<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Checking Automatic Update in Security</title>
<link>http://www.dslreports.com/forum/r11682421</link>
<description></description>
<language>en</language>
<pubDate>Wed, 09 Dec 2009 23:31:06 EDT</pubDate>
<lastBuildDate>Wed, 09 Dec 2009 23:31:06 EDT</lastBuildDate>

<item>
<title>Re: IP lookups re Akamai</title>
<link>http://www.dslreports.com/forum/remark,11879144</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> :  <div class="bquote"><SMALL>said by spooler:</SMALL><br><br>I used a Whois search earlier that did show Sweden.  I'm quite sure, but looking those up today, every service tried shows it is Akamai with a Cambridge, MASS. location but maybe that is just the home office and not the physical location of the server for the IP entered?<br> </DIV>Yep, It is the location of the "office". That doesn't guarantee that if they need an IP in California they won't use one that the office in Sweden requested. ;) <br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11879144</guid>
<pubDate>Tue, 16 Nov 2004 17:35:55 EDT</pubDate>
</item>

<item>
<title>IP lookups re Akamai</title>
<link>http://www.dslreports.com/forum/remark,11878356</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : WiseGuy said:<I><B><br>"Do you still have the IP? How did you determine it was in Sweden, via a Whois? If it was via a Whois it may not have been located in Sweden."</B></I><br>------------------<br>You are correct.  The IPs were all in the 209.170.95.136 to 152 range.<br><br>I used a Whois search earlier that did show Sweden.  I'm quite sure, but looking those up today, every service tried shows it is Akamai with a Cambridge, MASS. location but maybe that is just the home office and not the physical location of the server for the IP entered?<br><br>I checked out your link.  Earlier in the summer I too was getting outbound connections to IP's "in Amsterdam" and also wondered why. . . The conclusion based on readings then (perhaps from <B>Markus Jansson's</B> website) was that the Internet, Yahoo, and Akamai were worldwide and that images to load pages would be drawn from wherever it was most convenient at the time of the request - even if it seemed a far away place.<br><br>After that, I forgot about it until <B>Name Game's</B> comments in this thread.  Those comments reintroduced geographical proximity into the mix which made me question those old IP lookups on Akamai showing distant sites.  Sweden and Amsterdam showed up for sure earlier, but not now.  Perhaps I was using a different IP lookup service then or perhaps what the services are reporting has changed.  For a long time IP lookups were showing addresses belonging to "French Telecom", too.<br><br>After learning what Akamai was, I got to the point of ignoring those entries in the logs and hadn't looked them up again until today.  Those 209.xxx.xx.xxx entries are still showing up with almost every visit to Yahoo, but the IP's in my lookups today all show Cambridge, Mass., and not Sweden...]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11878356</guid>
<pubDate>Tue, 16 Nov 2004 16:21:47 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11877905</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> :  <div class="bquote"><SMALL>said by spooler:</SMALL><br><br> but the IP was to Akamai servers in Sweden which is not very close to my location here in the U.S.<br> </DIV>Do you still have the IP? How did you determine it was in Sweden, via a Whois? If it was via a Whois it may not have been located in Sweden. See the link below for a similar situation.<br><br>&raquo;<A HREF="/forum/remark,10434463?">Re: Port 80 security question.</A> <br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11877905</guid>
<pubDate>Tue, 16 Nov 2004 15:34:37 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11877516</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Hey good stuff..i think you got the whole process down pat when it looks for that update when they used that IP..most likely various updates for not only XP pro..but then the IE and others product use servers and redirectors from other networks as required..Akamai certainly does lots of business with Microsoft also.<br>I have turned so much of that stuff off with... <br><br>Safe XP allows users to quickly tweak various security and privacy related settings in XP. The options include Media Player settings, Services settings (error reporting, time synch, remote registry etc.), as well as an option to remove items from the Start menu, network security settings and more.<br>Safe XP improves your system performance and makes Windows to run faster, more secure and reliable!<br>It is suitable for beginners and experts! <br>  <br> Download FREE Version <br> Screenshot <br> More Info <br><br>&raquo;<A HREF="http://www.theorica.net/safexp.htm" >www.theorica.net/safexp.htm</A><br><br>and do it manually when need...<br><br>and then used this site to lock down XP..<br><br>&raquo;<A HREF="http://www.markusjansson.net/erecent.html" >www.markusjansson.net/erecent.html</A><br>Securing yourself & your computer<br>&raquo;<A HREF="http://www.markusjansson.net/esecuring.html" >www.markusjansson.net/esecuring.html</A><br><br>Tweaks and tricks for security and privacy<br>&raquo;<A HREF="http://www.markusjansson.net/eienbid.html" >www.markusjansson.net/eienbid.html</A><br><br>That i do not see a lot of that stuff happening.<br><br>Thanks<br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>Missing Kids<br>&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11877516</guid>
<pubDate>Tue, 16 Nov 2004 14:47:59 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11873240</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Name Game:<br><br>You are right about it being easy to get lost in the language.<br><br>I've been rereading your original posts from several weeks ago and today's/tonight's posts.<br><br>You are over my head, but I think I have the gist of what you said at the very first of the thread<br>and what you have explained again tonight.<br><br>Here's what it now seems to me in very basic novice terms.<br><br>1) When I boot start or restart my computer, a dll sends out a request to check for windowsupdates.  <br><br>2) A DNS request is sent to my ISP, which instead of contacting MSFT directly, sends the message to one of many other possible servers.<br><br>3) Sandpiper Footprint is one of the possible servers to which the message may be sent rather than going to the MSFT servers.  <br><br>4) I assume that Akamai may also be another group of servers that could be used for that or that are used to store common web content pages like Yahoo?  Same may also be true for the occasional outbound traffic at startup to William Communications Group, Sprint, and other Level3 addresses?<br><br>5) The dll, proxy, and stub you describe are the tools that make the process work.<br><br>6) The process is designed to speed up internet traffic and may help decrease congestion and even speed webpage loading for the end user?<br>----------------------<br>Well, thank you, Name Game.  You've gone to a lot of trouble to clarify what you said so briefly several weeks ago.  Now it makes a little more sense if what I've stated above is correct in the most general non-technical terms.<br><br>Aside: <B>IP 67.29.170.61</B>  just showed up in the router logs when I rebooted to test my understanding of what your posts said.  
So it looks like <B>"Server: Footprint Distributor V3.0"</B> is back.<br><br>Another question:  Prior to noticing Footprint Distributor V3.0 at startup in the router logs in October, had noticed outgoing traffic to Akamai at startup during August and September.  Nothing startling there, but the IP was to Akamai servers in Sweden which is not very close to my location here in the U.S.<br><br>The Footprint documentation mentions speeding up traffic on the Internet by directing it to geographically close locations.  <I>("Footprint redirects the request to the Footprint Distributor nearest the request.")</I>  Apparently that is not the case with Akamai?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11873240</guid>
<pubDate>Tue, 16 Nov 2004 00:23:20 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11872825</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Then I was reading about..Sandpiper custom DNS servers resolve the name to the best distributor in this attached presentation..<br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL><div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap WIDTH=33%><A HREF="/r0/download/713432~79d314bcdd73043c37a024dcdbe0bf03/Sandpiper.zip"><IMG  align=absmiddle TITLE="download" SRC="http://i.dslr.net/silk/compress.png" border=0 width=16 height=16><IMG SRC="http://i.dslr.net/1ptrans.gif" WIDTH=10 HEIGHT=1 border=0><big>Sandpiper.zip</big></A> <small>2,742 bytes</small><br><small>(Sandpiper.txt)</small></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11872825</guid>
