-
Probes from Jerusalem
Just recently (within a couple of weeks), I have been constantly getting probes on high-numbered ports from the 209.73.225 set of IPs. NeoTrace Express traces these to Jerusalem, although the company, Cydoor Technologies, seems to be registered in the US. The general trace leads from my location to my ISP's mainframe to Jersey City, NJ to Jerusalem.
Here is the Registrant info on the trace via NeoTrace Express...
Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
22 Maskit Street
Herzliya, N/A 46733
IL
Netname: CYDOOR-209-73-225
Netblock: 209.73.225.0 - 209.73.225.255
Coordinator:
Support, Tech (TS1229-ARIN) [email protected]
212-425-8780
Record last updated on 30-Aug-2001.
Database last updated on 9-May-2002 20:03:53 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
And the IP (one of many in the 209.73.225 set) related to the probes...
5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)
I have contacted 'Cydoor Technologies' about these probes, and have basically gotten the big "***k off" from them, with absolutely no explanation given. If it were just advertising probes, fine...but they are very high numbered ports (generally in the range of 24000 to 60000), so it seemed odd to me. I have run virus checks, both internally and externally, which yield results indicating no infections.
Anyone else have this problem, or anyone have some advice?
Ouroboros
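As an added example (not part of the original post), a small Python script that parses firewall log lines in the format quoted above, keeps only the entries whose source falls in the 209.73.225.0/24 block from the ARIN record, and tallies per source how many hit the 24000-60000 port range the poster found odd. The netblock and port range come from the post; all sample log lines except the first are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Netblock from the ARIN record quoted in the post, written in CIDR form.
CYDOOR_BLOCK = ip_network("209.73.225.0/24")
# Port range the poster described as "very high numbered".
HIGH_PORTS = range(24000, 60001)

# Matches the firewall log format shown in the post:
#   5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)
LOG_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Connection request (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP)\((?P<port>\d+)\)$"
)

def parse_line(line):
    """Return (timestamp, ip, proto, port) or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S %p")
    return ts, ip_address(m["ip"]), m["proto"], int(m["port"])

def triage(lines, block=CYDOOR_BLOCK, high_ports=HIGH_PORTS):
    """Per source inside `block`: total hits, high-port hits, ports seen.
    Also returns the number of lines that did not parse."""
    per_source = defaultdict(lambda: {"hits": 0, "high_ports": 0, "ports": []})
    unmatched = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unmatched += 1
            continue
        _, ip, _, port = parsed
        if ip not in block:          # ignore sources outside the netblock
            continue
        entry = per_source[str(ip)]
        entry["hits"] += 1
        entry["ports"].append(port)
        if port in high_ports:
            entry["high_ports"] += 1
    return dict(per_source), unmatched

# Constructed sample log; only the first line is the one quoted in the post.
SAMPLE_LOG = [
    "5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)",
    "5/21/02 5:06:17 PM Connection request 209.73.225.94 TCP(30413)",
    "5/21/02 5:09:02 PM Connection request 209.73.225.17 TCP(58001)",
    "5/21/02 5:09:40 PM Connection request 209.73.225.17 TCP(80)",
    "5/21/02 5:12:00 PM Connection request 10.0.0.5 UDP(137)",
    "garbage line that does not parse",
]
```

Running `triage(SAMPLE_LOG)` on the constructed log reports two sources in the block, 209.73.225.94 with two high-port hits and 209.73.225.17 with one, and one unparsable line.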
-
Haven't heard of anything like that recently. But it doesn't surprise me that a crap company like that would be scanning. You can find out who their ISP is and file a formal complaint. Cydoor might tell you to feck off but if their ISP gets enough complaints they'll jerk Cydoor's inet access.
I may file one of mine own....
-
Cydoor is a spyware component installed with certain shareware and/or freeware.
Homepage:
http://www.cydoor.com/Cydoor/
Places to go to remove it and info on it:
http://www.cexx.org/cydoor.htm
http://accs-net.com/smallfish/cydoor.htm
It's some nasty software...
-
Cydoor is a spyware company, in fact they are the ones with Kazaa, aren't they? I doubt there is a legitimate explanation for this, as I wouldn't give these people the benefit of the doubt.
-
Sigh
Thanks for the responses...
I went to http://www.cexx.org/cydoor.htm , as posted by P2P Apocalypse, and followed the instructions (I do run W98se), yet I found nothing. I don't use KaZaa, or any other file sharing software for that matter, and found none of the references in my registry or the System Files. (Yes, all of the files and folders are shown...I have even dropped down into the pseudo-DOS that W98 has, still nothing).
The most recent programs (within a month or so) that have been downloaded are the Opera browser, and a program called System Mechanic, by Iolo Technologies.
I have no idea how my box has become bait, for the above reasons....and as my firewall blocks all of the connection requests, I am not worried too much. I would rather see those attempts disappear, though. My firewall doesn't allow blocking of specific IP ranges, so I have to suffice with the stealth blocks generated by the firewall.
The programs that I have tried are: AVG, AdAware, RegVac, System Mechanic... along with the online scans provided by Sygatetech. All for naught, apparently, as they have detected nothing out of the ordinary.
"Nasty software" indeed!!
I have also sent multiple e-mails to Cydoor, and their ISP, which appears to be Globix (the entry right above the Cydoor entry in the list is: v4-edge7-gw1.nyc1.globix.net). We'll see what happens, but I am not hopeful, as SPYWARE is not illegal...yet.
I see a bizarre analogy here...just as software developers want Windows source code, ordinary, average users want spyware keys...to rid both of the 'covert aspects' of the software.
I'll keep trying, and thanks again for the responses.
Ouroboros
Today's intrusion is:
Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
22 Maskit Street
Herzliya, N/A 46733
IL
Netname: CYDOOR-209-73-225
Netblock: 209.73.225.0 - 209.73.225.255
Coordinator:
Support, Tech (TS1229-ARIN) [email protected]
212-425-8780
Record last updated on 30-Aug-2001.
Database last updated on 9-May-2002 20:03:53 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
Same thing, right?...crap!...
But the IP that I got from Globix is 204.10.1.131....hmmm...
No match for 204.10.1.131 .
NO MATCH TIP
ALL OF THE POINT OF CONTACT HANDLES IN THE ARIN
WHOIS END WITH -ARIN , IF YOU ARE QUERYING A POINT
OF CONTACT HANDLE PLEASE ADD -ARIN TO YOUR QUERY.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
HMMM?
Ouroboros
-
In closing...
Although I wanted to eliminate the source of the problem, I couldn't. I could not find any files, registry entries, or otherwise that would make Cydoor scan me. So, I just went ahead and instructed my firewall to reject anything from that IP range (209.73.225.0 - 209.73.225.255) on all ports and all protocols. I don't like to have to do things like that, but sometimes it seems necessary. Oh well...
Thanks for the suggestions, everyone. I'll have to keep my eyes open a little wider from now on, as this situation has been nothing but a pain in the ass.
Ouroboros