Neotrace program snoops on me

Discussion in 'Computer Security' started by Tiny Toes, Feb 1, 2005.

  1. Tiny Toes

    Tiny Toes Guest

    A little way back I installed a trace program with a GUI called Neotrace
    by Neoworx inc, subsequently the program was bought out by a well-known
    security firm. I rarely use the program unless I get consistently pinged
    by a site.

    I found out that every time I use this program it tries to contact an
    address in the following range:

    216.49.80.0
    216.49.81.255

    I am somewhat annoyed at this. The whole point of shelling out money for
    the program in the first place was security and privacy!

    Short of blocking these ip addresses, which I've done, there doesn't
    seem much else to do. Any ideas? TIA.
     
    Tiny Toes, Feb 1, 2005
    #1

  2. Tiny Toes wrote:

    > A little way back I installed a trace program with a GUI called Neotrace
    > by Neoworx inc, subsequently the program was bought out by a well-known
    > security firm. I rarely use the program unless I get consistently pinged
    > by a site.
    >
    > I found out that every time I use this program it tries to contact an
    > address in the following range:
    >
    > 216.49.80.0
    > 216.49.81.255
    >
    > I am somewhat annoyed at this. The whole point of shelling out money for
    > the program in the first place was security and privacy!
    >
    > Short of blocking these ip addresses, which I've done, there doesn't
    > seem much else to do. Any ideas? TIA.


    Those addresses belong to McAfee. What is strange is that those addresses
    are a class C but end in 0 and 255 (network IP for 216.49.80 and broadcast
    IP for 216.49.81). Unfortunately I am not familiar with the application or
    how it works. Why would they want a "phone home" subroutine in their
    software? Updates or Licenses maybe?

    I am not sure what effect blocking the addresses will have. Have you tried
    calling McAfee?

    Michael
     
    Michael J. Pelletier, Feb 2, 2005
    #2

  3. Tiny Toes

    Vanguard Guest

    "Tiny Toes" <"mimimi"@pqw67$!.pn> wrote in message
    news:41ff689f$0$19079$...
    > A little way back I installed a trace program with a GUI called Neotrace
    > by Neoworx inc, subsequently the program was bought out by a well-known
    > security firm. I rarely use the program unless I get consistently pinged
    > by a site.
    >
    > I found out that every time I use this program it tries to contact an
    > address in the following range:
    >
    > 216.49.80.0
    > 216.49.81.255
    >
    > I am somewhat annoyed at this. The whole point of shelling out money for
    > the program in the first place was security and privacy!
    >
    > Short of blocking these ip addresses, which I've done, there doesn't
    > seem much else to do. Any ideas? TIA.



    So where did you think all that data came from on showing you a map of
    the hops in the route when tracing to a target host? You could install
    a packet sniffer, like Ethereal and actually take a look to see what was
    in the traffic between you and the McAfee host.

    --
    ____________________________________________________________
    Post your replies to the newsgroup. Share with others.
    E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
    ____________________________________________________________
     
    Vanguard, Feb 2, 2005
    #3
  4. Vanguard wrote:

    > So where did you think all that data came from on showing you a map of
    > the hops in the route when tracing to a target host? You could install
    > a packet sniffer, like Ethereal and actually take a look to see what was
    > in the traffic between you and the McAfee host.

    If you are talking about the DNS names, they should have come from his DNS
    servers (queried by his DNS servers).

    Michael
     
    Michael J. Pelletier, Feb 2, 2005
    #4
  5. Tiny Toes

    Vanguard Guest

    "Michael J. Pelletier" <> wrote in message news:z4_Ld.16655$0u.175@fed1read04...
    > Vanguard wrote:
    >
    > So where did you think all that data came from on showing you a map of
    > the hops in the route when tracing to a target host? You could install
    > a packet sniffer, like Ethereal and actually take a look to see what was
    > in the traffic between you and the McAfee host.
    >
    > If you are talking about the DNS names, they should have come from his DNS
    > servers (queried by his DNS servers).
    >
    > Michael



    Yeah, so? That only gives him the IP address if he enters an IP name. How does that discover and provide the mapping info between his host and the target host? Does doing a DNS lookup tell you anything about WHERE is that hop? In a traceroute, do YOU see anything in the output that tells you WHERE is that hop? You'll have to get the mapping info for WHERE are those hops from McAfee's database.

    --
    ____________________________________________________________
    Post your replies to the newsgroup. Share with others.
    E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
    ____________________________________________________________
     
    Vanguard, Feb 2, 2005
    #5
  6. Vanguard wrote:

    > "Michael J. Pelletier" <> wrote in message
    > news:z4_Ld.16655$0u.175@fed1read04...
    >> Vanguard wrote:
    >>
    >> So where did you think all that data came from on showing you a map of
    >> the hops in the route when tracing to a target host? You could install
    >> a packet sniffer, like Ethereal and actually take a look to see what was
    >> in the traffic between you and the McAfee host.
    >>
    >> If you are talking about the DNS names, they should have come from his
    >> DNS servers (queried by his DNS servers).
    >>
    >> Michael

    >
    >
    > Yeah, so? That only gives him the IP address if he enters an IP name.
    > How does that discover and provide the mapping info between his host and
    > the target host?


    Reverse DNS lookups

    > Does doing a DNS lookup tell you anything about WHERE is
    > that hop?


    Traceroute has been around since about 1988. Here is my very, very basic
    explanation:

    1) A client starts a traceroute to some computer. It works by incrementing
    the TTL field in the IP packet by one. Starting at 1.

    2) When a node, router, firewall (note that is not always the case) receives
    the IP packet it will decrement it. The IP packet will result to zero when
    "mapping" the furthest node at any given time. The furthest node will
    discard the IP packet because it has been expired (TTL = 0). Note TTL
    (means Time To Live). The packet is not silently discarded though, the node
    that dropped the packet because the TTL resulted in a 0 value will send
    back a message with its IP address.

    3) The client, who started the traceroute, will do a reverse DNS lookup on
    the IP to get its name (if it has a name in DNS that is).

    Now, if you are using the command line version of traceroute (or tracert in
    windows) you will get a line-by-line representation of the path from you to
    the other node.

    There have been some graphical clients I have seen in the past that add all
    sorts of icons and graphics but the basics are the same.

    On the command line try:
    In windows try: tracert www.yahoo.com
    In Linux/BSD/UNIX try: traceroute www.yahoo.com


    > In a traceroute, do YOU see anything in the output that tells
    > you WHERE is that hop? You'll have to get the mapping info for WHERE are
    > those hops from McAfee's database.
    >


    First, no need to yell man, chill. Second, not sure if McAfee would want to
    provide reverse DNS mapping for everyone especially when we all get it for
    free anyway.

    Michael
     
    Michael J. Pelletier, Feb 2, 2005
    #6
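
The TTL mechanism described in post #6, as an added example that is not part of the original posts: it builds UDP probes with increasing TTL, runs them through a simulated three-router path, and parses the ICMP errors that come back. The addresses, PTR names and the `simulated_network` function are constructed for illustration; nothing is sent on a real network.

```python
import struct

# Constructed sample path using documentation addresses (RFC 5737).
PATH = ["192.0.2.1", "198.51.100.7", "203.0.113.9"]   # routers, in order
TARGET = "203.0.113.80"
SOURCE = "192.0.2.100"
# Constructed stand-in for reverse DNS (PTR) data; the second router has none.
PTR = {"192.0.2.1": "gw.example.net", "203.0.113.9": "edge.example.org",
       "203.0.113.80": "www.example.org"}

TIME_EXCEEDED = 11      # ICMP type sent by the router where the TTL reached 0
DEST_UNREACHABLE = 3    # with code 3 (port unreachable): sent by the target
BASE_PORT = 33434       # traditional first UDP port of Unix traceroute


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_probe(ttl, dst, dport):
    """20-byte IPv4 header (checksum left at 0) followed by an 8-byte UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 17, 0,
                     ip_bytes(SOURCE), ip_bytes(dst))
    return ip + struct.pack("!HHHH", 40000, dport, 8, 0)


def icmp_error(icmp_type, code, probe):
    """ICMP error: 8-byte header, then the offending IP header + 8 payload bytes."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + probe[:28]


def simulated_network(probe):
    """Hypothetical network: always routes along PATH towards TARGET.

    Each router decrements the TTL (byte 8 of the IP header). The router that
    brings it to 0 drops the packet and answers with ICMP Time Exceeded.
    """
    ttl = probe[8]
    for router in PATH:
        ttl -= 1
        if ttl == 0:
            return router, icmp_error(TIME_EXCEEDED, 0, probe)
    # The probe survived every router; the target has no listener on the port.
    return TARGET, icmp_error(DEST_UNREACHABLE, 3, probe)


def traceroute(dst, max_hops=30):
    """Return one (hop number, replying address, PTR name) tuple per hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = BASE_PORT + ttl - 1
        sender, reply = simulated_network(build_probe(ttl, dst, dport))
        icmp_type, code = reply[0], reply[1]
        # Match the reply to this probe via the UDP destination port that the
        # ICMP error quotes back (8 ICMP bytes + 20 IP bytes + 2 for the sport).
        quoted_dport = struct.unpack("!H", reply[30:32])[0]
        if quoted_dport != dport:
            continue
        hops.append((ttl, sender, PTR.get(sender, "(no PTR record)")))
        if (icmp_type, code) == (DEST_UNREACHABLE, 3):
            break   # the target itself answered, so the trace is complete
    return hops


if __name__ == "__main__":
    for hop in traceroute(TARGET):
        print("%2d  %-15s  %s" % hop)
```

Each entry holds only the hop number, the replying address and, where one exists, its reverse DNS name.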
  7. Tiny Toes

    Jim Watt Guest

    On Tue, 01 Feb 2005 18:01:37 -0800, "Michael J. Pelletier"
    <> wrote:

    >Unfortunately I am not familiar with the application or
    >how it works.


    Then why try and answer a question where as usual you know ****
    all.

    Neotrace was distributed as a sort of shareware deal where
    you were encouraged to pay money for an updated version and
    it downloaded map information and upgrades from its company
    site. The product was bought by McAfee and seems to have
    been dumped, but presumably the address in the legacy program
    belongs to them now.

    As the program worked quite well and did not expire, I'd carry on
    using it and don't worry about any activity as it's not a problem.

    Unless anyone can suggest a good freeware replacement for it?

    The earlier version of Neotrace had a nicer interface than the later
    one where I think they were keener to sell the full version so cut the
    free one down a lot.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Feb 2, 2005
    #7
  8. Tiny Toes

    Jim Watt Guest

    On Wed, 2 Feb 2005 01:00:03 -0600, "Vanguard"
    <> wrote:

    >Yeah, so? That only gives him the IP address if he enters an IP name.
    >How does that discover and provide the mapping info between his host and the target host?


    It maintains a cache of data and it queries whois servers to find
    out the details of where the IPs are supposed to be located.

    It was a good idea for an integrated tracert and performance
    monitoring tool with a GUI. One of my clients used to run it all
    day long to monitor the ping times down his VPN.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Feb 2, 2005
    #8
  9. Tiny Toes

    Vanguard Guest

    "Michael J. Pelletier" <> wrote in message news:HG0Md.16674$0u.161@fed1read04...
    > Vanguard wrote:
    >
    >> "Michael J. Pelletier" <> wrote in message
    >> news:z4_Ld.16655$0u.175@fed1read04...
    >>> Vanguard wrote:
    >>>
    >>> So where did you think all that data came from on showing you a map of
    >>> the hops in the route when tracing to a target host? You could install
    >>> a packet sniffer, like Ethereal and actually take a look to see what was
    >>> in the traffic between you and the McAfee host.
    >>>
    >>> If you are talking about the DNS names, they should have come from his
    >>> DNS servers (queried by his DNS servers).
    >>>
    >>> Michael

    >>
    >>
    >> Yeah, so? That only gives him the IP address if he enters an IP name.
    >> How does that discover and provide the mapping info between his host and
    >> the target host?

    >
    > Reverse DNS lookups


    Show me the output of *your* nslookup (or whatever you use to retrieve DNS records). I'd like to see the location information provided in those records. Getting an IP name for an IP address (rDNS) or an IP address for an IP name says nothing about *location*.

    >> Does doing a DNS lookup tell you anything about *where* is
    >> that hop?

    >
    > Traceroute has been around since about 1988. Here is my very, very basic
    > explanation:

    <snip - yadda yadda yadda - nothing to do with showing a map of locations>

    Do a traceroute. What do you see? Which field shows the *location* of each hop? You see an IP address or IP name in the hops. Okay, so what country is that hop in? What state? What city? That info is NOT provided in a traceroute.

    > There have been some graphical clients I have seen in the past that add all
    > sorts of icons and graphics but the basics are the same.


    Yes, some show a nice little tree or node map. Node maps still do NOT show you *location*. They just show the logical connections whether they be a foot away to the next device or thousands of miles apart. Node 1 connects to node 2 which connects to node 3 and so on. Okay, but *where* is node N? Los Angeles? New York? Vienna? Hong Kong?

    The problem that I've seen with providing a *geographical* map of the nodes is the locations are often not correct. Tracing to, say, cpe-024-210-105-245.twmi.rr.com (the spammer's IP name in his spam post in 24hoursupport.helpdesk newsgroup) who is in Michigan traces instead to Virginia. Once the boundary host is hit for Road Runner, that's as far as you get so the geographical map isn't that helpful. You can see an example of the geographical mapping of nodes in the trace by using the freebie http://www.mycooltools.com (you need to register so use an e-mail alias).
     
    Vanguard, Feb 2, 2005
    #9
  10. Tiny Toes

    Vanguard Guest

    "Jim Watt" <_way> wrote in message news:...
    > On Wed, 2 Feb 2005 01:00:03 -0600, "Vanguard"
    > <> wrote:
    >
    >>Yeah, so? That only gives him the IP address if he enters an IP name.
    >>How does that discover and provide the mapping info between his host and the target host?

    >
    > It maintains a cache of data and it queries whois servers to find
    > out the details of where the IP's are supposed to be located


    By "it" do you mean McAfee's cache of data? DNS lookups and traceroutes don't return WhoIs info (or do they with some other parameter?), so I have to go look up the WhoIs records separately myself to find out WHERE that hop in the route *might* be located. So NeoTrace and VisualRoute apparently try to combine the two steps (traceroute and whois lookup) into a graphical application showing a geographical map of the route.
     
    Vanguard, Feb 2, 2005
    #10
  11. Tiny Toes

    Vanguard Guest

    "Jim Watt" <_way> wrote in message news:...
    > On Tue, 01 Feb 2005 18:01:37 -0800, "Michael J. Pelletier"
    > <> wrote:
    >
    >>Unfortunately I am not familiar with the application or
    >>how it works.

    >
    > Then why try and answer a question where as usual you know ****
    > all.
    >
    > Neotrace was distributed as a sort of shareware deal where
    > you were encouraged to pay money for an updated version and
    > it downloaded map information and upgrades from its company
    > site. The product was bought by McAfee and seems to have
    > been dumped, but presumably the address in the legacy program
    > belongs to them now.
    >
    > As the program worked quite well and did not expire, I'd carry on
    > using it and don't worry about any activity as it's not a problem.
    >
    > Unless anyone can suggest a good freeware replacement for it?
    >
    > The earlier version of Neotrace had a nicer interface than the later
    > one where I think they were keener to sell the full version so cut the
    > free one down a lot.



    Neotrace became Visual Trace after McAfee bought it which is in their Internet Security package (from their user guide at http://us.mcafee.com/common/en-us/redirects/mis/userGuide.asp).

    I use Visualware's VisualRoute (go to http://www.mycooltools.com/). It's free. Nothing to download. Just use a browser.
     
    Vanguard, Feb 2, 2005
    #11
  12. Tiny Toes

    Tiny Toes Guest

    Vanguard wrote:
    >
    > "Jim Watt" <_way> wrote in message news:...
    > > On Wed, 2 Feb 2005 01:00:03 -0600, "Vanguard"
    > > <> wrote:
    > >
    > >>Yeah, so? That only gives him the IP address if he enters an IP name.
    > >>How does that discover and provide the mapping info between his host and the target host?

    > >
    > > It maintains a cache of data and it queries whois servers to find
    > > out the details of where the IP's are supposed to be located

    >
    > By "it" do you mean McAfee's cache of data? DNS lookups and traceroutes don't return WhoIs info (or do they with some other parameter?), so I have to go lookup the WhoIs records separately myself to find out WHERE that hop in the route *might* be located. So NeoTrace and VisualRoute apparently try to combine the two step (traceroute and whois lookup) into a graphical application showing a geographical map of the route.


    Thanks to all the posts. To clarify, the version I use is: Neotrace Pro
    v3.1.9.0., purchased in 2001. As already noted in this thread, it gives
    a GUI of the nodes traversed between the client and the looked-up IP
    address. There's also a wealth of look-up options.

    Every time I run it, even /before/ I do any look-ups, it sends /something/
    back to McAfee. Anyway this /something/ is blocked now. But if anyone
    out there has this program and the technical wherewithal to find out what is
    sent I'd be obliged.
     
    Tiny Toes, Feb 2, 2005
    #12
  13. Tiny Toes

    Leythos Guest

    On Wed, 02 Feb 2005 15:19:30 +0000, Tiny Toes wrote:

    >
    >
    > Vanguard wrote:
    >>
    >> "Jim Watt" <_way> wrote in message news:...
    >> > On Wed, 2 Feb 2005 01:00:03 -0600, "Vanguard"
    >> > <> wrote:
    >> >
    >> >>Yeah, so? That only gives him the IP address if he enters an IP name.
    >> >>How does that discover and provide the mapping info between his host and the target host?
    >> >
    >> > It maintains a cache of data and it queries whois servers to find
    >> > out the details of where the IP's are supposed to be located

    >>
    >> By "it" do you mean McAfee's cache of data? DNS lookups and traceroutes don't return WhoIs info (or do they with some other parameter?), so I have to go lookup the WhoIs records separately myself to find out WHERE that hop in the route *might* be located. So NeoTrace and VisualRoute apparently try to combine the two step (traceroute and whois lookup) into a graphical application showing a geographical map of the route.

    >
    > Thanks to all the posts. To clarify, the version I use is: Neotrace Pro
    > v3.1.9.0., purchased in 2001. As already noted in this thread, it gives
    > a GUI of the nodes traversed between the client and the looked-up IP
    > address. There's also a wealth of look-up options.
    >
    > Every time I run it, even /before/ I do any look-ups, it sends /something/
    > back to McAfee. Anyway this /something/ is blocked now. But if anyone
    > out there has this program and the technical wherewithal to find out what is
    > sent I'd be obliged.


    I use a licensed copy of VisualRoute and it's set up to pull the latest
    global information from the VR vendor. Could it be the same for yours?

    --

    remove 999 in order to email me
     
    Leythos, Feb 2, 2005
    #13
  14. Tiny Toes

    Jim Watt Guest

    On Wed, 2 Feb 2005 06:08:15 -0600, "Vanguard"
    <> wrote:

    >"Jim Watt" <_way> wrote in message news:...
    >> On Wed, 2 Feb 2005 01:00:03 -0600, "Vanguard"
    >> <> wrote:
    >>
    >>>Yeah, so? That only gives him the IP address if he enters an IP name.
    >>>How does that discover and provide the mapping info between his host and the target host?

    >>
    >> It maintains a cache of data and it queries whois servers to find
    >> out the details of where the IP's are supposed to be located

    >
    >By "it" do you mean McAfee's cache of data? DNS lookups and traceroutes don't return
    >WhoIs info (or do they with some other parameter?), so I have to go lookup the WhoIs records
    >separately myself to find out WHERE that hop in the route *might* be located.
    >So NeoTrace and VisualRoute apparently try to combine the two step
    >(traceroute and whois lookup) into a graphical application showing a
    >geographical map of the route.


    That sounds a good explanation of what it does; however Neotrace
    did maintain a local cache of IP addresses which needed to be
    manually purged on occasion.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Feb 2, 2005
    #14
  15. Tiny Toes

    Vanguard Guest

    "Leythos" <> wrote in message news:p...
    > On Wed, 02 Feb 2005 15:19:30 +0000, Tiny Toes wrote:
    >
    > I use a licensed copy of VisualRoute and it's setup to pull the latest
    > global information from the VR vendor. Could it be the same for yours?


    That's what I figured, that the client *program* had to get updates as whois/geographical records or maybe just checking if there is an update to the program. Neotrace is now Visual Trace at McAfee which is a component in their Internet Suite product. The OP should ask McAfee at http://ts.mcafeehelp.com/?siteID=1&resolution=1024x768 (pick a product, category, and whatever to eventually get a button for Live Chat) or visit their forums at http://ts.mcafeehelp.com/mymcafeehelp.asp for a community more focused on the product he is using.
     
    Vanguard, Feb 2, 2005
    #15
  16. On Wed, 02 Feb 2005 10:44:48 +0100, Jim Watt <_way>
    wrote:

    >On Tue, 01 Feb 2005 18:01:37 -0800, "Michael J. Pelletier"
    ><> wrote:
    >
    >>Unfortunately I am not familiar with the application or
    >>how it works.

    >
    >Then why try and answer a question where as usual you know ****
    >all.
    >
    >Neotrace was distributed as a sort of shareware deal where
    >you were encouraged to pay money for an updated version and
    >it downloaded map information and upgrades from its company
    >site. The product was bought by McAfee and seems to have
    >been dumped, but presumably the address in the legacy program
    >belongs to them now.
    >
    >As the program worked quite well and did not expire, I'd carry on
    >using it and don't worry about any activity as it's not a problem.
    >
    >Unless anyone can suggest a good freeware replacement for it?
    >


    Maybe this?
    http://www.hlembke.de/prod/3dtraceroute/

    HiS
     
    Hassan I Sahba, Feb 7, 2005
    #16
  17. Tiny Toes

    Don Kelloway Guest

    "Tiny Toes" <"mimimi"@pqw67$!.pn> wrote in message
    news:41ff689f$0$19079$...
    >A little way back I installed a trace program with a GUI called Neotrace
    > by Neoworx inc, subsequently the program was bought out by a well-known
    > security firm. I rarely use the program unless I get consistently pinged
    > by a site.
    >
    > I found out that every time I use this program it tries to contact an
    > address in the following range:
    >
    > 216.49.80.0
    > 216.49.81.255
    >
    > I am somewhat annoyed at this. The whole point of shelling out money for
    > the program in the first place was security and privacy!
    >
    > Short of blocking these ip addresses, which I've done, there doesn't
    > seem much else to do. Any ideas? TIA.
    >


    NeoTrace as well as NeoLite (both from NeoWorx) were bought by McAfee in
    December, 2001. Though NeoTrace later became known as McAfee Visual Trace,
    what was NeoLite disappeared from the planet.

    Now in regards to the subject of NeoTrace establishing an outbound
    connection to McAfee (216.49.80.0 through 216.49.81.255) I don't think
    there's anything insecure about it updating a cookie and from a quick packet
    capture that is all it's doing.

    In summary and if you want to prevent this from occurring, simply continue
    blocking all outbound connectivity to the netblock in question and be done
    with it.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Feb 10, 2005
    #17
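
An added example, not part of the original posts, for the advice to keep blocking the netblock: it collapses the range quoted in the thread into CIDR form and scans firewall log lines for connections to it that were still allowed. The log format, process names and log lines are constructed for illustration.

```python
import ipaddress

# Range endpoints exactly as quoted in the thread.
FIRST = ipaddress.IPv4Address("216.49.80.0")
LAST = ipaddress.IPv4Address("216.49.81.255")

# Constructed sample log. Hypothetical line format:
#   <timestamp> <action> <process> <src_ip>:<sport> -> <dst_ip>:<dport>
SAMPLE_LOG = """\
2005-02-02T15:01:10 ALLOW neotrace.exe 192.168.1.20:1045 -> 216.49.80.17:80
2005-02-02T15:01:11 ALLOW neotrace.exe 192.168.1.20:1046 -> 198.51.100.7:43
2005-02-02T15:01:12 ALLOW browser.exe 192.168.1.20:1050 -> 216.49.82.1:80
2005-02-02T15:02:40 BLOCK neotrace.exe 192.168.1.20:1051 -> 216.49.81.255:80
garbage line without the expected fields
"""


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(first, last))


def parse_line(line):
    """Return (timestamp, action, process, dst_ip, dst_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    host, _, port = parts[5].rpartition(":")
    try:
        return parts[0], parts[1], parts[2], ipaddress.IPv4Address(host), int(port)
    except ValueError:
        return None


def hits_in_block(log_text, networks):
    """All log records whose destination falls inside one of the networks."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue   # skip lines that do not match the expected format
        ts, action, process, dst_ip, dport = record
        if any(dst_ip in net for net in networks):
            hits.append((ts, action, process, str(dst_ip), dport))
    return hits


def unblocked(hits):
    """Connections to the block that the firewall did not block."""
    return [hit for hit in hits if hit[1] != "BLOCK"]


if __name__ == "__main__":
    nets = range_to_cidrs(FIRST, LAST)
    print("CIDR form of the range:", ", ".join(str(n) for n in nets))
    for hit in unblocked(hits_in_block(SAMPLE_LOG, nets)):
        print("still allowed:", hit)
```

The two endpoints collapse to the single block 216.49.80.0/23, so one rule covers the whole range.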