<pubDate>Mon, 15 Nov 2004 23:29:53 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11872667</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Thanks..well i do know that...<br>anybody know what this dll is?<br><br>wups.dll Windows Update client proxy stub<br><br>My Norton keeps alerting me and asking me if this dll can access the internet thru port 3374 TCP 67.72.4.94:80<br><br>and..<br><br>A Proxy-Stub DLL is used to marshal information between a client and a server application. If your application creates an object on a remote server <br>(or more accurately for every out-of-process call) it is activated. The proxy lives on the client, and the stub on the server. The proxy intercepts each call to the server and mimics its behavior. When you call a method on the server class, the proxy structures the arguments and sends it to the stub. The stub mimics the client and decodes the received information into a call to the server class. So for the called DLL, it is as if the stub were the client, and for the client the proxy is the server. In the other direction (when a result is returned from a function for example) it's the same game, only the direction changes. Almost anything can be marshalled in this way, but not objects. Therefore objects can only be passed to a method ByRef (VB allows ByVal, but will ignore this). It is important to minimize the number of round trips in your applications, they affect performance heavily! Usually the proxy/stub layer is implemented by OLEAUT32.DLL, but it is possible to have custom marshallers as well.<br><br>Think of Proxy-Stub as the communications vehicle between a client (e.g. application on a workstation computer) and a server (e.g. dll on a server computer).  The proxy, which resides on the client computer, is a representation of the dll on the server machine.  The client application thinks that it is dealing directly with the dll on the server machine, but in fact it is working with the proxy.  The proxy then marshals the information to the stub that is on the server.  
The dll on the server interacts with the stub, and thinks that it is dealing directly with the client. <br><br>So the long and the short of it is that the proxy-stub is used to accomplish distributed computing by making it look to each side like they are directly interacting, when in fact the proxy and stub are taking care of the interaction and marshalling of data and calls over the network.  I believe Microsoft calls this "Location Transparency". <br><br>I hope this addresses your question.  It's possible to get lost in the terminology here.  I tried to use the word computer where I was specifically referring to a machine and used the words client and server when referring to software components on those machines.<br><br>then in the update process this is in the log..<br><br> 2456 1b0 Checking for different Redirector at: <br>&raquo;<A HREF="http://download.windowsupdate.com/msdownload/update/v5/redir/wuredir.cab" >download.windowsupdate.com/msdow&middot;&middot;&middot;edir.cab</A><br><br>C:\WINDOWS\system32\wups.dll is: 5,4,3790,2182<br>2456 1b0 Binary: C:\WINDOWS\system32\wups.dll: <br>Target version: 5.4.3790.2182 Required: 5.4.3790.2182<br><br>and was reading tonight about this..<br><br>I'm experimenting with Win2k DNS in preparation for an installation. At the moment, I have a Win2k DNS server running in house, but no active directory yet.  I also have an NT4 box running Proxy 2.0.  Basically, I have set our internal DNS domain name exactly the same as our ISP hosted external DNS domain name (e.g. ourdomain.co.uk).  The proxy server is connected to the LAN and has an ISDN TA (i.e. demand dial). I have put an A record entry on our internal DNS server which points www.ourdomain.co.uk to the IP address our ISP is using to host our web site. This all works fine, but I don't understand why!!!  
When a client requests www.ourdomain.co.uk in a web browser, obviously it goes off to our internal DNS server and successfully resolves to the external IP address (I know this is the case because the IP address appears in the bottom part of the screen in the web browser BEFORE the proxy server brings the ISDN line up).  What I don't understand is how the client actually manages to get to our external website after being given the correct IP address by our internal DNS server. I think this is due to my fundamental lack of understanding of how client side proxy settings work.  This even works successfully if the winsock proxy client is disabled, and I only have the proxy settings configured in IE's proxy connection area (i.e. web proxy only). Could someone please enlighten me?  Also, does ISA server work in exactly the same way?<br><br>You have set up your internal DNS to provide the external IP for the external name.  When the Proxy client tries to get to an address that is not local (not in the LAT) the proxy stub on the client talks to Proxy server, which then lets the client out, which if needed will raise the ISDN line.  Since this is a web client browsing, the Winsock proxy is not used.  ISA includes proxy ability, but it is a much different product.<br><br>Thanks Roger.  I'd been mulling it over since my post and came to the conclusion that the LAT is how the client side proxy functionality decides what IP addresses to go out to the Internet for (as opposed to DNS names). I was getting confused with all the talk about DNS forwarders, "." zones, etc, etc, when at the end of the day it's a basic IP thing.<br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11872667</guid>
<pubDate>Mon, 15 Nov 2004 23:09:05 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11872440</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Hello Name Game:<br><br>You asked:<br><br>Q) <I><B>"So I have a question for you..since your ISP tells you they do not use that IP to do any DNS..when you click on a domain name link you have on your system..what is the IP of the server that did do the DNS resolve..did that also show up..or just the two you mentioned above?"</B></I><br><br>Answer) The two techs at CableOne (my ISP) said it only uses its own DNS servers.  The two CableOne DNS servers are both in the 24.xxx.xxx.x range.  If they go to others it is not transparent to me from here. <br>-----------------<br><br>Interestingly, this thread was started back on October 23rd.<br><br>My router logs go back to November 2nd and now show no outbound connections to IP 67.72.4.93 or 67.72.4.94.  That outbound traffic at startup stopped sometime between October 23rd and November 1st. <br><br>However, others usually identified as Akamai appear to have taken their place - both at startup and throughout the browser session.<br><br>For Example, this browser's session on 11-15-2004 shows many to 63.214.191.232; 63.214.191.238; 63.214.191.233; 205.161.4.156, 157, 163, & 168.  <br><br>Don't know if this is what you had in mind, but it is all the information I have on it at the moment. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11872440</guid>
<pubDate>Mon, 15 Nov 2004 22:45:18 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11870072</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> : Sandpiper's Footprint is based on HTTP redirection. When a request for a URL download arrives at your server, Footprint redirects the request to the Footprint Distributor nearest the request. That Distributor downloads the requested URL and caches it and all of its resources for subsequent requests from Web users in the vicinity.<br><br>Web pages are increasingly dynamic, so some say caching won't work. Sandpiper disagrees. Web publishers can identify which of their URLs should be cached. Even dynamic pages have many resources that are not dynamic -- images for example. Sandpiper reports that on average, 95 percent of Web content ends up being cached.<br><br>But Web publishers need to know who is hitting their pages, so some say caching won't work. Sandpiper says it keeps track of hits to cached URLs and return results, so advertisers can be billed for page views and other metrics of activity.<br><br>Sandpiper charges for its Footprint service according to the bandwidth its customers reserve and then use. When capacity reservations are exceeded, additional downloads are not redirected to Footprint Distributors, but are left on your servers, so you will know for sure that you have to order more Footprint capacity. This would be like increasing the press run at a printing plant.<br><br>Sandpiper's Footprint service looks like a winner. For example, it's easy to try. Sign up, drop a Migrator on your network, and see how much your user's responsiveness improves.<br><br>Footprint Migrator software runs on a variety of platforms including Sun Solaris, Microsoft Windows NT, Red Hat Linux, and SCO OpenServer. 
Sandpiper's Footprint service uses Solaris for its Distributors, despite Microsoft's recently announced commitment to ship NT 5.0 with 23x6 availability.<br><br>&raquo;<A HREF="http://www.infoworld.com/cgi-bin/displayNew.pl?/metcalfe/981012bm.htm" >www.infoworld.com/cgi-bin/displa&middot;&middot;&middot;12bm.htm</A><br><br>So I have a question for you..since your ISP tells you they do not use that IP to do any DNS..when you click on a domain name link you have on your system..what is the IP of the server that did do the DNS resolve..did that also show up..or just the two you mentioned above ?<br><br>Availability and description of the Port Reporter tool<br><br>&raquo;<A HREF="http://support.microsoft.com/?id=837243" >support.microsoft.com/?id=837243</A><br><br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> <br>Missing Kids<br>&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11870072</guid>
<pubDate>Mon, 15 Nov 2004 18:15:06 EDT</pubDate>
</item>

