol, then apply. You'll need to understand the
> >>>>>> semantics of HTTP for it to be of much use tho.
> >>>>>
> >>>>> You had me until the last part. No semantics here. lol May see if
> >>>>> I can post a little and see if anyone can figure out what the heck it
> >>>>> is doing. I'm thinking some crazy bug or something. Maybe checking
> >>>>> for updates not realizing it's Kopete instead of a Yahoo program.
> >>>>
> >>>> Wireshark will show you the raw packet data, and decode only a little of
> >>>> it - enough to identify the general protocol, senders, etc.
> >>>> So to understand the packet, you will need to understand the application
> >>>> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >>>> you there.
> >>>>
> >>>> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >>>> less so nessus as it really is more of a port scanner/security hole
> >>>> finder than a debug tool for applications (it's basically an interface
> >>>> for nmap for those purposes).
> >>>
> >>> I'm not at home to experiment and I don't use yahoo, but port 5050 is
> >>> typically used for mmcc = multi media conference control - does yahoo
> >>> offer such a service? It could be a SIP server running there for VoIP
> >>> between Yahoo registered users or something similar.
> >>>
> >>> The http connection could be offered as an alternative proxy
> >>> connection to the yahoo IM servers for users who are behind
> >>> restrictive firewalls. Have you asked as much in the Yahoo user
> >>> groups?
> >>>
> >>> The fact that the threads continue after kopete has shut down is not
> >>> necessarily of concern as was already explained, unless it carries on
> >>> and on for a long time and the flow of packets continues. I don't
> >>> know how yahoo VoIP works. Did you install some plugin specific for
> >>> yahoo services? If it imitates the Skype architecture then it
> >>> essentially runs proxies on clients' machines and this could be an
> >>> explanation for the traffic.
> >>
> >> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
> >> info tho:
> >>
> >> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
> >> contactnotes groupwise handbook highlight history nowlistening pipes
> >> privacy ssl statistics texteffect translator urlpicpreview yahoo
> >> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> >> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> >> -v4l2 -webpresence -winpopup" 0 kB
> >>
> >> Anything there that could cause a problem?
> >
> > No, I can't see anything suspicious, you don't even have skype or v4l2
> > enabled, so it is unlikely that it is running some webcam stream (as part of
> > VoIP).
>
> I'm thinking it is Yahoo wanting to upgrade something but not realizing
> that I'm not using their client but using kopete. Yahoo isn't the
> sharpest tool in the shed you know?

I doubt that's the case. I use Pidgin with Yahoo, and haven't had that kind of thing so far as I'm aware.

Ben
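Added example, not code from this thread or from Wireshark, Kopete or any other tool named in it. The two checks the discussion keeps circling are: which local process actually owns the connections to the Yahoo box on port 5050, and whether anything other than the IM client is still talking on that port after Kopete exits; and how to get Wireshark's "Decode As" behaviour from the command line so a capture can be shared on the list. The `ss -tnp` listing is constructed sample output using RFC 5737 documentation addresses; the interface name, the port, and the `ymsg` dissector name (Wireshark's Yahoo Messenger dissector; `http` works the same way for the HTTP connection) are assumptions for illustration. The tshark command is built and printed, not executed.

```shell
#!/bin/sh
# Added example (not from the thread). Correlates sockets on a suspect port
# with their owning process, and builds the tshark equivalent of Wireshark's
# Capture -> Interfaces + "Decode As". Interface, port and dissector are
# assumed values; the ss output below is constructed, not captured.

# $1 = interface, $2 = TCP port, $3 = dissector name (e.g. ymsg or http).
# -f is the capture (BPF) filter, -d forces the dissector on that port,
# -Y keeps only packets the dissector recognised (recent tshark; older
# releases spell -Y as -R).
tshark_decode_cmd() {
    printf 'tshark -i %s -f "tcp port %s" -d tcp.port==%s,%s -Y "%s"\n' \
        "$1" "$2" "$2" "$3" "$3"
}

# Constructed sample of `ss -tnp` (local host 192.0.2.10). The TIME-WAIT
# entry has no owner column, exactly as a draining socket looks after the
# client has quit.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB  0      0      192.0.2.10:41232   203.0.113.5:5050  users:(("kopete",pid=2310,fd=17))
ESTAB  0      0      192.0.2.10:41240   203.0.113.7:80    users:(("kopete",pid=2310,fd=19))
ESTAB  0      0      192.0.2.10:52200   198.51.100.9:443  users:(("firefox",pid=1811,fd=44))
TIME-WAIT 0   0      192.0.2.10:41250   203.0.113.5:5050'

# Print "process pid peer" for every socket in ss output ($1) whose peer
# port is $2. Sockets with no visible owner (TIME-WAIT, or another user's
# process when not run as root) are reported as "none -".
peers_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR == 1 { next }                         # header line
        {
            split($5, peer, ":")
            if (peer[2] != port) next
            proc = "none"; pid = "-"
            if (match($0, /\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 3, RLENGTH - 3)   # name",pid=NNN
                split(s, f, "\",pid=")
                proc = f[1]; pid = f[2]
            }
            print proc, pid, $5
        }'
}

# After quitting the client ($3), only sockets on the port that belong to a
# *different* named process need explaining; unowned entries are normally
# TIME-WAIT draining, which is the "threads continue" effect from the thread.
foreign_owners() {
    peers_on_port "$1" "$2" | awk -v client="$3" '$1 != "none" && $1 != client'
}

# Demo on the constructed sample. Expected:
#   kopete 2310 203.0.113.5:5050
#   none - 203.0.113.5:5050
peers_on_port "$SAMPLE_SS" 5050
# Nothing foreign while Kopete is the client:
foreign_owners "$SAMPLE_SS" 5050 kopete
tshark_decode_cmd eth0 5050 ymsg
```

On the live box, run `peers_on_port "$(ss -tnp)" 5050` as root before quitting Kopete and again a minute after; then `foreign_owners "$(ss -tnp)" 5050 kopete`. An empty result means the lingering packets are the kernel finishing old connections; a named process that is not the IM client is the one to capture with the printed tshark line and decode.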