HP3000-L Archives

December 2000, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Dave Darnell <[log in to unmask]>
Date: Tue, 5 Dec 2000 15:13:37 -0700
Content-Type: text/plain
The new guy in the next cube, Jesse Yarbrough, says this sounds like a
keyboard logger.  It will send on any keystrokes, even for an encrypted
field.

Search the web for BackOrifice for information on detecting and removing any
trojan horse that will overwrite the file mmkeybd.exe, remove it if it is
detected, and download a clean copy of the file from the keyboard
manufacturer.

He says also look on AOL for trojans.

I'm thinking that if someone had a protocol analyzer or other sniffer on the
subnet, they could be logging all the output to the "dead" IP address.

-dtd

> -----Original Message-----
> From: Dave Darnell
> Sent: Tuesday, December 05, 2000 2:30 PM
> To: Jeff Kell; [log in to unmask]
> Subject: RE: Pavillions phone home?
>
>
> There is one hit in DejaNews and a few in the "Old DejaNews",
> if you search Usenet.
>
> Looks like a special version of mmkeybd.exe has this IP hard-coded
> into it?
>
> Copied:
>
> sandweiss <[log in to unmask]> , pondered obviously not
> long enough, and said
>
>
> >http://www.luckystreakcasino.com/promo/pop.html
>
> That screen says 'Enter email' and has a button for a form
> submit.  Hmmmm.....
>
> The form submits to
> "http://list.emailbucks.com/subscribe.jsp"
>
> Hmmm..... a java script rather than a CGI.  Well, I'm not
> about to try to run it to find out what it does.
>
> >http://www.casinotraffic.com/exit/
> >http://www.tiffanyscasino.com/?edialers
> >http://www.tiffanyscasino.com/?edialers
>
> These 'edialer' URLs bring up the same 'promo/pop.html' as
> above, plus another main screen
>
> >http://freegamblegames.com/casino/
>
> Well, I don't see them doing anything 'stealth', and nothing
> tried to DL, and nothing tripped my alarms.
>
> >
> >I am also running a firewall (Conseal FW v. 2.09), which
> does not show
> >any valid IP addresses although it listed 18 times within a 3 minute
> >period, the following:
> >
> >2000/11/20 1:58:20 PM GMT -0800: Intel 21041 based..[0001][Ref# 3]
> >Blocking incoming ICMP: src=0.0.0.0, dst=207.26.131.137, type 8.
>
> 207.26.131.137 shows as a dead address right now.
>
> >This information was "pushed" onto my machine, although I
> run Netscape
> >Comm 4.7, and NEVER had, or would have, an "active desktop".
>
> I wonder if there's not something on your machine that called
> it.  IMO, the 'Push' scenario is unlikely.
>
>
> Paul
> --
> PMRobot - freeware - apply automation macros to any Windows program
> PMDOS - freeware - run any DOS command from Windows, capture
> the output to Windows
> Stockmon - freeware - stock tracking / research program
>
> My WWW site is at  http://www.pobox.com/~pjm ,featuring free
> HVAC, stock market, and other free software
> >~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~
> pjm@(remove this part )pobox.com
>
> end of copy
>
> more copy:
>
>
> <[log in to unmask]> wrote in message news:39B6E697.5234E1B8@nac.net...
> > "Claude J. Ortega" wrote:
> > >
> > > New Pavilion XL753, Win-Me.
> > >
> > > On a local LAN.
> > >
> > > Sending an 'icmp echo request' ( ping ) once per second, to ip -
> > > 207.26.131.137, which nslookup indicates 'no host name'.
> > >
> > > LAN is Sygated to a cable modem, but the pings don't get thru to the
> > > cable modem.
> > >
> > > All tasks except Explorer and Systray killed via 'ctrl-alt-del' dialog
> > > box, but pings continue.
> > >
> > > Mcafee VS indicates 'no viruses detected'.
> > >
> > > Any ideas on what might be generating these pings, or where I might
> > > look to find the source?
> > >
> > > ( I got lost, looking for a 'community' on the HP web site, to post
> > > this question.)  :-(
> > >
> > > Thanks,
> > >
> > > Claude
> > >
> > > --
> > > ==================================================
> > > Claude J. Ortega        [log in to unmask]        Bolingbrook, Il.
> > > ==================================================
> >
> > Sounds like a WIN ME problem.
> > Try a Win ME group??
> >
> > LB
>
> Tried that, no response.
>
> So I finally figured out how to get around in the HP Communities site.
>
> Another poster there, described another problem that I have
> been having, which caused me to look into the Netropia
> Multi-Media Keyboard program ( mmkeybd.exe ).
>
> The ip address that my system is ( was ) pinging is
> hard-coded in the .exe file. Disabling the program stopped the pings.
>
> The other problem was that when I ran MS Media Player 7,
> mmkeybd.exe would take ~90% of the available cpu cycles, as
> displayed by WinTop. This played havoc with the Seti@Home
> client's execution time.
>
> As I don't really need a 'One-touch' connection function, the
> mmkeybd is useless to me. It didn't work right anyway.  :-)
>
> Claude
>
> --
> ==================================================
> Claude J. Ortega        [log in to unmask]        Bolingbrook, Il.
> ==================================================
>
> end copy
>
>
> > -----Original Message-----
> > From: Jeff Kell [mailto:[log in to unmask]]
> > Sent: Tuesday, December 05, 2000 2:15 PM
> > To: [log in to unmask]
> > Subject: OT: Pavillions phone home?
> >
> >
> > Allow me to skip the details of how this came to my attention, but I
> > have discovered some weird, extraneous traffic coming from our dorms
> > (yes, that is somewhat redundant, but I mean *really* weird :-) ).
> > Once a second, about 3 dozen machines on average try to establish
> > communication with IP 207.26.131.137.  Hmmm...
> >
> > I've done a fairly exhaustive search in my resource list to find
> > anything about this and the only mentions of this I can find are in
> > dejanews if you search the complete archive for that IP address, and
> > the details were extremely sketchy.  Three posts were old ones to
> > comp.sys.hp.hardware mentioning this address, that the poster's new
> > Pavilion with Win/ME was pinging it once a second.  One follow-up
> > mentions something about a "Netropia Multi-Media Keyboard" and its
> > driver or related file MMKEYBD.EXE being the culprit.
> >
> > I can find nothing about the IP.  Can't trace it.  Can't ping it.  No
> > web server.  No mail server.  No whois registration.  Only the larger
> > IP block allocation to ANS, a big-name provider.
> >
> > Checking some of the local IPs that were "ringing" I did find evidence
> > that at least half of them were HPs and a couple Pavilions (based on
> > our local registration, if present, and guesswork at their NETBIOS
> > names).
> >
> > We aren't getting this traffic from any of the other couple thousand
> > machines on campus, but most of the on-campus platforms are either Dell
> > or Macintosh.  Only seen this coming from the dorms, where students can
> > bring whatever they want.  So the Pavilion story makes some sense.
> >
> > Has anyone heard anything about this?  Anyone have any recent Pavilions
> > that might be doing the same thing?  The posting mentioned above was
> > back in September.  I'd like to verify it is some unscrupulous
> > executable that happened to be dumped on Pavilions, or if it is
> > something more bizarre they have perhaps downloaded.  It doesn't match
> > the signatures of any virus, DOS, or DDOS intrusion I can find.
> >
> > Curiously yours,
> >
> > Jeff Kell <[log in to unmask]>
> >
>
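Jeff's observation above (three dozen hosts each sending one echo request per second to the same address) is the classic shape of a beacon, and it can be pulled out of logs automatically. The following is an added example, not code from anyone in this thread. It assumes a simple constructed log format (one line per ICMP packet with timestamp, src, dst and ICMP type) and flags every (src, dst) pair whose echo requests arrive on a steady clock, then groups the hits by destination so a shared target like 207.26.131.137 stands out. The host addresses and timings in the sample are made up for the example.

```python
"""Flag hosts that send ICMP echo requests to one destination at a fixed cadence.

Added example, not from the thread. The log format below is constructed for
the example; real firewall or flow logs need their own parse_line().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=icmp type=(?P<type>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, icmp_type), or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], TS_FMT), m["src"], m["dst"], int(m["type"]))


def find_beacons(lines, min_events=5, max_cv=0.2):
    """Map each destination to the sources that ping it on a steady clock.

    A (src, dst) pair counts as a beacon when it produced at least `min_events`
    echo requests and the gaps between them are regular: coefficient of
    variation (stdev / mean of the gaps) at or below `max_cv`. Each hit carries
    the mean gap in seconds so a once-per-second pinger is distinguishable
    from a slow one.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 8:  # keep ICMP echo requests only; drop replies etc.
            continue
        ts, src, dst, _ = rec
        events[(src, dst)].append(ts)

    beacons = defaultdict(list)
    for (src, dst), stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all duplicate timestamps; nothing to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[dst].append((src, round(avg, 2)))
    return {dst: sorted(srcs) for dst, srcs in beacons.items()}


def _line(ts, src, dst, icmp_type=8):
    return f"{ts.strftime(TS_FMT)} src={src} dst={dst} proto=icmp type={icmp_type}"


def build_sample_log():
    """Constructed traffic: two once-a-second pingers, one human, one too-short burst."""
    base = datetime(2000, 12, 5, 14, 0, 0)
    lines = []
    for src in ("10.1.7.21", "10.1.7.88"):  # hypothetical dorm hosts
        lines += [_line(base + timedelta(seconds=i), src, "207.26.131.137") for i in range(12)]
    for off in (0, 3, 17, 18, 41, 90):  # irregular, hand-typed pings to a gateway
        lines.append(_line(base + timedelta(seconds=off), "10.1.7.50", "10.1.7.1"))
    for off in (5, 6):  # only two hits: below min_events, so not judged
        lines.append(_line(base + timedelta(seconds=off), "10.1.7.99", "207.26.131.137"))
    lines.append(_line(base, "10.1.7.1", "10.1.7.50", icmp_type=0))  # echo reply, ignored
    return lines


if __name__ == "__main__":
    for dst, srcs in find_beacons(build_sample_log()).items():
        print(f"{dst}: {len(srcs)} beaconing host(s)")
        for src, gap in srcs:
            print(f"  {src} every {gap}s")
```

The regularity test is what separates a driver on a timer from a person running ping by hand: the two constructed dorm hosts come out with a mean gap of 1.0 s and zero variance, the gateway pinger is discarded for its jitter, and a host seen only twice is never judged at all. On a real capture, feed `find_beacons` the lines from tcpdump or the firewall log through a `parse_line` written for that format.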

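Claude's finding that the address is hard-coded in mmkeybd.exe, and Dave's suggestion to compare the file against a clean copy, both come down to looking inside the binary for the address. The following is an added example, not code from anyone in this thread, showing how to search an executable image for an IPv4 address in the three forms it usually takes: an ASCII dotted quad, a UTF-16LE (Windows wide) dotted quad, and a packed 4-byte integer in either byte order. The `build_sample_image()` bytes are a constructed stand-in, not the real mmkeybd.exe; point `scan()` at the real file's bytes to check the claim on a copy of the driver.

```python
"""Look for a hard-coded IPv4 address inside an executable image.

Added example, not from the thread. build_sample_image() is a constructed
stand-in for a binary such as mmkeybd.exe; run scan() on the real file instead.
"""
import re
import socket
import struct

# dotted quad as an ASCII string; look-arounds stop a longer run like 1.2.3.4.5 matching
ASCII_IP_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# the same thing as a UTF-16LE (Windows wide) string: every character followed by NUL
WIDE_IP_RE = re.compile(rb"(?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3}")


def _octets_ok(text):
    return all(0 <= int(part) <= 255 for part in text.split("."))


def find_ip_strings(blob):
    """All dotted quads stored as ASCII or wide strings: [(offset, encoding, ip)]."""
    hits = []
    for m in ASCII_IP_RE.finditer(blob):
        text = m.group().decode("ascii")
        if _octets_ok(text):
            hits.append((m.start(), "ascii", text))
    for m in WIDE_IP_RE.finditer(blob):
        text = m.group().decode("utf-16-le")
        if _octets_ok(text):
            hits.append((m.start(), "utf-16le", text))
    return sorted(hits)


def find_packed_ip(blob, ip):
    """Offsets where `ip` is stored as a 4-byte integer: network order (what
    inet_addr() returns) or byte-swapped (a little-endian DWORD literal)."""
    net = socket.inet_aton(ip)
    hits = []
    for label, needle in (("network-order", net), ("little-endian", net[::-1])):
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((idx, label))
            start = idx + 1
    return sorted(hits)


def scan(blob, suspect_ip):
    return {"strings": find_ip_strings(blob), "packed": find_packed_ip(blob, suspect_ip)}


def build_sample_image():
    """Constructed bytes standing in for an executable (not the real mmkeybd.exe)."""
    return (
        b"MZ" + b"\x90" * 40                          # fake header and padding
        + "207.26.131.137\0".encode("utf-16-le")      # wide string at offset 42
        + b"\x00" * 8
        + b"PING 207.26.131.137\0"                    # ASCII string, quad at offset 85
        + b"\x00" * 8
        + struct.pack("<I", 0xCF1A8389)               # little-endian DWORD literal, offset 108
        + b"\x00" * 8
        + socket.inet_aton("10.0.0.1")                # another address in network order, offset 120
        + b"version 1.2.3.4\0"                        # a version string that also looks like a quad
    )


if __name__ == "__main__":
    result = scan(build_sample_image(), "207.26.131.137")
    for off, enc, ip in result["strings"]:
        print(f"string @0x{off:04x} {enc:8s} {ip}")
    for off, form in result["packed"]:
        print(f"packed @0x{off:04x} {form}")
```

A plain `strings` pass only finds the ASCII form; the wide-string regex catches what Windows programs built with wide character literals store, and the packed search catches an address the compiler folded into an integer constant, which no string tool will show. The "1.2.3.4" hit from the version string is a reminder that the string scan reports anything shaped like a quad, so each hit still needs a look at its surroundings.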