無意發現Windows Live Messenger開了多條HTTP連線到一台Seednet撥接IP的主機

理論上Live Messenger連線的對象應是世界性的Server才對,怎麼會是台來自Seednet撥接網路的機器呢?
試著telnet連上這台機器的80 Port、21 Port及25 Port,都是螢幕全黑後輸入任何字元後被斷線,看來需要特殊規格的Client端才能連。

由以上這些線索,讓我不禁懷疑,該不會是中了木馬吧? 莫非這台是後門程式通訊用的閘道想到這裡,神經都繃了起來!
用Ethereal眼睜睜看著它建連線卻抓不到封包,又更讓人冒冷汗。難道這木馬還有特殊的匿蹤功能,Hook了API後為自己作隱身
又找了個免費軟體VisualSniffer,並重新啟動Live Messenger(或許Ethereal就是卡在Live Messenger沒重啟才沒抓到),總算看到傳輸的Request了,是一堆menu_*.xml。不過該台主機一直傳回HTTP 304 Not Modified,所以也看不出XML內容是什麼。將IE Cache清空後,再試一次,menu*.xml的內容終於現形了。

由XML中的圖檔追下來,才發現這是所謂動畫快遞(Winks)下載目錄的選項資料。


最後證實,原來是虛驚一場。只是為什麼跟Messenger相關的服務卻用的是Seednet撥接上網的Server,真不知其中有什麼祕辛
 

Comments

# by Peter Yen

I think the mysterious seednet servers are akamai server serving static content. Akamai's edge computing service allows users worldwide to get the content from a server that's closet to them. Edge computing addresses the latency users experience between msn and a web server while downloading contents over the internet. By having web servers located in distributed geographically location this network latency can be reduced significantly. <BR/><BR/>I wrote a simle brutal force script to find out all the static images hosted on these akamai servers.<BR/><BR/>#!/bin/bash<BR/><BR/><BR/>LIMIT=20000<BR/><BR/>for ((a=1; a <= LIMIT ; a++)) # Double parentheses, and "LIMIT" with no "$".<BR/>do<BR/> curl -I -s http://akamai.meegos.com/images/$a.gif|grep "200 OK" <BR/> if [ "$?" -eq "0" ]<BR/> then<BR/> echo $a<BR/> fi<BR/>done<BR/><BR/>echo; echo<BR/><BR/>and found a few other images related to msn <BR/><BR/>10003<BR/>10004<BR/>10005<BR/>10009<BR/>10067<BR/>10069<BR/>10073<BR/>10074<BR/>10096<BR/>10097<BR/>10103<BR/>10107<BR/>10109<BR/>10119<BR/>10144<BR/>10350<BR/>10398<BR/>10444<BR/>10507<BR/>10609<BR/>10615<BR/>10619<BR/>10696<BR/>10904<BR/>10936<BR/>10938<BR/>10939<BR/>10941<BR/>10944<BR/>10953<BR/>10955<BR/>10971<BR/>11022<BR/>11024<BR/>11025<BR/>11031<BR/>11036<BR/>11128

# by Darkthread

Awesome! thanks for your information and I just wrote <A HREF="http://darkthread.blogspot.com/2006/07/live-messenger.html" REL="nofollow">another post</A> about Akamai.<BR/>Your script is cool and remind me of the power of shell script.

Post a comment