Topic:   Hack Attempts

Lulu
ice behaving badly

right here
2553 posts, Dec 2000

posted 08-04-2001 10:27 PM
While the sircam virus was affecting port 139
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

today I have a record of 337 pings on my zone alarm and counting, the majority affecting port 80
http 80/tcp World Wide Web HTTP
http 80/udp World Wide Web HTTP
www 80/tcp World Wide Web HTTP
www 80/udp World Wide Web HTTP
www-http 80/tcp World Wide Web HTTP
www-http 80/udp World Wide Web HTTP
# Tim Berners-Lee

The pings seem non-stop...wondering if a new (or modified) worm or virus is flooding the Internet?

Had a hit from Microsoft...port 2118

alarm log~
FWIN,2001/08/04,17:43:03 -7:00 GMT,207.46.178.11:1313,24.77.199.97:2118,UDP

The firewall has blocked Internet access to your computer (UDP Port 2118) from 207.46.178.11 (UDP Port 1313).

Time: 8/4/2001 5:43:02 PM

port 2118 mentaserver 2118/udp MENTASERVER Ilan Shlosberg

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
One Redmond Way
Redmond, WA 98052
US

Netname: MICROSOFT-GLOBAL-NET
Netblock: 207.46.0.0 - 207.46.255.255

Coordinator:
Microsoft (ZM39-ARIN) noc@microsoft.com
425-936-4200

Domain System inverse mapping provided by:

DNS1.CP.MSFT.NET 207.46.138.20
DNS2.CP.MSFT.NET 207.46.138.21
DNS1.TK.MSFT.NET 207.46.232.37
DNS1.DC.MSFT.NET 207.68.128.151
DNS1.SJ.MSFT.NET 207.46.97.11

Record last updated on 20-Jun-2001.
Database last updated on 3-Aug-2001 23:13:45 EDT.

UPDATE: just received this e-mail in regards to activity on port 80...

quote:
The traffic you are seeing on your firewall is related to the Code Red worm. As long as you aren't running Win2k Server with IIS or WinNT Server with IIS, you can ignore this traffic.

We are working to identify the infected hosts on our service to help resolve this problem.

Thank you for your report.





[Edited 3 times, lastly by Lulu on 08-05-2001]


MollyGainYa
Senior Mollycule


Buchanan Dam, Texas
119 posts, May 2001

posted 08-05-2001 05:07 PM
Hello from the "Dinosaur" again! I have been tracking all KINDS of hacks for the last 5 days, and just today I've been hit 16 times from blocks belonging to GTE Media Ventures, GTE Internetworking BBNPLANET, and another GTE client, Elliott Enterprises. I'm going to contact their coordinators to find out why I'm so "popular", but I don't expect too much info in return.

Does anyone know what the program named "TSAdBOT.exe" is, or what it is supposed to do?? It seems to appear in a Program Alert box from ZoneAlarm when I'm first connecting to my ISP, but it doesn't always pop up, and I've been able to do everything online with it or without it approved for access. Where could I find out what this program is? Thanks for any input any of you might have!!

MollyGainYa, with love

------------------
UnHappyTrailsToUs
UntilWeMeetAgain...


LWR
Cognitive Dissonance

Menlo Park, Ca, USA
224 posts, Apr 2001

posted 08-05-2001 05:38 PM
D. Phillips, M.C.P.
NT Administrator, Rose Hills Co
3888 Workman Mill Rd., Whittier, California 90601-1626
562-692-1212 ext. 619; joseph.phillips@rosehills.com


(snip)


It turns out that this process was kicked off by a program supplied as part
of shareware distributions of Real Player Audio (it's also in PKzip for
windows though).


The offending "feature" is an advertising subroutine called "tsadbot.exe"
from a company called Timesink. It basically links the system to an
advertising site that downloads ad banners in the background that get
displayed as you run the apps. I had killed it off once before, but it came
back with an update. At least I hope that it was downloading to my machine
and not uploading from it.


So now I have a permanent route entry in my route tables to send any net
requests to that site into the bitbucket. My cleanup batch file now removes
anything in a directory from timesink, and I've learned a lesson I'd rather
not have thought about.


Thanks to all who responded, although I should have been clearer on the net
address. I sent the generic domain address of 216.32.73.0 instead of the
machine address of 216.32.73.123 in order to guard against any errors on my
part. I didn't want some poor site scanned/slammed to death on account of a
mistake on my part.


soapbox on


However, I find it the height of gall for an advertiser to establish what
amounts to a useful (to them) Trojan without being up front about it. If
they had asked as part of the install, even with a result of my not
installing the app, I would feel better about it. I don't feel good about
this, about Real Player, about PKware, or any other vendor who would include
this to make a few bucks. I know shareware vendors need funds to support
their efforts, but this steps over a line.


soapbox off


Thanks again,
- ---------------------------------------
Greg Roody
EMC Cambridge Software Development Center
125 Sidney Street, Cambridge, MA 02139
ph: 617-806-1648 fax: 617-441-7772
pager: (numeric) 800-936-3044/ (text) 800-672-4363, pin 0940633
groody@emc.com (Business Only pls)
(snip)
More can be gawked at here: http://www.pkware.com/support/faq/?topic=spons



MollyGainYa
Senior Mollycule


Buchanan Dam, Texas
119 posts, May 2001

posted 08-05-2001 05:53 PM
Whoa! Baby!! Now I'm REALLY confused, LWR!! I think I got the general drift that I don't need TSADBOT.EXE, so OFF it goes!! I'm so glad I downloaded ZoneAlarm Pro, and I just cringe to think of all the hacks I was getting before I began the alert program. I must say, the most unusual pings come when I'm on Chemtrail Central and when I'm on weather satellite sites...go figure!

Why do people in Korea, Taiwan, Switzerland, and Venezuela care about hacking ME??? I just don't get it...

MollyGainYa, with love


ShadowDancer
Running With A Different Pack


Western New York
79 posts, Jun 2001

posted 08-05-2001 11:05 PM
Here is a pair of interesting ones that I got tonight. These, and all of the attempts that I tracked tonight, of which there were many, were attempted connections to port 80 on my machine.

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 194.153.131.0 - 194.153.131.255
netname: BASICNET-NET
descr: BasicNet SPA
descr: Corso Brescia, 86
descr: I-10152 Torino
country: IT
admin-c: SV1745-RIPE
tech-c: SV1745-RIPE
status: ASSIGNED PI
notify: vaio@basic.net
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: INET-NOC
changed: hostmaster@ripe.net 20000306
changed: clazuc@inet.it 20000328
changed: clazuc@inet.it 20000330
source: RIPE

route: 194.153.131.0/24
descr: Basicnet SpA
origin: AS13060
notify: noc@inet.it
mnt-by: INET-NOC
changed: clazuc@inet.it 20000329
source: RIPE

person: Stefano Vaio
address: Basicnet S.p.A.
address: Corso Brescia , 86
address: I-10152 Torino
address: Italy
phone: +39 11 26171
fax-no: +39 11 2617259
e-mail: vaio@basic.net
nic-hdl: SV1745-RIPE
changed: clazuc@inet.it 20000329
source: RIPE

_______________________________

Comite Gestor da Internet no Brasil (NETBLK-BRAZIL-BLK2)
R. Pio XI, 1500
Sao Paulo, SP 05468-901
BR

Netname: BRAZIL-BLK2
Netblock: 200.128.0.0 - 200.255.255.255
Maintainer: RNP

Coordinator:
Registro.br (NF-ORG-ARIN) blkadm@registro.br
+55 19 9119-0304

Domain System inverse mapping provided by:

NS.DNS.BR 143.108.23.2
NS1.DNS.BR 200.255.253.234
NS2.DNS.BR 200.19.119.99

These addresses have been further assigned to Brazilian users.
Contact information can be found at the WHOIS server located
at whois.registro.br and at http://whois.nic.br

Record last updated on 20-Jul-2001.
Database last updated on 4-Aug-2001 23:01:41 EDT.
***

Italy and Brazil! A far-flung duo. Probably nothing sinister, but interesting nevertheless.
~SD

------------------
~Always Searching~


amber
UK ENVOY


uk
445 posts, May 2001

posted 08-06-2001 04:19 AM
What's this one about? It has 'pinged' me 44 times in an hour!!

WHOIS Query Result for 231.122.21.242:
IANA (NET-MCAST-NET)
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6695
US

Netname: MCAST-NET
Netblock: 224.0.0.0 - 239.255.255.255

Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN) res-ip@iana.org
(310) 823-9358

Domain System inverse mapping provided by:

FLAG.EP.NET 198.32.4.13
STRUL.STUPI.SE 192.108.200.1 192.36.143.3
NS.ISI.EDU 128.9.128.127
NIC.NEAR.NET 192.52.71.4


Lulu
ice behaving badly

right here
2553 posts, Dec 2000

posted 08-06-2001 11:15 AM
amber, IANA has pinged me also, but not 44 times!...check your zone alarm log to see if it is in fact port 80 that is affected as this is the port the Code Red worm is affecting.

ShadowDancer and MollyGainYa, I have seen traffic from Spain, Brazil, Korea, China, The Netherlands and many other countries the past few weeks. I believe this similar heightened traffic is a result of the Code Red worm as well, but you're right...interesting! and worth checking out.


Lulu
ice behaving badly

right here
2553 posts, Dec 2000

posted 08-06-2001 02:15 PM
Just received this e-mail from IANA re my inquiring of recent traffic from them...

quote:
Dear *****,

The following address blocks are reserved for private use
and should never appear in the public Internet:

192.168.0.0-192.168.255.255
172.16.0.0-172.31.255.255
10.0.0.0-10.255.255.255

The IANA has no idea who the users of these address blocks are.
The point of private address space is to allow many organizations
in different places to use the same addresses for their disconnected
or self contained islands of IP talking computers (private intranets).
Anyone may use these address blocks without any prior notification
to IANA.

This is documented in RFC 1918.
To locate RFC's you can go to .

If you have further questions about RFC 1918 usage, please contact
your ISP.

Best regards,
IANA


-----Original Message-----
From: ***** **** [mailto:ter5555@home.com]
Sent: Saturday, August 04, 2001 1:17 PM
To: res-ip@iana.org
Subject: NetBIOS from 192.168.0.1 2001/07/30 IANA


what is this traffic???????

alarm log~
FWIN,2001/07/30,22:45:33 -7:00 GMT,192.168.0.1:137,24.77.199.97:137,UDP

IANA (IANA-CBLK-RESERVED)
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292-6695
US

Netname: IANA-CBLK1
Netblock: 192.168.0.0 - 192.168.255.255

Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN) res-ip@iana.org
(310) 823-9358

Domain System inverse mapping provided by:

BLACKHOLE.ISI.EDU 128.9.64.26
BLACKHOLE.EP.NET 198.32.1.116

These blocks are reserved for special purposes.
Please see RFC 1918 for additional information.

Record last updated on 16-May-2001.
Database last updated on 3-Aug-2001 23:13:45 EDT.


a further track on BLACKHOLE


IANA (BLACKHOLE3-HST)

Hostname: BLACKHOLE.ISI.EDU
Address: 128.9.64.26
System: ? running ?

Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN) res-ip@iana.org
(310) 823-9358

Record last updated on 02-Mar-1998.
Database last updated on 4-Aug-2001 23:01:41 EDT.


and...

Information Sciences Institute (NET-ISI-NET)
4676 Admiralty Way
Marina del Rey, CA 90292
US

Netname: ISI-NET
Netblock: 128.9.0.0 - 128.9.255.255

Coordinator:
Action (ACT-ORG-ARIN) action@ISI.EDU
310-822-1511 x 289
Fax- 310-827-2637

Domain System inverse mapping provided by:

VENERA.ISI.EDU 128.9.0.32 128.9.176.32
NS.ISI.EDU 128.9.128.127

Record last updated on 22-Apr-1997.
Database last updated on 4-Aug-2001 23:01:41 EDT.

Know your ports...
http://www.iana.org/assignments/port-numbers



[Edited 3 times, lastly by Lulu on 08-06-2001]
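
Added example (not part of the thread and not any poster's or ZoneAlarm's own code): a small triage script for the `FWIN` alarm-log lines quoted above. It tallies blocked packets by destination port and flags sources inside the RFC 1918 blocks from the IANA reply or the multicast block from the MCAST-NET record, neither of which is a valid source address on the public Internet. The six-field layout is assumed from the two lines posted in the thread; the remaining sample lines are constructed.

```python
import ipaddress
from collections import Counter

# RFC 1918 blocks from the IANA reply, and the multicast block
# (224.0.0.0 - 239.255.255.255) from the MCAST-NET WHOIS record.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

SAMPLE = [  # first two lines are from the thread; the rest are constructed
    "FWIN,2001/08/04,17:43:03 -7:00 GMT,207.46.178.11:1313,24.77.199.97:2118,UDP",
    "FWIN,2001/07/30,22:45:33 -7:00 GMT,192.168.0.1:137,24.77.199.97:137,UDP",
    "FWIN,2001/08/05,09:10:11 -7:00 GMT,198.51.100.7:3120,24.77.199.97:80,TCP",
    "FWIN,2001/08/05,09:10:19 -7:00 GMT,203.0.113.40:4471,24.77.199.97:80,TCP",
    "FWIN,2001/08/05,09:12:02 -7:00 GMT,231.122.21.242:1025,24.77.199.97:80,TCP",
    "truncated,line",
]

def parse_fwin(line):
    """Parse 'FWIN,date,time,src:port,dst:port,proto'; None if malformed."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    try:
        src_ip, _sport = parts[3].rsplit(":", 1)
        _dst_ip, dport = parts[4].rsplit(":", 1)
        return ipaddress.ip_address(src_ip), int(dport), parts[5].upper()
    except ValueError:  # missing port, bad address or non-numeric port
        return None

def classify_source(ip):
    """Label a source address: rfc1918, multicast, or other."""
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "multicast" if ip in MULTICAST else "other"

def summarize(lines):
    """Count blocked packets per source class and per (proto, dest port)."""
    by_class, by_port, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_fwin(line)
        if rec is None:
            skipped += 1
            continue
        src, dport, proto = rec
        by_class[classify_source(src)] += 1
        by_port[(proto, dport)] += 1
    return by_class, by_port, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The RFC 1918 blocks are listed explicitly because Python's `ipaddress` `is_private` attribute also covers other reserved ranges, which would blur the distinction the IANA reply draws.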
