Suspicious Firefox 1.0 PR Communications

Discussion in 'Firefox' started by boris, Oct 16, 2004.

  1. boris

    boris Guest

    Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    (McAfee) that it is communicating with the following:

    64.79.164.25
    streak.fimc.net

    The communication uses different ports each time.

    Does anyone know why my browser would communicate with fimc.net each time
    it opens?

    Seems like *spying* to me. I see absolutely no need for it.

    The only "extensions" I have are the DOM one that comes with Firefox, Sun
    Java, and Macromedia Flash. Nothing else.

    Google is my homepage - www.google.com.

    If anyone has any ideas why this is happening your thoughts would be
    appreciated.
     
    boris, Oct 16, 2004
    #1
    1. Advertising

  2. boris

    Adrian Guest

    boris wrote:

    > Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    > (McAfee) that it is communicating with the following:
    >
    > 64.79.164.25
    > streak.fimc.net
    >
    > The communication uses different ports each time.
    >
    > Does anyone know why my browser would communicate with fimc.net each time
    > it opens?
    >
    > Seems like *spying* to me. I see absolutely no need for it.
    >
    > The only "extensions" I have are the DOM one that comes with Firefox, Sun
    > Java, and Macromedia Flash. Nothing else.
    >
    > Google is my homepage - www.google.com.
    >
    > If anyone has any ideas why this is happening your thoughts would be
    > appreciated.
    >


    Have you run any anti-spyware software?

    Like "SpyBot - Search and Destroy"

    If not, give it a go.

    --
    ~Adrian

    To contact me remove:
    [takethisout] from my address.
     
    Adrian, Oct 16, 2004
    #2
    1. Advertising

  3. boris

    Brian Guest

    (On 10/16/2004 9:35 AM) boris wrote:
    |~~> Note X-Posting

    > Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    > (McAfee) that it is communicating with the following:
    >
    > 64.79.164.25
    > streak.fimc.net
    >
    > The communication uses different ports each time.


    Where is the 'random port'? Is it local or remote?

    > Does anyone know why my browser would communicate with fimc.net each time
    > it opens?
    >
    > Seems like *spying* to me. I see absolutely no need for it.


    Noted. *Seems* like spying to you, but yet you have no idea what it is
    doing. Good opinion.

    --
    Brian

    Email Info--
    http://68.1.17.8/p0nykiller/email.htm
     
    Brian, Oct 16, 2004
    #3
  4. boris

    Tony Raven Guest

    boris wrote:
    > Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    > (McAfee) that it is communicating with the following:
    >
    > 64.79.164.25
    > streak.fimc.net
    >


    Seems like it contacting First MediaWorks
    http://www.firstmediaworks.com/media/default.asp

    Not sure what it is doing but they are not listed in SBL/XBLs and seem
    legit. Do you have any internet broadcast applications or plugins running?

    If you are worried just set up a permanent block on that IP on your
    firewall. If you notice something not working then you will have likely
    found its origin.

    Tony
     
    Tony Raven, Oct 16, 2004
    #4
  5. boris

    Hawkeye Guest

    On Sat, 16 Oct 2004 16:15:12 +0100, Tony Raven <>
    wrote:

    >boris wrote:
    >> Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    >> (McAfee) that it is communicating with the following:
    >>
    >> 64.79.164.25
    >> streak.fimc.net
    >>

    >
    >Seems like it contacting First MediaWorks



    From a WHOIS search:

    64.79.164.25
    Record Type: IP Address


    OrgName: Savvis
    OrgID: SAVVI-2
    Address: 3300 Regency Parkway
    City: Cary
    StateProv: NC
    PostalCode: 27511
    Country: US
     
    Hawkeye, Oct 16, 2004
    #5
  6. boris

    Tony Raven Guest

    Hawkeye wrote:
    > On Sat, 16 Oct 2004 16:15:12 +0100, Tony Raven <>
    > wrote:
    >
    >
    >>boris wrote:
    >>
    >>>Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    >>>(McAfee) that it is communicating with the following:
    >>>
    >>>64.79.164.25
    >>>streak.fimc.net
    >>>

    >>
    >>Seems like it contacting First MediaWorks

    >
    >
    >
    > From a WHOIS search:
    >
    > 64.79.164.25
    > Record Type: IP Address
    >
    >
    > OrgName: Savvis
    > OrgID: SAVVI-2
    > Address: 3300 Regency Parkway
    > City: Cary
    > StateProv: NC
    > PostalCode: 27511
    > Country: US
    >
    >


    Savvis is the network owner but that particular node is listed on a
    traceback as:

