«

Randell D. wrote:
> Folks,
> I have two WindowME clients - Both have Norton Internet Security 2003 and
> I've got several years within IT (predominently Unix/Linux though I have
> picked up knowledge of Windoze platforms along the way)... I have my WinMe
> clients hidden behind a router - both clients have Norton Internet AntiVirus
> + Firewall active on both machines giving them that additional bit of
> security.
>
> I checked my routers log file and notice that when booting, one of my
> clients makes a http connection to 204.221.192.198 This IP address resolves
> to "mr.net" which also has some relationship with o"nvoy.ne"t (onvoy looks
> like they bought mr.net). I've never heard of either server or service and
> don't have any software installed that I could think would be anyway related
> to them. I've checked my startup routines with msconfig and everything
> looks normal...
>
> Anybody got any ideas?
>

I just checked with Links and it's not allowing the index file to be
retrieved, which most likey means you'd have to know the proper
directory or file to pull down (like Apache's directive Options Indexes,
set to "Off") If it was my call, I'd cut it. You know the user isn't
going to know what's going on, unless they're into web development or
something, but if they're running Windows, they're mostlikely a regular
joe-average computer user that's installed something that makes a call
to that location, possibly for an ad or something. Ask'em what they're
running.

It's got a SSH on 22, maybe SSH-1, Listed as "99-Server-VI"
The http on 80 w/"AkamiGHost" HTTP Acceleration/Mirror Service + SSL
version of that

Akamighost:
<qoute>" A company that provides caching of content for its clients, you
pay them to cache your site, and then they distribute machines to ISP's
that server up content locally to isp customers. This requires less
bandwidth to be spent on the actual machine. In exchange isp's get to
use the server to cache their own content and save bandwidth in exchange
for electricity. I believe they run a modified RedHat/Apache System."
</qoute>

It's a Linux system, maybe Redhat or Debian, but's that a guess, up
since Sept. 26, 04:47:40 '03


<morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
Adware loaded. _If the client knows nothing about this_, I'd say an
app he'd installed has adware in it and is calling that place to
download ads. That would explain why it's getting beyond the FW, because
the user is giving premission to the app, not knowing that the Adware is
going along for the ride. I've seen that before, but note that this is a
far-fetched guess only- dont' qoute me on that!</morespeculation>

Windows users are known to install anything! ;p (see Swen.Win32.Worm)

--
--------------nonoffensive sig.v2.2RC2?------------------------
- jayjwa 4 Spammers: mailto:
The New Atr2. PGP/GPG Keys onsite
"Why do all the noob's use RedHat,
speak 4th grade English,
and cry because their X server crashed?"
Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============

Folks,
I have two WindowME clients - Both have Norton Internet Security 2003 and
I've got several years within IT (predominently Unix/Linux though I have
picked up knowledge of Windoze platforms along the way)... I have my WinMe
clients hidden behind a router - both clients have Norton Internet AntiVirus
+ Firewall active on both machines giving them that additional bit of
security.

I checked my routers log file and notice that when booting, one of my
clients makes a http connection to 204.221.192.198 This IP address resolves
to "mr.net" which also has some relationship with o"nvoy.ne"t (onvoy looks
like they bought mr.net). I've never heard of either server or service and
don't have any software installed that I could think would be anyway related
to them. I've checked my startup routines with msconfig and everything
looks normal...

Anybody got any ideas?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet?

"jayjwa" <> wrote in message
news:...
> Randell D. wrote:
> > Folks,
> > I have two WindowME clients - Both have Norton Internet Security 2003
and
> > I've got several years within IT (predominently Unix/Linux though I have
> > picked up knowledge of Windoze platforms along the way)... I have my
WinMe
> > clients hidden behind a router - both clients have Norton Internet
AntiVirus
> > + Firewall active on both machines giving them that additional bit of
> > security.
> >
> > I checked my routers log file and notice that when booting, one of my
> > clients makes a http connection to 204.221.192.198 This IP address
resolves
> > to "mr.net" which also has some relationship with o"nvoy.ne"t (onvoy
looks
> > like they bought mr.net). I've never heard of either server or service
and
> > don't have any software installed that I could think would be anyway
related
> > to them. I've checked my startup routines with msconfig and everything
> > looks normal...
> >
> > Anybody got any ideas?
> >
>
> I just checked with Links and it's not allowing the index file to be
> retrieved, which most likey means you'd have to know the proper
> directory or file to pull down (like Apache's directive Options Indexes,
> set to "Off") If it was my call, I'd cut it. You know the user isn't
> going to know what's going on, unless they're into web development or
> something, but if they're running Windows, they're mostlikely a regular
> joe-average computer user that's installed something that makes a call
> to that location, possibly for an ad or something. Ask'em what they're
> running.
>
> It's got a SSH on 22, maybe SSH-1, Listed as "99-Server-VI"
> The http on 80 w/"AkamiGHost" HTTP Acceleration/Mirror Service + SSL
> version of that
>
> Akamighost:
> <qoute>" A company that provides caching of content for its clients, you
> pay them to cache your site, and then they distribute machines to ISP's
> that server up content locally to isp customers. This requires less
> bandwidth to be spent on the actual machine. In exchange isp's get to
> use the server to cache their own content and save bandwidth in exchange
> for electricity. I believe they run a modified RedHat/Apache System."
> </qoute>
>
> It's a Linux system, maybe Redhat or Debian, but's that a guess, up
> since Sept. 26, 04:47:40 '03
>
>
> <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
> Adware loaded. _If the client knows nothing about this_, I'd say an
> app he'd installed has adware in it and is calling that place to
> download ads. That would explain why it's getting beyond the FW, because
> the user is giving premission to the app, not knowing that the Adware is
> going along for the ride. I've seen that before, but note that this is a
> far-fetched guess only- dont' qoute me on that!</morespeculation>
>
> Windows users are known to install anything! ;p (see Swen.Win32.Worm)
>
> --
> --------------nonoffensive sig.v2.2RC2?------------------------
> - jayjwa 4 Spammers: mailto:
> The New Atr2. PGP/GPG Keys onsite
> "Why do all the noob's use RedHat,
> speak 4th grade English,
> and cry because their X server crashed?"
> Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
> ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
>
>
>

