
Thread: cannot find spy

  1. #1
    peter krom Guest

    Re: cannot find spy

    In article <DcU6e.1362$t85.3@newssvr21.news.prodigy.com>, "Spam
    Reporting" <FROM:@hillscapital.com> says...
    > "peter krom" <jonhy [at]_ rook.com> wrote in message
    > news:MPG.1cc5cebdc961300f989688@news.quicknet.nl...
    > What plugins and extensions did you have installed for Firefox? It might
    > have been one of them... if it's a commonly used one, people need to
    > know about this. Or did you find that it was something else within
    > Firefox?


    I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    one was Wizz RSS reader, both downloaded from the mozilla site btw. The
    file itself which was resident was called firefox.exe and was 4.96 kB in
    size. The original firefox 1.0 was updated twice, with 1.01 and 1.02....
    I am sure that the attempts to connect to kelcos5.dynu.com are gone because
    I have netview running all the time and the log-file doesn't show
    anything regarding the ip-pool discussed.

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 13-4-2005 1:04:51
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  2. #2
    Paul Vader Guest

    Re: cannot find spy

    peter krom <jonhy@rook.com> writes:
    >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    >one was Wizz RSS reader, both downloaded from the mozilla site btw. The


    The homepage for the Wizz reader really creeps me out. Every piece of
    supposed weirdness is apparently caused by bugs in firefox. I'd drop it and
    find something else. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  3. #3
    peter krom Guest

    Re: cannot find spy

    In article <115qebe4u0480ec@news.supernews.com>, pv+usenet@pobox.com
    says...
    > peter krom <jonhy@rook.com> writes:
    > >I used 2 plug-ins in Firefox, the first one is Autocopy and the second
    > >one was Wizz RSS reader, both downloaded from the mozilla site btw. The

    > The homepage for the Wizz reader really creeps me out. Every piece of
    > supposed weirdness is apparently caused by bugs in firefox. I'd drop it and
    > find something else. *


    I've read your 3 posts, I'll try to answer them in 1 msg:

    It is becoming clear now that one of the extensions was phoning home.
    Most likely it was the wizz rss-extension. I have done a portscan at the
    IP-address that this - let's say - piece of malicious software was
    attempting to connect to and no ports were open...there was simply
    nothing there. You can be sure... you don't have to eat your hat, I have
    reinstalled mozilla without any extensions and nothing happened in any
    of the previous discussed instances... I am glad to say that mozilla
    itself is safe but let it be known that this rss-reader is a no-go. To
    be able to read the rss-feeds I have made a small webpage on my server
    with javascript so I can read my rss-feeds again... Leaves me with the
    thought that everything is quiet on the western front and I am no longer
    a tool for malicious entities who make their money by bombarding people
    with unsolicited mail and other things that we so deeply hate.

    Thank you all for thinking with me (or against...) Now we have another
    application to put on the blacklist: the wizz rss-reader

    Peter


    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 1:31:01
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  4. #4
    Dave Platt Guest

    Re: cannot find spy

    In article <MPG.1cc7c9fd3b5222a898968c@news.quicknet.nl>,
    peter krom <jonhy@rook.com> wrote:

    >I've read your 3 posts, I'll try to answer them in 1 msg:
    >
    >It is becoming clear now that one of the extensions was phoning home.
    >Most likely it was the wizz rss-extension. I have done a portscan at the
    >IP-address that this - let's say - piece of malicious software was
    >attempting to connect to and no ports were open...there was simply
    >nothing there.


    Unfortunately, it's truly not possible to say for certain that this
    was the case unless you've done a physical inspection of whatever
    hardware may be routed at that address. It's quite possible to write
    a malware server which would sit there, "see" the phone-home packets,
    and yet look for all the world as if:

    - There's no host there, and the net's router is responding with a
    "no such host" ICMP response, or

    - There's no host there, and the phone-home packets or ICMP responses
    simply vanish, or

    - There's a host there, but its ports are closed and are responding
    with "connection refused".

    You simply can't tell, from the outside, whether any particular "there
    ain't nobody here" reaction is legitimate or misleading.

    How one might write such a piece of spoofing server malware is left as
    an exercise for the reader... no sense making it easier for the bad
    guys.

    --
    Dave Platt <dplatt@radagast.org> AE6EO
    Hosting the Jade Warrior home page: http://www.radagast.org/jade-warrior
    I do _not_ wish to receive unsolicited commercial email, and I will
    boycott any company which has the gall to send me such ads!
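
What a connect-style port scan actually observes for each of the cases listed in the post above, as an added example that is not part of the original thread. The outcome labels and function names are made up here, and the loopback sockets are constructed test fixtures.

```python
import errno
import socket

# Labels for the three cases in the post above, plus "open" (names are illustrative).
UNREACHABLE = "icmp-unreachable"  # an ICMP host/net unreachable arrived
SILENT = "no-answer"              # nothing came back before the timeout
REFUSED = "refused"               # a TCP RST came back: "connection refused"
OPEN = "open"                     # the three-way handshake completed

_UNREACH = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify_error(exc):
    """Map the error from a failed connect() to what was seen on the wire.

    Each label records only the reply that reached us. None of them says
    whether the probe was received, logged, or deliberately answered this way.
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return SILENT
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED
    if isinstance(exc, OSError) and exc.errno in _UNREACH:
        return UNREACHABLE
    raise exc  # DNS failure, local firewall error, etc.: not a remote answer


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and return the observed outcome label."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except OSError as exc:
        return classify_error(exc)


def loopback_demo():
    """Probe a listening and a bound-but-not-listening port on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))  # holds the port, never listens
    try:
        return (probe("127.0.0.1", listener.getsockname()[1]),
                probe("127.0.0.1", closed.getsockname()[1]))
    finally:
        listener.close()
        closed.close()


if __name__ == "__main__":
    print(loopback_demo())
```

Because a scan result is only the remote side's chosen reply, the local record of outbound connection attempts (the kind of log the original poster was already keeping) is the more reliable evidence that the phone-home traffic has stopped.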

  5. #5
    Steve Baker Guest

    Re: cannot find spy

    On Wed, 13 Apr 2005 23:42:36 -0000, dplatt@radagast.org (Dave Platt)
    wrote:

    >- There's no host there, and the net's router is responding with a
    > "no such host" ICMP response, or


    How's that work, got a reference handy? I didn't know that routers
    commented on the state of Internet hosts.

    Steve Baker


  6. #6
    Paul Vader Guest

    Re: cannot find spy

    Steve Baker <bakesph@comcast.net> writes:
    >>- There's no host there, and the net's router is responding with a
    >> "no such host" ICMP response, or

    >
    > How's that work, got a reference handy? I didn't know that routers
    >commented on the state of Internet hosts.


    "No route to host" is probably what he was thinking of. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  7. #7
    Steve Baker Guest

    Re: cannot find spy

    On Thu, 14 Apr 2005 15:01:49 -0000, pv+usenet@pobox.com (Paul Vader)
    wrote:

    >Steve Baker <bakesph@comcast.net> writes:
    >>>- There's no host there, and the net's router is responding with a
    >>> "no such host" ICMP response, or

    >>
    >> How's that work, got a reference handy? I didn't know that routers
    >>commented on the state of Internet hosts.

    >
    >"No route to host" is probably what he was thinking of. *


    Jeez. I sometimes get a bad case of tunnel vision as a result of
    taking things way too literally. Thanks.

    Steve Baker

  8. #8
    peter krom Guest

    Re: cannot find spy

    In article <115rbjcek6qmi32@corp.supernews.com>, dplatt@radagast.org
    says...
    > Unfortunately, it's truly not possible to say for certain that this
    > was the case unless you've done a physical inspection of whatever
    > hardware may be routed at that address. It's quite possible to write
    > a malware server which would sit there, "see" the phone-home packets,
    > and yet look for all the world as if:


    Yes you are right... My router discards all Ping's from WAN so thank you
    for clearing it up for me...

    > How one might write such a piece of spoofing server malware is left as
    > an exercise for the reader... no sense making it easier for the bad
    > guys.


    That's right... it is a shame though that these pieces of malware cost
    globally over hundreds of millions of dollars and people haven't even
    been asking for them....

    Peter



    ---
    avast! Antivirus: Outgoing message is not infected.
    Virus Database (VPS): 0515-1, 2005-04-12
    Tested on: 14-4-2005 9:47:55
    avast! copyright (c) 1988-2004 ALWIL Software.
    http://www.avast.com




  9. #9
    Paul Vader Guest

    Re: cannot find spy

    dplatt@radagast.org (Dave Platt) writes:
    >Unfortunately, it's truly not possible to say for certain that this
    >was the case unless you've done a physical inspection of whatever
    >hardware may be routed at that address. It's quite possible to write
    >
    >How one might write such a piece of spoofing server malware is left as
    >an exercise for the reader... no sense making it easier for the bad
    >guys.


    In one of my more paranoid moments, I wondered whether it was possible to
    sneak data to a server via connection attempts, which then appears to
    reject them. Thinking about it again after I saw your message, it should be
    possible, and not even all that difficult. Fortunately, I think it would
    only work in one direction, unless ... OK, I'm stopping now. *
    --
    * PV something like badgers--something like lizards--and something
    like corkscrews.

  10. #10
    Seth Breidbart Guest

    Re: cannot find spy

    In article <115t1cdk5p2u146@news.supernews.com>,
    Paul Vader <pv+usenet@pobox.com> wrote:

    >In one of my more paranoid moments, I wondered whether it was possible to
    >sneak data to a server via connection attempts, which then appears to
    >reject them. Thinking about it again after I saw your message, it should be
    >possible, and not even all that difficult. Fortunately, I think it would
    >only work in one direction, unless ... OK, I'm stopping now. *


    Spammers already know about portknocking.

    Seth