<item>
<title>Re: ID Serve &#x26; Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11869766</link>
<description><![CDATA[<A HREF="/useremail/u/1109451"><b>bthielen</b></A> : Check out <br>&raquo;<A HREF="http://headers.bragger.net/info/footprintdistributor.html" >headers.bragger.net/info/footpri&middot;&middot;&middot;tor.html</A><br><br>Leads to sandpiper.net then this..<br>&raquo;<A HREF="http://www.cw.com/about_us/company_profile/regional/1_7_35_7a.html" >www.cw.com/about_us/company_prof&middot;&middot;&middot;_7a.html</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11869766</guid>
<pubDate>Mon, 15 Nov 2004 17:42:46 EDT</pubDate>
</item>

<item>
<title>Re: ID Serve &#x26; Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11685995</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : WiseGuy and Zeus:<br><br>Thanks again.  Sorry this turned into such a long dialog, but each post resulted in new learning (for me, at least).<br>----------------<br>Wise Guy:<br><br>I turned Windows Updates off and on without rebooting as you suggested.  Kept TCPview on top to see what happened in real time.  Three IP's appeared:<br><br>Two to MSFT at 64.4.23.156 which is ID'd as v5.windowsupdate.microsoft.com in my router logs.<br><br>And then one to 67.72.120.62 which is ID'd as "Footprint Distributor" by the <B>GRC ID Serve</B> utility you suggested.<br><br>That's a neat little tool.  Thanks for recommending it.<br>--------------<br><br>BlitzenZeus:<br><br>Once again, you are right on from the start.  <br><br>The exercises since your first post confirm the outbound to IP 67.72.4.94 is connected to MSFT Windows AutoUpdates using Level Three and what turned the third party servers - "Footprint".<br><br><B>TCPview</B> caught it in action just as you said it would.<br><br>Thanks Everyone.<br>------------------<br><br>Mods - looks like we are done here with this one.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11685995</guid>
<pubDate>Mon, 25 Oct 2004 18:39:40 EDT</pubDate>
</item>

