-
May 21st, 2002, 11:52 PM
#1
Probes from Jerusalem
Just recently (within a couple of weeks), I have been constantly getting probes on high-numbered ports from the 209.73.225 set of IPs. NeoTrace Express traces these to Jerusalem, although the company, Cydoor Technologies, seems to be registered in the US. The general trace leads from my location to my ISP's mainframe to Jersey City, NJ to Jerusalem.
Here is the Registrant info on the trace via NeoTrace Express...
Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
22 Maskit Street
Herzliya, N/A 46733
IL
Netname: CYDOOR-209-73-225
Netblock: 209.73.225.0 - 209.73.225.255
Coordinator:
Support, Tech (TS1229-ARIN) support@cydoor.com
212-425-8780
Record last updated on 30-Aug-2001.
Database last updated on 9-May-2002 20:03:53 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
And the IP (one of many in the 209.73.225 set) related to the probes...
5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)
I have contacted 'Cydoor Technologies' about these probes, and have basically gotten the big "***k off" from them, with absolutely no explanation given. If it were just advertising probes, fine... but they are very high-numbered ports (generally in the range of 24000 to 60000), so it seemed odd to me. I have run virus checks, both internally and externally, which yield results indicating no infections.
Anyone else have this problem, or anyone have some advice?
Ouroboros
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
-
May 22nd, 2002, 12:27 AM
#2
Haven't heard of anything like that recently. But it doesn't surprise me that a crap company like that would be scanning. You can find out who their ISP is and file a formal complaint. Cydoor might tell you to feck off, but if their ISP gets enough complaints they'll jerk Cydoor's inet access.
I may file one of my own....
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
May 22nd, 2002, 12:44 AM
#3
Cydoor is a spyware component installed with certain shareware and/or freeware.
Homepage:
http://www.cydoor.com/Cydoor/
Places to go to remove it and info on it:
http://www.cexx.org/cydoor.htm
http://accs-net.com/smallfish/cydoor.htm
It's some nasty software...
The COOKIE TUX lives!!!!
Windows NT crashed, I am the Blue Screen of Death.
No one hears your screams.
-
May 22nd, 2002, 12:45 AM
#4
Cydoor is a spyware company; in fact they are the ones with Kazaa, aren't they? I doubt there is a legitimate explanation for this, as I wouldn't give these people the benefit of the doubt.
Elen alcarin ar gwath halla ná engwar.
-
May 23rd, 2002, 11:28 PM
#5
Sigh
Thanks for the responses...
I went to http://www.cexx.org/cydoor.htm, as posted by P2P Apocalypse, and followed the instructions (I do run W98se), yet I found nothing. I don't use KaZaa, or any other file sharing software for that matter, and found none of the references in my registry or the System Files. (Yes, all of the files and folders are shown... I have even dropped down into the pseudo-DOS that W98 has, still nothing).
The most recent programs (within a month or so) that have been downloaded are the Opera browser, and a program called System Mechanic, by Iolo Technologies.
I have no idea how my box has become bait, for the above reasons... and as my firewall blocks all of the connection requests, I am not worried too much. I would rather see those attempts disappear, though. My firewall doesn't allow blocking of specific IP ranges, so I have to suffice with the stealth blocks generated by the firewall.
The programs that I have tried are: AVG, AdAware, RegVac, System Mechanic... along with the online scans provided by Sygatetech. All for naught, apparently, as they have detected nothing out of the ordinary.
"Nasty software" indeed!!
I have also sent multiple e-mails to Cydoor, and their ISP, which appears to be Globix (the entry right above the Cydoor entry in the list is v4-edge7-gw1.nyc1.globix.net). We'll see what happens, but I am not hopeful, as SPYWARE is not illegal... yet.
I see a bizarre analogy here...just as software developers want Windows source code, ordinary, average users want spyware keys...to rid both of the 'covert aspects' of the software.
I'll keep trying, and thanks again for the responses.
Ouroboros
Today's intrusion is:
Cydoor Technologies Inc. (NETBLK-CYDOOR-209-73-225)
22 Maskit Street
Herzliya, N/A 46733
IL
Netname: CYDOOR-209-73-225
Netblock: 209.73.225.0 - 209.73.225.255
Coordinator:
Support, Tech (TS1229-ARIN) support@cydoor.com
212-425-8780
Record last updated on 30-Aug-2001.
Database last updated on 9-May-2002 20:03:53 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
Same thing, right?...crap!...
But the IP that I got from Globix is 204.10.1.131....hmmm...
No match for 204.10.1.131 .
NO MATCH TIP
ALL OF THE POINT OF CONTACT HANDLES IN THE ARIN
WHOIS END WITH -ARIN , IF YOU ARE QUERYING A POINT
OF CONTACT HANDLE PLEASE ADD -ARIN TO YOUR QUERY.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
HMMM?
Ouroboros
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
-
May 24th, 2002, 10:28 PM
#6
In closing...
Although I wanted to eliminate the source of the problem, I couldn't. I could not find any files, registry entries, or otherwise that would make Cydoor scan me. So, I just went ahead and instructed my firewall to reject anything from that IP range (209.73.225.0 - 209.73.225.255) on all ports and all protocols. I don't like to have to do things like that, but sometimes it seems necessary. Oh well...
Thanks for the suggestions, everyone. I'll have to keep my eyes open a little wider from now on, as this situation has been nothing but a pain in the ass.
Ouroboros
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
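The thread ends with two practical steps: reading the firewall's "Connection request" lines to see which source addresses and ports are involved (post #1), and finally rejecting the whole 209.73.225.0 - 209.73.225.255 netblock (post #6). The following Python script is an added example and not code from any poster; it parses log lines in the exact format quoted in post #1, converts the ARIN netblock into a CIDR suitable for a firewall rule, counts how many requests per source fall inside that block, and flags those on the 24000-60000 ports the original poster found unusual. The log format is assumed to match that single quoted line; all sample lines except the first are constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, summarize_address_range

# Netblock from the ARIN record quoted in the thread: 209.73.225.0 - 209.73.225.255.
# summarize_address_range turns the start/end pair into CIDR blocks (here one /24).
CYDOOR_RANGE = list(
    summarize_address_range(ip_address("209.73.225.0"), ip_address("209.73.225.255"))
)

# Port range the original poster describes as unusual for advertising traffic.
HIGH_PORT_MIN, HIGH_PORT_MAX = 24000, 60000

# Regex for the firewall log line shown in post #1:
# "5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)"
LOG_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Connection request (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<proto>TCP|UDP)\((?P<port>\d+)\)$"
)

# Constructed sample log (only the first line is the one quoted in the thread).
SAMPLE_LOG = [
    "5/21/02 5:06:16 PM Connection request 209.73.225.94 TCP(30412)",  # from post #1
    "5/21/02 5:07:02 PM Connection request 209.73.225.94 TCP(41870)",  # constructed
    "5/21/02 5:09:45 PM Connection request 209.73.225.12 TCP(80)",     # constructed, low port
    "5/21/02 5:11:10 PM Connection request 198.51.100.7 UDP(137)",     # constructed, outside block
    "5/21/02 5:12:00 PM some unrelated firewall message",              # constructed, unparsable
]


def blocked_cidrs():
    """CIDR strings for the netblock, in the form a firewall rule would take."""
    return [str(net) for net in CYDOOR_RANGE]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a connection request."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p"),
        "ip": ip_address(m["ip"]),
        "proto": m["proto"],
        "port": int(m["port"]),
    }


def in_blocked_range(ip, networks=CYDOOR_RANGE):
    """True if the address (string or ip_address) falls inside any of the networks."""
    if isinstance(ip, str):
        ip = ip_address(ip)
    return any(ip in net for net in networks)


def is_high_port(port):
    return HIGH_PORT_MIN <= port <= HIGH_PORT_MAX


def summarize(lines):
    """Count requests per source IP inside the netblock; also return lines that did not parse."""
    hits = {}
    unparsed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        if not in_blocked_range(ev["ip"]):
            continue
        entry = hits.setdefault(str(ev["ip"]), {"total": 0, "high_port": 0, "ports": []})
        entry["total"] += 1
        entry["ports"].append(ev["port"])
        if is_high_port(ev["port"]):
            entry["high_port"] += 1
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = summarize(SAMPLE_LOG)
    print("firewall deny rule for:", ", ".join(blocked_cidrs()))
    for ip, entry in sorted(hits.items()):
        print(f"{ip}: {entry['total']} requests, {entry['high_port']} on high ports {entry['ports']}")
    print(f"{len(unparsed)} line(s) did not match the expected format")
```

The ip_address comparison replaces the manual "is it in the 209.73.225 set" check; keeping the block as a CIDR string also gives the exact value to enter once a firewall that supports range blocking is available, as in post #6.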