    NetRange: 64.79.160.0 - 64.79.175.255
    CIDR: 64.79.160.0/20
    NetName: SAVVIS
    NetHandle: NET-64-79-160-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS01.SAVVIS.NET
    NameServer: DNS02.SAVVIS.NET
    NameServer: DNS03.SAVVIS.NET
    NameServer: DNS04.SAVVIS.NET
    Comment:
    RegDate:
    Updated: 2004-10-07

    OrgAbuseHandle: ABUSE11-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-877-393-7878
    OrgAbuseEmail:

    OrgNOCHandle: NOC99-ARIN
    OrgNOCName: Network Operations Center
    OrgNOCPhone: +1-800-213-5127
    OrgNOCEmail:

    OrgTechHandle: UIAA-ARIN
    OrgTechName: US IP Address Administration
    OrgTechPhone: +1-888-638-6771
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2004-10-15 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    Rwhois server data:

    %rwhois V-1.5:001ab7:00 rwhois.exodus.net (Exodus Communications)
    network:Class-Name:network
    network:Auth-Area:0.0.0.0/0
    network:Network-Name:64.79.164.0
    network:IP-Network:64.79.164.0/23
    network:Organization;I:First Media Works
    network:Name;I:Michael Gibbs
    network:Email;I:
    network:Street;I:1060 Calle Cordillera
    Suite 101
    network:City;I:San Clemente
    network:State;I:CA
    network:postal-Code;I:92673
    network:Country-Code;I:USA

    network:Class-Name:network
    network:Auth-Area:0.0.0.0/0
    network:Network-Name:64.79.160.0
    network:IP-Network:64.79.160.0/20
    network:Organization;I:Exodus IDC - LA/OC2
    network:Name;I:Exodus IP Address Administrator
    network:Email;I:
    network:Street;I:17836 Gillette Avenue
    network:City;I:Irvine
    network:State;I:CA
    network:postal-Code;I:92614
    network:Country-Code;I:USA

    %ok
     
    Tony Raven, Oct 16, 2004
    #6
  7. boris

    boris Guest

    Tony Raven <> wrote in
    news::

    > boris wrote:
    >> Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >> software (McAfee) that it is communicating with the following:
    >>
    >> 64.79.164.25
    >> streak.fimc.net
    >>

    >
    > Seems like it contacting First MediaWorks
    > http://www.firstmediaworks.com/media/default.asp
    >
    > Not sure what it is doing but they are not listed in SBL/XBLs and seem
    > legit. Do you have any internet broadcast applications or plugins
    > running?


    Not currently. A few days ago I listened to an mp3 stream of a radio
    station with Winamp 5.

    Could that be it?

    >
    > If you are worried just set up a permanent block on that IP on your
    > firewall. If you notice something not working then you will have
    > likely found its origin.


    OK. I blocked the IP and domain name with my firewall software. But I
    would like to find the root of the problem.

    Thanks.
     
    boris, Oct 16, 2004
    #7
  8. boris

    RDE Guest

    boris wrote:
    > Tony Raven <> wrote in
    > news::
    >
    >
    >>boris wrote:
    >>
    >>>Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >>>software (McAfee) that it is communicating with the following:
    >>>
    >>>64.79.164.25
    >>>streak.fimc.net
    >>>

    >>
    >>Seems like it contacting First MediaWorks
    >>http://www.firstmediaworks.com/media/default.asp
    >>
    >>Not sure what it is doing but they are not listed in SBL/XBLs and seem
    >>legit. Do you have any internet broadcast applications or plugins
    >>running?

    >
    >
    > Not currently. A few days ago I listened to an mp3 stream of a radio
    > station with Winamp 5.
    >
    > Could that be it?
    >
    >
    >>If you are worried just set up a permanent block on that IP on your
    >>firewall. If you notice something not working then you will have
    >>likely found its origin.

    >
    >
    > OK. I blocked the IP and domain name with my firewall software. But I
    > would like to find the root of the problem.
    >
    > Thanks.


    Do you have any RSS feeds setup?
     
    RDE, Oct 16, 2004
    #8
  9. boris

    boris Guest

    RDE <> wrote in news:YK-dnTBW26Sx8ezcRVn-
    :

    > boris wrote:
    >> Tony Raven <> wrote in
    >> news::
    >>
    >>
    >>>boris wrote:
    >>>
    >>>>Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >>>>software (McAfee) that it is communicating with the following:
    >>>>
    >>>>64.79.164.25
    >>>>streak.fimc.net
    >>>>
    >>>
    >>>Seems like it contacting First MediaWorks
    >>>http://www.firstmediaworks.com/media/default.asp
    >>>
    >>>Not sure what it is doing but they are not listed in SBL/XBLs and seem
    >>>legit. Do you have any internet broadcast applications or plugins
    >>>running?

