Gentoo Archives: gentoo-user

From: Joshua Murphy <poisonbl@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Wed, 25 Aug 2010 08:10:05
Message-Id: AANLkTi=_Ue+sicEzLvDLMdvN8aMFcyj13DK2nE-955sv@mail.gmail.com
In Reply to: Re: [gentoo-user] Yahoo and strange traffic. by Dale
On Tue, Aug 24, 2010 at 10:36 PM, Dale <rdalek1967@×××××.com> wrote:
> BRM wrote:
>>
>> Wireshark will show you the raw packet data, and decode only a little of it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
>> nessus as it really is more of a port scanner/security hole finder than a debug
>> tool for applications (it's basically an interface for nmap for those purposes).
>>
>> HTH,
>>
>> Ben
>>
>
> It finally did it again, and is doing it as I type.  I captured some of the
> traffic with Wireshark.  Can someone tell me what to do with it now?  This
> is one frame of it:
>
> Frame 4 (881 bytes on wire, 881 bytes captured)
>    Arrival Time: Aug 24, 2010 21:03:35.518314000
>    [Time delta from previous captured frame: 0.000383000 seconds]
>    [Time delta from previous displayed frame: 0.000383000 seconds]
>    [Time since reference or first frame: 0.010995000 seconds]
>    Frame Number: 4
>    Frame Length: 881 bytes
>    Capture Length: 881 bytes
>    [Frame is marked: False]
>    [Protocols in frame: eth:ip:tcp:http]
>    [Coloring Rule Name: HTTP]
>    [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>    Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>        Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>    Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>        Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>    Type: IP (0x0800)
> Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 (98.136.112.30)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..0. = ECN-Capable Transport (ECT): 0
>        .... ...0 = ECN-CE: 0
>    Total Length: 867
>    Identification: 0xe5fb (58875)
>    Flags: 0x02 (Don't Fragment)
>        0.. = Reserved bit: Not Set
>        .1. = Don't fragment: Set
>        ..0 = More fragments: Not Set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: TCP (0x06)
>    Header checksum: 0xbd48 [correct]
>        [Good: True]
>        [Bad : False]
>    Source: 192.168.1.2 (192.168.1.2)
>    Destination: 98.136.112.30 (98.136.112.30)
> Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80), Seq: 0, Ack: 1, Len: 815
>    Source port: 43281 (43281)
>    Destination port: http (80)
>    [Stream index: 1]
>    Sequence number: 0    (relative sequence number)
>    [Next sequence number: 815    (relative sequence number)]
>    Acknowledgement number: 1    (relative ack number)
>    Header length: 32 bytes
>    Flags: 0x18 (PSH, ACK)
>        0... .... = Congestion Window Reduced (CWR): Not set
>        .0.. .... = ECN-Echo: Not set
>        ..0. .... = Urgent: Not set
>        ...1 .... = Acknowledgement: Set
>        .... 1... = Push: Set
>        .... .0.. = Reset: Not set
>        .... ..0. = Syn: Not set
>        .... ...0 = Fin: Not set
>    Window size: 92
>    Checksum: 0x0d09 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
>    Options: (12 bytes)
>        NOP
>        NOP
>        Timestamps: TSval 177975147, TSecr 3960038659
>    [SEQ/ACK analysis]
>        [Number of bytes in flight: 815]
> Hypertext Transfer Protocol
>    GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n
>        [Expert Info (Chat/Sequence): GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
>            [Message: GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
>            [Severity level: Chat]
>            [Group: Sequence]
>        Request Method: GET
>        Request URI: /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
>        Request Version: HTTP/1.1
>    Host: rest-img.msg.yahoo.com\r\n
>    Connection: close\r\n
>    User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
>    Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8\r\n
>    Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
>    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
>    Accept-Language: en-US, en\r\n
>    [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
>    \r\n
>
> No.     Time        Source                Destination           Protocol  Info
>      5 0.152339    98.136.112.30         192.168.1.2           HTTP      HTTP/1.1 401 Authorization Required  (text/html)
>
>
> I changed the screen name to protect the innocent.  She is a red head with
> attitude.  Anyway, looking at more than one frame here, it looks like it is
> trying to get info, image perhaps, for that contact but it fails so it keeps
> trying.  Been going at it for half hour or more so far.  It looks to me like
> Yahoo would eventually say "bugger off"!!  LOL
>
> I remember that Yahoo removed images and some kind of profile thingy a while
> back.  Could that be what it is trying to find but that no longer exists?
>
> Thoughts?
>
> Dale
>
> :-)  :-)

Well, glancing at the GET request it's making there, as well as the
API google points me to when I look it up...

http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628

You're right that it's after an image from their profile, but the
cause of the failure appears to be related to some sort of credentials
Yahoo wants the messenger to provide. You might poke Kopete's
bugtracker to see if they've a related bug on file already, and if
they don't, throw one their way.

The API Yahoo appears to be using there (based on a response I got
back in poking lightly) is, or is based on, OAuth, which according to
this:

http://oauth.net/core/1.0/#http_codes

specifies that a request should give a 401 response (Authorization
Required vs Unauthorized is purely the choice of phrase used in the
program decoding the numerical code, i.e. wireshark in your example of
it there) in the following cases:

HTTP 401 Unauthorized
* Invalid Consumer Key
* Invalid / expired Token
* Invalid signature
* Invalid / used nonce

Yahoo, essentially, *does* give a "bugger off"!! with that response,
but Kopete simply takes it, considers it a brief instant, then decides
"Maybe the answer will change if I try again *now*!"... at which point
it proceeds to introduce its proverbial cranium to the proverbial
brick and mortar vertical surface one might term "the wall."
Repeatedly.

--
Poison [BLX]
Joshua M. Murphy
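The behaviour diagnosed in this thread, a client re-sending the identical request after each 401 without ever changing its credentials, is easy to spot from nothing more than Wireshark's packet-list columns. The script below is an added example, not code from the thread or from Kopete or Wireshark: it parses constructed rows in the shape of the "No. / Time / Source / Destination / Protocol / Info" summary Dale pasted (the addresses mirror his capture, the screen name is replaced with "example", 203.0.113.10 is a documentation address), pairs each request with the response that flows back to it, and flags a (client, server, URI) triple that keeps drawing the same non-retryable error in quick succession. The `should_retry` table is the example's own policy, with 401 excluded for the reason the OAuth 1.0 status-code list gives: a bad consumer key, token, signature or nonce does not become valid by resending the same bytes.

```python
"""Detect a tight retry loop against an HTTP endpoint from capture summary rows.

Added example (not from the mailing-list thread). Rows are constructed
to follow Wireshark's packet-list column order:
    No.  Time  Source  Destination  Protocol  Info
"""
import re
from collections import defaultdict

# Constructed sample: the LAN host asks for the same profile image three
# times, is told 401 each time, then fetches an unrelated page normally.
SAMPLE_ROWS = """\
4  0.010995  192.168.1.2    98.136.112.30  HTTP  GET /v1/displayImage/custom/yahoo/example?redirect=0 HTTP/1.1
5  0.152339  98.136.112.30  192.168.1.2    HTTP  HTTP/1.1 401 Authorization Required  (text/html)
9  0.410212  192.168.1.2    98.136.112.30  HTTP  GET /v1/displayImage/custom/yahoo/example?redirect=0 HTTP/1.1
10 0.551004  98.136.112.30  192.168.1.2    HTTP  HTTP/1.1 401 Authorization Required  (text/html)
14 0.812770  192.168.1.2    98.136.112.30  HTTP  GET /v1/displayImage/custom/yahoo/example?redirect=0 HTTP/1.1
15 0.953311  98.136.112.30  192.168.1.2    HTTP  HTTP/1.1 401 Authorization Required  (text/html)
20 1.200000  192.168.1.2    203.0.113.10   HTTP  GET /index.html HTTP/1.1
21 1.310000  203.0.113.10   192.168.1.2    HTTP  HTTP/1.1 200 OK  (text/html)
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
REQUEST_RE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE)\s+(\S+)\s+HTTP/\d\.\d")
RESPONSE_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")

# Statuses where repeating the same request can plausibly succeed later.
# 401 is deliberately absent: under OAuth 1.0 it means a bad consumer key,
# token, signature or nonce, none of which a blind resend can fix.
RETRYABLE_STATUSES = {408, 429, 500, 502, 503, 504}


def should_retry(status: int) -> bool:
    """Policy used by the detector: only transient errors justify a retry."""
    return status in RETRYABLE_STATUSES


def parse_exchanges(text: str):
    """Pair every request row with the next response flowing back to its sender.

    Returns a list of (client, server, uri, status, request_time) tuples.
    """
    pending = {}      # (client, server) -> (uri, request_time)
    exchanges = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _, t, src, dst, proto, info = m.groups()
        if proto != "HTTP":
            continue
        req = REQUEST_RE.match(info)
        if req:
            pending[(src, dst)] = (req.group(2), float(t))
            continue
        resp = RESPONSE_RE.match(info)
        if resp and (dst, src) in pending:
            uri, t_req = pending.pop((dst, src))
            exchanges.append((dst, src, uri, int(resp.group(1)), t_req))
    return exchanges


def find_retry_loops(text: str, min_repeats: int = 3, max_gap: float = 5.0):
    """Flag (client, server, uri) triples that keep receiving one and the same
    non-retryable error status, on average less than max_gap seconds apart."""
    groups = defaultdict(list)
    for client, server, uri, status, t_req in parse_exchanges(text):
        groups[(client, server, uri)].append((status, t_req))

    findings = []
    for (client, server, uri), hits in groups.items():
        statuses = {s for s, _ in hits}
        if len(hits) < min_repeats or len(statuses) != 1:
            continue
        status = statuses.pop()
        if status < 400 or should_retry(status):
            continue
        times = sorted(t for _, t in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_gap:
            findings.append({"client": client, "server": server, "uri": uri,
                             "status": status, "count": len(hits),
                             "mean_gap": round(mean_gap, 3)})
    return findings


if __name__ == "__main__":
    for f in find_retry_loops(SAMPLE_ROWS):
        print(f"{f['client']} -> {f['server']} {f['uri']}: "
              f"{f['count']}x {f['status']}, mean gap {f['mean_gap']}s")
```

On a real capture the same rows come out of `tshark -r capture.pcap -Y http` with the default summary columns; the detector reports one finding for the sample, the 401 loop, and stays quiet about the single successful fetch. Sizing `min_repeats` and `max_gap` for a given network is a local decision; the point is that a client which treats 401 the way it should treat 503 shows up as a flat line of identical failures.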

Replies

Subject Author
Re: [gentoo-user] Yahoo and strange traffic. Dale <rdalek1967@×××××.com>