

LinuXProX

join:2000-04-23
Birmingham, AL

Phoning Home to Our Servers Also

We have seen a number of these types of requests in our web server logs as well. Some include:
- - [15/Jun/2004:16:45:31 -0500] "GET http://avu.zonelabs.com/modules.txt HTTP/1.0" 404 205 "-" "Internet Download"

- - [15/Jun/2004:16:45:33 -0500] "GET http://update.zonelabs.com/checkupdate.asp HTTP/1.0" 404 205 "-" "Zone Labs Registration Agent 1.0"

--
»www.OverclockersClub.com


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by LinuXProX:
"GET »update.zonelabs.com/checkupdate.asp HTTP/1.0"
Curious: you're seeing a GET, while we're seeing a POST.

Could there be any kind of proxy going on here?

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site

delwalsh

join:2004-06-16
Pompano Beach, FL

reply to LinuXProX
A little suspicious?

nslookup avu.zonelabs.com
Non-authoritative answer:
Server: launchmodem
Address: 192.168.1.254

Name: a1599.g.akamai.net
Addresses: 63.211.120.39, 63.209.213.63
Aliases: avu.zonelabs.com, avu.zonelabs.com.edgesuite.net



pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA

Guess: It looks like Akamai's DNS screwup is causing this.



LinuXProX

join:2000-04-23
Birmingham, AL

reply to Steve
Well we have the POST one too:

"GET »avu.zonelabs.com/modules.txt HTTP/1.0" 404 205 "-" "Internet Download"

"POST »update.zonelabs.com/checkupdate.asp HTTP/1.0" 404 209 "-" "Zone Labs Registration Agent 1.0"

"GET »avu.zonelabs.com/modules.txt HTTP/1.0" 404 205 "-" "Internet Download"

The specific user's IP that requested this resolves to a user at the adelphia.net ISP. I think it may have something to do with the DNS attack.
--
»www.OverclockersClub.com



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by LinuXProX:
I think it may have something to do with the DNS attack.
I don't see how this could be caused by DNS: even if one grants that DNS is somehow fouled up and sending people to the wrong place, that wouldn't explain rewriting of the POST/GET requests. I have a network capture of a valid ZA update request provided by Zone Labs, and it's just POST /checkupdate.asp HTTP/1.0. DNS wouldn't cause a rewrite.

Steve
--
Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site


Smokey
I'd rather be skiing
Premium
join:2003-05-20
Wild West

reply to pcscdma
This was happening before that though, or at least before the DNS issues were reported.
--
You want 5 bucks to buy a 1.99 burger, and wonder why the democrats are in trouble?



rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

reply to Steve
That was my thought too. It's as if ZA is being told to use BBR/DSLR as a proxy. This is the sort of traffic one would see if the program were instructed to use an HTTP proxy server. ...something trampling on "Internet Settings" in the registry?
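
The request form discussed in this thread, a request line carrying a full http:// URL the way a client talks to an HTTP proxy, can be picked out of an access log mechanically. The following is an added example, not code from any poster in the thread; the served hostname, the client addresses and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hostnames this web server legitimately answers for (assumed value).
SERVED_HOSTS = {"www.example.org"}

# Common/combined log format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def foreign_proxy_requests(lines, served_hosts=SERVED_HOSTS):
    """Return entries whose request-target is an absolute URI for a host we do not serve."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip
        target = m["target"]
        # Origin-form targets start with "/"; proxy-style (absolute-form)
        # targets carry the scheme and host in the request line itself.
        if not re.match(r"(?i)^https?://", target):
            continue
        url = urlsplit(target)
        host = (url.hostname or "").lower()
        if host and host not in served_hosts:
            hits.append({"client": m["client"], "method": m["method"],
                         "host": host, "path": url.path,
                         "status": int(m["status"]), "agent": m["agent"] or ""})
    return hits

# Constructed sample: documentation-range client IPs; the two Zone Labs
# requests mirror the ones quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [15/Jun/2004:16:45:31 -0500] "GET http://avu.zonelabs.com/modules.txt HTTP/1.0" 404 205 "-" "Internet Download"',
    '192.0.2.10 - - [15/Jun/2004:16:45:33 -0500] "POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0" 404 209 "-" "Zone Labs Registration Agent 1.0"',
    '192.0.2.44 - - [15/Jun/2004:16:46:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.45 - - [15/Jun/2004:16:46:09 -0500] "GET http://www.example.org/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in foreign_proxy_requests(SAMPLE):
        print(hit["client"], hit["method"], hit["host"] + hit["path"], hit["status"], hit["agent"])
```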

