
View Full Version : infection?


HILife
06-16-2009, 10:52 AM
Hey all,

I visited this site yesterday (as well as others) and now I noticed that my computer keeps trying to send a "beacon" like message using iexplore.exe to the IP address 69.64.155.19. I was trying to hunt down how it got here and wanted to see if anybody else is having this problem. Thanks

alkemical
06-16-2009, 10:53 AM
so what pr0n or warez sites did you hit up as well? any crazy russian blog sites?

Beantown Bronco
06-16-2009, 10:54 AM
I visited this site yesterday (as well as others)

Focus on the bold part.

How long before the mac contingent invades?

Garcia Bronco
06-16-2009, 10:56 AM
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.
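One way to automate the netstat-to-PID lookup described above, as an added example that is not part of the thread: a Python script that parses `netstat -ano` output (the `-a` also lists listening sockets) and returns the PIDs owning connections to a given remote address. The netstat sample is constructed, not captured from anyone's machine; a short-lived HTTP beacon closes quickly, so a single snapshot may miss it and the lookup should be repeated.

```python
import re
from typing import List, Tuple

# Constructed sample of "netstat -ano" output (not from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    192.168.1.5:49201      69.64.155.19:80        ESTABLISHED     3128
  TCP    192.168.1.5:49202      69.64.155.19:80        TIME_WAIT       0
  TCP    192.168.1.5:49210      74.125.67.100:443      ESTABLISHED     3128
  UDP    0.0.0.0:500            *:*                                    1180
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_host_port(addr: str) -> Tuple[str, str]:
    """Split 'host:port'; handles IPv6 like '[::1]:80' and the UDP '*:*' case."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def connections_to(netstat_text: str, remote_ip: str) -> List[dict]:
    """Return every connection whose foreign address is remote_ip."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or 'Active Connections' line
        proto, local, foreign, state, pid = m.groups()
        host, port = split_host_port(foreign)
        if host == remote_ip:
            hits.append({"proto": proto, "local": local, "port": port,
                         "state": state or "", "pid": int(pid)})
    return hits


def owning_pids(netstat_text: str, remote_ip: str) -> set:
    """PIDs to look up in Task Manager; PID 0 (e.g. TIME_WAIT, no owner) is skipped."""
    return {c["pid"] for c in connections_to(netstat_text, remote_ip) if c["pid"] != 0}


if __name__ == "__main__":
    print(owning_pids(SAMPLE_NETSTAT, "69.64.155.19"))
```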

Kaylore
06-16-2009, 10:58 AM
Maybe you have a trojan.

vancejohnson82
06-16-2009, 11:12 AM
Maybe you have a trojan.

Insert Travis Henry joke here

bronco610
06-16-2009, 11:32 AM
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.

??? Could you repeat that in English?

dbfan21
06-16-2009, 11:36 AM
Focus on the bold part.

How long before the mac contingent invades?

LOL

Garcia Bronco
06-16-2009, 12:05 PM
??? Could you repeat that in English?

That's about as English as it gets. "I'd just block in your firewall"

Stated more clearly, the quoted line should read "I'd just block the IP in your firewall."

bronco610
06-16-2009, 12:09 PM
Oh well, I am not very computer savvy. I know how to turn it on. Luckily I am taking a course this fall that should help. I don't have any problems now, it just sounded interesting.

Garcia Bronco
06-16-2009, 12:22 PM
Oh well, I am not very computer savvy. I know how to turn it on. Luckily I am taking a course this fall that should help. I don't have any problems now, it just sounded interesting.

What are you taking?

Popps
06-16-2009, 12:25 PM
No problems here. :)

HILife
06-16-2009, 12:54 PM
Focus on the bold part.

How long before the mac contingent invades?

in 3...2...1...Mac is great!

HILife
06-16-2009, 12:54 PM
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.

Yea, I've already blocked it. It's sending a message every few hours. netstat shows me nothing for that address.

bronco610
06-16-2009, 01:25 PM
What are you taking?

Computer applications.

HILife
06-17-2009, 11:44 AM
I think I found out what this "beacon" is coming from. It turns out it does have something to do with the Orangemane. Every time I click on something in the message board (a thread, the back button, page 1, 2, etc.) a beacon is sent out to 69.64.155.19 on port 80 using Internet Explorer. It happens the very second I click on something and ONLY when I click on something.

I've tested this out on other sites and it doesn't come up. If someone out there can try and put this to the test and let me know if the same thing is happening to them, I would appreciate it. I also noticed this only happens on the message board and not on the front page such as www.orangemane.com

I'm bringing this up because there could be something wrong with the O-mane server or it could be nothing. Also network security is flagging me for possible malicious activity. Hate to have to stop visiting the board.

Thanks

EDIT: also it looks like netstat -ano will not pick it up.

EDIT: I looked up the address and it looks like it belongs to "Demand Media." They seem to be some kind of social media company. I'm guessing they had something to do with the design of this message board. Here is some info on them:

Demand Media is a heavily backed new media company headed by Richard Rosenblatt, the former chairman of Intermix Media, the company that sold MySpace to News Corporation. It has raised $355 million.

Demand Media owns and operates 1) a network of 65 destination websites 2) a content and social media marketplace connecting content creators, users and publishers on a mass scale and 3) the second largest domain name registrar. Most recently, Demand Media launched LIVESTRONG.COM in partnership with the Lance Armstrong Foundation.

alkemical
06-17-2009, 11:55 AM
use mozilla/firefox - install noscript and see which script is doing it.

HILife
06-17-2009, 12:06 PM
use mozilla/firefox - install noscript and see which script is doing it.

Sorry, can't do that. This is a company computer so I can't just install anything on it. I did turn off the scripts for Internet Explorer in the registry (or I think I did):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and then I changed REG_DWORD 1400 from 0 to 3.

Because of that I don't think it's related to a script, but I'm not sure.

alkemical
06-17-2009, 12:19 PM
Sorry, can't do that. This is a company computer so I can't just install anything on it. I did turn off the scripts for Internet Explorer in the registry (or I think I did):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and then I changed REG_DWORD 1400 from 0 to 3.

Because of that I don't think it's related to a script, but I'm not sure.

Malwarebytes/Spybot/Ad-Aware don't find anything?

Spider
06-17-2009, 12:24 PM
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.

So let's pretend for a second, I don't know what you are talking about, could you break it down?

listopencil
06-17-2009, 12:57 PM
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.

When I use that command the DOS window pops up and immediately closes. Any way to make it stay open?

HILife
06-17-2009, 01:04 PM
Malwarebytes/Spybot/Ad-Aware don't find anything?

That's correct. I ran all 3 and they found nothing.

EDIT: Ok, I'm going to take a guess at what this is. After looking into it, it looks like any time I click on something on this site it sends a message to an IP address assigned to Demand Media. This company seems to be some sort of "social media" company that designs, well....social media (i.e. Facebook, MySpace, Broncos message board).

Whenever I click on something it reads the cookies on my computer and sends it back to this company to gather information about me and everyone else that visits this site. That is why none of the antivirus/antispyware would pick up anything, because nothing was installed on the computer (except a cookie......mmmmm cookie). It was just reading some cookies on the computer.

Again this is only a guess.

This is no good because I keep getting flagged for possible malicious activity. Guess I will have to stay away from this board while at work or find a way to block this.

HILife
06-17-2009, 01:05 PM
When I use that command the DOS window pops up and immediately closes. Any way to make it stay open?

Go to Start--> Run---> type in "cmd" (no quotes)

UberBroncoMan
06-17-2009, 01:17 PM
Do you use Firefox with the Ad-Block Plus and No-Script plug-ins? It stops a TON of ****...

alkemical
06-17-2009, 01:24 PM
Do you use Firefox with the Ad-Block Plus and No-Script plug-ins? It stops a TON of ****...

It's a work machine so he can't/doesn't.

alkemical
06-17-2009, 01:33 PM
That's correct. I ran all 3 and they found nothing.

EDIT: Ok, I'm going to take a guess at what this is. After looking into it, it looks like any time I click on something on this site it sends a message to an IP address assigned to Demand Media. This company seems to be some sort of "social media" company that designs, well....social media (i.e. Facebook, MySpace, Broncos message board).

Whenever I click on something it reads the cookies on my computer and sends it back to this company to gather information about me and everyone else that visits this site. That is why none of the antivirus/antispyware would pick up anything, because nothing was installed on the computer (except a cookie......mmmmm cookie). It was just reading some cookies on the computer.

Again this is only a guess.

This is no good because I keep getting flagged for possible malicious activity. Guess I will have to stay away from this board while at work or find a way to block this.

Did you install any toolbars, etc?

BrainSaladSurgery
06-17-2009, 01:41 PM
Probably digital gonorrhea carried by all of the poosies on your worthless team. :thumbsup:

HILife
06-17-2009, 03:36 PM
It's a work machine so he can't/doesn't.

Yea, pretty much.

HILife
06-17-2009, 03:40 PM
Did you install any toolbars, etc?

No, there aren't any toolbars. It's a bare minimum machine. Only has what it needs to get the job done (Microsoft Office, Internet Explorer, antivirus).