    >>
    >>
    >> Not currently. A few days ago I listened to an mp3 stream of a radio
    >> station with Winamp 5.
    >>
    >> Could that be it?
    >>
    >>
    >>>If you are worried just set up a permanent block on that IP on your
    >>>firewall. If you notice something not working then you will have
    >>>likely found its origin.

    >>
    >>
    >> OK. I blocked the IP and domain name with my firewall software. But

    I
    >> would like to find the root of the problem.
    >>
    >> Thanks.

    >
    > Do you have any RSS feeds setup?
    >


    No, I have no RSS feeds set up.
     
    boris, Oct 16, 2004
    #9
  10. boris

    Tony Raven Guest

    boris wrote:
    >
    > OK. I blocked the IP and domain name with my firewall software. But I
    > would like to find the root of the problem.
    >
    > Thanks.


    Try running a nifty little programme TCPView which will list all the
    programmes connected via TCP/UDP and where they are connecting to.
    http://www.sysinternals.com/

    It does it real time so you can watch what changes when you open Firefox.

    Tony
     
    Tony Raven, Oct 16, 2004
    #10
  11. boris

    Karl S. Guest

    boris wrote:
    > Whenever I start Firefox 1.0 PR I get a warning from my firewall software
    > (McAfee) that it is communicating with the following:
    >
    > 64.79.164.25
    > streak.fimc.net
    >
    > The communication uses different ports each time.
    >
    > Does anyone know why my browser would communicate with fimc.net each time
    > it opens?
    >
    > Seems like *spying* to me. I see absolutely no need for it.
    >
    > The only "extensions" I have are the DOM one that comes with Firefox, Sun
    > Java, and Macromedia Flash. Nothing else.
    >
    > Google is my homepage - www.google.com.
    >
    > If anyone has any ideas why this is happening your thoughts would be
    > appreciated.
    >

    If it is spyware, I've found that these three applications work well
    together: Ad-Aware, Spybot Search and Destroy, and SpywareBlaster.

    Ad-Aware gets most of the baddies, Spybot finds most that Ad-Aware
    misses, and 'Blaster works with your browser to prevent future
    re-infection. No application is perfect though, so the usual warnings
    apply. I haven't had any of these damage any computer of mine though.

    Karl S.
    --
    And whosoever will be chief among you, let him be your servant.
    Matthew 20:27 KJV
     
    Karl S., Oct 16, 2004
    #11
  12. boris

    Brian Guest

    (On 10/16/2004 12:14 PM) boris wrote:
    > Jay Garcia <> wrote in
    > news:ckrcle$:
    >
    >
    >>On 16.10.2004 09:32, Brian wrote:
    >>
    >> --- Original Message ---
    >>
    >>
    >>>(On 10/16/2004 9:35 AM) boris wrote:
    >>>|~~> Note X-Posting
    >>>
    >>>
    >>>>Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >>>>software (McAfee) that it is communicating with the following:
    >>>>
    >>>>64.79.164.25
    >>>>streak.fimc.net
    >>>>
    >>>>The communication uses different ports each time.
    >>>
    >>>Where is the 'random port'? Is it local or remote?
    >>>
    >>>
    >>>>Does anyone know why my browser would communicate with fimc.net each
    >>>>time it opens?
    >>>>
    >>>>Seems like *spying* to me. I see absolutely no need for it.
    >>>
    >>>Noted. *Seems* like spying to you, but yet you have no idea what it
    >>>is doing. Good opinion.
    >>>

    >>Geeze, do we REALLY need all the x-posts ??

    >
    > Crossposting was done to reach a wider, and hopefully knowledgeable,
    > audience.
    >


    Cross-posting is fine when needed, but why in the world did you set the
    Followup-to field to all of the cross-posted groups!? You could have
    set it to _one_ group to focus all the replies to that particular group.
    And then mention which group is going to get the replies, so people in
    the groups you cross-posted to can subscribe to the followup-to group if
    they aren't already. I say this because many times someone in one of
    the cross-posted groups is going to remove the others (you can see it's
    already happened to your post) and then you get multiple discussions
    across multiple groups. And that's not too helpful to everyone
    interested in your problem.

    At any rate... did you try AdAware and Spybot yet?

    --
    Brian

    Email Info--
    http://68.1.17.8/p0nykiller/email.htm
     
    Brian, Oct 16, 2004
    #12
  13. boris

    cmsix Guest

    "Adrian" <> wrote in message
    news:3D9cd.28237$...
    > boris wrote:
    >
    >> Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >> software (McAfee) that it is communicating with the following:
    >>
    >> 64.79.164.25
    >> streak.fimc.net
    >>
    >> The communication uses different ports each time.
    >>
    >> Does anyone know why my browser would communicate with fimc.net
    >> each time it opens? Seems like *spying* to me. I see absolutely
    >> no need for it.
    >>
    >> The only "extensions" I have are the DOM one that comes with
    >> Firefox, Sun Java, and Macromedia Flash. Nothing else.
    >>
    >> Google is my homepage - www.google.com.
    >>
    >> If anyone has any ideas why this is happening your thoughts would
    >> be appreciated.
    >>

    >
    > Have you run any anti-spyware software?
    >
    > Like "SpyBot - Search and Destroy"
    >
    > If not, give it a go.


