There is one hit in DejaNews and a few in the "Old DejaNews", if you search
Usenet.
Looks like a special version of mmkeybd.exe has this IP hard coded into
it?
Copied:
sandweiss <[log in to unmask]> , pondered obviously not long enough, and
said
>http://www.luckystreakcasino.com/promo/pop.html
That screen says 'Enter email' and has a button for a form
submit. Hmmmm.....
The form submits to
"http://list.emailbucks.com/subscribe.jsp"
Hmnm..... a java script rather than a CGI. Well, I'm not about to try to
run it to find out what it does.
>http://www.casinotraffic.com/exit/
>http://www.tiffanyscasino.com/?edialers
>http://www.tiffanyscasino.com/?edialers
These 'edialer' URLs bring up the same 'promo/pop.html' as
above, plus another main screen
>http://freegamblegames.com/casino/
Well, I don't see them doing anything 'stealth', and nothing
tried to DL, and nothing tripped my alarms.
>
>I am also running a firewall (Conseal FW v. 2.09), which does not show
>any valid IP addresses although it listed 18 times within a 3 minute
>period, the following:
>
>2000/11/20 1:58:20 PM GMT -0800: Intel 21041 based..[0001][Ref# 3]
>Blocking incoming ICMP: src=0.0.0.0, dst=207.26.131.137, type 8.
207.26.131.137 shows as a dead address right now.
>This information was "pushed" onto my machine, although I run Netscape
>Comm 4.7, and NEVER had, or would have, an "active desktop".
I wonder if there's not something on your machine that called
it. IMO, the 'Push' scenario is unlikely.
Paul
--
PMRobot - freeware - apply automation macros to any Windows program
PMDOS - freeware - run any DOS command from Windows, capture the output to
Windows
Stockmon - freeware - stock tracking / research program
My WWW site is at http://www.pobox.com/~pjm ,featuring free HVAC, stock
market, and other free software
>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~
pjm@(remove this part )pobox.com
end of copy
more copy:
<[log in to unmask]> wrote in message news:39B6E697.5234E1B8@nac.net...
> "Claude J. Ortega" wrote:
> >
> > New Pavilion XL753, Win-Me.
> >
> > On a local LAN.
> >
> > Sending an 'icmp echo request' ( ping ) once per second, to ip -
> > 207.26.131.137, which nslookup
> > indicates 'no host name'.
> >
> > LAN is Sygated to a cable modem, but the pings don't get thru to the
> > cable modem.
> >
> > All tasks except Explorer and Systray killed via 'ctrl-alt-del' dialog
> > box, but pings continue.
> >
> > Mcafee VS indicates 'no viruses detected'.
> >
> > Any ideas on what might be generating these pings, or where I might look
> > to find the source?
> >
> > ( I got lost, looking for a 'community' on the HP web site, to post this
> > question.) :-(
> >
> > Thanks,
> >
> > Claude
> >
> > --
> > ==================================================
> > Claude J. Ortega [log in to unmask] Bolingbrook, Il.
> > ==================================================
>
> Sounds like a WIN ME problem.
> Try a Win ME group??
>
> LB
Tried that, no response.
So I finally figured out how to get around in the HP Communities site.
Another poster there described another problem that I have been having,
which caused me to look into the Netropia Multi-Media Keyboard program (
mmkeybd.exe ).
The ip address that my system is ( was ) pinging is hard-coded in the
.exe file. Disabling the program stopped the pings.
The other problem was that when I ran MS Media Player 7, mmkeybd.exe would
take ~90% of the available cpu cycles, as displayed by WinTop. This played
havoc with the Seti@Home client's execution time.
As I don't really need a 'One-touch' connection function, the mmkeybd is
useless to me. It didn't work right anyway. :-)
Claude
--
==================================================
Claude J. Ortega [log in to unmask] Bolingbrook, Il.
==================================================
end copy
> -----Original Message-----
> From: Jeff Kell [mailto:[log in to unmask]]
> Sent: Tuesday, December 05, 2000 2:15 PM
> To: [log in to unmask]
> Subject: OT: Pavillions phone home?
>
>
> Allow me to skip the details of how this came to my attention, but I
> have discovered some weird, extraneous traffic coming from our dorms
> (yes, that is somewhat redundant, but I mean *really* weird :-) ).
> Once a second, about 3 dozen machines on average try to establish
> communication with IP 207.26.131.137. Hmmm...
>
> I've done a fairly exhaustive search in my resource list to find
> anything about this and the only mentions of this I can find are in
> dejanews if you search the complete archive for that IP address, and
> the details were extremely sketchy. Three posts were old ones to
> comp.sys.hp.hardware mentioning this address, that the poster's new
> Pavilion with Win/ME was pinging it once a second. One follow-up
> mentions something about a "Netropia Multi-Media Keyboard" and its
> driver or related file MMKEYBD.EXE being the culprit.
>
> I can find nothing about the IP. Can't trace it. Can't ping it. No
> web server. No mail server. No whois registration. Only the larger
> IP block allocation to ANS, a big-name provider.
>
> Checking some of the local IPs that were "ringing" I did find evidence
> that at least half of them were HPs and a couple Pavilions (based on
> our local registration, if present, and guesswork at their NETBIOS
> names).
>
> We aren't getting this traffic from any of the other couple thousand
> machines on campus, but most of the on-campus platforms are either Dell
> or Macintosh. Only seen this coming from the dorms, where students can
> bring whatever they want. So the Pavilion story makes some sense.
>
> Has anyone heard anything about this? Anyone have any recent Pavilions
> that might be doing the same thing? The posting mentioned above was
> back in September. I'd like to verify it is some unscrupulous
> executable that happened to be dumped on Pavilions, or if it is
> something more bizarre they have perhaps downloaded. It doesn't match
> the signatures of any virus, DOS, or DDOS intrusion I can find.
>
> Curiously yours,
>
> Jeff Kell <[log in to unmask]>
>
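
Added example, not part of the original messages: one way to surface the pattern this thread describes (several hosts sending an ICMP echo request to one address at a steady one-second interval) from firewall or flow records. The record layout, source addresses, thresholds and function names are assumptions; only the destination address comes from the thread.

```python
from collections import defaultdict
from statistics import mean, pstdev

DST = "207.26.131.137"  # destination address quoted in the thread

def build_sample():
    """Constructed records (ts_seconds, src, dst, kind); sources are made up."""
    recs = []
    for i in range(30):
        recs.append((i * 1.0, "10.1.1.11", DST, "icmp-echo"))
        recs.append((i * 1.0 + 0.05 * (i % 2), "10.1.1.12", DST, "icmp-echo"))
        recs.append((0.3 + i * 1.0, "10.1.1.13", DST, "icmp-echo"))
    # A person running ping by hand: same packet type, irregular timing.
    for ts in (0, 2, 3, 40, 41, 90, 200, 201, 202, 500, 900, 901):
        recs.append((float(ts), "10.1.2.9", "10.1.2.1", "icmp-echo"))
    return recs

def find_beacons(records, min_events=10, max_cv=0.2):
    """Flag (src, dst) pairs whose echo requests arrive at a near-constant
    interval. Regularity is the coefficient of variation (stdev / mean) of
    the gaps between consecutive packets; software on a timer scores low."""
    seen = defaultdict(list)
    for ts, src, dst, kind in records:
        if kind == "icmp-echo":
            seen[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few packets to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(stamps),
                            "interval": round(avg, 2)})
    return beacons

def shared_destinations(beacons, min_sources=2):
    """Destinations beaconed by several hosts point at common installed
    software rather than one user's activity."""
    by_dst = defaultdict(set)
    for b in beacons:
        by_dst[b["dst"]].add(b["src"])
    return {d: sorted(s) for d, s in by_dst.items() if len(s) >= min_sources}

if __name__ == "__main__":
    hits = find_beacons(build_sample())
    for dst, sources in shared_destinations(hits).items():
        print(dst, "<-", ", ".join(sources))
```
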