<item>
<title>Re: ID Serve &#x26; Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11685776</link>
<description><![CDATA[<A HREF="/useremail/u/128384"><b>BlitzenZeus</b></A> : PID 0 is actually a port waiting to timeout for its next use, the program that was listening is no longer bound to that port, and these are just past connections, however they do not show which program was listening.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11685776</guid>
<pubDate>Mon, 25 Oct 2004 18:17:20 EDT</pubDate>
</item>

<item>
<title>Re: ID Serve &#x26; Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11685750</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> :  <div class="bquote"><SMALL>said by Spooler:</SMALL><br><br>Also turned AutoUpdates off & back on and rebooted.<br> </DIV>I didn't need to reboot, I hit apply (WinXP Home) and it immediately checked for Updates, disabled it, waited a couple of minutes and selected "Notify me but..." again and it connected out again.<br><br>I believe PID 0 is normally System Idle process.<br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11685750</guid>
<pubDate>Mon, 25 Oct 2004 18:14:36 EDT</pubDate>
</item>

<item>
<title>ID Serve &#x26; Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11685351</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Well, thanks again, Dr. S & WiseGuy:<br><br>Went to GRC and downloaded ID serve as suggested.  It clearly confirms the ID of the IP in Question as a "Footprint" site.<br>(see above)  Thanks for that tool.<br><br>Also turned AutoUpdates off & back on and rebooted.<br><br>Computer went to home page first (Yahoo), then to ZA sites, then to 81.52.249.182 which is identified as an Akamai site.  Perhaps AutoUpdates was using Akamai that time rather than Level 3.<br><br>TCPview showed that site and "System"0 for a while then it disappeared from view.<br><br>Raises a new issue though, and that is:<br>What is the Process reported as "System 0" in TCPview where it normally reports the Service and PID?<div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4"><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/11685351?c=699133&ret=L2ZvcnVtL3IxMTY4MjQyMS54bWw%3D"><IMG TITLE="30915 bytes" BORDER=0 WIDTH=554 HEIGHT=285 SRC="/r0/download/699133~d20903455392589c534fdd27fbbc4ad3/GRCIDServe10252004.JPG"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11685351</guid>
<pubDate>Mon, 25 Oct 2004 17:32:55 EDT</pubDate>
</item>

<item>
<title>Checking Automatic Update</title>
<link>http://www.dslreports.com/forum/remark,11682421</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : OK had some time to do a couple of tests and check some tools.<br><br>You can try turning off automatic update, and then turning it back on, this should cause it to check for updates and may tell you if it is what is causing the connection. When I did this several times, Port Reporter recorded svchost connecting each time to three IPs, in one of the updates the last was a Footprint Server on the Level 3 network. <br>64.152.17.157<br><br>If that doesn't confirm it, you can install and run Port Reporter it may provide enough information to figure it out.<br><br>&raquo;<A HREF="http://support.microsoft.com/default.aspx?kbid=837243" >support.microsoft.com/default.as&middot;&middot;&middot;d=837243</A><br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11682421</guid>
<pubDate>Mon, 25 Oct 2004 11:27:11 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11682013</link>
<description><![CDATA[<A HREF="/useremail/u/436079"><b>DrStrange</b></A> : I used NetDemon, but if you're just looking for a server ID, IDServe is a lot prettier.<br><br>&raquo;<A HREF="http://www.netdemon.net/" >www.netdemon.net/</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11682013</guid>
<pubDate>Mon, 25 Oct 2004 10:30:36 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11681476</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> :  <div class="bquote"><SMALL>said by Spooler:</SMALL><br><br>Would you explain what you ran to get the information shown? </DIV>A quick and easy way to get this information would be to use ID serve.<br><br>&raquo;<A HREF="http://www.grc.com/id/idserve.htm" >www.grc.com/id/idserve.htm</A><br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11681476</guid>
<pubDate>Mon, 25 Oct 2004 08:59:44 EDT</pubDate>
</item>

<item>
<title>Re: GHP = Generic Host Process = svchost.exe &#x26; mor</title>
<link>http://www.dslreports.com/forum/remark,11680662</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : NetFixer:<br><br>Thank you for the explanation.  I follow your posts here and frequently learn from them.<br><br>I'm out for the night here and it's even later where you & Dr. Strange are.<br><br>Back tomorrow if any more is here.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680662</guid>
<pubDate>Mon, 25 Oct 2004 03:15:18 EDT</pubDate>
</item>

