
AOL 8.0 and discover.xml

From: Louie M. <neural(at)cerebrallab.com>
Date: Wed Apr 02 2003 - 22:14:07 EST


A few employees recently installed AOL 8.0 on their PCs here at work and access AOL over our company's T1 connection. Since then I noticed that a few machines on our network were making port 80 requests to our firewall. All machines on our network have the firewall set as the internet gateway machine. ippl reported this:

Apr 1 13:04:33 http connection attempt from 192.168.1.12
(192.168.1.12:1112->192.168.1.1:80)

Apr 1 13:08:19 http connection attempt from 192.168.1.16
(192.168.1.16:3599->192.168.1.1:80)

Apr 1 13:17:49 http connection attempt from 192.168.1.12
(192.168.1.12:1165->192.168.1.1:80)

Apr 1 13:51:30 http connection attempt from 192.168.1.12
(192.168.1.12:1289->192.168.1.1:80)

I confirmed that the request was made when the user signed onto their AOL account. I have Apache running on the firewall so that I could use demarc to view the snort logs. I checked the Apache logs and found this in my error_log:

[Tue Apr 1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:51:30 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml

Does anyone know what discover.xml does for AOL and why AOL is looking for it on the gateway machine?

The only thing I can think of is that maybe this is similar to how MSN Messenger used SSDP to talk to the firewall to request access to the outside world. I personally use Linux as my DSL router at home so I'm unfamiliar with commercial home routers, but I'm aware that they usually have a web interface to configure them and maybe discover.xml might be on these routers to auto-configure port 5190 so that AOL can talk to its server without any configuration by the user.

A Google search didn't turn up anything other than a few logs with similar requests. If anyone could shed some light on this, it would be much appreciated.


Neural Nightmare  	       "It's like Kung-fu lesson for your brain"
Head Mad Scientist			     
http://www.cerebrallab.com/
neural@cerebrallab.com

PGP Fingerprint 7F13 8F0D 8F29 C375 4C2B 4570 57D1 83E1
PGP Public Key available at http://www.cerebrallab.com/publickey.php

Received on Thu Apr 3 12:57:41 2003
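
The correlation described in the message above (ippl connection records matched against Apache error_log "File does not exist" entries), shown as an added example that is not part of the original post. The log lines are copied from the post with the wrapped ippl entries joined onto one line each; the function names, the year supplied for the year-less ippl timestamps, and the 5-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post; wrapped ippl entries are joined onto one line.
IPPL_LOG = """\
Apr 1 13:04:33 http connection attempt from 192.168.1.12 (192.168.1.12:1112->192.168.1.1:80)
Apr 1 13:08:19 http connection attempt from 192.168.1.16 (192.168.1.16:3599->192.168.1.1:80)
Apr 1 13:17:49 http connection attempt from 192.168.1.12 (192.168.1.12:1165->192.168.1.1:80)
Apr 1 13:51:30 http connection attempt from 192.168.1.12 (192.168.1.12:1289->192.168.1.1:80)
"""
APACHE_LOG = """\
[Tue Apr 1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:51:30 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
"""

IPPL_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) connection attempt from \S+ "
                     r"\((\S+):(\d+)->(\S+):(\d+)\)")
APACHE_RE = re.compile(r"^\[\w{3} (\w{3} +\d+ [\d:]{8}) (\d{4})\] \[error\] "
                       r"\[client (\S+)\] File does not exist: (\S+)")

def parse_ippl(text, year):
    """Yield (time, src_ip, src_port, dst_port); ippl lines carry no year."""
    for m in filter(None, map(IPPL_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), int(m.group(4)), int(m.group(6))

def parse_apache(text):
    """Yield (time, client_ip, missing_path) for each 'File does not exist' error."""
    for m in filter(None, map(APACHE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(4)

def correlate(ippl_text, apache_text, year=2003, window=timedelta(seconds=5)):
    """Per client, pair each port-80 connection with the missing-file errors
    Apache logged for that client within `window` after the connection."""
    misses = list(parse_apache(apache_text))
    report = {}
    for ts, src, sport, dport in parse_ippl(ippl_text, year):
        if dport != 80:
            continue
        paths = [p for t, c, p in misses
                 if c == src and timedelta(0) <= t - ts <= window]
        report.setdefault(src, []).append((ts.strftime("%H:%M:%S"), sport, paths))
    return report

if __name__ == "__main__":
    for client, hits in correlate(IPPL_LOG, APACHE_LOG).items():
        print(client, hits)
```
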

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
