RE: Phantom connections to 216.37.13.59 & .196

From: Brian Carpenter (bcarp@wosc.edu)
Date: 06/03/02


Date: Mon, 3 Jun 2002 13:17:06 -0500
From: "Brian Carpenter" <bcarp@wosc.edu>
To: "Lufo" <lufo@iespana.es>

I have heard a rumor that XP will keep checking with Microsoft to avoid piracy.
It sends info about your hardware & software installed.
Or... Perhaps somebody installed some backdoors on your machines.
It looks like a colocated machine. Here is the traceroute:
            <my lan>
         8 kcm-edge-12.inet.qwest.net (65.120.164.249) 14.977 ms 15.610 ms 14.951 ms
         9 kcm-core-03.inet.qwest.net (205.171.29.141) 15.178 ms 15.178 ms 15.111 ms
        10 chi-core-02.inet.qwest.net (205.171.8.169) 28.335 ms 28.100 ms 28.136 ms
        11 chp-brdr-01.inet.qwest.net (205.171.220.58) 29.693 ms 28.603 ms 28.496 ms
        12 205.171.4.14 (205.171.4.14) 28.414 ms 28.553 ms 28.951 ms
        13 0.so-5-0-0.XR1.CHI13.ALTER.NET (152.63.73.17) 28.185 ms 28.462 ms 28.524 ms
        14 0.so-2-2-0.XL1.CHI2.ALTER.NET (152.63.70.102) 30.602 ms 29.524 ms 29.512 ms
        15 152.63.10.18 (152.63.10.18) 30.889 ms 30.650 ms 30.524 ms
        16 0.so-4-0-0.XR1.CHI4.ALTER.NET (152.63.2.54) 31.069 ms 30.871 ms 31.057 ms
        17 195.ATM7-0.GW5.IND1.ALTER.NET (152.63.68.249) 33.600 ms 33.717 ms 33.940 ms
        18 onecall-POS-core-gw1.customer.alter.net (63.122.162.214) 34.627 ms 34.215 ms 33.734 ms
        19 Enoch-to-Cedar-OC12c.onecall.net (216.37.0.110) 33.699 ms 33.828 ms 34.337 ms
        20 OneCall-ATM-CoLo.aureate.com (216.37.1.74) 34.617 ms 34.102 ms 34.326 ms
        21 *

It seems to be in Onecall.net's LAN. Here is what dig says:

        ; <<>> DiG 8.1 <<>> 216.37.13.59
        ;; res options: init recurs defnam dnsrch
        ;; got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
        ;; QUERY SECTION:
        ;; 216.37.13.59, type = A, class = IN

        ;; AUTHORITY SECTION:
        . 1h19m44s IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
                                                2002060300 ; serial
                                                30M ; refresh
                                                15M ; retry
                                                1W ; expiry
                                                1D ) ; minimum

        ;; Total query time: 1 msec
        ;; FROM: tin.onecall.net to SERVER: default -- 207.7.18.7
        ;; WHEN: Mon Jun 3 12:57:50 2002
        ;; MSG SIZE sent: 30 rcvd: 105

Unless MS has colocated a server to do the rumored XP stuff... Maybe somebody has cracked a server on onecall and is using it to backdoor into your machines.

-----Original Message-----
From: Lufo [mailto:lufo@iespana.es]
Sent: Saturday, June 01, 2002 9:52 AM
To: focus-ms@securityfocus.com
Subject: Phantom connections to 216.37.13.59 & .196

Hi.
We've noticed that some of the winXP boxes inside our LAN maintain
several connections open to 216.37.13.59 & 216.37.13.196, port 80.

Those servers do not get identified with reverse dns, whois nor
traceroute.

We have those phantom connections even in boxes without any program
except the OS itself running. Furthermore, netstat says those
connections do not exist...

Does anyone know what those connections are?

Thanks.
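The triage the thread describes (trace the path to the unexplained destination, find the last hop that answers, and try a reverse lookup) can be scripted so it is repeatable across a fleet. The following is an added example, not code from either poster. It parses traceroute output like the one quoted above, reports the last responding hop, builds the in-addr.arpa name that a reverse (PTR) lookup has to query (note that the dig above asked for an A record for the literal dotted quad, which is why it returned NXDOMAIN; `dig -x` builds this reverse name for you), and checks whether the connection targets fall in the same block as that last hop. The /16 boundary used for that check is an illustrative assumption; real allocation boundaries come from whois. The sample input is copied from the traceroute in the reply above, and no network access is needed.

```python
"""Triage helpers for unexplained outbound connections (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the hops quoted in the reply above. Hop 21 never answered.
SAMPLE_TRACEROUTE = """\
 8 kcm-edge-12.inet.qwest.net (65.120.164.249) 14.977 ms 15.610 ms 14.951 ms
 9 kcm-core-03.inet.qwest.net (205.171.29.141) 15.178 ms 15.178 ms 15.111 ms
10 chi-core-02.inet.qwest.net (205.171.8.169) 28.335 ms 28.100 ms 28.136 ms
11 chp-brdr-01.inet.qwest.net (205.171.220.58) 29.693 ms 28.603 ms 28.496 ms
12 205.171.4.14 (205.171.4.14) 28.414 ms 28.553 ms 28.951 ms
13 0.so-5-0-0.XR1.CHI13.ALTER.NET (152.63.73.17) 28.185 ms 28.462 ms 28.524 ms
14 0.so-2-2-0.XL1.CHI2.ALTER.NET (152.63.70.102) 30.602 ms 29.524 ms 29.512 ms
15 152.63.10.18 (152.63.10.18) 30.889 ms 30.650 ms 30.524 ms
16 0.so-4-0-0.XR1.CHI4.ALTER.NET (152.63.2.54) 31.069 ms 30.871 ms 31.057 ms
17 195.ATM7-0.GW5.IND1.ALTER.NET (152.63.68.249) 33.600 ms 33.717 ms 33.940 ms
18 onecall-POS-core-gw1.customer.alter.net (63.122.162.214) 34.627 ms 34.215 ms 33.734 ms
19 Enoch-to-Cedar-OC12c.onecall.net (216.37.0.110) 33.699 ms 33.828 ms 34.337 ms
20 OneCall-ATM-CoLo.aureate.com (216.37.1.74) 34.617 ms 34.102 ms 34.326 ms
21 *
"""

# "<hop> <host> (<ipv4>) <rtt> ms ..." and the timed-out form "<hop> *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*(.*)$")
RTT_RE = re.compile(r"([\d.]+)\s+ms")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


@dataclass
class Hop:
    number: int
    host: Optional[str]            # None when the hop timed out
    ip: Optional[str]
    rtts_ms: List[float] = field(default_factory=list)


def parse_traceroute(text: str) -> List[Hop]:
    """Turn traceroute text into Hop records; unrecognised lines are ignored."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            num, host, ip, rest = m.groups()
            hops.append(Hop(int(num), host, ip, [float(r) for r in RTT_RE.findall(rest)]))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), None, None))
    return hops


def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    """The last hop that answered; the network it sits in is the best attribution clue."""
    responding = [h for h in hops if h.ip is not None]
    return responding[-1] if responding else None


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IP, i.e. what `dig -x <ip>` actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def same_network(ip: str, hop_ip: str, prefix_len: int = 16) -> bool:
    """True if ip is in the /prefix_len block around hop_ip (prefix is an assumption)."""
    net = ipaddress.ip_network(f"{hop_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip) in net


def attribute(targets: List[str], traceroute_text: str) -> Dict[str, dict]:
    """Per target: the PTR name to query, the last responding hop, and block membership."""
    last = last_responding_hop(parse_traceroute(traceroute_text))
    return {
        t: {
            "ptr_query": ptr_name(t),
            "last_hop": last.host if last else None,
            "in_last_hop_block": same_network(t, last.ip) if last else False,
        }
        for t in targets
    }


if __name__ == "__main__":
    for target, info in attribute(["216.37.13.59", "216.37.13.196"], SAMPLE_TRACEROUTE).items():
        print(target, info)
```

Feed the function real traceroute output and the addresses from your firewall or proxy logs rather than from netstat on the suspect host, since the original report notes that netstat on the box did not show the connections; a host's own view is the one you trust least when you suspect a backdoor.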