WinME w/NortonAV boots with http to foreign IP address

Discussion in 'Computer Security' started by jayjwa, Oct 3, 2003.

  1. jayjwa

    Randell D. wrote:
    > Folks,
    > I have two WindowME clients - Both have Norton Internet Security 2003 and
    > I've got several years within IT (predominantly Unix/Linux though I have
    > picked up knowledge of Windoze platforms along the way)... I have my WinMe
    > clients hidden behind a router - both clients have Norton Internet AntiVirus
    > + Firewall active on both machines giving them that additional bit of
    > security.
    >
    > I checked my router's log file and noticed that when booting, one of my
    > clients makes an http connection to 204.221.192.198. This IP address resolves
    > to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
    > like they bought mr.net). I've never heard of either server or service and
    > don't have any software installed that I could think would be in any way related
    > to them. I've checked my startup routines with msconfig and everything
    > looks normal...
    >
    > Anybody got any ideas?
    >


    I just checked with Links and it's not allowing the index file to be
    retrieved, which most likely means you'd have to know the proper
    directory or file to pull down (like Apache's directive Options Indexes,
    set to "Off"). If it was my call, I'd cut it. You know the user isn't
    going to know what's going on, unless they're into web development or
    something, but if they're running Windows, they're most likely a regular
    joe-average computer user that's installed something that makes a call
    to that location, possibly for an ad or something. Ask 'em what they're
    running.

    It's got SSH on 22, maybe SSH-1, listed as "99-Server-VI".
    The http on 80 w/"AkamaiGHost" HTTP Acceleration/Mirror Service + SSL
    version of that.

    AkamaiGHost:
    <quote>"A company that provides caching of content for its clients; you
    pay them to cache your site, and then they distribute machines to ISPs
    that serve up content locally to ISP customers. This requires less
    bandwidth to be spent on the actual machine. In exchange ISPs get to
    use the server to cache their own content and save bandwidth in exchange
    for electricity. I believe they run a modified RedHat/Apache System."
    </quote>

    It's a Linux system, maybe Redhat or Debian, but that's a guess, up
    since Sept. 26, 04:47:40 '03.


    <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
    Adware loaded. _If the client knows nothing about this_, I'd say an
    app he'd installed has adware in it and is calling that place to
    download ads. That would explain why it's getting beyond the FW, because
    the user is giving permission to the app, not knowing that the Adware is
    going along for the ride. I've seen that before, but note that this is a
    far-fetched guess only - don't quote me on that!</morespeculation>

    Windows users are known to install anything! ;p (see Swen.Win32.Worm)

    --
    --------------nonoffensive sig.v2.2RC2?------------------------
    - jayjwa 4 Spammers: mailto:
    The New Atr2. PGP/GPG Keys onsite
    "Why do all the noob's use RedHat,
    speak 4th grade English,
    and cry because their X server crashed?"
    Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
    ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
     
    jayjwa, Oct 3, 2003
    #1
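    The router-log observation that started this thread (a LAN client contacting a foreign IP right after boot) is the kind of thing worth automating rather than eyeballing. The script below is an added example and not code from anyone in the thread; it assumes a generic syslog-style router log format (the sample lines are constructed), assumes a DHCPACK line marks a client's boot, and generalizes the thread's single case to every client on the LAN. Adjust LINE_RE to whatever your router actually writes.

```python
"""Triage a router log for outbound connections a LAN host makes at boot.

Added example, not from the thread. The log format and the "DHCPACK means
the client just booted" assumption are both assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real router output).
SAMPLE_LOG = """\
Oct  3 06:00:00 router kernel: OUT TCP 192.168.1.12:1040 -> 203.0.113.9:80
Oct  3 07:12:01 router kernel: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55
Oct  3 07:12:09 router kernel: OUT TCP 192.168.1.10:1034 -> 204.221.192.198:80
Oct  3 07:12:10 router kernel: OUT UDP 192.168.1.10:1035 -> 192.168.1.1:53
Oct  3 07:40:22 router kernel: OUT TCP 192.168.1.10:1201 -> 198.51.100.7:80
Oct  3 07:55:03 router kernel: DHCPACK on 192.168.1.11 to 00:11:22:33:44:66
Oct  3 07:55:12 router kernel: OUT TCP 192.168.1.11:1030 -> 192.168.1.1:80
Oct  3 07:55:14 router kernel: OUT TCP 192.168.1.11:1031 -> 204.221.192.198:443
"""

# Two line shapes: a DHCP lease (treated as "client booted") and an outbound flow.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ \S+ "
    r"(?:(?P<dhcp>DHCPACK on (?P<lease_ip>[\d.]+))|"
    r"(?P<out>OUT (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)))"
)

BOOT_WINDOW_S = 120  # assumption: a flow within 2 min of the lease counts as "at boot"


def _ts(text, year=2003):
    # syslog timestamps carry no year; the thread is from 2003
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def boot_time_foreign_connections(log_text, window=BOOT_WINDOW_S):
    """Map client IP -> [(dst_ip, dst_port, proto, seconds_after_boot)] for every
    outbound flow to a non-private address within `window` seconds of that
    client's most recent DHCP lease. Clients with no lease seen are ignored."""
    last_boot = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = _ts(m["ts"])
        if m["dhcp"]:
            last_boot[m["lease_ip"]] = ts
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst.is_private or dst.is_loopback or dst.is_multicast:
            continue  # LAN, DNS on the router, etc. are not interesting here
        boot = last_boot.get(m["src"])
        if boot is None:
            continue
        delta = (ts - boot).total_seconds()
        if 0 <= delta <= window:
            hits[m["src"]].append((str(dst), int(m["dport"]), m["proto"], int(delta)))
    return dict(hits)


if __name__ == "__main__":
    for client, flows in boot_time_foreign_connections(SAMPLE_LOG).items():
        for dst, port, proto, secs in flows:
            print(f"{client} -> {dst}:{port}/{proto} {secs}s after boot")
```

    The destination address on its own tells you little once it turns out to be a CDN edge shared by many sites; what this gives you is the list of clients and times to take to a packet capture and a process listing on the machine itself.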

  2. Randell D.

    Folks,
    I have two WindowME clients - Both have Norton Internet Security 2003 and
    I've got several years within IT (predominantly Unix/Linux though I have
    picked up knowledge of Windoze platforms along the way)... I have my WinMe
    clients hidden behind a router - both clients have Norton Internet AntiVirus
    + Firewall active on both machines giving them that additional bit of
    security.

    I checked my router's log file and noticed that when booting, one of my
    clients makes an http connection to 204.221.192.198. This IP address resolves
    to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
    like they bought mr.net). I've never heard of either server or service and
    don't have any software installed that I could think would be in any way related
    to them. I've checked my startup routines with msconfig and everything
    looks normal...

    Anybody got any ideas?

    --
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
    A: Top-posting.
    Q: What is the most annoying thing on usenet?
     
    Randell D., Oct 3, 2003
    #2

  3. Randell D.

    "jayjwa" <> wrote in message
    news:...
    > Randell D. wrote:
    > > Folks,
    > > I have two WindowME clients - Both have Norton Internet Security 2003 and
    > > I've got several years within IT (predominantly Unix/Linux though I have
    > > picked up knowledge of Windoze platforms along the way)... I have my WinMe
    > > clients hidden behind a router - both clients have Norton Internet AntiVirus
    > > + Firewall active on both machines giving them that additional bit of
    > > security.
    > >
    > > I checked my router's log file and noticed that when booting, one of my
    > > clients makes an http connection to 204.221.192.198. This IP address resolves
    > > to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
    > > like they bought mr.net). I've never heard of either server or service and
    > > don't have any software installed that I could think would be in any way related
    > > to them. I've checked my startup routines with msconfig and everything
    > > looks normal...
    > >
    > > Anybody got any ideas?
    > >

    >
    > I just checked with Links and it's not allowing the index file to be
    > retrieved, which most likely means you'd have to know the proper
    > directory or file to pull down (like Apache's directive Options Indexes,
    > set to "Off"). If it was my call, I'd cut it. You know the user isn't
    > going to know what's going on, unless they're into web development or
    > something, but if they're running Windows, they're most likely a regular
    > joe-average computer user that's installed something that makes a call
    > to that location, possibly for an ad or something. Ask 'em what they're
    > running.
    >
    > It's got SSH on 22, maybe SSH-1, listed as "99-Server-VI".
    > The http on 80 w/"AkamaiGHost" HTTP Acceleration/Mirror Service + SSL
    > version of that.
    >
    > AkamaiGHost:
    > <quote>"A company that provides caching of content for its clients; you
    > pay them to cache your site, and then they distribute machines to ISPs
    > that serve up content locally to ISP customers. This requires less
    > bandwidth to be spent on the actual machine. In exchange ISPs get to
    > use the server to cache their own content and save bandwidth in exchange
    > for electricity. I believe they run a modified RedHat/Apache System."
    > </quote>
    >
    > It's a Linux system, maybe Redhat or Debian, but that's a guess, up
    > since Sept. 26, 04:47:40 '03.
    >
    >
    > <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
    > Adware loaded. _If the client knows nothing about this_, I'd say an
    > app he'd installed has adware in it and is calling that place to
    > download ads. That would explain why it's getting beyond the FW, because
    > the user is giving permission to the app, not knowing that the Adware is
    > going along for the ride. I've seen that before, but note that this is a
    > far-fetched guess only - don't quote me on that!</morespeculation>
    >
    > Windows users are known to install anything! ;p (see Swen.Win32.Worm)


    Thanks for the prompt response - it's a home network and both of the machines
    are mine (well - the infected (?) machine is mine, the other one is my
    girlfriend's but I manage them both). Secondly, I consider myself reasonably
    well switched on as I've got many years Unix/Linux and some windoze
    experience... The "infected" machine doesn't have anything I'd be too
    worried about and my original post did mention I rebuilt it about 5 weeks ago
    and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
    version of Visio and MySQL client... I dread the idea of having to rebuild
    it - between the install and microsoft updates, plus anti-virus updates and
    software - it will take several hours...

    Any other ideas? Can you suggest a method on how I can sniff my own network?
    I've been reading the man pages for tcpdump and nmap but I'm really not
    familiar with security tools...
     
    Randell D., Oct 3, 2003
    #3
  4. Randell D.

    "Randell D." <> wrote in message
    news:ki7fb.7965$pl3.7020@pd7tw3no...
    >
    > Folks,
    > I have two WindowME clients - Both have Norton Internet Security 2003 and
    > I've got several years within IT (predominantly Unix/Linux though I have
    > picked up knowledge of Windoze platforms along the way)... I have my WinMe
    > clients hidden behind a router - both clients have Norton Internet AntiVirus
    > + Firewall active on both machines giving them that additional bit of
    > security.
    >
    > I checked my router's log file and noticed that when booting, one of my
    > clients makes an http connection to 204.221.192.198. This IP address resolves
    > to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
    > like they bought mr.net). I've never heard of either server or service and
    > don't have any software installed that I could think would be in any way related
    > to them. I've checked my startup routines with msconfig and everything
    > looks normal...
    >
    > Anybody got any ideas?
    >


    I think it was QuickTime... I have uninstalled and rebooted a couple of
    times and not seen the http connection...
     
    Randell D., Oct 3, 2003
    #4
  5. sponge

    "Randell D." <> wrote in message news:<2q8fb.8580$9l5.7483@pd7tw2no>...
    > "jayjwa" <> wrote in message
    > news:...
    > > Randell D. wrote:
    > > > Folks,
    > > > I have two WindowME clients - Both have Norton Internet Security 2003 and
    > > > I've got several years within IT (predominantly Unix/Linux though I have
    > > > picked up knowledge of Windoze platforms along the way)... I have my WinMe
    > > > clients hidden behind a router - both clients have Norton Internet AntiVirus
    > > > + Firewall active on both machines giving them that additional bit of
    > > > security.
    > > >
    > > > I checked my router's log file and noticed that when booting, one of my
    > > > clients makes an http connection to 204.221.192.198. This IP address resolves
    > > > to "mr.net" which also has some relationship with "onvoy.net" (onvoy looks
    > > > like they bought mr.net). I've never heard of either server or service and
    > > > don't have any software installed that I could think would be in any way related
    > > > to them. I've checked my startup routines with msconfig and everything
    > > > looks normal...
    > > >
    > > > Anybody got any ideas?
    > > >

    > >
    > > I just checked with Links and it's not allowing the index file to be
    > > retrieved, which most likely means you'd have to know the proper
    > > directory or file to pull down (like Apache's directive Options Indexes,
    > > set to "Off"). If it was my call, I'd cut it. You know the user isn't
    > > going to know what's going on, unless they're into web development or
    > > something, but if they're running Windows, they're most likely a regular
    > > joe-average computer user that's installed something that makes a call
    > > to that location, possibly for an ad or something. Ask 'em what they're
    > > running.
    > >
    > > It's got SSH on 22, maybe SSH-1, listed as "99-Server-VI".
    > > The http on 80 w/"AkamaiGHost" HTTP Acceleration/Mirror Service + SSL
    > > version of that.
    > >
    > > AkamaiGHost:
    > > <quote>"A company that provides caching of content for its clients; you
    > > pay them to cache your site, and then they distribute machines to ISPs
    > > that serve up content locally to ISP customers. This requires less
    > > bandwidth to be spent on the actual machine. In exchange ISPs get to
    > > use the server to cache their own content and save bandwidth in exchange
    > > for electricity. I believe they run a modified RedHat/Apache System."
    > > </quote>
    > >
    > > It's a Linux system, maybe Redhat or Debian, but that's a guess, up
    > > since Sept. 26, 04:47:40 '03.
    > >
    > >
    > > <morespeculation> Lots of "hot" Windows crap (like Kazaa) has Spyware or
    > > Adware loaded. _If the client knows nothing about this_, I'd say an
    > > app he'd installed has adware in it and is calling that place to
    > > download ads. That would explain why it's getting beyond the FW, because
    > > the user is giving permission to the app, not knowing that the Adware is
    > > going along for the ride. I've seen that before, but note that this is a
    > > far-fetched guess only - don't quote me on that!</morespeculation>
    > >
    > > Windows users are known to install anything! ;p (see Swen.Win32.Worm)

    >
    > Thanks for the prompt response - it's a home network and both of the machines
    > are mine (well - the infected (?) machine is mine, the other one is my
    > girlfriend's but I manage them both). Secondly, I consider myself reasonably
    > well switched on as I've got many years Unix/Linux and some windoze
    > experience... The "infected" machine doesn't have anything I'd be too
    > worried about and my original post did mention I rebuilt it about 5 weeks ago
    > and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
    > version of Visio and MySQL client... I dread the idea of having to rebuild
    > it - between the install and microsoft updates, plus anti-virus updates and
    > software - it will take several hours...
    >
    > Any other ideas? Can you suggest a method on how I can sniff my own network?
    > I've been reading the man pages for tcpdump and nmap but I'm really not
    > familiar with security tools...


    Well, hopefully you fixed it. However, as far as sniffing goes, try
    Ethereal (http://www.ethereal.com). Make sure to download the WinPcap
    driver, v3.0. Use TCPView
    (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) to ID
    processes.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 et yahoo dot com
     
    sponge, Oct 4, 2003
    #5
  6. jayjwa

    Randell D. wrote:

    >
    > Thanks for the prompt response - it's a home network and both of the machines
    > are mine (well - the infected (?) machine is mine, the other one is my
    > girlfriend's but I manage them both). Secondly, I consider myself reasonably
    > well switched on as I've got many years Unix/Linux and some windoze
    > experience... The "infected" machine doesn't have anything I'd be too
    > worried about and my original post did mention I rebuilt it about 5 weeks ago
    > and it only has Macromedia Dreamweaver MX, OpenOffice.org, Outlook, an old
    > version of Visio and MySQL client... I dread the idea of having to rebuild
    > it - between the install and microsoft updates, plus anti-virus updates and
    > software - it will take several hours...
    >
    > Any other ideas? Can you suggest a method on how I can sniff my own network?
    > I've been reading the man pages for tcpdump and nmap but I'm really not
    > familiar with security tools...


    Oh. When you said "client", I was picturing client as in one who
    subscribes to a service, as in this case, like an ISP. I'm not saying
    they're infected with spyware (if it IS that, but remember, that's just a
    stab; more searching needs to be done to be conclusive).

    Sniffing, you have to know what you're looking at when you do that, but
    nmap's easy and can be used to show open ports, and now, since the last
    version, some daemon ID'ing. There are better tools for ID'ing stuff;
    there's a Vmap & Amap too, and for really big jobs, I've got a Nessus
    daemon sitting onsite.
    I'd check and see what's being sent back from that site before I went
    and put hours into rebuilds; it may be nothing. Again, more info is
    needed. Whoever they were though, I got scanned out of it, but that's
    common - I get about 3-5 "stealth" scans a day. They broke off early, I
    don't know why, and I haven't seen any more of them today.

    --
    --------------nonoffensive sig.v2.2RC2?------------------------
    - jayjwa 4 Spammers: mailto:
    The New Atr2. PGP/GPG Keys onsite
    "Why do all the noob's use RedHat,
    speak 4th grade English,
    and cry because their X server crashed?"
    Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
    ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
     
    jayjwa, Oct 4, 2003
    #6
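    Both of the preceding answers point the same way: capture the suspect connection (Ethereal/tcpdump) and look at what the client actually sends, rather than guessing from the IP. The script below is an added example, not code from anyone in the thread. It builds the capture filter you would hand to tcpdump or Ethereal and then pulls the identifying fields out of one reassembled HTTP request; the request text is constructed for illustration, and the hostname, path and User-Agent in it are invented. The point it demonstrates: a CDN edge such as the AkamaiGHost box scanned above serves many customers' sites from one address, so the Host header, not the IP, names the site being contacted, and the User-Agent usually names the program that opened the socket.

```python
"""Pull the identifying fields out of one captured HTTP request.

Added example, not from the thread. CONSTRUCTED_REQUEST stands in for what
`tcpdump -A` or Ethereal's "Follow TCP Stream" would show for the suspect
connection; every value in it is made up.
"""
import re

SUSPECT_IP = "204.221.192.198"  # the address from the router log in the thread


def capture_filter(ip, port=80):
    """BPF capture filter for tcpdump/Ethereal that isolates one host's HTTP traffic.

    e.g.  tcpdump -n -A -s 0 'host 204.221.192.198 and tcp port 80'
    """
    return f"host {ip} and tcp port {port}"


# Constructed sample of the client's request as reassembled from a capture.
# "Windows 4.90" is the version string Windows ME reports; the rest is invented.
CONSTRUCTED_REQUEST = (
    "GET /updates/check.xml?ver=6.3 HTTP/1.1\r\n"
    "Host: updates.example.net\r\n"
    "User-Agent: ExampleUpdater/6.3 (Windows 4.90)\r\n"
    "Connection: close\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into request line and headers.

    Header names are lower-cased so lookups don't depend on the client's casing.
    Raises ValueError if the text does not start with an HTTP request line
    (e.g. you captured the wrong port and got an SSH banner instead).
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("not an HTTP request line: %r" % lines[0][:60])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": m["method"],
        "target": m["target"],
        "version": m["version"],
        "headers": headers,
    }


def identify(raw):
    """Return the three fields that say *what* talked to the IP: the Host header
    (which site a shared CDN address is fronting for), the User-Agent (usually
    names the application) and the request target."""
    req = parse_http_request(raw)
    h = req["headers"]
    return {
        "site": h.get("host", "(no Host header: HTTP/1.0 client or raw IP)"),
        "agent": h.get("user-agent", "(no User-Agent)"),
        "target": req["target"],
    }


if __name__ == "__main__":
    print("capture with:", capture_filter(SUSPECT_IP))
    for key, value in identify(CONSTRUCTED_REQUEST).items():
        print(f"{key:>7}: {value}")
```

    Run the capture on the router side or on a hub/mirror port if the Windows box itself cannot run WinPcap; once you have the Host and User-Agent, TCPView on the client confirms which process owns the socket, which is what actually settled the question in this thread.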
  7. jayjwa

    Randell D. wrote:

    > I think it was QuickTime... I have uninstalled and rebooted a couple of
    > times and not seen the http connection...



    Maybe it was accessing a cache, like in the description I found. I hate
    when programs do stuff without your knowledge of it; that's another
    reason I moved to Linux. If you run a FW on Windows, you have just as
    much stuff trying to get out as you do trying to get in!

    --
    --------------nonoffensive sig.v2.2RC2?------------------------
    - jayjwa 4 Spammers: mailto:
    The New Atr2. PGP/GPG Keys onsite
    "Why do all the noob's use RedHat,
    speak 4th grade English,
    and cry because their X server crashed?"
    Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
    ==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
     
    jayjwa, Oct 4, 2003
    #7