From: Dale
Date: Tue, 17 Aug 2010 16:32:48 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Message-ID: <4C6B0000.4060008@gmail.com>
In-Reply-To: <201008172211.32089.michaelkintzios@gmail.com>
References: <4C684F59.3040903@gmail.com> <4C6AEDF7.1020507@gmail.com> <201008172211.32089.michaelkintzios@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6

Mick wrote:
> On Tuesday 17 August 2010 21:15:51 Dale wrote:
>
>> Mick wrote:
>>
>>> On 17 August 2010 15:29, BRM wrote:
>>>
>>>> ----- Original Message ----
>>>>
>>>>> From: Dale
>>>>>
>>>>> Adam Carter wrote:
>>>>>
>>>>>> Is this easy to do? I have no idea where to start except that
>>>>>> wireshark is installed.
>>>>>>
>>>>>> Yep, start the capture with Capture -> Interfaces and click on the
>>>>>> start button next to the correct interface, then right click on one
>>>>>> of the packets that is to the yahoo box and choose Decode As, set the
>>>>>> port and protocol, then apply. You'll need to understand the
>>>>>> semantics of HTTP for it to be of much use tho.
>>>>>
>>>>> You had me until the last part. No semantics here. lol May see if
>>>>> I can post a little and see if anyone can figure out what the heck it
>>>>> is doing. I'm thinking some crazy bug or something. Maybe checking
>>>>> for updates not realizing it's Kopete instead of a Yahoo program.
>>>>>
>>>> Wireshark will show you the raw packet data, and decode only a little of
>>>> it - enough to identify the general protocol, senders, etc.
>>>> So to understand the packet, you will need to understand the application
>>>> layer protocol - in this case HTTP - yourself as Wireshark won't help
>>>> you there.
>>>>
>>>> But yet, Wireshark, nmap, and nessus security scanner are the tools,
>>>> less so nessus as it really is more of a port scanner/security hole
>>>> finder than a debug tool for applications (it's basically an interface
>>>> for nmap for those purposes).
>>>>
>>> I'm not at home to experiment and I don't use yahoo, but port 5050 is
>>> typically used for mmcc = multi media conference control - does yahoo
>>> offer such a service? It could be a SIP server running there for VoIP
>>> between Yahoo registered users or something similar.
>>>
>>> The http connection could be offered as an alternative proxy
>>> connection to the yahoo IM servers for users who are behind
>>> restrictive firewalls. Have you asked as much in the Yahoo user
>>> groups?
>>>
>>> The fact that the threads continue after kopete has shut down is not
>>> necessarily of concern as was already explained, unless it carries on
>>> and on for a long time and the flow of packets continues. I don't
>>> know how yahoo VoIP works. Did you install some plugin specific for
>>> yahoo services? If it imitates the Skype architecture then it
>>> essentially runs proxies on clients' machines and this could be an
>>> explanation for the traffic.
>>>
>> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
>> info tho:
>>
>> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
>> contactnotes groupwise handbook highlight history nowlistening pipes
>> privacy ssl statistics texteffect translator urlpicpreview yahoo
>> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
>> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
>> -v4l2 -webpresence -winpopup" 0 kB
>>
>> Anything there that could cause a problem?
>>
> No, I can't see anything suspicious, you don't even have skype or v4l2
> enabled, so it is unlikely that it is running some webcam stream (as part of
> VoIP).
>

lol I don't have a webcam even if it was turned on. Sort of funny about
having a camera in my bedroom. o_O

I'm thinking it is Yahoo wanting to upgrade something but not realizing
that I'm not using their client but using kopete. Yahoo isn't the
sharpest tool in the shed you know?

Dale

:-) :-)
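The thread's advice boils down to two steps: let Wireshark decode the headers (which gives you the endpoints and ports, such as the connections to port 5050 and port 80) and then read the application-layer content yourself. The script below is an added illustration of that split, written for this note rather than taken from anyone in the thread. It builds a small constructed pcap file in memory (local host 192.168.1.2 as in Dale's mail, remote host 203.0.113.10 as a placeholder standing in for the "yahoo box", payloads made up), walks the Ethernet/IPv4/TCP headers the way a capture tool does, tallies outbound connections per remote host and port, and for port 80 pulls the HTTP request line out of the payload, which is the part a header decoder will not interpret for you.

```python
import struct
from collections import Counter
from typing import Iterator, NamedTuple

PCAP_MAGIC = 0xA1B2C3D4       # little-endian classic pcap magic
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


class TcpSegment(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _ip(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def build_tcp_frame(src: str, sport: int, dst: str, dport: int, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet/IPv4/TCP frame for the constructed sample capture (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Wrap raw frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1282080771 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap: bytes) -> Iterator[TcpSegment]:
    """Decode only what a header decoder would: link, IP and TCP headers, then hand back the payload."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                   # not IPv4: skip
        ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
        if frame[14 + 9] != IPPROTO_TCP:
            continue                                   # not TCP: skip
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src, dst = _ip(frame[26:30]), _ip(frame[30:34])
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4      # TCP header length in bytes
        payload = frame[tcp_off + data_off: 14 + total_len]
        yield TcpSegment(src, sport, dst, dport, payload)


def summarize(pcap: bytes, local_prefix: str = "192.168.") -> dict:
    """Count outbound segments per (remote host, port); for port 80, extract the HTTP request line."""
    flows = Counter()
    http_requests = []
    for seg in iter_tcp_segments(pcap):
        if not seg.src.startswith(local_prefix):
            continue                                   # only traffic leaving the local box
        flows[(seg.dst, seg.dport)] += 1
        if seg.dport == 80 and seg.payload:
            # Header decoding stops here; the request line is application-layer content.
            first_line = seg.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            http_requests.append((seg.dst, first_line))
    return {"flows": dict(flows), "http_requests": http_requests}


# Constructed sample capture: two segments to port 5050, one HTTP request, one inbound reply.
REMOTE = "203.0.113.10"   # placeholder for the remote host seen in the thread
LOCAL = "192.168.1.2"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(LOCAL, 40001, REMOTE, 5050, b"\x59\x4d\x53\x47\x00\x10"),   # made-up bytes
    build_tcp_frame(LOCAL, 40002, REMOTE, 80, b"GET /update HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    build_tcp_frame(REMOTE, 80, LOCAL, 40002, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_tcp_frame(LOCAL, 40003, REMOTE, 5050, b"\x59\x4d\x53\x47\x00\x20"),
])

if __name__ == "__main__":
    for (host, port), n in sorted(summarize(SAMPLE_PCAP)["flows"].items()):
        print(f"{host}:{port}  {n} outbound segment(s)")
    for host, line in summarize(SAMPLE_PCAP)["http_requests"]:
        print(f"HTTP request to {host}: {line}")
```

On a real capture you would replace `SAMPLE_PCAP` with the bytes of a file saved from Wireshark or tcpdump; the header walk is the same, while anything on port 5050 comes back as opaque payload because, as BRM says in the thread, no header decoder knows that protocol's semantics for you.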