Probes from Jerusalem

  1. #1
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    628

    Probes from Jerusalem

    Just recently (within a couple of weeks), I have been constantly getting probes on high-numbered ports from the 209.73.225 set of IPs. NeoTrace Express traces these to Jerusalem, although the company, Cydoor Technologies, seems to be registered in the US. The general trace leads from my location to my ISP's mainframe to Jersey City, NJ to Jerusalem.

    Here is the Registrant info on the trace via NeoTrace Express...

    Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
    22 Maskit Street
    Herzliya, N/A 46733
    IL

    Netname: CYDOOR-209-73-225
    Netblock: 209.73.225.0 - 209.73.225.255

    Coordinator:
    Support, Tech (TS1229-ARIN) support@cydoor.com
    212-425-8780

    Record last updated on 30-Aug-2001.
    Database last updated on 9-May-2002 20:03:53 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    And the IP (one of many in the 209.73.225 set) related to the probes...

    5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)

    I have contacted 'Cydoor Technologies' about these probes, and have basically gotten the big "***k off" from them, with absolutely no explanation given. If it were just advertising probes, fine...but they are very high numbered ports (generally in the range of 24000 to 60000), so it seemed odd to me. I have run virus checks, both internally and externally, which yield results indicating no infections.

    Anyone else have this problem, or anyone have some advice?

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Haven't heard of anything like that recently. But it doesn't surprise me that a crap company like that would be scanning. You can find out who their ISP is and file a formal complaint. Cydoor might tell you to feck off but if their ISP gets enough complaints they'll jerk Cydoor's inet access.

    I may file one of mine own....
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    883
    Cydoor is a spyware component installed with certain shareware and/or freeware.

    Homepage:
    http://www.cydoor.com/Cydoor/

    Places to go to remove it and info on it:
    http://www.cexx.org/cydoor.htm
    http://accs-net.com/smallfish/cydoor.htm

    It's some nasty software................
    The COOKIE TUX lives!!!!
    Windows NT crashed,I am the Blue Screen of Death.
    No one hears your screams.


  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    452
    Cydoor is a spyware company, in fact they are the ones with kazaa, aren't they? I doubt there is a legitimate explanation for this, as I wouldn't give these people the benefit of the doubt.
    Elen alcarin ar gwath halla n engwar.

  5. #5
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    628

    Sigh

    Thanks for the responses...

    I went to http://www.cexx.org/cydoor.htm , as posted by P2P Apocalypse, and followed the instructions (I do run W98se), yet I found nothing. I don't use KaZaa, or any other file sharing software for that matter, and found none of the references in my registry or the System Files. (Yes, all of the files and folders are shown...I have even dropped down into the pseudo-DOS that W98 has, still nothing).
    The most recent programs (within a month or so) that have been downloaded are the Opera browser, and a program called System Mechanic, by Iolo Technologies.

    I have no idea how my box has become bait, for the above reasons....and as my firewall blocks all of the connection requests, I am not worried too much. I would rather see those attempts disappear, though. My firewall doesn't allow blocking of specific IP ranges, so I have to suffice with the stealth blocks generated by the firewall.

    The programs that I have tried are : AVG, AdAware, RegVac, System Mechanic... along with the online scans provided by Sygatetech. All for naught, apparently, as they have detected nothing out of the ordinary.

    "Nasty software" indeed!!

    I have also sent multiple e-mails to Cydoor, and their ISP, which appears to be Globix (the entry right above the Cydoor entry in the list is: v4-edge7-gw1.nyc1.globix.net). We'll see what happens, but I am not hopeful, as SPYWARE is not illegal...yet.

    I see a bizarre analogy here...just as software developers want Windows source code, ordinary, average users want spyware keys...to rid both of the 'covert aspects' of the software.

    I'll keep trying, and thanks again for the responses.

    Ouroboros

    Today's intrusion is:

    Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
    22 Maskit Street
    Herzliya, N/A 46733
    IL

    Netname: CYDOOR-209-73-225
    Netblock: 209.73.225.0 - 209.73.225.255

    Coordinator:
    Support, Tech (TS1229-ARIN) support@cydoor.com
    212-425-8780

    Record last updated on 30-Aug-2001.
    Database last updated on 9-May-2002 20:03:53 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    Same thing, right?...crap!...

    But the IP that I got from Globix is 204.10.1.131....hmmm...

    No match for 204.10.1.131 .

    NO MATCH TIP

    ALL OF THE POINT OF CONTACT HANDLES IN THE ARIN
    WHOIS END WITH -ARIN , IF YOU ARE QUERYING A POINT
    OF CONTACT HANDLE PLEASE ADD -ARIN TO YOUR QUERY.




    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

    HMMM?

    Ouroboros

    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  6. #6
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    628
    In closing...

    Although I wanted to eliminate the source of the problem, I couldn't. I could not find any files, registry entries, or otherwise that would make Cydoor scan me. So, I just went ahead and instructed my firewall to reject anything from that IP range (209.73.225.0 - 209.73.225.255) on all ports and all protocols. I don't like to have to do things like that, but sometimes it seems necessary. Oh well...

    Thanks for the suggestions, everyone. I'll have to keep my eyes open a little wider from now on, as this situation has been nothing but a pain in the ass.

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor
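
Added example (not code from any poster in this thread): a short Python script that turns the whois netblock quoted above into CIDR form for a block rule and tallies matching entries from firewall log lines in the format shown in post #1. Only the first sample log line comes from the thread; the other lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First/last address of the netblock, as listed in the whois output in the thread.
NETBLOCK = ("209.73.225.0", "209.73.225.255")

# Layout of the firewall log line quoted in post #1.
LOG_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Connection request (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP)\((?P<port>\d{1,5})\)$"
)

# Only the first line comes from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)
5/21/02 5:09:41 PM Connection request 209.73.225.17 TCP(24881)
5/21/02 5:12:03 PM Connection request 192.0.2.44 TCP(139)
5/21/02 5:15:27 PM Connection request 209.73.225.94 TCP(58210)
garbled line the parser should skip
"""

def range_to_cidrs(first, last):
    """Collapse a whois-style first/last address pair into CIDR blocks."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return list(ipaddress.summarize_address_range(a, b))

def summarize(log_text, cidrs):
    """Count requests per source inside the netblock and track logged ports."""
    hits, ports, skipped = Counter(), [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        try:
            src = ipaddress.ip_address(m["src"]) if m else None
        except ValueError:  # matched the layout but an octet is above 255
            src = None
        if src is None:
            skipped += 1
            continue
        if any(src in net for net in cidrs):
            hits[str(src)] += 1
            ports.append(int(m["port"]))
    return {"hits": dict(hits), "port_min": min(ports, default=None),
            "port_max": max(ports, default=None), "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, range_to_cidrs(*NETBLOCK)))
```

The per-source counts and port spread are the kind of detail an abuse report to the upstream ISP needs alongside the raw log lines.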