    Hum, from the evangelist here, I'd gotten the notion that Firefox was
    immune to spyware, adware and all that.

    cmsix

    >
    > --
    > ~Adrian
    >
    > To contact me remove:
    > [takethisout] from my address.
     
    cmsix, Oct 16, 2004
    #13
  14. boris

    Karl S. Guest

    cmsix wrote:
    > "Adrian" <> wrote in message
    > news:3D9cd.28237$...
    >
    >>boris wrote:
    >>
    >>
    >>>Whenever I start Firefox 1.0 PR I get a warning from my firewall
    >>>software (McAfee) that it is communicating with the following:
    >>>
    >>>64.79.164.25
    >>>streak.fimc.net
    >>>
    >>>The communication uses different ports each time.
    >>>
    >>>Does anyone know why my browser would communicate with fimc.net
    >>>each time it opens? Seems like *spying* to me. I see absolutely
    >>>no need for it.
    >>>
    >>>The only "extensions" I have are the DOM one that comes with
    >>>Firefox, Sun Java, and Macromedia Flash. Nothing else.
    >>>
    >>>Google is my homepage - www.google.com.
    >>>
    >>>If anyone has any ideas why this is happening your thoughts would
    >>>be appreciated.
    >>>

    >>
    >>Have you run any anti-spyware software?
    >>
    >>Like "SpyBot - Search and Destroy"
    >>
    >>If not, give it a go.

    >
    >
    > Hum, from the evangelist here, I'd gotten the notion that Firefox was
    > immune to spyware, adware and all that.
    >
    > cmsix
    >
    >
    >>--
    >>~Adrian
    >>
    >>To contact me remove:
    >>[takethisout] from my address.

    >
    >
    >

    It's the human element. No operating system or browser is immune to its
    owner downloading and installing malicious software. Mozilla and Firefox
    are better that way because they won't automatically download and
    install it without asking, as will the Microsoft product's default
    installation.

    Karl S.
    --
    And whosoever will be chief among you, let him be your servant.
    Matthew 20:27 KJV
     
    Karl S., Oct 16, 2004
    #14
  15. In article <Sthcd.6954$q%>, cmsix says...

    > Hum, from the evangelist here, I'd gotten the notion that Firefox was
    > immune to spyware, adware and all that.


    It is, as long as the operator does not act to install it.

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
     
    Norman Miller, Oct 17, 2004
    #15
  16. In article <>, Tony Raven says...

    > Try running a nifty little programme TCPView which will list all the
    > programmes connected via TCP/UDP and where they are connecting to.
    > http://www.sysinternals.com/


    Only under Windows XP (or Windows 2K). For the Windows 9x family it is just
    a fancy GUI version of netstat.

    --
    Norman
    ~Win dain a lotica, En vai tu ri, Si lo ta
    ~Fin dein a loluca, En dragu a sei lain
    ~Vi fa-ru les shutai am, En riga-lint
     
    Norman Miller, Oct 17, 2004
    #16
  17. boris <> wrote:

    > Not currently. A few days ago I listened to an mp3 stream of a radio
    > station with Winamp 5.


    > Could that be it?


    That IP address appears to host the radio station Xfm, so I'd say that
    would be a pretty safe bet, yes.

    --
    Andrew Clover
    mailto:
    http://www.doxdesk.com/
     
    Andrew Clover, Oct 18, 2004
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Joe

    Suspicious script

    Joe, Sep 9, 2003, in forum: Computer Support
    Replies:
    2
    Views:
    607
  2. wgreene
    Replies:
    5
    Views:
    633
    Plato
    Jul 31, 2004
  3. John Black

    suspicious application in task manager?

    John Black, Jun 29, 2005, in forum: Computer Security
    Replies:
    3
    Views:
    544
    Winged
    Jul 1, 2005
  4. Sam

    Suspicious Icons on Desktop

    Sam, Apr 30, 2006, in forum: Computer Security
    Replies:
    36
    Views:
    3,092
  5. dontb

    Suspicious IP sent at Startup

    dontb, Jul 10, 2004, in forum: Computer Information
    Replies:
    4
    Views:
    573
    Stuart
    Jul 14, 2004
Loading...

Share This Page