Broadband Tech > Security > Security > persistent connection to qw-in-f113.1e100.net on boot

reply to cyb3rl0g

Re: persistent connection to qw-in-f113.1e100.net on boot

reply to gogregor6

said by dsilvers :

---

Add five spaces between 127.0.0.1 and the URL.

---

reply to gogregor6
Just a little FYI for those that don't know, that is 1e1OO.net , ( one e one oh oh dot net , not one e one hundred dot net )

Ignore this info, I have been corrected

You are correct that there is a 1e1oo.net.

Domain Name: 1E1OO.NET
Registrar: MONIKER
Registrant [1530176]:
        Xander Jeduyu info@ALGEBRALIVE.COM
        ALGEBRALIVE
        P.O. Box 523
        7480 Praesent Ave
        Praesent Ave
        BE
        1154AU
        BE
 

Registrant:
        DNS Admin
        Google Inc.
        1600 Amphitheatre Parkway
         Mountain View CA 94043
        US
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571
    Domain Name: 1e100.net
        Registrar Name: Markmonitor.com
        Registrar Whois: whois.markmonitor.com
        Registrar Homepage: »www.markmonitor.com
 

I beleive you are correct, i've been spending some time trying to find out what to block (Blackhole DNS). If I ping 1e100, i get 'Ping request could not find host 1e100.net', if I ping 1e1oo.net the result is 208.73.210.27 - Oversee.net, not matching your results?

I thought Blackhole DNS would work with 1e100.net, but it wasn't working so that's when I thought it was with the O's (still didn't work)

any advice?
--
"You will find that the mere resolve not to be useless, and the honest desire to help other people, will, in the quickest and delicatest ways, improve yourself" -
John Ruskin

I am not sure exactly what you are trying to do, so I am not able to provide any advice.

I think, however, that you may not understand the difference between a domain name and a host name. A domain name is the registered name for a domain, and a domain may contain many subdomains and host names. The domain name itself does not have to have any specific host associated with it, nor is there any requirement for any domain or host to be pingable.

Examples:

C:\>ping 1e100.net
Ping request could not find host 1e100.net. Please check the name and try again.

C:\>ping qw-in-f113.1e100.net

Pinging qw-in-f113.1e100.net [74.125.93.113] with 32 bytes of data:

Reply from 74.125.93.113: bytes=32 time=48ms TTL=44
Reply from 74.125.93.113: bytes=32 time=52ms TTL=47
Reply from 74.125.93.113: bytes=32 time=48ms TTL=44
Reply from 74.125.93.113: bytes=32 time=50ms TTL=47

Ping statistics for 74.125.93.113:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 48ms, Maximum = 52ms, Average = 49ms

C:\>nslookup 1e100.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Name:    1e100.net

C:\>nslookup qw-in-f113.1e100.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    qw-in-f113.1e100.net
Address:  74.125.93.113

C:\>ping 1e1oo.net

Pinging 1e1oo.net [208.73.210.27] with 32 bytes of data:

Reply from 208.73.210.27: bytes=32 time=66ms TTL=236
Reply from 208.73.210.27: bytes=32 time=68ms TTL=239
Reply from 208.73.210.27: bytes=32 time=65ms TTL=236
Reply from 208.73.210.27: bytes=32 time=68ms TTL=239

Ping statistics for 208.73.210.27:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 68ms, Average = 66ms

C:\>nslookup 1e1oo.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    1e1oo.net
Address:  208.73.210.27 

Maybe you should try using the letter O instead of zeros (0).

one e one o o dot net

oh oh

qw-in-f113.1e1oo.net resolves to 208.73.210.27.

C:\>nslookup 1e1oo.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    1e1oo.net
Address:  208.73.210.27

C:\>nslookup qw-in-f113.1e1oo.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    qw-in-f113.1e1oo.net
Address:  208.73.210.27

C:\>nslookup stuff.it.where.the.sun.does.not.shine.1e1oo.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    stuff.it.where.the.sun.does.not.shine.1e1oo.net
Address:  208.73.210.27
 

You're right. I had to check again. My own computer now is connected to 1e100.

vw-in-f100.1e100.net

My bad. It's definitely zeros, not "oh's"
--
'A government big enough to give you everything you want, is strong enough to take everything you have.' -Thomas Jefferson -

I guess it isn't really going anywhere if the domain doesn't work.

C:\>/nslookup Archivis.1e1oo.net
Server:  dcs-srv.dcs-net
Address:  192.168.10.2

Non-authoritative answer:
Name:    Archivis.1e1oo.net
Address:  208.73.210.27

C:\>ping Archivis.1e1oo.net

Pinging Archivis.1e1oo.net [208.73.210.27] with 32 bytes of data:

Reply from 208.73.210.27: bytes=32 time=66ms TTL=236
Reply from 208.73.210.27: bytes=32 time=68ms TTL=239
Reply from 208.73.210.27: bytes=32 time=66ms TTL=236
Reply from 208.73.210.27: bytes=32 time=69ms TTL=239

Ping statistics for 208.73.210.27:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 69ms, Average = 67ms
 

stop pinging me

reply to gogregor6
nevermind

reply to gogregor6
To continue in the same vein as the last few posts in this thread, there is also a leloo.net (el ee el oh oh dot net) domain:

Domain name: leloo.net
Administrative Contact:
   Inside Internet
   Novi Kod (domene@inside.hr)
   +385.12341433
   Fax: +385.12341434
   Cretski Odvojak, 1
   Zagreb,  10000
   HR
 

reply to gogregor6
This persistent connection was driving me crazy. Online Armour (firewall) reported the persistent connections as coming from Avast! (antivirus). However, the source was from Firefox. I guess since the antivirus is hooked into the http traffic, that's how it goes out.

ashWebSv.exe/TCP to qw-in-f113.1e100.net:http. I also see qw-in-f102.1e100.net:http, iad04s01-in-f147.1e100.net:http.

I did some quick research and found that this persistent connection is from Firefox's safe browsing feature. The Mysterious 1e100.net

I unchecked the "Block reported attack sites" and "Block reported web forgeries" choices in the Security tab and most of the persistent connections went away.

In Firefox, do about:config and filter on safebrowsing to see how what Firefox is doing.

Interesting that Thunderbird also connects to 1e100.net when it checks for new mail from my gmail account (Google, smtp.gmail.com is what I entered):

Thunderbird.exe/TCP to qy-in-f109.1e100.net:pop3s

Google is everywhere. Typing text in the search engine box (Google is default) fires up those persistent connections. httpFox showed queries to suggestqueries.google.com.

reply to gogregor6
gogregor6, have you cleared all your cookies from this computer that has these remote connections your talking about? If you disconnect your internet and reboot and use TCPview do you see these connections on start up with no internet access?

just on a side note, I could not help but notice you still use spybot, I would recommend you upgrade to something more modern like SUPERAntiSpyware and Malwarebytes Anti-Malware, anyone here will agree that spybot's time has sorta come and gone. still a useful tool to have mind you, but it's the last one scan with anymore.