RE: Phantom connections to 216.37.13.59 & .196

From: Yaakov Sloman (yaakov@nd.edu)
Date: 06/03/02


From: "Yaakov Sloman" <yaakov@nd.edu>
To: "'Brian Carpenter'" <bcarp@wosc.edu>, "'Lufo'" <lufo@iespana.es>
Date: Mon, 3 Jun 2002 16:10:24 -0500

Aureate is an Indianapolis-based spyware company. Get LavaSoft Ad-Aware
(www.lavasoft.de) and clean the machines.

> -----Original Message-----
> From: Brian Carpenter [mailto:bcarp@wosc.edu]
> Sent: Monday, June 03, 2002 1:17 PM
> To: Lufo
> Cc: focus-ms@securityfocus.com
> Subject: RE: Phantom connections to 216.37.13.59 & .196
>
>
> I have heard a rumor that XP will keep checking with
> microsoft to avoid piracy. It sends info about your hardware
> & software installed.
> Or... Perhaps somebody installed some backdoors on your
> machines. It looks like a colocated machine.. here is traceroute.
> <my lan>
> 8  kcm-edge-12.inet.qwest.net (65.120.164.249)  14.977 ms  15.610 ms  14.951 ms
> 9  kcm-core-03.inet.qwest.net (205.171.29.141)  15.178 ms  15.178 ms  15.111 ms
> 10 chi-core-02.inet.qwest.net (205.171.8.169)  28.335 ms  28.100 ms  28.136 ms
> 11 chp-brdr-01.inet.qwest.net (205.171.220.58)  29.693 ms  28.603 ms  28.496 ms
> 12 205.171.4.14 (205.171.4.14)  28.414 ms  28.553 ms  28.951 ms
> 13 0.so-5-0-0.XR1.CHI13.ALTER.NET (152.63.73.17)  28.185 ms  28.462 ms  28.524 ms
> 14 0.so-2-2-0.XL1.CHI2.ALTER.NET (152.63.70.102)  30.602 ms  29.524 ms  29.512 ms
> 15 152.63.10.18 (152.63.10.18)  30.889 ms  30.650 ms  30.524 ms
> 16 0.so-4-0-0.XR1.CHI4.ALTER.NET (152.63.2.54)  31.069 ms  30.871 ms  31.057 ms
> 17 195.ATM7-0.GW5.IND1.ALTER.NET (152.63.68.249)  33.600 ms  33.717 ms  33.940 ms
> 18 onecall-POS-core-gw1.customer.alter.net (63.122.162.214)  34.627 ms  34.215 ms  33.734 ms
> 19 Enoch-to-Cedar-OC12c.onecall.net (216.37.0.110)  33.699 ms  33.828 ms  34.337 ms
> 20 OneCall-ATM-CoLo.aureate.com (216.37.1.74)  34.617 ms  34.102 ms  34.326 ms
> 21 *
>
> It seems to be in Onecall.net's lan here is what dig says.
>
> ; <<>> DiG 8.1 <<>> 216.37.13.59
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUERY SECTION:
> ;;      216.37.13.59, type = A, class = IN
>
> ;; AUTHORITY SECTION:
> .                       1h19m44s IN SOA  A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
>                                         2002060300      ; serial
>                                         30M             ; refresh
>                                         15M             ; retry
>                                         1W              ; expiry
>                                         1D )            ; minimum
>
> ;; Total query time: 1 msec
> ;; FROM: tin.onecall.net to SERVER: default -- 207.7.18.7
> ;; WHEN: Mon Jun 3 12:57:50 2002
> ;; MSG SIZE  sent: 30  rcvd: 105
>
>
> Unless MS has colocated a server to do the rumored XP stuff...
> Maybe someone has cracked a server on onecall and is using it to
> backdoor into your machines.
>
> -----Original Message-----
> From: Lufo [mailto:lufo@iespana.es]
> Sent: Saturday, June 01, 2002 9:52 AM
> To: focus-ms@securityfocus.com
> Subject: Phantom connections to 216.37.13.59 & .196
>
>
> Hi.
> We've noticed that some of the winXP boxes inside our LAN
> maintain several connections open to 216.37.13.59 &
> 216.37.13.196, port 80.
>
> Those servers do not get identified with reverse dns, whois
> nor traceroute.
>
> We have those phantom connections even in boxes without any
> program except the OS itself running. Furthermore, netstat
> says those connections do not exist...
>
> Does anyone know what those connections are?
>
>
> Thanks.
>
>
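The symptom in the original post, connections visible on the LAN that the host's own netstat does not list, is exactly what a cross-check between the network view and the host view catches. The script below is an added example and is not code from the thread or from any of its participants: it parses a constructed `netstat -an` listing and a constructed gateway flow log for the same machine, reports the flows the host is not admitting to, and flags the two addresses the poster asked about. The sample lines, the flow-log format and the 192.168.1.x addresses are assumptions made for the example.

```python
"""Cross-check connections seen on the wire against what the host's netstat reports.

Added example, not from the mailing-list thread. The netstat and flow lines below are
constructed samples (netstat -an style output and a simple "src -> dst" flow-log format),
not captured data from the original poster's LAN.
"""
import re
from collections import defaultdict

# Constructed sample: what `netstat -an` printed on one XP box (the host's own view).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1040      192.168.1.5:139        ESTABLISHED
  TCP    192.168.1.20:1055      64.4.13.172:80         ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

# Constructed sample: flows the gateway/firewall saw for the same host (the network view).
# Assumed format: <src ip>:<src port> -> <dst ip>:<dst port>
FLOW_SAMPLE = """\
192.168.1.20:1055 -> 64.4.13.172:80
192.168.1.20:1061 -> 216.37.13.59:80
192.168.1.20:1062 -> 216.37.13.196:80
192.168.1.20:1040 -> 192.168.1.5:139
192.168.1.20:1063 -> 216.37.13.59:80
"""

# The two destinations the original post asks about.
WATCH_LIST = {"216.37.13.59", "216.37.13.196"}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
FLOW_RE = re.compile(r"^(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")


def parse_netstat(text):
    """Return the set of (local_ip, local_port, remote_ip, remote_port) TCP tuples netstat shows."""
    conns = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank or UDP line
        lip, lport, rip, rport, state = m.groups()
        if state == "LISTENING":
            continue  # listening sockets have no remote peer to compare against
        conns.add((lip, int(lport), rip, int(rport)))
    return conns


def parse_flows(text):
    """Return the same 4-tuples from the gateway's flow log."""
    conns = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            sip, sport, dip, dport = m.groups()
            conns.add((sip, int(sport), dip, int(dport)))
    return conns


def hidden_connections(netstat_text, flow_text):
    """Flows seen on the wire that the host's netstat does not list."""
    return parse_flows(flow_text) - parse_netstat(netstat_text)


def hidden_by_destination(netstat_text, flow_text, watch=WATCH_LIST):
    """Count hidden flows per remote ip:port and flag destinations on the watch list."""
    counts = defaultdict(int)
    for _, _, rip, rport in hidden_connections(netstat_text, flow_text):
        counts[(rip, rport)] += 1
    return {f"{ip}:{port}": (n, ip in watch) for (ip, port), n in sorted(counts.items())}


if __name__ == "__main__":
    for dst, (n, flagged) in hidden_by_destination(NETSTAT_SAMPLE, FLOW_SAMPLE).items():
        print(f"{dst:22s} hidden flows={n} {'WATCHLIST' if flagged else ''}")
```

Run the comparison from a box you trust (the gateway or a span port), not from the suspect host: a machine whose traffic is visible on the wire but absent from its own netstat is either being lied to by a hooked or replaced networking layer, or is not the real source of the traffic, and either way its own tools are not evidence.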


