Hello,

I've been getting a number of hits on Port 80 from AOL Servers and
Proxies even without a Browser open.

Since they are not tied to an App Rule they are Blocked and they hit
some other Ports too, sometimes as high as 60,000.

Why are they Banging my Http Ports (80 and 1080) and random Ports from
5000-80,000????

Since I'm Dial-up I'm not the Target but this IP Block must be.

The ones between 5000-60,000 are rare and I don't worry about them but
it seems they are AOL Servers or Proxy Servers most of the time and not
Users.

And I'm not talking about when I first go online with Dial-up where
someone else could have had the IP and I'm getting their Returns.

This example is not from a server but I had cleared my Log yesterday
after some Security Scans to check my Firewall so it's all I have right now.

Rule "Default Block HTTP Port 80" blocked (compaq,http). Details:
Inbound TCP connection
Local address,service is (compaq,http)
Remote address,service is (172.165.17.222,2122)
Process name is "N/A"

In Local Address; compaq is another way this computer lists localhost,
127.0.0.1.

Re: AOL Servers Probing ??? by N

N
Sat Jul 30 12:38:32 CDT 2005

On Sat, 30 Jul 2005 12:16:27 -0400, !:?) wrote:

> This example is not from a server but I had cleared my Log yesterday
> after some Security Scans to check my Firewall so it's all I have right now.

Don't clear your logs if you are using the information they contain as the
basis of a question, or complaint.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: AOL Servers Probing ??? by No

No
Sun Jul 31 11:20:59 CDT 2005


Hi Norm,

It wasn't a Complaint but a Question if that may be the case for one
reason or another.

I didn't think it mattered about the exact IP since I'm seeing this
often on Port 80 and it is not just Servers and Proxies but AOL Users
and other Domains, which makes it look like probes.

About 50% were AOL IP Blocks and this has dropped off now to about 20%
but I'm still seeing them.

I do keep Copies of my Logs but didn't on the last one when I posted
because it was full of Probes from at least 3 Security Web Sites like
Symantec and Shields up to test my Firewall that would just be confusing
to sort through.

I saved and cleared my Log before I went to those Sites and then cleared
it again when I was done so the example I gave was in the current Log.

I can go back and dig those out if they are really needed.

The Log just shows the IP and it would take time to find the ones that are
Server and Proxy IP's out of all the ones that are not because they
don't all use the 172.0.0.0 IP Block I usually see for AOL.

I see them more often when I use Trace.bat from PCHelp when I get an
Alert, because it pops up. I traced them many times before and noticed
these are the AOL Servers and Proxies.

I wonder if there was something I have Blocked that I shouldn't have, and
it has them trying to get the info another way using other Ports.

I don't see the Domain Servers as much now but the Proxies still show up
now and then.

I am also seeing Non AOL IP's hitting Port 80 and thought it might be my
new Browser (Netscape 7.2) but I get them even when no Browser is
open at all.

Some of the AOL Proxies, as well as AOL Users and other IP Domains on
the other hand, are also hitting me from 5000 to 60,000, which makes me
wonder what's going on.

I've Emailed requests to AOL with Logs to find out what it is but I have
yet to see a single reply in over 6 months.

I have Netscape for an ISP that is owned by AOL, so AOL is my ISP's Host.

I have all the Netscape Domain Servers they list allowed in my Firewall
but still see unlisted AOL Domain Servers looking for access.

And I had AOL for a few months before Netscape ISP where I allowed all
the AOL Servers listed but found many were not used on that list, if
any, and other Servers in AOL that are not listed asking for Access.

I kept the rules for the AOL Servers Ignored but to Flag me and Log them
if they ask for Access to see if I needed them but I don't see them.

So I'm not sure if it is because they haven't updated their Domain
Server List and Netscape is owned by AOL, but I don't seem to need them
except to stop them from Banging my Ports and filling my Logs with crap.

I'll dig back to find the Proxy IP's and list them here for you.

The AOL Domain Servers haven't hit me in about a month now and until
they do I think that problem is solved.

Kevin


Re: AOL Servers Probing ??? by N

N
Sun Jul 31 16:54:42 CDT 2005

On Sun, 31 Jul 2005 12:20:59 -0400, !:?) wrote:

> It wasn't a Complaint but a Question if that may be the case for one
> reason or another.

Covered. I did mention an either, or; "...question, or complaint".

> I didn't think it mattered about the exact IP since I'm seeing this
> often on Port 80 and it is not just Servers and Proxies but AOL Users
> and other Domains that makes it look like probes.

Hmmm. I see; you posted from:

NNTP-Posting-Host: ACA56A8F.ipt.aol.com 172.165.106.143, and from:

NNTP-Posting-Host: AC8115D4.ipt.aol.com 172.129.21.212

I also see that your one probe is in the same IP address block:

ACA511DE.ipt.aol.com 172.165.17.222

And that AOL owns the /10 that all of those IP addresses come from:

=========================================================
07/31/05 14:45:06 IP block 172.165.106.143@whois.arin.net
Trying 172.165.106.143 at ARIN
Trying 172.165.106 at ARIN

OrgName: America Online
OrgID: AOL
Address: 22000 AOL Way
City: Dulles
StateProv: VA
PostalCode: 20166
Country: US

NetRange: 172.128.0.0 - 172.191.255.255
CIDR: 172.128.0.0/10
=========================================================

As for the probes from name servers; that is highly unusual. They usually
only respond to queries; but never initiate requests on their own part. You
wouldn't have your firewall configured to do DNS lookups on IP addresses in
probes, would you? I use Kerio Personal Firewall 2.1.5. This has a setting
on a tab; the setting labeled: "Enable DNS Resolving". I have it unchecked.
I don't need KPF attempting a DNS resolution on every IP address which
probes my ports. It tends to create additional, and needless, traffic.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
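As an added example, not code from either poster, here is a small Python parser for the ATGuard/NIS log format quoted in this thread: it reads the entries, flags unsolicited inbound hits (Process name "N/A") and labels each remote endpoint against the AOL 172.128.0.0/10 range from the ARIN output above. The sample log entries and the one-entry PTR table are constructed from addresses and names quoted in the thread; the wrapped header lines are rejoined.

```python
import ipaddress
import re
from collections import Counter

# ARIN allocation quoted above: 172.128.0.0 - 172.191.255.255 is AOL's /10.
AOL_BLOCK = ipaddress.ip_network("172.128.0.0/10")

# PTR result quoted later in the thread; used here instead of a live DNS lookup.
KNOWN_PTR = {"205.188.146.145": "nstot.proxy.aol.com"}

# One ATGuard/NIS event: header line, direction/protocol line, local, remote, process.
EVENT_RE = re.compile(
    r'Rule "(?P<rule>[^"]*)" (?P<action>blocked|permitted) \([^)]*\)\. Details:\s*'
    r"(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) \w+\s*"
    r"Local address,service is \((?P<local>[^,]*),(?P<lsvc>[^)]*)\)\s*"
    r"Remote address,service is \((?P<remote>[^,]*),(?P<rsvc>[^)]*)\)\s*"
    r'Process name is "(?P<process>[^"]*)"'
)

# Constructed sample in the thread's log format (wrapped header lines rejoined).
SAMPLE_LOG = r"""
Rule "Default Block HTTP Port 80" blocked (compaq,http). Details:
Inbound TCP connection
Local address,service is (compaq,http)
Remote address,service is (172.165.17.222,2122)
Process name is "N/A"

5/18/05 13:25:06 Rule ">> @ Inbound UDP Blocked @ <<" blocked (compaq,1188). Details:
Inbound UDP packet
Local address,service is (compaq,1188)
Remote address,service is (205.188.146.145,domain)
Process name is "N/A"

5/18/05 21:28:26 Rule "WULOADER.EXE UDP domain" permitted (0.0.0.0,1075). Details:
Inbound UDP packet
Local address,service is (0.0.0.0,1075)
Remote address,service is (nstot.proxy.aol.com,domain)
Process name is "C:\WINDOWS\SYSTEM\WULOADER.EXE"
"""

def classify(remote: str) -> str:
    """Label the remote endpoint as the firewall logged it: an IP literal or a resolved name."""
    host = KNOWN_PTR.get(remote, remote)
    try:
        return "aol-/10" if ipaddress.ip_address(host) in AOL_BLOCK else "other"
    except ValueError:
        pass  # not an IP literal, so the firewall (or our PTR table) gave a host name
    return "aol-hostname" if host.endswith(".aol.com") else "other"

def parse_log(text: str) -> list[dict]:
    """Turn log text into one dict per event, flagging unsolicited inbound hits (no owning process)."""
    events = []
    for m in EVENT_RE.finditer(text):
        e = m.groupdict()
        e["unsolicited"] = e["direction"] == "Inbound" and e["process"] == "N/A"
        e["origin"] = classify(e["remote"])
        events.append(e)
    return events

def summarize(events: list[dict]) -> Counter:
    """Count events by (local service, protocol, origin, unsolicited) so probes separate from app traffic."""
    return Counter((e["lsvc"], e["proto"], e["origin"], e["unsolicited"]) for e in events)

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"{n}x local={key[0]} {key[1]} origin={key[2]} unsolicited={key[3]}")
```

Run against a saved (not cleared) log, the summary shows which local services receive unsolicited hits from the AOL /10 versus hits tied to a permitted process such as WULOADER.EXE.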

Re: AOL Servers Probing ??? by No

No
Sun Jul 31 21:32:21 CDT 2005


> As for the probes from name servers; that is highly unusual. They usually
> only respond to queries; but never initiate requests on their own part. You
> wouldn't have your firewall configured to do DNS lookups on IP addresses in
> probes, would you? I use Kerio Personal Firewall 2.1.5. This has a setting
> on a tab; the setting labeled: "Enable DNS Resolving". I have it unchecked.
> I don't need KPF attempting a DNS resolution on every IP address which
> probes my ports. It tends to create additional, and needless, traffic.
>

No, I don't allow my Firewall to do that, it's ATGuard (NIS Version 1.0).

I've seen them hit my Domain, NBName and NetBIOS but haven't seen it for
awhile.

I think it was part of Windows Update though because I was Blocking it
during the time this was happening and haven't seen it since I started
allowing it.

I found the Proxy Server too and then later found it tied to an App I
later Allowed that is for Windows Update so they may be the same cause.

I found the Info on the Proxy but I'm only listing the NSLookup as the
whois Trace is too long:

-- NSLOOKUP QUERY RESULTS --

Query type: PTR IP: 205.188.146.145
Server: ns1.genext.net
Address: 66.45.212.21

Non-authoritative answer:
145.146.188.205.in-addr.arpa name = nstot.proxy.aol.com

Authoritative answers can be found from:
146.188.205.in-addr.arpa nameserver = dns-02.ns.aol.com
146.188.205.in-addr.arpa nameserver = dns-01.ns.aol.com

Query type: ANY Name: nstot.proxy.aol.com
Server: ns1.genext.net
Address: 66.45.212.21

Non-authoritative answer:
nstot.proxy.aol.com internet address = 205.188.146.145

Authoritative answers can be found from:
proxy.aol.com nameserver = dns-01.ns.aol.com
proxy.aol.com nameserver = dns-02.ns.aol.com
proxy.aol.com nameserver = dns-06.ns.aol.com
proxy.aol.com nameserver = dns-07.ns.aol.com

And Here's what I found on the Proxy when I Blocked it and I'll only
list 2 as there are so many it would be overkill to list them all.

5/18/05 13:25:06 Rule ">> @ Inbound UDP Blocked @ <<" blocked (compaq,1188). Details:
Inbound UDP packet
Local address,service is (compaq,1188)
Remote address,service is (205.188.146.145,domain)
Process name is "N/A"

5/19/05 13:54:15 Rule ">> @ Inbound UDP Blocked @ <<" blocked (compaq,1655). Details:
Inbound UDP packet
Local address,service is (compaq,1655)
Remote address,service is (nstot.proxy.aol.com,domain)
Process name is "N/A"

And here are the ones I found that I Permitted that are Tied to
a Windows Update App WULOADER.EXE.

I usually Block all access to the Localhost (localhost, 0.0.0.0 and
compaq) too that I removed recently when I started using a Host File.

5/18/05 21:28:26 Rule "WULOADER.EXE UDP domain" permitted (0.0.0.0,1075). Details:
Inbound UDP packet
Local address,service is (0.0.0.0,1075)
Remote address,service is (nstot.proxy.aol.com,domain)
Process name is "C:\WINDOWS\SYSTEM\WULOADER.EXE"
5/18/05 21:28:26 Rule "WULOADER.EXE UDP domain" permitted (nstot.proxy.aol.com,domain). Details:
Outbound UDP packet
Local address,service is (0.0.0.0,1075)
Remote address,service is (nstot.proxy.aol.com,domain)
Process name is "C:\WINDOWS\SYSTEM\WULOADER.EXE"

Strange thing is I had nothing going out before this
(Had WULOADER.EXE and other Update Apps Blocked In and Out.)

So why would they hit my Ports and it not be tied to the Windows Update
Apps like WULOADER.EXE if all Outgoing was Blocked ???

Thanks for your help Norm.

If you hadn't had me go back and look I wouldn't have seen that.

Kevin

Re: AOL Servers Probing ??? by N

N
Mon Aug 01 01:03:43 CDT 2005

On Sun, 31 Jul 2005 22:32:21 -0400, !:?) wrote:

> Strange thing is I had nothing going out before this
> (Had WULOADER.EXE and other Update Apps Blocked In and Out.)
>
> So why would they hit my Ports and it not tied to the Windows Update App
> s like WULOADER.EXE if all Outgoing was Blocked ???
>
> Thanks for your help Norm.
>
> If you hadn't had me go back and look I wouldn't have seen that.

WRT Windows Updates, I don't have them enabled. I have a subscription to
the MSFT Security Bulletin, and a sound notification, the 3 Stooges "Bonk",
so I know when the MSFT SB has arrived. I will visit the Windows Update
site manually, at that time. So I have not had to deal with that.

I do see a lot of UDP probes to ports 1026 and 1027. I think it is likely
Messenger popup spam.

I can only guess at what you are seeing on AOL/Netscape IP address ranges.
I think that those proxies are tied to regular AOL users, in some fashion.
I wonder if AOL harbors a higher percentage of naive customers who get
whacked by worms trying to spread through RPCSS, or the like?

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: AOL Servers Probing ??? by No

No
Mon Aug 01 09:58:13 CDT 2005

Hi N. Miller,

I wonder if I should Block those again?

I was going to the Update site Manually every week or two before.

It seems Strange they would hit my Ports before this without the
WULOADER.EXE App when I have it Blocked with nothing going out.

Even Stranger, is why an AOL Proxy is using WULOADER.EXE for a Windows
Update when I would expect it should be a Microsoft Site such as this one.

Rule "Windows Update WULOADER.EXE TCP http" permitted (crl.microsoft.com,http). Details:
Outbound TCP connection
Local address,service is (0.0.0.0,1077)
Remote address,service is (crl.microsoft.com,http)
Process name is "C:\WINDOWS\SYSTEM\WULOADER.EXE"

I think I'll make a Rule to Block that Address for now and see what happens.

Does RPCSS use DCOM Port 135 and Win-NT/2000 SMB Port 445 ?

Sorry it's been awhile since I did this but I seem to remember a
connection to that, Task Manager, Win Messaging and some others that
made me decide to wait before going to XP .

Thanks again for your help.

Kevin

Re: AOL Servers Probing ??? by No

No
Mon Aug 01 10:30:07 CDT 2005

Hi N. Miller,

Speaking of AOL Proxies, I just got a Hit on Port 80 that seems a bit
strange to me because in the Traceroute it went to a Dialup User first
then to 2 Proxies where all the rest timed out after that.

I have never seen it go through a Dialup user I'm not tracing in a
Traceroute before on another IP.

Rule "Default Block HTTP Port 80 TCP" blocked (compaq,http). Details:
Inbound TCP connection
Local address,service is (compaq,http)
Remote address,service is (AC982843.ipt.aol.com,2426)
Process name is "N/A"

-- TRACEROUTE RESULTS --
Tracing route to AC982843.ipt.aol.com [172.152.40.67]
over a maximum of 30 hops:

1 163 ms 180 ms 163 ms ipt-rtcd16.dial.aol.com [152.163.5.112]
2 179 ms 171 ms 184 ms iptfarmd-rtc-ve3.proxy.aol.com [152.163.104.126]
3 209 ms 180 ms 156 ms ipt-rtcd10.proxy.aol.com [152.163.104.106]
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

Trace Started: 11:08:17.47a
Trace Finished: 11:13:47.41a

Kevin



Re: AOL Servers Probing ??? by No

No
Tue Aug 02 13:23:40 CDT 2005

Hi N. Miller,

I went on Live Chat with my Netscape Tech Support, which I never tried before,
and told them about it.
(I didn't know I had that option)

They didn't understand why AOL's Proxy Server was doing that either and
all they could do was give me an AOL Phone Number to get AOL Techs Directly.

But as soon as I was out of the Live Chat, and before I could call that
Number, it stopped!!!!!

The Proxy was banging my Port continuously from the time I went online
until I got out of Chat.

And I didn't do anything here yet!!!!

Strange isn't it?

Kevin

Re: AOL Servers Probing ??? by N

N
Wed Aug 03 01:40:59 CDT 2005

On Mon, 01 Aug 2005 11:30:07 -0400, !:?) wrote:

> Hi N. Miller,
>
> Speaking of AOL Proxies, I just got a Hit on Port 80 that seems a bit
> strange to me because in the Traceroute it went to a Dialup User first
> then to 2 Proxies where all the rest timed out after that.
>
> I have never seen it go through a Dialup user I'm not tracing in a
> Traceroute before on another IP.
>
> Rule "Default Block HTTP Port 80 TCP" blocked (compaq,http). Details:
> Inbound TCP connection
> Local address,service is (compaq,http)
> Remote address,service is (AC982843.ipt.aol.com,2426)
> Process name is "N/A"
>
> -- TRACEROUTE RESULTS --
> Tracing route to AC982843.ipt.aol.com [172.152.40.67]
> over a maximum of 30 hops:
>
> 1 163 ms 180 ms 163 ms ipt-rtcd16.dial.aol.com [152.163.5.112]
> 2 179 ms 171 ms 184 ms iptfarmd-rtc-ve3.proxy.aol.com
> [152.163.104.126]
> 3 209 ms 180 ms 156 ms ipt-rtcd10.proxy.aol.com [152.163.104.106]
> 4 * * * Request timed out.

First hop is your Netscape gateway. Is that what you mean by going to a
"Dialup User" first? Look here:

| 08/02/05 23:09:45 Slow traceroute AC982843.ipt.aol.com
| Trace AC982843.ipt.aol.com (172.152.40.67) ...
| 64.174.91.254 RTT: 69ms TTL:170 (adsl-64-174-91-254.dsl.sntc01.pacbell.net ok)
| 63.203.51.65 RTT: 54ms TTL:170 (dist1-vlan60.sntc01.pbi.net ok)
| 63.203.35.17 RTT: 55ms TTL:170 (bb1-g1-0.sntc01.pbi.net ok)
| 151.164.40.166 RTT: 110ms TTL:170 (bb2-p9-0.sntc01.sbcglobal.net ok)
| 151.164.241.193 RTT: 55ms TTL:170 (core2-p6-1.crscca.sbcglobal.net ok)
| 151.164.40.62 RTT: 68ms TTL:170 (bb1-p8-0.crscca.sbcglobal.net ok)
| 151.164.41.109 RTT: 82ms TTL:170 (ex2-p5-0.eqsjca.sbcglobal.net ok)
| 151.164.191.66 RTT: 69ms TTL:170 (ex1-p10-0.eqsjca.sbcglobal.net ok)
| 151.164.248.74 RTT: 69ms TTL:170 (asn1668-aol.eqsjca.sbcglobal.net ok)
| 66.185.150.80 RTT: 54ms TTL:170 (bb1-sjg-P0-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.153.58 RTT: 124ms TTL:170 (bb1-ash-P14-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.152.157 RTT: 137ms TTL:170 (bb1-rtc-P4-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.140.97 RTT: 124ms TTL:170 (pop1-rtc-P14-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.140.130 RTT: 137ms TTL:170 (wc1-rtc.atdn.net bogus rDNS: host not found [authoritative])
| 172.30.81.58 RTT: 137ms TTL:170 (No rDNS)
| 152.163.104.106 RTT: 206ms TTL:170 (ipt-rtcd10.proxy.aol.com ok)
| * * * failed

My first hop appears to be going to an SBC (PacBell) DSL user; but is it?
Really? Traceroute's first packet is sent to the router closest to you. In
this case, the pacbell.net DNS name indicates an SBC router facing my
Internet connection. My Netgear doesn't show in the first hop. Sometimes
traceroute will display your own IP address in the first hop; I see that
when I run a traceroute through my SMC Barricade:

| 08/02/05 23:17:56 Slow traceroute AC982843.ipt.aol.com
| Trace AC982843.ipt.aol.com (172.152.40.67) ...
| 192.168.102.3 RTT: 0ms TTL:170 (Mayuko ok)
| 209.244.43.94 RTT: 178ms TTL:170 (nas30.SanJose1.Level3.net ok)
| 63.215.15.3 RTT: 193ms TTL:170 (ge-7-0-2.core2.SanJose1.Level3.net ok)
| 4.68.123.161 RTT: 179ms TTL:170 (ae-1-56.bbr2.SanJose1.Level3.net ok)
| 209.247.10.130 RTT: 247ms TTL:170 (as-2-0.bbr2.Washington1.Level3.net ok)
| 4.68.121.162 RTT: 247ms TTL:170 (ge-4-0-0-56.gar1.Washington1.Level3.net ok)
| 66.185.139.85 RTT: 247ms TTL:170 (pop1-vie-P6-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.139.80 RTT: 439ms TTL:170 (bb1-vie-P0-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.152.160 RTT: 302ms TTL:170 (bb1-rtc-P5-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.140.97 RTT: 247ms TTL:170 (pop1-rtc-P14-0.atdn.net bogus rDNS: host not found [authoritative])
| 66.185.134.178 RTT: 247ms TTL:170 (wc1-rtc-S2-3-0.atdn.net bogus rDNS: host not found [authoritative])
| 172.30.81.58 RTT: 247ms TTL:170 (No rDNS)
| 152.163.104.106 RTT: 248ms TTL:170 (ipt-rtcd10.proxy.aol.com ok)
| * * * failed
| * * * failed
| * 152.163.104.106 RTT: 124ms TTL:170 (ipt-rtcd10.proxy.aol.com ok)
| * * * failed

I built a route through Level3, then dialed the modem on my SMC Barricade
7004BR for this trace; the first hop is the Barricade. Those AOL proxies
you are seeing are routers sending your packets on to the destination. Your
traceroute is staying within the AOL network. Both of mine start on
different networks (SBC dial-up POPs are through lines leased from Level3
in my region), but converge on the same peering point: 172.30.81.58. That
one has to be an AOL proxy, it is sending packets back to me with an RFC
1918 reserved IP address. I can't run a traceroute to that router.
Hmmm...oh, I forgot, my other network is in 172.29.0.0/16; I can't run a
traceroute out of that subnet into 172.30.0.0/16:

| 08/02/05 23:36:26 Slow traceroute 172.30.81.58
| Trace 172.30.81.58 ...
| 64.174.91.254 RTT: 42ms TTL:170 (adsl-64-174-91-254.dsl.sntc01.pacbell.net ok)
| 63.203.35.65 RTT: 41ms TTL:170 (dist1-vlan50.sntc01.pbi.net ok)
| * * * failed

In a Windows traceroute ICMP packets are sent with increasing hop counts.
First hop packet only goes to the router closest to your connection. Notice
that my last hop which resulted in return packets, in each of my traces, is
the same router as your last hop. AOL is a large network, and probably
doesn't want to waste time sending responses to ICMP packets, so there are
a lot of hops which say, "failed". My last successful trace on my dial-up
connection failed twice, then responded.

I really do not think that all of those "proxy.aol.com" names are proxies,
as you normally think of them. They are responding to the ICMP packets as
routers in all of the cases above.

Anyway, as much fun as I am having, traceroutes are not very useful for
trying to figure out what those probes you are seeing mean. You need to run
something like Ethereal, and capture those probe packets to get some idea
of what is happening.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: AOL Servers Probing ??? by N

N
Wed Aug 03 01:46:43 CDT 2005

On Tue, 02 Aug 2005 14:23:40 -0400, !:?) wrote:

> Hi N. Miller,
>
> I went on Live Chat with my Netscape Tec Support I never tried before
> and told them about it.
> (I didn't know I had that option)
>
> They didn't understand why AOL's Proxy Server was doing that either and
> all they could do was give me an AOL Phone Number to get AOL Tec's Directly.
>
> But as soon as I was out of the Live Chat, and before I could call that
> Number, it stopped!!!!!
>
> The Proxy was banging my Port continuously from the time I went online
> until I got out of Chat.
>
> And I didn't do anything here yet!!!!
>
> Strange isn't it?

Maybe not. Was that live chat an AOL, or Netscape function? I would expect
that there were return packets from the chat server. Question: Are you
looking at software firewall logs from behind a router? Consider my rig;
Netgear FR114P routing a DSL connection to two computers. Running Kerio
Personal Firewall 2.1.5 on both computers. Something like that? In the case
of a software firewall behind a router, you can run into a weird situation
where the router keeps a port active longer than the firewall. If that
happens, the router will pass a return packet, but the firewall will block
it.

When you are in a chat, the packets for replies have to come back to your
computer. If you are behind a router, then the router has to allow them
through as solicited packets. Same for the firewall. If the firewall closes
off the port before the router does, the firewall will log the packet as
unsolicited. If you have a router, but you put the computer with the chat
in the router's DMZ, the router won't stop the packets at all; everything
will then come to the firewall.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint