HP3000-L Archives

December 2000, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Doug Werth <[log in to unmask]>
Date: Tue, 5 Dec 2000 16:30:39 -0500

Jeff,

I can't answer your question specifically. But I have heard where a
background program called HIDSERV.EXE did something similar on Pavilions.
Try a web search on HIDSERV and see if it gives you the information you are
looking for.

Doug.

Doug Werth                             Beechglen Development Inc.
[log in to unmask]                               Cincinnati, Ohio


----- Original Message -----
From: "Jeff Kell" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, December 05, 2000 4:15 PM
Subject: OT: Pavillions phone home?


> Allow me to skip the details of how this came to my attention, but I
> have discovered some weird, extraneous traffic coming from our dorms
> (yes, that is somewhat redundant, but I mean *really* weird :-) ).
> Once a second, about 3 dozen machines on average try to establish
> communication with IP 207.26.131.137.  Hmmm...
>
> I've done a fairly exhaustive search in my resource list to find
> anything about this and the only mentions of this I can find are in
> dejanews if you search the complete archive for that IP address, and
> the details were extremely sketchy.  Three posts were old ones to
> comp.sys.hp.hardware mentioning this address, that the poster's new
> Pavilion with Win/ME was pinging it once a second.  One follow-up
> mentions something about a "Netropia Multi-Media Keyboard" and its
> driver or related file MMKEYBD.EXE being the culprit.
>
> I can find nothing about the IP.  Can't trace it.  Can't ping it.  No
> web server.  No mail server.  No whois registration.  Only the larger
> IP block allocation to ANS, a big-name provider.
>
> Checking some of the local IPs that were "ringing" I did find evidence
> that at least half of them were HPs and a couple Pavilions (based on
> our local registration, if present, and guesswork at their NETBIOS
> names).
>
> We aren't getting this traffic from any of the other couple thousand
> machines on campus, but most of the on-campus platforms are either Dell
> or Macintosh.  Only seen this coming from the dorms, where students can
> bring whatever they want.  So the Pavilion story makes some sense.
>
> Has anyone heard anything about this?  Anyone have any recent Pavilions
> that might be doing the same thing?  The posting mentioned above was
> back in September.  I'd like to verify it is some unscrupulous
> executable that happened to be dumped on Pavilions, or if it is
> something more bizarre they have perhaps downloaded.  It doesn't match
> the signatures of any virus, DOS, or DDOS intrusion I can find.
>
> Curiously yours,
>
> Jeff Kell <[log in to unmask]>
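
The pattern described in the quoted message (several dozen hosts contacting one address at a fixed one-second interval) can be picked out of flow records mechanically. The sketch below is an added example, not part of the original thread; the flow tuple format, the thresholds and the dorm host addresses are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev


def find_beacons(flows, min_events=5, max_jitter=0.1, min_sources=2):
    """flows: iterable of (timestamp_seconds, src_ip, dst_ip) records.

    Returns {dst_ip: {src_ip: mean_interval_seconds}} for destinations that
    at least min_sources hosts contact at a near-constant interval.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)

    periodic = defaultdict(dict)
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connection attempts to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near zero means timer-driven traffic,
        # large values mean human-driven (bursty) traffic.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            periodic[dst][src] = round(avg, 2)

    # A single periodic host may be benign polling; many hosts sharing one
    # destination is the fleet-wide pattern the message describes.
    return {d: s for d, s in periodic.items() if len(s) >= min_sources}


def build_sample():
    """Constructed flow records, not captured data."""
    target = "207.26.131.137"  # the address named in the message
    flows = []
    # Three constructed dorm hosts, one attempt per second with slight jitter.
    for host in ("10.20.1.11", "10.20.1.12", "10.20.1.13"):
        flows += [(100.0 + i + 0.01 * (i % 3), host, target) for i in range(30)]
    # One constructed host with irregular, browsing-like timing.
    for ts in (100.0, 103.7, 104.1, 131.0, 190.5, 191.0):
        flows.append((ts, "10.20.1.14", "192.0.2.80"))
    return flows


if __name__ == "__main__":
    for dst, srcs in find_beacons(build_sample()).items():
        print(f"{dst}: {len(srcs)} hosts beaconing, intervals {srcs}")
```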
