Time To Retest Your Firewall

[rikytik]

------meanwhile, a couple hours later-----------

Sony's thread about PCAudi and War's explanation were a wake up call for me. In going thru the paces, I installed x-NetStat 5.1 and found a curious connection from the other pc on my LAN.

Hostname: moscow.eau.wi.charter.com

This didn't show up in Sygate (latest version, set to DLL Authentification, but showed up in x-NetStat with the IP of the other pc on this LAN.

I ran AdAware, Trojan Remove, Kaspersky AV 5 and nothing showed up. Finally I did a search of the registry with Registry Crawler and found moscow.eau, etc. two places in the Registry along with some other moscow things.

At that point I deleted all the cookies in IE6 (there were a lot)and then the registry entries disappeared. I don't know what to make of it.

Anyway, things are tighter here now, thanks to the Sony's thread.

[Sony]

Quote:

Originally posted by rikytik@Oct 14 2004, 01:27 PM
.........  Hostname: moscow.eau.wi.charter.com

This didn't show up in Sygate (latest version, set to DLL Authentification, but showed up in x-NetStat with the IP of the other pc on this LAN. 

.....

I found the same entry on my pc (see screenshot)

The weird thing is that show my internal IP with that host name!!!

I need to ivestigate this , now you got me worried

If you find more information please let me know it's time to bed here so I will have to do my homework tomorrow morning about moscow.eau.wi.charter.com

Sony

[rikytik]

Wow. Really weird. Your screen shot is exactly like mine.

I thougtht it gone after a total cookie and registy clean up, but this evening that same thing logged on. With x-NetSTat I was able to kick it off, but Sygate isn't doing anything.

The saga continues.

[war59312]

Try Ethereal for more info.

BTW:

Quote:

Registrant:
Charter Communications Holding Company, LLC (CHARTER25-DOM)
  12405 Powerscourt Drive
  St. Louis, MO 63131
  US

  Domain Name: CHARTER.COM

  Administrative Contact:
      MASTER, HOST  (20118779I)                     
      Charter Communications Holding Company
      12405 Powerscourt Drive
      St. Louis, MO 63131
      US
      636 733 5300 fax: 636 394 9797

  Technical Contact:
      Charter Communications  (GZDZEHXCQO)                     
      12405 Powerscourt Dr.
      St. Louis, MO 63131
      US
      314-288-3889

  Record expires on 29-Jul-2006.
  Record created on 30-Jul-1994.

  Domain servers in listed order:

  NS1.CHARTER.COM              24.196.241.11
  NS2.CHARTER.COM              24.213.60.79
  NS3.CHARTER.COM              24.197.96.17
  NS4.CHARTER.COM              24.205.1.12

Quote:

Website Title:  Charter
Response Code:  200
SSL Cert:  www.charter.com SSL is expired!
Yahoo Directory:  B2B > Broadband
Yahoo Title:  Charter Communications
Yahoo Description:  Broadband communications company.
Website Status:  Active
Reverse IP:  Web server hosts 11 websites (reverse ip tool requires free login)
Server Type:  Microsoft-IIS/5.0
IP Address:  208.223.219.206 (ARIN & RIPE IP search)
IP Location:  - Missouri - Chesterfield - Catalyst Soloutions Group
Whois History:  127 records stored
Record Type:  Domain Name
Monitor:  Monitor or Backorder
Wildcard search:  'charter' in all domains.
Other TLDs:  .com .net .org .info .biz .us
X X X X X X

Name Server:  NS1.CHARTER.COM NS2.CHARTER.COM
ICANN Registrar:  NETWORK SOLUTIONS, LLC.
Created:  30-jul-1994
Expires:  29-jul-2006
Status:  ACTIVE

Oh nice. IIS 5.0. hehe You know what that means. :P

[Sony]

Quote:

Originally posted by war59312@Oct 14 2004, 11:14 PM
Try Ethereal for more info.

BTW:
Oh nice. IIS 5.0. hehe You know what that means. :P

[snapback]215530[/snapback]

I still don't get why my internal IP is associate with that domain ?

[war59312]

Quote:

Originally posted by sony@Oct 14 2004, 08:30 PM
I still don't get why my internal IP is associate with that domain ?

[snapback]215547[/snapback]

oh wtf yeah i was not even paying attendtion lol

Is that not your host name?

If it is then it just got it by resolving your internet ip address (Reverse DNS) and just told u your lan ip address instead.

If not then some program is messing with your dns server and assigning a host name to your lan ip for whatever reason. Or you isp did or whatever...

[unicorn]

war:

Quote:

BTW:
Oh nice. IIS 5.0. hehe You know what that means. :P

[snapback]215530[/snapback]

No. What does it mean? (Is it a microsoft server that is hacked by deafult?)

What is a reasonable explanation to the "moscow" part of the ip? Is that one of the web sites that is hosted by charter.com? I noticed that moscow demands a login to their website.

This thread is too confusing to me. The only conclusion I have done so far is that I should have a separate box for my www adventures. There I should start fresh every session by using a ghosted image of a clean install. Or a deep freezed version. Gonna check theese options. A separate box may be just the right thing, then I can have my computer where I really work clean and nice.
This is getting crazy. Do I want to live in such a world? Of course I do (the option seems boring) but I don't really want to spend half of my time to different security precautions.

Thanks to all that contributed here,

[rikytik]

I found the moscow thing on there again a bit ago.

There are quite a few articles around about IIS. I don't understand this problem yet.

[war59312]

oh my bad...i was just kidding...i just men IIS is a pos and there are so many security issues....thats all... srry for the confusion...

lol

Um yeah I would say that a charter isp ip address....is that your ISP?

if not yeah something is going on...

[war59312]

Um moscow.eau.wi.charter.com?

Site does not even exist it seems? At least not http.

Quote:

Originally posted by unicorn@Oct 15 2004, 05:19 AM
war:

No. What does it mean? (Is it a microsoft server that is hacked by deafult?)

What is a reasonable explanation to the "moscow" part of the ip? Is that one of the web sites that is hosted by charter.com? I noticed that moscow demands a login to their website.

This thread is too confusing to me. The only conclusion I have done so far is that I should have a separate box for my www adventures. There I should start fresh every session by using a ghosted image of a clean install. Or a deep freezed version. Gonna check theese options. A separate box may be just the right thing, then I can have my computer where I really work clean and nice.
This is getting crazy. Do I want to live in such a world? Of course I do (the option seems boring) but I don't really want to spend half of my time to different security precautions.

Thanks to all that contributed here,

[snapback]215575[/snapback]