AOL 8.0 and discover.xml

From: Louie M. (neuralcerebrallab.com)
Date: Wed Apr 02 2003 - 21:14:07 CST


A few employees recently installed AOL 8.0 on their PCs here at work and
access AOL over our company's T1 connection. Since then I noticed that a
few machines on our network were making port 80 requests to our firewall.
All machines on our network have the firewall set as the internet gateway
machine. ippl reported this:

Apr 1 13:04:33 http connection attempt from 192.168.1.12 (192.168.1.12:1112->192.168.1.1:80)
Apr 1 13:08:19 http connection attempt from 192.168.1.16 (192.168.1.16:3599->192.168.1.1:80)
Apr 1 13:17:49 http connection attempt from 192.168.1.12 (192.168.1.12:1165->192.168.1.1:80)
Apr 1 13:51:30 http connection attempt from 192.168.1.12 (192.168.1.12:1289->192.168.1.1:80)

I confirmed that the request was made when the user signed onto their aol
account. I have apache running on the firewall so that I could use demarc
to view the snort logs. I checked the apache logs and found this in my
error_log

[Tue Apr 1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:51:30 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml

Does anyone know what discover.xml does for aol and why is aol looking for
it on the gateway machine?

The only thing I can think of is that maybe this is similar to how MSN
messenger used SSDP to talk to the firewall to request access to the
outside world. I personally use linux as my dsl router at home so I'm
unfamiliar with commercial home routers, but I'm aware that they usually
have a web interface to configure them and maybe discover.xml might be on
these routers to auto configure port 5190 so that AOL can talk to its
server without any configuration by the user.

A google search didn't turn up anything other than a few logs with similar
requests. If anyone could shed some light on this, it would be much
appreciated.
------------------------------------------------------------------------
Neural Nightmare "It's like Kung-fu lesson for your brain"
Head Mad Scientist http://www.cerebrallab.com/
neuralcerebrallab.com
------------------------------------------------------------------------
PGP Fingerprint 7F13 8F0D 8F29 C375 4C2B 4570 57D1 83E1
PGP Public Key available at http://www.cerebrallab.com/publickey.php
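As an added example (not part of Louie's post), the script below does the correlation he did by hand: it parses the ippl "connection attempt" lines and the Apache error_log lines in the two formats quoted above, and pairs each port-80 attempt against the gateway with a discover.xml "File does not exist" entry from the same client within a few seconds. The sample log lines are constructed from the ones in the post, plus one unrelated 404 to show it is ignored.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the ippl and Apache error_log lines quoted in the post.
IPPL_LOG = """\
Apr 1 13:04:33 http connection attempt from 192.168.1.12 (192.168.1.12:1112->192.168.1.1:80)
Apr 1 13:08:19 http connection attempt from 192.168.1.16 (192.168.1.16:3599->192.168.1.1:80)
Apr 1 13:17:49 http connection attempt from 192.168.1.12 (192.168.1.12:1165->192.168.1.1:80)
"""
APACHE_ERROR_LOG = """\
[Tue Apr 1 13:04:35 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:08:19 2003] [error] [client 192.168.1.16] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:17:49 2003] [error] [client 192.168.1.12] File does not exist: /var/www/htdocs/aol/discover.xml
[Tue Apr 1 13:20:00 2003] [error] [client 192.168.1.40] File does not exist: /var/www/htdocs/favicon.ico
"""

# ippl has no year in its timestamp; Apache does. Both use "Mon D HH:MM:SS" (day may be space-padded).
IPPL_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) http connection attempt from (\S+) \(\S+:\d+->(\S+):(\d+)\)")
APACHE_RE = re.compile(r"^\[\w{3} (\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\d{4})\] \[error\] \[client (\S+)\] File does not exist: (\S+)")

def parse_ippl(text, year=2003):
    """Yield (timestamp, src_ip, dst_ip, dst_port) from ippl connection-attempt lines."""
    for line in text.splitlines():
        m = IPPL_RE.match(line)
        if m:
            mon, day, hms, src, dst, dport = m.groups()
            yield datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"), src, dst, int(dport)

def parse_apache_errors(text):
    """Yield (timestamp, client_ip, path) from Apache 'File does not exist' lines."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            mon, day, hms, year, client, path = m.groups()
            yield datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"), client, path

def correlate(ippl_text, apache_text, marker="/aol/discover.xml", window_s=5):
    """Count, per client, port-80 attempts on the gateway that were followed within window_s
    seconds by a 404 for `marker` from that same client. Returns {client_ip: count}."""
    errors = [e for e in parse_apache_errors(apache_text) if e[2].endswith(marker)]
    hits = {}
    for ts, src, _dst, dport in parse_ippl(ippl_text):
        if dport != 80:
            continue
        if any(c == src and 0 <= (ets - ts).total_seconds() <= window_s for ets, c, _p in errors):
            hits[src] = hits.get(src, 0) + 1
    return hits

if __name__ == "__main__":
    for ip, n in sorted(correlate(IPPL_LOG, APACHE_ERROR_LOG).items()):
        print(f"{ip}: {n} discover.xml probe(s) against the gateway")
```

Run against real ippl and Apache logs, the same correlation tells you which internal hosts are probing the gateway for this file, which is a cleaner inventory than eyeballing the two logs side by side.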