<item>
<title>Re: GHP = Generic Host Process = svchost.exe &#x26; mor</title>
<link>http://www.dslreports.com/forum/remark,11680652</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> :  <div class="bquote"><SMALL>said by Spooler:</SMALL><br><br><B>NetFixer</B>:<br><br>I did not follow or understand what you did above in your longer post.  Could you explain?  <br> </DIV>First, I made a passive port 80 TCP connection to IP address 67.72.4.94 and got back a timeout error reply from an application called "squid" which is a proxy server.<br><br>Next, I emulated a web browser connection by sending the string "GET / HTTP/1.1". This time the error message was that it was unable to redirect the request to IP address 67.72.4.70 on port 8808, also an indication that the original IP address hosted a proxy server. Probes to IP address 67.72.4.70 produced similar results.<br><br>The first passive connection also returned a reference to footprint.net, so I did a nslookup for any DNS information on that domain name. The results only showed MX records (email servers) registered to exodus.net. I considered this to be a bit suspicious since most domain names would have at least one "A" (address) record. Since many ISPs are now blocking the normal SMTP (email protocol) port 25 traffic, it would make sense that a spambot which detected that your ISP blocked port 25 might resort to using a proxy server to send spam. 
A proxy server can be used to change the destination IP address and/or the TCP port in order to bypass a firewall (in this case, your ISP's firewall).<br><br>As I said in my original disclaimer, without actually seeing the transactions, this is speculation and your symptom may indeed be something innocuous such as the MS autoupdate using a caching proxy server (providing cached data is another use for a proxy server).<br><SMALL>--<br>I never found the companion that was so companionable as solitude.<BR>The man who goes alone can start today; but he who travels with another must wait till that other is ready, and it may be a long time before they get off.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680652</guid>
<pubDate>Mon, 25 Oct 2004 03:10:00 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11680627</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Dr. Strange:<br><br>Would you explain what you ran to get the information shown?<br><br>It's over my head how you did it and it looks like a useful thing to know.<br><br>Thank you.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680627</guid>
<pubDate>Mon, 25 Oct 2004 02:58:47 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11680619</link>
<description><![CDATA[<A HREF="/useremail/u/436079"><b>DrStrange</b></A> : --- 10/25/04 02:45:43 Eastern Daylight Time<br>--- reading URL 67.72.4.94<br>--- contacting host [67.72.4.94] on port 80<br><br>HTTP/1.1 404 Not Found<br>Date: Mon, 25 Oct 2004 06:45:48 GMT<br>Content-Length: 159<br>Content-Type: text/html<br><STRONG>Server: Footprint Distributor V3.0</STRONG><br>Connection: close<br><br><br>404 File Not Found<br>File Not Found<br>The requested URL, "http://67.72.4.68:8808/", is not available.<br><br><br>--- connection closed<br><br>-----------------------------------------------------------<br><br>I haven't the foggiest idea who's using it or what they're using it for. I just know how it identifies itself.<br><br>Microsoft would be a likely customer, but not the only likely one.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680619</guid>
<pubDate>Mon, 25 Oct 2004 02:54:12 EDT</pubDate>
</item>

<item>
<title>For Dr. Strange</title>
<link>http://www.dslreports.com/forum/remark,11680541</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Just did a Google search on "Sandpiper Networks Footprint".<br><br>Sounds like they are a content caching company, perhaps.<br>(like Akamai?)<br><br>When I ran DNS searches on the IP, they all simply came up "Level 3 - unknown".  The one that dug deepest said the site was in Irving, Texas rather than in Colorado, but that's all I could get on the address.<br><br>How did you determine 67.72.4.94 is one of their storage sites?<br><br>If they are a Sandpiper storage site, question remains why the weekly connects to them at startup?<br><br>Do you concur with BlitzenZeus that the IP address is to a site used by MSFT in connection with Windows Updates?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680541</guid>
<pubDate>Mon, 25 Oct 2004 02:31:24 EDT</pubDate>
</item>

<item>
<title>GHP = Generic Host Process = svchost.exe &#x26; more</title>
<link>http://www.dslreports.com/forum/remark,11680494</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : <B>NetFixer, and WiseGuy:</B><br><br>GHP was my shorthand for Generic Host Process or Svchost.exe.<br>That was the program/service connecting to 67.72.4.94.<br><br>As mentioned above, it has been showing up as an outbound connection right after startup about once a week for the past thirty days.<br><br>I've been trying to isolate connections using TCPview as BlitzenZeus suggested in attempts to learn which connections are what.<br><br>Since the 67.72.4.94 is not showing up every restart, it is hard to tell if it is Windows Updates for certain by disabling the updates for a one-time or even one day test.<br>-------------------<br><B>Dr. Strange</B> & others:<br><br>What is "Sandpiper Networks Footprint" Distributor?  <br><br>Why would my computer be connecting to it at start-up on a periodic basis?<br>-------------------<br><B>NetFixer</B>:<br><br>I did not follow or understand what you did above in your longer post.  Could you explain?  <br><br>Thanks.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11680494</guid>
<pubDate>Mon, 25 Oct 2004 02:16:32 EDT</pubDate>
</item>

<item>
<title>Re: What is GHP???</title>
<link>http://www.dslreports.com/forum/remark,11672093</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : I've never seen it that way before, but since what I expected  as the answer matches,<br><br>My guess is ;-)<br><br>Generic Host Process for Win32 Services or svchost.exe<br><br>Certainly seems as if it is Windows Update. He could try to sniff the connection with Ethereal, and check the DNS lookups, or maybe turn off Automatic Update and see if it goes away. <br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11672093</guid>
<pubDate>Sat, 23 Oct 2004 23:33:29 EDT</pubDate>
</item>

<item>
<title>What is GHP???</title>
<link>http://www.dslreports.com/forum/remark,11672034</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> :  <div class="bquote"><SMALL>said by Spooler:</SMALL><br><br>According to ZoneAlarm logs, the process used is GHP.  The port is 80 on the remote IP address. </DIV>I give up, I just did Google, Yahoo and Microsoft searches for GHP, but I could find nothing which looked like a software module or product. What is GHP???<br><SMALL>--<br>I never found the companion that was so companionable as solitude.<BR>The man who goes alone can start today; but he who travels with another must wait till that other is ready, and it may be a long time before they get off.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11672034</guid>
<pubDate>Sat, 23 Oct 2004 23:24:01 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11670697</link>
<description><![CDATA[<A HREF="/useremail/u/436079"><b>DrStrange</b></A> : Sandpiper Networks Footprint Distributor]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670697</guid>
<pubDate>Sat, 23 Oct 2004 20:22:07 EDT</pubDate>
</item>

<item>
<title>TCPview</title>
<link>http://www.dslreports.com/forum/remark,11670439</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Thanks, Zeus.  Will try TCPview.<br><br>Appreciate the help and education from all of you.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670439</guid>
<pubDate>Sat, 23 Oct 2004 19:43:56 EDT</pubDate>
</item>

