From: Adam Carter
To: gentoo-user@lists.gentoo.org
Date: Tue, 17 Aug 2010 11:32:51 +1000
Subject: Re: [gentoo-user] Yahoo and strange traffic.
In-Reply-To: <4C69E3CD.5070108@gmail.com>
References: <4C684F59.3040903@gmail.com> <201008152329.44195.alan.mckinnon@gmail.com> <4C69C1E4.9090309@gmail.com> <4C69E3CD.5070108@gmail.com>

> I just did a killall kopete and it did stop. Is there a way to "see" what
> it is sending/receiving? I'm talking like is it a jpeg, some other file or
> something else?

rix portage # nmap -p 5050 -sV cs210p2.msg.sp1.yahoo.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-17 11:27 EST
Nmap scan report for cs210p2.msg.sp1.yahoo.com (98.136.48.110)
Host is up (0.20s latency).
PORT     STATE SERVICE VERSION
5050/tcp open  mmcc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5050-TCP:V=5.21%I=7%D=8/17%Time=4C69E58D%P=i686-pc-linux-gnu%r(GetR
SF:equest,195,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/h
SF:tml\r\nCache-Control:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20S
SF:un,\x2010\x20Jun\x202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<met
SF:a\x20http-equiv=\"content-type\"\x20content=\"text/html;charset=utf-8\"
SF:>\r\n<title>404\x20Not\x20Found</title>\r\n</head>\r\n<body\x20text=#00
SF:0000\x20bgcolor=#ffffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nTh
SF:e\x20requested\x20URL\x20was\x20not\x20found\x20on\x20this\x20server\.\
SF:r\n</center><p>\r\n</body></html>\r\n")%r(FourOhFourRequest,195,"HTTP/1
SF:\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nCache-Contr
SF:ol:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20Sun,\x2010\x20Jun\x
SF:202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<meta\x20http-equiv=\"
SF:content-type\"\x20content=\"text/html;charset=utf-8\">\r\n<title>404\x2
SF:0Not\x20Found</title>\r\n</head>\r\n<body\x20text=#000000\x20bgcolor=#f
SF:fffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nThe\x20requested\x20
SF:URL\x20was\x20not\x20found\x20on\x20this\x20server\.\r\n</center><p>\r\
SF:n</body></html>\r\n");

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.82 seconds
rix portage #

Well it's obviously HTTP, NFI why Nmap can't see that. So you could capture in Wireshark, then decode port 5050 as HTTP.
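As an added example (not part of the mail, and not nmap's own code), the fingerprint Adam posted can be decoded instead of only submitted: nmap escapes the captured reply, wraps it, and prefixes continuation lines with "SF:", so a short parser can undo that, check each probe's declared length against what was decoded, and show the HTTP status line that -sV left labelled as "mmcc?". The embedded fingerprint is the one quoted above; the reading of the SF field layout (%r(name,hexlen,"data")) is inferred from that text and is an assumption of this example.

```python
import re
# Service fingerprint from the nmap 5.21 run quoted above (cs210p2.msg.sp1.yahoo.com:5050);
# nmap wraps it at ~74 columns and prefixes every continuation line with "SF:".
FINGERPRINT = r"""SF-Port5050-TCP:V=5.21%I=7%D=8/17%Time=4C69E58D%P=i686-pc-linux-gnu%r(GetR
SF:equest,195,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/h
SF:tml\r\nCache-Control:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20S
SF:un,\x2010\x20Jun\x202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<met
SF:a\x20http-equiv=\"content-type\"\x20content=\"text/html;charset=utf-8\"
SF:>\r\n<title>404\x20Not\x20Found</title>\r\n</head>\r\n<body\x20text=#00
SF:0000\x20bgcolor=#ffffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nTh
SF:e\x20requested\x20URL\x20was\x20not\x20found\x20on\x20this\x20server\.\
SF:r\n</center><p>\r\n</body></html>\r\n")%r(FourOhFourRequest,195,"HTTP/1
SF:\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nCache-Contr
SF:ol:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20Sun,\x2010\x20Jun\x
SF:202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<meta\x20http-equiv=\"
SF:content-type\"\x20content=\"text/html;charset=utf-8\">\r\n<title>404\x2
SF:0Not\x20Found</title>\r\n</head>\r\n<body\x20text=#000000\x20bgcolor=#f
SF:fffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nThe\x20requested\x20
SF:URL\x20was\x20not\x20found\x20on\x20this\x20server\.\r\n</center><p>\r\
SF:n</body></html>\r\n");"""

_PROBE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')  # %r(name,hexlen,"data")
_STATUS = re.compile(r"^HTTP/\d\.\d (\d{3}) [^\r\n]*\r\n")            # an HTTP status line

def unescape(s):
    """Undo nmap's escaping: \\xHH -> that char, \\r \\n \\t -> controls, any other \\c -> c."""
    def one(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else {"r": "\r", "n": "\n", "t": "\t"}.get(tok, tok)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", one, s)

def parse_fingerprint(text):
    """Return (port, proto, probes). Each probe holds the decoded reply, whether its length
    matches the hex length nmap declared, and the HTTP status code if the reply parses as HTTP."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head, body = lines[0].split(":", 1)
    body += "".join(ln[3:] for ln in lines[1:] if ln.startswith("SF:"))
    port, proto = re.match(r"SF-Port(\d+)-(TCP|UDP)", head).groups()
    probes = []
    for name, hexlen, raw in _PROBE.findall(body):
        data = unescape(raw)
        m = _STATUS.match(data)
        probes.append({"probe": name, "data": data, "length_ok": len(data) == int(hexlen, 16),
                       "http_status": int(m.group(1)) if m else None})
    return int(port), proto, probes

if __name__ == "__main__":
    for p in parse_fingerprint(FINGERPRINT)[2]:
        print(p["probe"], "-> HTTP", p["http_status"], "length ok" if p["length_ok"] else "LENGTH MISMATCH")
```

Both probes decode to the same 405-byte 404 page, which is why the reply above says the port is plainly HTTP; a length mismatch on a real fingerprint usually means a line was lost when it was pasted.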