I just found this to be a little disturbing but it is most likely a benign update.
I installed a new version of XP and the first thing I installed is Tiny Firewall. I then downloaded WinSCP. I installed scp then used it to connect to a server for some file retrieval. Tiny Firewall checks if I want to allow a port 22 connection to the server. I obviously allow it. Then after I connect I get a Tiny Firewall event to connect to port 80 to the IP address 212.267.64.170. WTF? OK, maybe auto-updates or something.
I pop up Snort and monitor port 80 and actually tell Tiny Firewall to let the connection go. It's basically encrypted traffic, so I can't really tell if it's my user/pass being sent. So then I ask to see if there's an update and it goes to that same IP above... so should be peace of mind, right... well, not really.
I had actually blocked this the first few times it popped up. The only time it checks for an update is after it has successfully connected to a location. Why wouldn't it just check when the app is first started? Why does it not check if you don't successfully connect? I mean, it only connects after a successful connection, i.e. after a valid user/pass has been entered.
So I did some more checks. The IP 212.267.64.170 is in Germany. If you go to that IP with a web browser it goes to a "Site Under Construction" page.
While, like I said, this is most likely a benign updating mechanism, it also seems weird. If a hacker had reached the source code to WinSCP, say through recent CVS holes, what would be the best thing to do... send info about all successful connections and make sure updates go to a site he controls.
Am I just paranoid?
Err, sorry, that IP was 220.127.116.11
You can go there at http://18.104.22.168
Does that site seem weird, that it's an update site for WinSCP?