<item>
<title>Re: Windows updates?</title>
<link>http://www.dslreports.com/forum/remark,11670368</link>
<description><![CDATA[<A HREF="/useremail/u/128384"><b>BlitzenZeus</b></A> : They have been using their servers for quite some time to take the stress away from their own servers, and also there have been worms that attacked their fixed IP address update servers so the servers are on dynamic IP addresses now.<br><br>A program like <A HREF="http://www.sysinternals.com/ntw2k/source/tcpview.shtml">TCPView</A> will tell you which program is making the connections if you can catch it in the act.  XP uses svchost.exe to check for updates.<br><SMALL>--<br><B>My hourly rates:</B><BR>$25 per hour.<BR>$35 per hour if you want to watch.<BR>$45 per hour if you want to help.<BR>$75 per hour if you tried to fix it, and failed.<BR><B>The biggest error is sitting in front of your keyboard.</B></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670368</guid>
<pubDate>Sat, 23 Oct 2004 19:33:56 EDT</pubDate>
</item>

<item>
<title>Windows updates?</title>
<link>http://www.dslreports.com/forum/remark,11670282</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : BlitzenZeus asked:<I><br>"Do you have Windows Auto Update enabled? They use level3.net, and Akamai for farming their bandwidth."</I><br>---------------<br>Yes, Zeus, Windows Updates is enabled to "Notify Only".<br><br>Do you think this Level 3 connection is to it?<br><br>In the past, other outbound connections to Williams Communications Group at 69.45.78.152 that I could not identify.  Would they have also been Windows Updates?<br><br>For some reason, I had thought windows updates would have been to Microsoft's own IP addresses in the 207.46.xx.xx ranges.  That was wrong, huh?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670282</guid>
<pubDate>Sat, 23 Oct 2004 19:18:48 EDT</pubDate>
</item>

<item>
<title>Re: Name Game, WiseGuy, &#x26; NetFixer</title>
<link>http://www.dslreports.com/forum/remark,11670200</link>
<description><![CDATA[<A HREF="/useremail/u/128384"><b>BlitzenZeus</b></A> : Do you have Windows Auto Update enabled?  They use level3.net, and Akamai for farming their bandwidth.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670200</guid>
<pubDate>Sat, 23 Oct 2004 19:05:07 EDT</pubDate>
</item>

<item>
<title>Name Game, WiseGuy, &#x26; NetFixer</title>
<link>http://www.dslreports.com/forum/remark,11670142</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Thank you for your responses earlier today.  I've been trying to follow up on some of your suggestions<br>and on the phone to my ISP.<br><br>1) This is not my ISP's DNS server and they said they don't use others so it doesn't appear to be that.<br><br>2) According to ZoneAlarm logs, the process used is GHP.  The port is 80 on the remote IP address.<br><br>3) Over last 30 days, there have been six instances of this outbound traffic on 9-26,10-7,10-12(2),10-17,& 10-23.<br><br>4) All were 67.72.4.93 or 67.72.4.94.  True DNS Lookup says they are within a Level 3 block of IP addresses<br>and that these two are both out of Irving, Texas.<br><br>5) McAfee AV scans, TrendMicro Housecall scans, AdAware scans, Spybot scans, HiJackThis scans, and TDS-3 scans are all clear.<br><br>6) I don't use a proxy server other than the ad-blocker, WebWasher.<br><br>7) Most updates I do are done manually.  Except for: Microsoft Windows Updates, Windows Time Updates, and ZoneAlarm which is set to check for new virus dat updates from McAfee.  Is this by chance where their updates are stored or an ad image storage point like Akamai?<br><br>8) I doubted it was Akamai because other IPs that are Akamai storage sites seem to clearly identify themselves as that.<br><br>Anything else you can suggest to track this down?<br><br>And, if nothing else, how can I shrink the blank portions of captures posted.  The above capture is as small as I could get the margins using Paint.  <div class="borderless"><TABLE WIDTH=95% align=center border=0 CELLPADDING=4><TR><TD ALIGN=CENTER VALIGN=CENTER BGCOLOR=#000000 nwrap COLSPAN=3 WIDTH=100%><A HREF="/speak/slideshow/11670142?c=697975&ret=L2ZvcnVtL3IxMTY4MjQyMS54bWw%3D"><IMG TITLE="15154 bytes" BORDER=0 WIDTH=512 HEIGHT=384 SRC="/r0/download/697975~4a4df61ff50f0825f93a7b0162f7948b/67.72.4.9394outbound.JPG"></A></TD></TABLE></div>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11670142</guid>
<pubDate>Sat, 23 Oct 2004 18:55:51 EDT</pubDate>
</item>

