[AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?

Joshua D'Alton joshua at railgun.com.au
Mon Jun 25 12:25:32 EST 2012


58.163.175.187 is the one I assume you all mean? That is a Telstra proxy of
some sort, as is 1.136.95.242.

On Mon, Jun 25, 2012 at 12:20 PM, Terry Manderson <terry at terrym.net> wrote:

>
> My jaw dropped when I saw this.
>
> And indeed confirmed on my Telstra SIM and new valid URL:
>
> 58.163.175.xxx - - [24/Jun/2012:21:58:46 -0400] "GET /sn.html HTTP/1.1" 200 340 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
> 50.57.190.113 - - [24/Jun/2012:21:58:47 -0400] "GET /sn.html HTTP/1.0" 200 341 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
>
> and then to confirm carrier and not phone, swapped to an AT&T travel SIM.
>
> 166.137.11.xxx - - [24/Jun/2012:22:05:50 -0400] "GET /sn.html HTTP/1.1" 200 378 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
>
> No followup GET seen.
>
> I think like everyone, I would be most interested to see an explanation of
> the additional GET from a location in the US.
>
> T.
>
>
>
> On 25/06/2012, at 10:23 AM, Nicholas Weekley wrote:
>
> > I too have discovered similar traffic...
> >
> > Legit:
> > 58.163.175.xxx /services.html 6/25/12 10:08 AM Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit
> >
> > CIA/NSA/Those-out-to-get-me
> > 50.56.58.47 /services.html 6/25/12 10:08 AM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906
> >
> > A quick signature scan of 50.56.58.47 identifies it as a squid proxy
> > server based in Texas too. My best guess is the proxy takes time to process
> > the retrieved page, so initial connections go directly to the source and
> > subsequent requests to the proxy if valid caching occurs.
> >
> > Regards,
> >
> > Nicholas Weekley
> > TSM32 Pty Ltd
> >
> >
> > From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Eric Pinkerton
> > Sent: Monday, 25 June 2012 09:50
> > To: ausnog at ausnog.net
> > Subject: [AusNOG] Telstra's Texan Teaser - Tin Foil Stetsun anyone?
> >
> > Ausnoggers..
> >
> > Whilst there is a lot of tin foil hattery and other spasticity on this
> > WP Thread, http://forums.whirlpool.net.au/archive/1935438 - the questions
> > it throws up have made me curious, esp given Telstra's official response in
> > the following article:
> >
> > http://www.scmagazine.com.au/News/305928,telstra-says-its-not-spying-on-users.aspx
> >
> > "But in a short statement, Telstra's senior media boss Craig Middleton
> > said the company's wireless network management assured that 'there is
> > nothing untoward in what the Whirlpool member has observed - it is a normal
> > network operation'" NOTHING TO SEE HERE MOVE ALONG.
> >
> > In short, if you make a request to a web server on port 80 from a
> > Telstra mobile, you'll see a request immediately after your legit request
> > from the Telstra gateway that originates from a US IP address hosted at
> > Rackspace.
> >
> > Legit request..
> > 58.163.xxx.xxx - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.1" 404 464 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
> >
> > Curious identical request follows...
> > 50.57.190.97 - - [24/Jun/2012:23:12:09 +0000] "GET /test101 HTTP/1.0" 404 526 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
> >
> > Whilst I accept this is probably benign, and can think of several
> > reasons why the output of such a process might be of value to Telstra, I
> > find myself less convinced than a certain senior media boss seems to be
> > that this is "a normal network operation". To me normal would be to, say,
> > pull this info straight from the proxy server.
> >
> > Also, just to be awkward, I am curious as to why a cloud provider would
> > be using what looks a lot like a cluster of VPS's in someone else's cloud
> > based out of Texas ;-)
> >
> > Also why is there a black helicopter hovering above me?
> >
> > So many questions....
> >
> > Discuss!
> >
> >
> > E
> >
> >
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
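
The pattern reported in this thread, as an added example that is not part of the original messages: a Python check that pairs each request in a combined-format access log with a follow-up for the same method and path arriving within a few seconds from a different IP with a different User-Agent. The function name, the 5-second window and the sample log (documentation-range IPs) are assumptions made here.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip, ident, user, [timestamp], "request", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_replayed_requests(lines, window_seconds=5):
    """Return (original, follow_up) pairs: same method and path, requested again
    within the window from a different IP with a different User-Agent."""
    window = timedelta(seconds=window_seconds)
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    pairs = []
    for i, first in enumerate(records):
        for later in records[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break  # records are time-sorted, nothing further can match
            same_target = (later["method"], later["path"]) == (first["method"], first["path"])
            if same_target and later["ip"] != first["ip"] and later["ua"] != first["ua"]:
                pairs.append((first, later))
    return pairs

# Constructed sample log: User-Agents as quoted in the thread, IPs are placeholders.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
FIREFOX_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
SAMPLE_LOG = [
    f'192.0.2.10 - - [24/Jun/2012:21:58:46 -0400] "GET /sn.html HTTP/1.1" 200 340 "-" "{IPHONE_UA}"',
    f'198.51.100.113 - - [24/Jun/2012:21:58:47 -0400] "GET /sn.html HTTP/1.0" 200 341 "-" "{FIREFOX_UA}"',
    f'203.0.113.5 - - [24/Jun/2012:22:05:50 -0400] "GET /sn.html HTTP/1.1" 200 378 "-" "{IPHONE_UA}"',
]

if __name__ == "__main__":
    for first, later in find_replayed_requests(SAMPLE_LOG):
        delay = (later["ts"] - first["ts"]).total_seconds()
        print(f'{first["path"]}: {first["ip"]} then {later["ip"]} ({later["proto"]}) after {delay:.0f}s')
```

On a busy site, popular paths will pair up unrelated visitors, so run it against a unique test URL, as the posters did with /test101.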