Re: WinME w/NortonAV boots with http to foreign IP address
From: Randell D. (you.can.email.me.at.randelld_at_yahoo.com)
Date: 10/03/03
- Next message: jayjwa: "Re: No.....It's not Christina Aguilera Nude 5529"
- Previous message: jayjwa: "Re: WinME w/NortonAV boots with http to foreign IP address"
- In reply to: jayjwa: "Re: WinME w/NortonAV boots with http to foreign IP address"
- Next in thread: sponge: "Re: WinME w/NortonAV boots with http to foreign IP address"
- Reply: sponge: "Re: WinME w/NortonAV boots with http to foreign IP address"
- Reply: jayjwa: "Re: WinME w/NortonAV boots with http to foreign IP address"
Date: Fri, 03 Oct 2003 06:11:10 GMT
"jayjwa" <jayjwa@hotspam.microsoftsux.suk> wrote in message
news:vnq3tbiantuk61@corp.supernews.com...
> Randell D. wrote:
> > Folks,
> > I have two Windows ME clients - both have Norton Internet Security 2003 and
> > I've got several years within IT (predominantly Unix/Linux though I have
> > picked up knowledge of Windoze platforms along the way)... I have my WinMe
> > clients hidden behind a router - both clients have Norton Internet AntiVirus
> > + Firewall active on both machines giving them that additional bit of
> > security.
> >
> > I checked my router's log file and notice that when booting, one of my
> > clients makes an http connection to 204.221.192.198. This IP address resolves
> > to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
> > like they bought mr.net). I've never heard of either server or service and
> > don't have any software installed that I could think would be in any way
> > related to them. I've checked my startup routines with msconfig and everything
> > looks normal...
> >
> > Anybody got any ideas?
> >
>
> I just checked with Links and it's not allowing the index file to be
> retrieved, which most likely means you'd have to know the proper
> directory or file to pull down (like Apache's directive Options Indexes,
> set to "Off"). If it was my call, I'd cut it. You know the user isn't
> going to know what's going on, unless they're into web development or
> something, but if they're running Windows, they're most likely a regular
> joe-average computer user that's installed something that makes a call
> to that location, possibly for an ad or something. Ask 'em what they're
> running.
>
> It's got SSH on 22, maybe SSH-1, listed as "99-Server-VI".
> The http on 80 w/"AkamaiGHost" HTTP Acceleration/Mirror Service + SSL
> version of that.
>
> AkamaiGHost:
> <quote>" A company that provides caching of content for its clients, you
> pay them to cache your site, and then they distribute machines to ISPs
> that serve up content locally to ISP customers. This requires less
> bandwidth to be spent on the actual machine. In exchange ISPs get to
> use the server to cache their own content and save bandwidth in exchange
> for electricity. I believe they run a modified RedHat/Apache System."
> </quote>
>
> It's a Linux system, maybe Redhat or Debian, but that's a guess, up
> since Sept. 26, 04:47:40 '03
>
>
> <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
> Adware loaded. _If the client knows nothing about this_, I'd say an
> app he'd installed has adware in it and is calling that place to
> download ads. That would explain why it's getting beyond the FW, because
> the user is giving permission to the app, not knowing that the Adware is
> going along for the ride. I've seen that before, but note that this is a
> far-fetched guess only; don't quote me on that!</morespeculation>
>
> Windows users are known to install anything! ;p (see Swen.Win32.Worm)
>
> --
> --------------nonoffensive sig.v2.2RC2?------------------------
> - jayjwa 4 Spammers: mailto: listme@listme.dsbl.org
> The New Atr2. PGP/GPG Keys onsite
> "Why do all the noob's use RedHat,
> speak 4th grade English,
> and cry because their X server crashed?"
> Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
> ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
>
>
>
Thanks for the prompt response - it's a home network and both of the machines
are mine (well - the infected (?) machine is mine, the other one is my
girlfriend's but I manage them both). Secondly, I consider myself reasonably
well switched on as I've got many years' Unix/Linux and some Windoze
experience... The "infected" machine doesn't have anything I'd be too
worried about and my original post did mention I rebuilt it about 5 weeks ago
and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
version of Visio and MySQL client... I dread the idea of having to rebuild
it - between the install and Microsoft updates, plus anti-virus updates and
software - it will take several hours...

Any other ideas? Can you suggest a method on how I can sniff my own network?
I've been reading the man pages for tcpdump and nmap but I'm really not
familiar with security tools...
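As an added example (my own, not from anyone in this thread) of how to sniff this particular traffic: since 204.221.192.198 answers as an Akamai cache, the IP alone does not say which vendor's service the WinME box calls at boot, but the Host and User-Agent headers inside the HTTP request do. The script parses the ASCII payload that tcpdump -A prints for traffic to that address; the capture setup, the Host value and the User-Agent value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: identify which web service a host
# contacts at boot when the destination IP is a shared Akamai cache, by
# pulling the request line, Host and User-Agent out of the HTTP traffic.
# Assumption: tcpdump runs on a Linux box that sees the WinME client's
# traffic (hub, mirrored switch port, or the router itself).

TARGET_IP="204.221.192.198"   # destination seen in the router log

# Capture command (needs root; not run here). -A prints payloads as ASCII,
# -s 0 keeps whole packets, -l line-buffers output so the pipe keeps up:
#   tcpdump -l -n -A -s 0 "host $TARGET_IP and tcp port 80" | extract_http_fields

# Read tcpdump -A text on stdin; print one summary line per HTTP request:
#   <method> <path> host=<Host header> ua=<User-Agent header>
extract_http_fields() {
    awk '
        # A request line starts a new record; flush the previous one first.
        /^(GET|POST|HEAD) \/[^ ]* HTTP\/1\.[01]/ {
            if (method != "") print method, path, "host=" host, "ua=" ua
            method = $1; path = $2; host = "-"; ua = "-"
            next
        }
        # Header values; strip a trailing CR (older tcpdump prints it as ".").
        /^Host: /       { sub(/^Host: /, "");       sub(/(\r|\.)$/, ""); host = $0 }
        /^User-Agent: / { sub(/^User-Agent: /, ""); sub(/(\r|\.)$/, ""); ua = $0 }
        END { if (method != "") print method, path, "host=" host, "ua=" ua }
    '
}

# Constructed sample of what tcpdump -A prints for one captured request;
# the Host and User-Agent values are made up for illustration.
SAMPLE='06:11:10.123456 IP 192.168.1.10.1031 > 204.221.192.198.80: P 1:312(311) ack 1 win 17520
E..^.....@...
GET /update/catalog.txt HTTP/1.1
Host: liveupdate.example.net
User-Agent: ExampleUpdater/1.0
Connection: Keep-Alive
'

# Run the parser over the sample; the same function takes live tcpdump output.
summarise_sample() {
    printf '%s\n' "$SAMPLE" | extract_http_fields
}

summarise_sample
```

Once the Host and User-Agent are known, they can be matched against the auto-update features of the software listed in the post, which is usually enough to name the caller without a rebuild.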