Thanks for the prompt response - its a home network and both of the machines
are mine (well - the infected (?) machine is mine, the other one is my
girlfriends but I manage them both). Secondly, I consider myself reasonably
well switched on as I've got many years Unix/Linux and some windoze
experience... The "infected" machine doesn't have anything I'd be too
worried about and my original post did mention I rebuilt it about 5weeks ago
and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
version of Visio and MySQL client... I dread the idea of having to rebuild
it - between the install and microsoft updates, plus anti-virus updates and
software - it will take several hours...

any other ideas? can you suggest a method on how I can sniff my own network?
I've been reading the man page for tcpdump and nmap but I'm really not
familiar with security tools...

"Randell D." <> wrote in message
news:ki7fb.7965$pl3.7020@pd7tw3no...
>
> Folks,
> I have two WindowME clients - Both have Norton Internet Security 2003 and
> I've got several years within IT (predominently Unix/Linux though I have
> picked up knowledge of Windoze platforms along the way)... I have my WinMe
> clients hidden behind a router - both clients have Norton Internet
AntiVirus
> + Firewall active on both machines giving them that additional bit of
> security.
>
> I checked my routers log file and notice that when booting, one of my
> clients makes a http connection to 204.221.192.198 This IP address
resolves
> to "mr.net" which also has some relationship with o"nvoy.ne"t (onvoy looks
> like they bought mr.net). I've never heard of either server or service
and
> don't have any software installed that I could think would be anyway
related
> to them. I've checked my startup routines with msconfig and everything
> looks normal...
>
> Anybody got any ideas?
>
> --
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing on usenet?
>
>

I think it was Quicktime... I have uninstalled and rebooted a couple of
times and not seen the http connection...

