  Spooler
@cableone.net
| What is 67.72.4.94?
At startup, router logs report outbound to 67.72.4.94.
DNS search for that address says it is from a block owned by Level 3:
OrgName: Level 3 Communications, Inc. OrgID: LVLT Address: 1025 Eldorado Blvd. City: Broomfield StateProv: CO PostalCode: 80021 Country: US
NetRange: 67.72.0.0 - 67.75.255.255 CIDR: 67.72.0.0/14
Anyone know what this is and why my comp might be connecting to it at startup after Zone Alarm does its own outbound connection? |
|
  Ronnie_USA BigBlueFan Premium join:2003-10-09 Galion, OH
·RoadRunner Cable
·Windstream
| Here is who it is:
WHOIS results for 67.72.4.94 Generated by www.DNSstuff.com
Country: UNITED STATES
NOTE: More information appears to be available at LC-ORG-ARIN.
Using 24 day old cached answer (or, you can get fresh results). Hiding E-mail address (you can get results with the E-mail address).
OrgName: Level 3 Communications, Inc. OrgID: LVLT Address: 1025 Eldorado Blvd. City: Broomfield StateProv: CO PostalCode: 80021 Country: US
NetRange: 67.72.0.0 - 67.75.255.255 CIDR: 67.72.0.0/14 NetName: LC-ARIN-4BLK NetHandle: NET-67-72-0-0-1 Parent: NET-67-0-0-0-0 NetType: Direct Allocation NameServer: NS1.LEVEL3.NET NameServer: NS2.LEVEL3.NET Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2002-08-15 Updated: 2004-01-28
TechHandle: LC-ORG-ARIN TechName: level Communications TechPhone: +1-877-453-8353 TechEmail: ************@level3.com
OrgAbuseHandle: APL8-ARIN OrgAbuseName: Abuse POC LVLT OrgAbusePhone: +1-877-453-8353 OrgAbuseEmail: *****@level3.com
OrgTechHandle: TPL1-ARIN OrgTechName: Tech POC LVLT OrgTechPhone: +1-877-453-8353 OrgTechEmail: ************@level3.com
OrgTechHandle: ARINC4-ARIN OrgTechName: ARIN Contact OrgTechPhone: +1-800-436-8489 OrgTechEmail: ************@genuity.com
# ARIN WHOIS database, last updated 2004-09-27 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database.
(C) Copyright 2000-2004 R. Scott Perry |
|
 Terikan
join:2004-10-07 Russell, KS | reply to Spooler well, he posted half of that in his original post... and that doesn't tell us any more about it unfortunately. |
|
  Ronnie_USA BigBlueFan Premium join:2003-10-09 Galion, OH | reply to Spooler Yes I see that. But when I posted what I did, Here is all it said: What is 67.72.4.94?
At StartUp, router logs report outbound to 67.72.4.94. |
|
  javaMan Premium,MVM join:2002-07-15 San Luis Obispo, CA
| reply to Spooler SBC contracts with Level 3 to handle their broadband. It's probably contacting the DNS servers or something similar. In other words, nothing to stress about. -- Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20 |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| reply to Terikan said by Terikan: well, he posted half of that in his original post... and that doesn't tell us any more about it unfortunately. It tells you everything.. his PC is resolving DNS via that server.. what he did not tell us is what process or application he has running in software or firmware setup to do it.. but then you would also have to know just how his ISP handles it all.. if he does not have something internal on his system to resolve the lookup without going out of the box. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY | reply to Spooler What are the Ports and protocol? Can you check what program is trying to connect?
I believe some of the major corps use Level3 as caching servers for Updates. -- Dog and Butterfly |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by TheWiseGuy: What are the Ports and protocol? Can you check what program is trying to connect? I believe some of the major corps use Level3 as caching servers for Updates. Yup, could even be an update thingie.. but I will confide that even for me, over the last few days one of my ISPs started to connect on 64.136.29.180 at start-up even though the home page was set to about:blank, and I heard that many other ISPs were having a bit of a go with their standard name lookup methods.. but all seems to have settled down today. -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| Hi Name Game,
I used nslookup and tried a DNS lookup with that IP as the server and didn't get any response. That does not mean it is not a DNS server, since it might not respond to IPs outside a range. Also, since ZA connects outbound first, I would think that connection might be to the DNS server.
When I try an HTTP connection, according to "ID Serve" the server ID is "Footprint Distributor V3.0". A write-up on this indicates it is some type of caching server. Said by BOB METCALFE, InfoWorld: Sandpiper's Footprint is based on HTTP redirection. When a request for a URL download arrives at your server, Footprint redirects the request to the Footprint Distributor nearest the request. That Distributor downloads the requested URL and caches it and all of its resources for subsequent requests from Web users in the vicinity.
-- Dog and Butterfly |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
| reply to Spooler It appears to be a proxy server.
When doing a blind port 80 connect, the following is returned:
<HTML> <HEAD> <TITLE>ERROR: The requested URL could not be retrieved</TITLE> </HEAD> <BODY> <H1>ERROR</H1> <H2>The requested URL could not be retrieved</H2> <HR> <P> While trying to retrieve the URL: <A HREF="N/A">N/A</A> <P> The following error was encountered: <UL> <LI> <STRONG> Connection Lifetime Expired </STRONG> </UL> <P> Squid has terminated the request because it has exceeded the maximum connection lifetime. </P> <a href="http://www.footprint.net">Footprint 3.0/FPMCP</a><br clear="all"> <hr noshade size=1> Generated Sat, 23 Oct 2004 17:27:52 GMT by 67.72.4.94 (<a href="http://www.footprint.net">Footprint 3.0/FPMCP</a>) </BODY> </HTML>
When doing a port 80 connect and sending "GET / HTTP/1.1", the following is returned:
<HTML> <HEAD> <TITLE>505 HTTP Version Not Supported</TITLE> <BODY> <H1>HTTP Version Not Supported</H1> The requested URL, "http://67.72.4.70:8808/", cannot be accessed using your current browse *r. <P> </BODY> </HTML>
(*) WARNING 1 long line(s) split
Also, since footprint.net appears to be a mail server based on the nslookup information shown below, it is possibly a mail proxy. You may want to check your system to make sure it has not been converted to a spambot. I know that SAVVIS is a legitimate company, but it would not be the first time that a legitimate company's server(s) had also been hijacked by spammers.
nslookup -querytype=any footprint.net tlngahp-pub-ns1.covad.net Server: atlngahp-pub-ns1.covad.net Address: 64.105.202.138
Non-authoritative answer: footprint.net MX preference = 10, mail exchanger = mx01.exodus.net footprint.net MX preference = 10, mail exchanger = mx02.exodus.net footprint.net MX preference = 5, mail exchanger = mx.exodus.net footprint.net nameserver = ns2.footprint.net footprint.net nameserver = ns3.footprint.net footprint.net nameserver = ns4.footprint.net footprint.net nameserver = ns5.footprint.net footprint.net nameserver = ns6.footprint.net footprint.net nameserver = ns7.footprint.net footprint.net nameserver = ns8.footprint.net footprint.net nameserver = ns9.footprint.net footprint.net nameserver = ns1.footprint.net
footprint.net nameserver = ns7.footprint.net footprint.net nameserver = ns8.footprint.net footprint.net nameserver = ns9.footprint.net footprint.net nameserver = ns1.footprint.net footprint.net nameserver = ns2.footprint.net footprint.net nameserver = ns3.footprint.net footprint.net nameserver = ns4.footprint.net footprint.net nameserver = ns5.footprint.net footprint.net nameserver = ns6.footprint.net ns1.footprint.net internet address = 206.24.190.6 ns2.footprint.net internet address = 64.152.81.68 ns3.footprint.net internet address = 63.208.106.68 ns4.footprint.net internet address = 67.72.120.47 ns5.footprint.net internet address = 210.158.219.50 ns6.footprint.net internet address = 203.89.237.100 ns7.footprint.net internet address = 209.247.108.228
Of course without knowing the context of what application is accessing that server and what port/protocol it is using, this is just speculation.
-- I never found the companion that was so companionable as solitude. The man who goes alone can start today; but he who travels with another must wait till that other is ready, and it may be a long time before they get off. |
|
  Spooler
@cableone.net
| reply to Ronnie_USA Ronnie_USA's posts
Ronnie said: "Yes I see that. But when I posted what I did, Here is all it said: What is 67.72.4.94? At StartUp, router logs report outbound to 67.72.4.94." ------------ Interesting you got only half the original post. I paused for awhile thinking about posting a capture of the router logs or just stating what was going on with a text copy of the DNS lookup results.
Don't know how you got only half the post once it posted though. Maybe it uploaded twice or perhaps a glitch in your first download.
Either way, thanks for the reply. |
|
  Spooler
@cableone.net
| reply to NetFixer Name Game, WiseGuy, & NetFixer
Thank you for your responses earlier today. I've been trying to follow up on some of your suggestions and on the phone to my ISP.
1) This is not my ISP's DNS server and they said they don't use others so it doesn't appear to be that.
2) According to ZoneAlarm logs, the process used is GHP. The port is 80 on the remote IP address.
3) Over last 30 days, there have been six instances of this outbound traffic on 9-26,10-7,10-12(2),10-17,& 10-23.
4) All were 67.72.4.93 or 67.72.4.94. True DNS Lookup says they are within a Level 3 block of IP addresses and that these two are both out of Irving, Texas.
5) McAfee AV scans, TrendMicro Housecall scans, AdAware scans, Spybot scans, HiJackThis scans, and TDS-3 scans are all clear.
6) I don't use a proxy server other than the ad-blocker, WebWasher.
7) Most updates I do are done manually, except for Microsoft Windows Updates, Windows Time Updates, and ZoneAlarm, which is set to check for new virus DAT updates from McAfee. Is this by chance where their updates are stored, or an ad image storage point like Akamai?
8) I doubted it was Akamai because other IPs that are Akamai storage sites seem to clearly identify themselves as such.
Anything else you can suggest to track this down?
And, if nothing else, how can I shrink the blank portions of captures posted? The above capture is as small as I could get the margins using Paint. |
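As an added example (not code from the thread), here is a small Python triage script for the kind of log Spooler summarized: it groups outbound records by process, remote address and port, checks each address against the Level 3 block from the WHOIS quoted above, and flags outbound SMTP as NetFixer suggested. The log layout and the sample lines are constructed for the example; real ZoneAlarm or router logs would need their own parser.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Address block from the ARIN WHOIS record quoted in the thread (Level 3, 67.72.0.0/14).
LEVEL3_BLOCK = ipaddress.ip_network("67.72.0.0/14")

# Constructed sample log in a simplified "date time process remote_ip:port" layout
# (an assumption for this example, not a real ZoneAlarm or router log format).
# The svchost.exe lines mirror the dates and addresses Spooler listed; the last line
# is a made-up outbound SMTP connection to exercise the spambot check NetFixer raised.
SAMPLE_LOG = """\
2004-09-26 07:01:12 svchost.exe 67.72.4.94:80
2004-10-07 06:58:40 svchost.exe 67.72.4.93:80
2004-10-12 07:03:05 svchost.exe 67.72.4.94:80
2004-10-12 07:03:07 svchost.exe 67.72.4.94:80
2004-10-17 07:00:51 svchost.exe 67.72.4.94:80
2004-10-23 07:02:19 svchost.exe 67.72.4.94:80
2004-10-23 07:15:30 unknown.exe 198.51.100.7:25
"""

def parse_line(line):
    """Split one log line into a record with a parsed timestamp and IP address."""
    date, time, process, remote = line.split()
    ip, port = remote.rsplit(":", 1)
    return {"when": datetime.fromisoformat(f"{date} {time}"),
            "process": process, "ip": ipaddress.ip_address(ip), "port": int(port)}

def classify(process, ip, port):
    """Verdict for one (process, ip, port) triple, following the thread's reasoning."""
    if port == 25:
        return "outbound SMTP: check the host for spambot activity"
    if ip in LEVEL3_BLOCK and port == 80 and process == "svchost.exe":
        return "svchost.exe to Level 3 block on port 80: consistent with update/CDN traffic"
    return "unclassified: identify the owning process with TCPView"

def summarize(log_text):
    """Group records by (process, ip, port) and report count, days seen and a verdict."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        groups[(rec["process"], rec["ip"], rec["port"])].append(rec["when"])
    report = []
    for (process, ip, port), times in sorted(groups.items(), key=lambda kv: str(kv[0])):
        report.append({"process": process, "ip": str(ip), "port": port,
                       "count": len(times),
                       "days": sorted({t.date().isoformat() for t in times}),
                       "verdict": classify(process, ip, port)})
    return report
```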
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR | Do you have Windows Auto Update enabled? They use level3.net, and Akamai for farming their bandwidth. |
|
  Spooler
@cableone.net
| Windows updates?
BlitzenZeus asked: "Do you have Windows Auto Update enabled? They use level3.net, and Akamai for farming their bandwidth." --------------- Yes, Zeus, Windows Updates is enabled to "Notify Only".
Do you think this Level 3 connection is to it?
In the past, there were other outbound connections to Williams Communications Group at 69.45.78.152 that I could not identify. Would they have also been Windows Updates?
For some reason, I had thought windows updates would have been to Microsoft's own IP addresses in the 207.46.xx.xx ranges. That was wrong, huh? |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
1 edit | They have been using their servers for quite some time to take the stress away from their own servers, and also there have been worms that attacked their fixed IP address update servers, so the servers are on dynamic IP addresses now.
A program like TCPView will tell you which program is making the connections if you can catch it in the act. XP uses svchost.exe to check for updates. -- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard. |
|
  Spooler
@cableone.net | TCPview
Thanks, Zeus. Will try TCPview.
Appreciate the help and education from all of you. |
|
  DrStrange Technically feasible Premium join:2001-07-23 West Hartford, CT | reply to Spooler Re: What is 67.72.4.94?
Sandpiper Networks Footprint Distributor |
|
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
·Vonage
·AT&T Southeast
·Cingular Wireless
·AT&T CallVantage
| reply to Spooler What is GHP???
said by Spooler:
According to ZoneAlarm logs, the process used is GHP. The port is 80 on the remote IP address. I give up, I just did Google, Yahoo and Microsoft searches for GHP, but I could find nothing which looked like a software module or product. What is GHP??? -- I never found the companion that was so companionable as solitude. The man who goes alone can start today; but he who travels with another must wait till that other is ready, and it may be a long time before they get off. |
|
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
| I've never seen it that way before, but since what I expected as the answer matches, my guess is Generic Host Process for Win32 Services, or svchost.exe.
Certainly seems as if it is Windows Update. He could try to sniff the connection with Ethereal, and check the DNS lookups, or maybe turn off Automatic Update and see if it goes away. -- Dog and Butterfly |
|
  Spooler
@cableone.net
| reply to NetFixer GHP = Generic Host Process = svchost.exe & more
NetFixer, and WiseGuy:
GHP was my shorthand for Generic Host Process or Svchost.exe. That was the program/service connecting to 67.72.4.94.
As mentioned above, it has been showing up as an outbound connection right after startup about once a week for the past thirty days.
I've been trying to isolate connections using TCPview as BlitzenZeus suggested, in an attempt to learn which connections are what.
Since 67.72.4.94 is not showing up every restart, it is hard to tell for certain if it is Windows Updates by disabling the updates for a one-time or even one-day test.
-------------------
Dr. Strange & others:
What is "Sandpiper Networks Footprint Distributor"?
Why would my computer be connecting to it at start-up on a periodic basis?
-------------------
NetFixer:
I did not follow or understand what you did above in your longer post. Could you explain?
Thanks. |
|