HP3000-L Archives

December 2000, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Tue, 5 Dec 2000 16:15:15 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (40 lines)

Allow me to skip the details of how this came to my attention, but I
have discovered some weird, extraneous traffic coming from our dorms
(yes, that is somewhat redundant, but I mean *really* weird :-) ).
Once a second, about 3 dozen machines on average try to establish
communication with IP 207.26.131.137.  Hmmm...

I've done a fairly exhaustive search in my resource list to find
anything about this and the only mentions of this I can find are in
dejanews if you search the complete archive for that IP address, and
the details were extremely sketchy.  Three posts were old ones to
comp.sys.hp.hardware mentioning this address, that the poster's new
Pavilion with Win/ME was pinging it once a second.  One follow-up
mentions something about a "Netropia Multi-Media Keyboard" and its
driver or related file MMKEYBD.EXE being the culprit.

I can find nothing about the IP.  Can't trace it.  Can't ping it.  No
web server.  No mail server.  No whois registration.  Only the larger
IP block allocation to ANS, a big-name provider.

Checking some of the local IPs that were "ringing" I did find evidence
that at least half of them were HPs and a couple Pavilions (based on
our local registration, if present, and guesswork at their NETBIOS
names).

We aren't getting this traffic from any of the other couple thousand
machines on campus, but most of the on-campus platforms are either Dell
or Macintosh.  Only seen this coming from the dorms, where students can
bring whatever they want.  So the Pavilion story makes some sense.

Has anyone heard anything about this?  Anyone have any recent Pavilions
that might be doing the same thing?  The posting mentioned above was
back in September.  I'd like to verify it is some unscrupulous
executable that happened to be dumped on Pavilions, or if it is
something more bizarre they have perhaps downloaded.  It doesn't match
the signatures of any virus, DOS, or DDOS intrusion I can find.

Curiously yours,

Jeff Kell <[log in to unmask]>

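The pattern described in the post above, a set of hosts each sending a connection attempt to one destination once a second, is the classic "beaconing" signature, and it can be picked out of a packet capture mechanically rather than by eye. The following is an added example, not code from the original message or from the HP3000-L list: it parses tcpdump-style SYN lines (the sample lines are constructed for the example, using 10.20.1.0/24 as a hypothetical dorm subnet and 198.51.100.9 as a hypothetical ordinary web server), groups them by source and destination, and reports sources whose inter-arrival gaps to the queried destination cluster tightly around a chosen period. A host that contacts the destination only once or twice is not reported, which keeps a single ordinary visit from being mistaken for a beacon.

```python
"""Find hosts beaconing to one destination at a fixed period (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed sample lines in tcpdump's default format (not from the original
# post).  Hosts .15 and .42 SYN to 207.26.131.137 once a second; host .77 makes
# two ordinary web connections elsewhere and touches the suspect IP only once.
SAMPLE_LINES = """\
16:15:00.001 IP 10.20.1.15.1034 > 207.26.131.137.80: S
16:15:00.004 IP 10.20.1.42.1201 > 207.26.131.137.80: S
16:15:00.350 IP 10.20.1.77.1500 > 198.51.100.9.80: S
16:15:01.002 IP 10.20.1.15.1035 > 207.26.131.137.80: S
16:15:01.005 IP 10.20.1.42.1202 > 207.26.131.137.80: S
16:15:02.003 IP 10.20.1.15.1036 > 207.26.131.137.80: S
16:15:02.004 IP 10.20.1.42.1203 > 207.26.131.137.80: S
16:15:02.900 IP 10.20.1.77.1501 > 198.51.100.9.80: S
16:15:03.001 IP 10.20.1.15.1037 > 207.26.131.137.80: S
16:15:03.006 IP 10.20.1.42.1204 > 207.26.131.137.80: S
16:15:04.002 IP 10.20.1.15.1038 > 207.26.131.137.80: S
16:15:04.004 IP 10.20.1.42.1205 > 207.26.131.137.80: S
16:15:04.100 IP 10.20.1.77.1502 > 207.26.131.137.80: S
"""

# Only the SYN lines matter: each is one connection attempt.
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S"
)


def parse_syns(text):
    """Return {(src, dst): [timestamp_in_seconds, ...]} for every SYN line."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SYN, or a line format we do not understand
        hh, mm, ss, frac, src, _sport, dst, _dport = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(frac) / 10 ** len(frac)
        flows[(src, dst)].append(t)
    return flows


def is_periodic(times, period, tol):
    """True if consecutive gaps all sit within tol of period (needs >= 3 hits)."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    if abs(statistics.median(gaps) - period) > tol:
        return False
    return max(abs(g - period) for g in gaps) <= tol


def find_beacons(text, dst, period=1.0, tol=0.1, min_hits=3):
    """Sources that SYN to dst at least min_hits times with a steady period."""
    beacons = []
    for (src, d), times in parse_syns(text).items():
        if d != dst or len(times) < min_hits:
            continue
        if is_periodic(sorted(times), period, tol):
            beacons.append(src)
    return sorted(beacons)


if __name__ == "__main__":
    suspect = "207.26.131.137"
    for host in find_beacons(SAMPLE_LINES, suspect):
        print(f"{host} beacons to {suspect} about once a second")
```

On a live capture the same function can be fed the output of `tcpdump -n -tt 'tcp[tcpflags] & tcp-syn != 0 and dst host 207.26.131.137'` after adjusting the regex for the epoch timestamps that `-tt` prints; the tolerance and minimum-hit count are the knobs to tune against how noisy the campus link is.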