The Orange Mane -  a Denver Broncos Fan Community  

06-16-2009, 09:52 AM   #1
HILife
infection?

Hey all,

I visited this site yesterday (as well as others) and now I noticed that my computer keeps trying to send a "beacon"-like message using iexplore.exe to the IP address 69.64.155.19. I was trying to hunt down how it got here and wanted to see if anybody else is having this problem. Thanks
06-16-2009, 09:53 AM   #2
alkemical

so what pr0n or warez sites did you hit up as well? any crazy russian blog sites?
06-16-2009, 09:54 AM   #3
Beantown Bronco

Quote:
Originally Posted by hilife
I visited this site yesterday (as well as others)
Focus on the bold part.

How long before the mac contingent invades?
06-16-2009, 09:56 AM   #4
Garcia Bronco

I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.
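The netstat-to-PID lookup that post describes, as an added Python example that is not from the thread: it parses constructed `netstat -no` and `tasklist /FO CSV` output (sample text made up here, not captured from anyone's machine) and lists which process owns each connection to 69.64.155.19. A connection that opens and closes within seconds may only ever show up as TIME_WAIT with PID 0, which is one reason a single netstat run can miss a periodic beacon.

```python
import csv
import io

# Constructed sample of `netstat -no` output (made up for this example, not a capture
# from the poster's machine). Columns: Proto, Local Address, Foreign Address, State, PID.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     69.64.155.19:80        ESTABLISHED     2312
  TCP    192.168.1.10:49153     69.64.155.19:80        TIME_WAIT       0
  TCP    192.168.1.10:49160     10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1120
"""
# Constructed sample of `tasklist /FO CSV` output, used to turn a PID into a process name.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"iexplore.exe","2312","Console","1","45,212 K"
"""

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from netstat -no / -ano text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:  # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def connections_to(netstat_text, tasklist_text, ip):
    """Every connection whose foreign address is `ip`, with the owning process.
    PID 0 means no process owns the socket any more (typically TIME_WAIT after a short request)."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if remote.rsplit(":", 1)[0] == ip:  # strip the port; works for [IPv6]:port too
            hits.append({"proto": proto, "local": local, "state": state, "pid": pid,
                         "process": names.get(pid, "(none)")})
    return hits
```

On a live machine the two samples would be replaced by the captured output of the two commands; the matching rows are then the ones to look at in Task Manager by PID.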
06-16-2009, 09:58 AM   #5
Kaylore

Maybe you have a trojan.
06-16-2009, 10:12 AM   #6
vancejohnson82

Quote:
Originally Posted by Kaylore
Maybe you have a trojan.
Insert Travis Henry joke here
06-16-2009, 10:32 AM   #7
bronco610

Quote:
Originally Posted by Garcia Bronco
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.
Could you repeat that in English?
06-16-2009, 10:36 AM   #8
dbfan21

Quote:
Originally Posted by Beantown Bronco
Focus on the bold part.

How long before the mac contingent invades?
06-16-2009, 11:05 AM   #9
Garcia Bronco

Quote:
Originally Posted by bronco610
Could you repeat that in English?
That's about as English as it gets. "I'd just block in your firewall"

Stated more clearly, the quoted line should read "I'd just block the IP in your firewall."
06-16-2009, 11:09 AM   #10
bronco610

Oh well, I am not very computer savvy. I know how to turn it on. Luckily I am taking a course this fall that should help. I don't have any problems now, it just sounded interesting.
06-16-2009, 11:22 AM   #11
Garcia Bronco

Quote:
Originally Posted by bronco610
Oh well, I am not very computer savvy. I know how to turn it on. Luckily I am taking a course this fall that should help. I don't have any problems now, it just sounded interesting.
What are you taking?
06-16-2009, 11:25 AM   #12
Popps

No problems here.
06-16-2009, 11:54 AM   #13
HILife

Quote:
Originally Posted by Beantown Bronco
Focus on the bold part.

How long before the mac contingent invades?
in 3...2...1...Mac is great!
06-16-2009, 11:54 AM   #14
HILife

Quote:
Originally Posted by Garcia Bronco
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.
Yea, I've already blocked it. It's sending a message every few hours. netstat shows me nothing for that address.
06-16-2009, 12:25 PM   #15
bronco610

Quote:
Originally Posted by Garcia Bronco
What are you taking?
Computer applications.
06-17-2009, 10:44 AM   #16
HILife

I think I found out what this "beacon" is coming from. It turns out it does have something to do with the Orangemane. Every time I click on something in the message board (a thread, the back button, page 1, 2, etc.) a beacon is sent out to 69.64.155.19 on port 80 using Internet Explorer. It happens the very second I click on something and ONLY when I click on something.

I've tested this out on other sites and it doesn't come up. If someone out there can try and put this to the test and let me know if the same thing is happening to them, I would appreciate it. I also noticed this only happens on the message board and not on the front page such as www.orangemane.com

I'm bringing this up because there could be something wrong with the O-mane server or it could be nothing. Also, network security is flagging me for possible malicious activity. Hate to have to stop visiting the board.

Thanks

EDIT: also it looks like netstat -ano will not pick it up.

EDIT: I looked up the address and it looks like it belongs to "Demand Media." They seem to be some kind of social media company. I'm guessing they had something to do with the design of this message board. Here is some info on them:

Demand Media is a heavily backed new media company headed by Richard Rosenblatt, the former chairman of Intermix Media, the company that sold MySpace to News Corporation. It has raised $355 million.

Demand Media owns and operates 1) a network of 65 destination websites 2) a content and social media marketplace connecting content creators, users and publishers on a mass scale and 3) the second largest domain name registrar. Most recently, Demand Media launched LIVESTRONG.COM in partnership with the Lance Armstrong Foundation.

06-17-2009, 10:55 AM   #17
alkemical

use mozilla/firefox - install noscript and see which script is doing it.
06-17-2009, 11:06 AM   #18
HILife

Quote:
Originally Posted by amesj523
use mozilla/firefox - install noscript and see which script is doing it.
Sorry, can't do that. This is a company computer so I can't just install anything on it. I did turn off the scripts for Internet Explorer in the registry (or I think I did):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and then I changed REG_DWORD 1400 from 0 to 3.

Because of that I don't think it's related to a script, but I'm not sure.
06-17-2009, 11:19 AM   #19
alkemical

Quote:
Originally Posted by hilife
Sorry, can't do that. This is a company computer so I can't just install anything on it. I did turn off the scripts for Internet Explorer in the registry (or I think I did):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and then I changed REG_DWORD 1400 from 0 to 3.

Because of that I don't think it's related to a script, but I'm not sure.
malware bytes/spybot/adaware don't find anything?
06-17-2009, 11:24 AM   #20
Spider

Quote:
Originally Posted by Garcia Bronco
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.
So let's pretend for a second, I don't know what you are talking about, could you break it down?
06-17-2009, 11:57 AM   #21
listopencil

Quote:
Originally Posted by Garcia Bronco
I don't, and that IP has no DNS. I'd just block in your firewall.

You would see this connection by opening a command prompt and typing

Netstat -no

This will list all of your connections. You can also see the PID and open task manager and change the column view to see the PID and kill any processes associated with a particular connection.

When I use that command the DOS window pops up and immediately closes. Any way to make it stay open?
06-17-2009, 12:04 PM   #22
HILife

Quote:
Originally Posted by amesj523
malware bytes/spybot/adaware don't find anything?
That's correct. I ran all 3 and they found nothing.

EDIT: Ok, I'm going to take a guess at what this is. After looking into it, it looks like any time I click on something on this site it sends a message to an IP address assigned to Demand Media. This company seems to be some sort of "social media" company that designs, well....social media (i.e. Facebook, MySpace, Broncos message board).

Whenever I click on something it reads the cookies on my computer and sends them back to this company to gather information about me and everyone else that visits this site. That is why none of the antivirus/antispyware picked up anything, because nothing was installed on the computer (except a cookie......mmmmm cookie). It was just reading some cookies on the computer.

Again this is only a guess.

This is no good because I keep getting flagged for possible malicious activity. Guess I will have to stay away from this board while at work or find a way to block this.

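A network-side way to check the guess in that post, as an added Python example that is not from the thread: it runs over constructed proxy-log lines (made up here in a simplified format, not real traffic) and flags third-party hosts that are requested once per page load on www.orangemane.com with the board as Referer, which is the footprint of a click-triggered beacon. It says nothing about what the request carries; confirming the cookie part of the guess would need a look at the request headers themselves.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed web-proxy log lines (made up here in a simplified format, not real traffic):
# date time client method url referer   ("-" means the request had no Referer header)
PROXY_LOG = """\
2009-06-17 10:44:01 192.168.1.10 GET http://www.orangemane.com/forum/showthread.php?t=1 -
2009-06-17 10:44:01 192.168.1.10 GET http://69.64.155.19/b.gif?c=abc123 http://www.orangemane.com/forum/showthread.php?t=1
2009-06-17 10:44:09 192.168.1.10 GET http://www.orangemane.com/forum/forumdisplay.php?f=2 http://www.orangemane.com/forum/showthread.php?t=1
2009-06-17 10:44:09 192.168.1.10 GET http://69.64.155.19/b.gif?c=abc123 http://www.orangemane.com/forum/forumdisplay.php?f=2
2009-06-17 10:44:10 192.168.1.10 GET http://static.example-cdn.test/style.css http://www.orangemane.com/forum/forumdisplay.php?f=2
2009-06-17 10:50:30 192.168.1.10 GET http://www.example.test/news -
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(log_text):
    """Yield (requested_host, referer_host) per well-formed line; referer_host is None if absent."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore malformed lines rather than abort the whole run
        url, referer = m.group(4), m.group(5)
        yield urlsplit(url).hostname, (urlsplit(referer).hostname if referer != "-" else None)

def third_party_stats(log_text, site_domain):
    """For each host other than site_domain that was requested with a site page as Referer,
    return (request count, count / number of site page loads)."""
    page_loads = 0
    hits = defaultdict(int)
    for host, ref_host in parse_log(log_text):
        if host == site_domain:
            page_loads += 1
        elif ref_host == site_domain:
            hits[host] += 1
    return {h: (n, n / page_loads if page_loads else 0.0) for h, n in hits.items()}

def beacon_candidates(log_text, site_domain, min_ratio=1.0):
    """Hosts hit at least once per site page load: the footprint of a click-triggered beacon.
    Ordinary static assets are typically cached after the first load, so they fall below 1.0."""
    stats = third_party_stats(log_text, site_domain)
    return sorted(h for h, (_, ratio) in stats.items() if ratio >= min_ratio)
```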
06-17-2009, 12:05 PM   #23
HILife

Quote:
Originally Posted by listopencil
When I use that command the Dos window pops up and immediately closes. Any way to make it stay open?
Go to Start--> Run---> type in "cmd" (no quotes)
06-17-2009, 12:17 PM   #24
UberBroncoMan

Do you use Firefox with the Ad-Block Plus and No-Script plug-ins? It stops a TON of ****...
06-17-2009, 12:24 PM   #25
alkemical

Quote:
Originally Posted by UberBroncoMan
Do you use Firefox with the Ad-Block Plus and No-Script plug-ins? It stops a TON of ****...
It's a work machine so he can't/doesn't.