Jeff,
I can't answer your question specifically. But I have heard where a
background program called HIDSERV.EXE did something similar on Pavilions.
Try a web search on HIDSERV and see if it gives you the information you are
looking for.
Doug.
Doug Werth Beechglen Development Inc.
[log in to unmask] Cincinnati, Ohio
----- Original Message -----
From: "Jeff Kell" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, December 05, 2000 4:15 PM
Subject: OT: Pavillions phone home?
> Allow me to skip the details of how this came to my attention, but I
> have discovered some weird, extraneous traffic coming from our dorms
> (yes, that is somewhat redundant, but I mean *really* weird :-) ).
> Once a second, about 3 dozen machines on average try to establish
> communication with IP 207.26.131.137. Hmmm...
>
> I've done a fairly exhaustive search in my resource list to find
> anything about this and the only mentions of this I can find are in
> dejanews if you search the complete archive for that IP address, and
> the details were extremely sketchy. Three posts were old ones to
> comp.sys.hp.hardware mentioning this address, that the poster's new
> Pavilion with Win/ME was pinging it once a second. One follow-up
> mentions something about a "Netropia Multi-Media Keyboard" and its
> driver or related file MMKEYBD.EXE being the culprit.
>
> I can find nothing about the IP. Can't trace it. Can't ping it. No
> web server. No mail server. No whois registration. Only the larger
> IP block allocation to ANS, a big-name provider.
>
> Checking some of the local IPs that were "ringing" I did find evidence
> that at least half of them were HPs and a couple Pavilions (based on
> our local registration, if present, and guesswork at their NETBIOS
> names).
>
> We aren't getting this traffic from any of the other couple thousand
> machines on campus, but most of the on-campus platforms are either Dell
> or Macintosh. Only seen this coming from the dorms, where students can
> bring whatever they want. So the Pavilion story makes some sense.
>
> Has anyone heard anything about this? Anyone have any recent Pavilions
> that might be doing the same thing? The posting mentioned above was
> back in September. I'd like to verify it is some unscrupulous
> executable that happened to be dumped on Pavilions, or if it is
> something more bizarre they have perhaps downloaded. It doesn't match
> the signatures of any virus, DOS, or DDOS intrusion I can find.
>
> Curiously yours,
>
> Jeff Kell <[log in to unmask]>
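
Added example, not part of the original thread: one way to surface the pattern Jeff describes (many hosts retrying a single address at a fixed interval) from flow records. The record layout `(timestamp, src, dst)`, the thresholds, and every address except 207.26.131.137 are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def find_beacons(flows, min_events=10, max_jitter=0.2):
    """Return {dst: {src: period}} for (src, dst) pairs whose connection
    attempts recur at a near-constant interval.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip).
    A pair is flagged when it has at least min_events attempts and every
    gap deviates from the median gap by at most max_jitter (a fraction)."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    beacons = defaultdict(dict)
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        if all(abs(g - period) <= max_jitter * period for g in gaps):
            beacons[dst][src] = period
    return dict(beacons)

def shared_destinations(beacons, min_sources=3):
    """Destinations beaconed to by several distinct hosts, most sources first."""
    hits = [(dst, sorted(srcs)) for dst, srcs in beacons.items()
            if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: -len(h[1]))

def sample_flows():
    """Constructed flow records, not captured traffic."""
    flows = []
    # Three dorm hosts retrying the address from the post about once a second.
    for i, src in enumerate(["10.1.0.11", "10.1.0.12", "10.1.0.13"]):
        flows += [(t + 0.05 * i + 0.02 * (t % 3), src, "207.26.131.137")
                  for t in range(30)]
    # One host with irregular traffic (should not be flagged).
    flows += [(t, "10.1.0.20", "192.0.2.80")
              for t in (0, 1, 2, 9, 10, 31, 32, 33, 60, 61, 95)]
    # One host polling another server every 60 s (periodic, single source).
    flows += [(60 * k, "10.1.0.21", "192.0.2.25") for k in range(12)]
    return flows

if __name__ == "__main__":
    for dst, srcs in shared_destinations(find_beacons(sample_flows())):
        print(dst, len(srcs), "hosts:", ", ".join(srcs))
```

Periodicity alone also flags the single host polling every 60 seconds; requiring several distinct sources per destination is what isolates the many-hosts, one-address case from ordinary polling.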