"Randell D." <> wrote in message news:<2q8fb.8580$9l5.7483@pd7tw2no>...
> "jayjwa" <> wrote in message
> news:...
> > Randell D. wrote:
> > > Folks,
> > > I have two WindowME clients - Both have Norton Internet Security 2003
> and
> > > I've got several years within IT (predominently Unix/Linux though I have
> > > picked up knowledge of Windoze platforms along the way)... I have my
> WinMe
> > > clients hidden behind a router - both clients have Norton Internet
> AntiVirus
> > > + Firewall active on both machines giving them that additional bit of
> > > security.
> > >
> > > I checked my routers log file and notice that when booting, one of my
> > > clients makes a http connection to 204.221.192.198 This IP address
> resolves
> > > to "mr.net" which also has some relationship with o"nvoy.ne"t (onvoy
> looks
> > > like they bought mr.net). I've never heard of either server or service
> and
> > > don't have any software installed that I could think would be anyway
> related
> > > to them. I've checked my startup routines with msconfig and everything
> > > looks normal...
> > >
> > > Anybody got any ideas?
> > >
> >
> > I just checked with Links and it's not allowing the index file to be
> > retrieved, which most likey means you'd have to know the proper
> > directory or file to pull down (like Apache's directive Options Indexes,
> > set to "Off") If it was my call, I'd cut it. You know the user isn't
> > going to know what's going on, unless they're into web development or
> > something, but if they're running Windows, they're mostlikely a regular
> > joe-average computer user that's installed something that makes a call
> > to that location, possibly for an ad or something. Ask'em what they're
> > running.
> >
> > It's got a SSH on 22, maybe SSH-1, Listed as "99-Server-VI"
> > The http on 80 w/"AkamiGHost" HTTP Acceleration/Mirror Service + SSL
> > version of that
> >
> > Akamighost:
> > <qoute>" A company that provides caching of content for its clients, you
> > pay them to cache your site, and then they distribute machines to ISP's
> > that server up content locally to isp customers. This requires less
> > bandwidth to be spent on the actual machine. In exchange isp's get to
> > use the server to cache their own content and save bandwidth in exchange
> > for electricity. I believe they run a modified RedHat/Apache System."
> > </qoute>
> >
> > It's a Linux system, maybe Redhat or Debian, but's that a guess, up
> > since Sept. 26, 04:47:40 '03
> >
> >
> > <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
> > Adware loaded. _If the client knows nothing about this_, I'd say an
> > app he'd installed has adware in it and is calling that place to
> > download ads. That would explain why it's getting beyond the FW, because
> > the user is giving premission to the app, not knowing that the Adware is
> > going along for the ride. I've seen that before, but note that this is a
> > far-fetched guess only- dont' qoute me on that!</morespeculation>
> >
> > Windows users are known to install anything! ;p (see Swen.Win32.Worm)
> >
> > --
> > --------------nonoffensive sig.v2.2RC2?------------------------
> > - jayjwa 4 Spammers: mailto:
> > The New Atr2. PGP/GPG Keys onsite
> > "Why do all the noob's use RedHat,
> > speak 4th grade English,
> > and cry because their X server crashed?"
> > Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
> > ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
> >
> >
> >
>
> Thanks for the prompt response - its a home network and both of the machines
> are mine (well - the infected (?) machine is mine, the other one is my
> girlfriends but I manage them both). Secondly, I consider myself reasonably
> well switched on as I've got many years Unix/Linux and some windoze
> experience... The "infected" machine doesn't have anything I'd be too
> worried about and my original post did mention I rebuilt it about 5weeks ago
> and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
> version of Visio and MySQL client... I dread the idea of having to rebuild
> it - between the install and microsoft updates, plus anti-virus updates and
> software - it will take several hours...
>
> any other ideas? can you suggest a method on how I can sniff my own network?
> I've been reading the man page for tcpdump and nmap but I'm really not
> familiar with security tools...

Well, hopefully you fixed it. However, as far as sniffing goes, try
Ethereal (http://www.ethereal.com). Make sure to download the WinPcap
driver, v3.0. Use TCPView
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) to ID
processes.

Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 et yahoo dot com

Randell D. wrote:

>
> Thanks for the prompt response - its a home network and both of the machines
> are mine (well - the infected (?) machine is mine, the other one is my
> girlfriends but I manage them both). Secondly, I consider myself reasonably
> well switched on as I've got many years Unix/Linux and some windoze
> experience... The "infected" machine doesn't have anything I'd be too
> worried about and my original post did mention I rebuilt it about 5weeks ago
> and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
> version of Visio and MySQL client... I dread the idea of having to rebuild
> it - between the install and microsoft updates, plus anti-virus updates and
> software - it will take several hours...
>
> any other ideas? can you suggest a method on how I can sniff my own network?
> I've been reading the man page for tcpdump and nmap but I'm really not
> familiar with security tools...
>
>

Oh. When you said "client", I'm picturing client as in one who
subscribes to a service, as in this case, like an ISP. I'm not say
they're infected, Spyware (if it IS that, but remember, that's just a
stab, more searching needs to be done to be conclusive).

Sniffing, you have to know what you're looking at when you do that, but
nmap's easy and can be used to show open ports, and now, since last
version, some daemon ID'ing. There's better tools for ID'ing stuff,
there's a Vmap & Amap too, and for really big jobs, I've got a Nessus
daemon sitting onsite.
I'd check and see what's being sent back from that site before I went
and put hours into rebuilds, it may be nothing. Again, more info is
needed. Who ever they were though, I got scanned out of it, but that's
common- I get about 3-5 "stealth" scans a day. They broke off early, I
don't know why, and I haven't seen anymore of them today.

--
--------------nonoffensive sig.v2.2RC2?------------------------
- jayjwa 4 Spammers: mailto:
The New Atr2. PGP/GPG Keys onsite
"Why do all the noob's use RedHat,
speak 4th grade English,
and cry because their X server crashed?"
Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============

Randell D. wrote:

> I think it was Quicktime... I have uninstalled and rebooted a couple of
> times and not seen the http connection...
>
>


Maybe it was accessing a cache, like in the discription I found. I hate
when programs do stuff without your knowlege of it; that's another
reason I moved to Linux. If you run a FW on Windows, you have just as
much stuff trying to get out as you do trying to get in!

--
--------------nonoffensive sig.v2.2RC2?------------------------
- jayjwa 4 Spammers: mailto:
The New Atr2. PGP/GPG Keys onsite
"Why do all the noob's use RedHat,
speak 4th grade English,
and cry because their X server crashed?"
Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============