<item>
<title>Ronnie_USA&#x27;s posts</title>
<link>http://www.dslreports.com/forum/remark,11668765</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : Ronnie said:<I><br>"Yes I see that.<br>But when I posted what I did, Here is all it said:<br>What is 67.72.4.94?<br>At StartUp, router logs report outbound to 67.72.4.94."</I><br>------------<br>Interesting you got only half the original post.  I paused for awhile thinking about posting a capture of the router logs or just stating what was going on with a text copy of the DNS lookup results.<br><br>Don't know how you got only half the post once it posted though.  Maybe it uploaded twice or perhaps a glitch in your first download.<br><br>Either way, thanks for the reply.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11668765</guid>
<pubDate>Sat, 23 Oct 2004 15:22:51 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11668151</link>
<description><![CDATA[<A HREF="/useremail/u/1030204"><b>NetFixer</b></A> : It appears to be a proxy server.<br><br>When doing a blind port 80 connect, the following is returned:<br><div class="code"><PRE><span class="codetext">&lt;HTML&gt;<br>&lt;HEAD&gt;<br>&lt;TITLE&gt;ERROR: The requested URL could not be retrieved&lt;/TITLE&gt;<br>&lt;/HEAD&gt;<br>&lt;BODY&gt;<br>&lt;H1&gt;ERROR&lt;/H1&gt;<br>&lt;H2&gt;The requested URL could not be retrieved&lt;/H2&gt;<br>&lt;HR&gt;<br>&lt;P&gt;<br>While trying to retrieve the URL: &lt;A HREF="N/A"&gt;N/A&lt;/A&gt;<br>&lt;P&gt;<br>The following error was encountered:<br>&lt;UL&gt;<br>    &lt;LI&gt;<br>        &lt;STRONG&gt;<br>        Connection Lifetime Expired<br>        &lt;/STRONG&gt;<br>    &lt;/UL&gt;<br>&lt;P&gt;<br>Squid has terminated the request because it has exceeded the maximum connection lifetime.<br>&lt;/P&gt;<br>&lt;a href="http://www.footprint.net"&gt;Footprint 3.0/FPMCP&lt;/a&gt;&lt;br clear="all"&gt;<br>&lt;hr noshade size=1&gt;<br>Generated Sat, 23 Oct 2004 17:27:52 GMT by 67.72.4.94<br>(&lt;a href="http://www.footprint.net"&gt;Footprint 3.0/FPMCP&lt;/a&gt;)<br>&lt;/BODY&gt;<br>&lt;/HTML&gt;<br></SPAN></PRE></DIV><br>When doing a port 80 connect and sending "GET / HTTP/1.1", the following is returned:<br><div class="code"><PRE><span class="codetext">&lt;HTML&gt;<br>&lt;HEAD&gt;<br>&lt;TITLE&gt;505 HTTP Version Not Supported&lt;/TITLE&gt;<br>&lt;BODY&gt;<br>&lt;H1&gt;HTTP Version Not Supported&lt;/H1&gt;<br>The requested URL, "http://67.72.4.70:8808/", cannot be accessed using your current browse<br> *r.<br>&lt;P&gt;<br>&lt;/BODY&gt;<br>&lt;/HTML&gt;<br><br>(*) WARNING 1 long line(s) split<br></SPAN></PRE></DIV><br>Also, since footprint.net appears to be a mail server based on the nslookup information shown below, it is possibly a mail proxy. You may want to check your system to make sure it has not been converted to a spambot. 
I know that SAVVIS is a legitimate company, but it would not be the first time that a legitimate company's server(s) had also been hijacked by spammers.<br><br><div class="code"><PRE><span class="codetext">nslookup -querytype=any footprint.net tlngahp-pub-ns1.covad.net<br>Server:  atlngahp-pub-ns1.covad.net<br>Address:  64.105.202.138<br> <br>Non-authoritative answer:<br>footprint.net   MX preference = 10, mail exchanger = mx01.exodus.net<br>footprint.net   MX preference = 10, mail exchanger = mx02.exodus.net<br>footprint.net   MX preference = 5, mail exchanger = mx.exodus.net<br>footprint.net   nameserver = ns2.footprint.net<br>footprint.net   nameserver = ns3.footprint.net<br>footprint.net   nameserver = ns4.footprint.net<br>footprint.net   nameserver = ns5.footprint.net<br>footprint.net   nameserver = ns6.footprint.net<br>footprint.net   nameserver = ns7.footprint.net<br>footprint.net   nameserver = ns8.footprint.net<br>footprint.net   nameserver = ns9.footprint.net<br>footprint.net   nameserver = ns1.footprint.net<br> <br>footprint.net   nameserver = ns7.footprint.net<br>footprint.net   nameserver = ns8.footprint.net<br>footprint.net   nameserver = ns9.footprint.net<br>footprint.net   nameserver = ns1.footprint.net<br>footprint.net   nameserver = ns2.footprint.net<br>footprint.net   nameserver = ns3.footprint.net<br>footprint.net   nameserver = ns4.footprint.net<br>footprint.net   nameserver = ns5.footprint.net<br>footprint.net   nameserver = ns6.footprint.net<br>ns1.footprint.net       internet address = 206.24.190.6<br>ns2.footprint.net       internet address = 64.152.81.68<br>ns3.footprint.net       internet address = 63.208.106.68<br>ns4.footprint.net       internet address = 67.72.120.47<br>ns5.footprint.net       internet address = 210.158.219.50<br>ns6.footprint.net       internet address = 203.89.237.100<br>ns7.footprint.net       internet address = 209.247.108.228<br></SPAN></PRE></DIV><br>Of course without knowing the context of what application is 
accessing that server and what port/protocol it is using, this is just speculation.<br><br><SMALL>--<br>I never found the companion that was so companionable as solitude.<BR>The man who goes alone can start today; but he who travels with another must wait till that other is ready, and it may be a long time before they get off.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11668151</guid>
<pubDate>Sat, 23 Oct 2004 14:02:33 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11668108</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : Hi Name Game, <br><br>I used NSlookup and tried a DNS lookup with that IP as the server and didn't get any response. That does not mean it is not a DNS server since it might not respond to IPs outside a range. Also since ZA connects outbound first I would think that connection might be to the DNS server.<br><br>When I try an HTTP connection, according to "ID Serve" the server id is  "Footprint Distributor V3.0". A write up on <A HREF="http://www.infoworld.com/cgi-bin/displayArchive.pl?/98/41/o11-41.120.htm">this</A> indicates it is some type of caching server<br> <BLOCKQUOTE><SMALL>said by BOB METCALFE InfoWorld:</SMALL><HR>Sandpiper's Footprint is based on HTTP redirection. When a request for a URL download arrives at your server, Footprint redirects the request to the Footprint Distributor nearest the request. That Distributor downloads the requested URL and caches it and all of its resources for subsequent requests from Web users in the vicinity. <HR></BLOCKQUOTE><br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11668108</guid>
<pubDate>Sat, 23 Oct 2004 13:56:58 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667917</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> :  <div class="bquote"><SMALL>said by  TheWiseGuy <A HREF="/useremail/u/653770"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><br><br>What are the Ports and protocol? Can you check what program is trying to connect?<br><br>I believe some of the major corps use Level3 as caching servers for Updates. <br> </DIV>Yup could even be an update thingie..but will confide even for me over the last few days one of my ISP's started to connect on 64.136.29.180 for start up even though home page was set to about:blank and I heard that many other ISP were having a bit of a go with their standard name look up methods..but all seems to be settled down today.<br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667917</guid>
<pubDate>Sat, 23 Oct 2004 13:34:26 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667358</link>
<description><![CDATA[<A HREF="/useremail/u/653770"><b>TheWiseGuy</b></A> : What are the Ports and protocol? Can you check what program is trying to connect?<br><br>I believe some of the major corps use Level3 as caching servers for Updates. <br><SMALL>--<br>Dog and Butterfly</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667358</guid>
<pubDate>Sat, 23 Oct 2004 12:12:04 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667133</link>
<description><![CDATA[<A HREF="/useremail/u/655093"><b>Name Game</b></A> :  <div class="bquote"><SMALL>said by  Terikan <A HREF="/useremail/u/1089183"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>:</SMALL><br><br>well, he posted half of that in his original post... and that doesn't tell us any more about it unfortunately.<br> </DIV>It tells you everything  :D..his pc is resolving DNS via that server..what he did not tell us is what process or application he has running in software or firmware setup to do it..but then you would also have to know just how his ISP handles it all..if he does not have something internal on his system to resolve the look up without going out of the box.<br><SMALL>--<br>Gladiator Security Forum  &raquo;<A HREF="http://www.gladiator-antivirus.com/" >www.gladiator-antivirus.com/</A> Missing Kids&raquo;<A HREF="http://www.missingkids.com/" >www.missingkids.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667133</guid>
<pubDate>Sat, 23 Oct 2004 11:40:46 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667116</link>
<description><![CDATA[<A HREF="/useremail/u/658856"><b>javaMan</b></A> : SBC contracts with Level 3 to handle their broadband.  It's probably contacting the DNS servers or something similar.  In other words, nothing to stress about.<br><SMALL>--<br>Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667116</guid>
<pubDate>Sat, 23 Oct 2004 11:38:36 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667067</link>
<description><![CDATA[<A HREF="/useremail/u/885126"><b>Ronnie_USA</b></A> : Yes I see that.<br>But when I posted what I did, Here is all it said: <br>	What is 67.72.4.94?<br><br>At StartUp, router logs report outbound to 67.72.4.94.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667067</guid>
<pubDate>Sat, 23 Oct 2004 11:30:28 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11667051</link>
<description><![CDATA[<A HREF="/useremail/u/1089183"><b>Terikan</b></A> : well, he posted half of that in his original post... and that doesn't tell us any more about it unfortunately.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11667051</guid>
<pubDate>Sat, 23 Oct 2004 11:27:57 EDT</pubDate>
</item>

<item>
<title>Re: What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11666628</link>
<description><![CDATA[<A HREF="/useremail/u/885126"><b>Ronnie_USA</b></A> : Here is who it is:<br><br>WHOIS results for 67.72.4.94<br>Generated by www.DNSstuff.com<br><br>Country: UNITED STATES<br><br>NOTE: More information appears to be available at LC-ORG-ARIN.<br><br>Using 24 day old cached answer (or, you can get fresh results).<br>Hiding E-mail address (you can get results with the E-mail address).<br><br>OrgName:    Level 3 Communications, Inc. <br>OrgID:      LVLT<br>Address:    1025 Eldorado Blvd.<br>City:       Broomfield<br>StateProv:  CO<br>PostalCode: 80021<br>Country:    US<br><br>NetRange:   67.72.0.0 - 67.75.255.255 <br>CIDR:       67.72.0.0/14 <br>NetName:    LC-ARIN-4BLK<br>NetHandle:  NET-67-72-0-0-1<br>Parent:     NET-67-0-0-0-0<br>NetType:    Direct Allocation<br>NameServer: NS1.LEVEL3.NET<br>NameServer: NS2.LEVEL3.NET<br>Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE<br>RegDate:    2002-08-15<br>Updated:    2004-01-28<br><br>TechHandle: LC-ORG-ARIN<br>TechName:   level Communications <br>TechPhone:  +1-877-453-8353<br>TechEmail:  ************@level3.com <br><br>OrgAbuseHandle: APL8-ARIN<br>OrgAbuseName:   Abuse POC LVLT <br>OrgAbusePhone:  +1-877-453-8353<br>OrgAbuseEmail:  *****@level3.com<br><br>OrgTechHandle: TPL1-ARIN<br>OrgTechName:   Tech POC LVLT <br>OrgTechPhone:  +1-877-453-8353<br>OrgTechEmail:  ************@level3.com<br><br>OrgTechHandle: ARINC4-ARIN<br>OrgTechName:   ARIN Contact <br>OrgTechPhone:  +1-800-436-8489<br>OrgTechEmail:  ************@genuity.com<br><br># ARIN WHOIS database, last updated 2004-09-27 19:10<br># Enter ? for additional hints on searching ARIN's WHOIS database.<br><br>[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.<br><br>(C) Copyright 2000-2004 R. Scott Perry]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11666628</guid>
<pubDate>Sat, 23 Oct 2004 10:07:24 EDT</pubDate>
</item>

<item>
<title>What is 67.72.4.94?</title>
<link>http://www.dslreports.com/forum/remark,11666591</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> : At startup, router logs report outbound to 67.72.4.94.<br><br>DNS search for that address says it is from a block owned by Level 3:<br><br>OrgName:    Level 3 Communications, Inc. <br>OrgID:      LVLT<br>Address:    1025 Eldorado Blvd.<br>City:       Broomfield<br>StateProv:  CO<br>PostalCode: 80021<br>Country:    US<br><br>NetRange:   67.72.0.0 - 67.75.255.255 <br>CIDR:       67.72.0.0/14 <br><br>Anyone know what this is and why my comp might be connecting to it at startup after<br>Zone Alarm does its own outbound connection?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,11666591</guid>
<pubDate>Sat, 23 Oct 2004 10:00:11 EDT</pubDate>
</item>

</channel>
</rss>
