My browser(Iron) is attempting to connect to...

Discussion in 'malware problems & news' started by Dregg Heda, Sep 16, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
68.71.208.163. How do I find out what this domain is and if it's safe? Thanks.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for that Ronjor!

    This is what I get:

    http://ws.arin.net/whois/?queryinput=68.71.208.163

Is this THE Disney? Or some sort of malware spoof? Why the hell will my browser be trying to connect to Disney? I haven't installed anything from them. Hell, I haven't ever been to any of their websites. Can anyone shed any light on this?

You guys should know that when I booted up my PC my HIPS, OA paid, alerted me to some executables, at least one of which was a driver, which had been automatically blocked previously. The only things I recently installed were Hash on click from 2brightsparks and some windows updates. I am pretty certain I entered "install mode" while installing hash on click, a hash calculator. As for the windows updates, those usually don't elicit any pop-ups. It should be noted that this was the first time I installed the updates while surfing the net. Could something have compromised the downloading and installing of the updates? On second thought it was probably a bad idea to install the updates while using the computer. Although afaik these particular updates were only for MS Office, and I wasn't using Office while updating.

    Also I am on Vista SP2. Any ideas?

    Here are the executables:

mcbuilder.exe (this was from a previous pop-up which I allowed), OGAExec.exe, PEAUTH.sys and tcpipreg.sys.

    Thanks.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Ronjor,

That's interesting. I have been looking at youtube videos related to sports recently. None of these were ESPN videos or videos of ESPN produced material to my knowledge. But I could be wrong.

    Also one of the first sites I opened was soccernet, an ESPN site so maybe that has something to do with it.

But why is my browser trying to make a connection with ESPN/Disney? Can the site somehow elicit a connection attempt by the browser without dropping an exe to call out? Or have Disney hit me with a drive-by? Or even if it's a drive-by, I run sandboxed with the appropriate internet and run restrictions. Surely sbie would have stopped any executable dead in its tracks?

EDIT: I've temporarily blocked it. I am still interested in figuring it out though, just to be certain.

I have figured out what OGAExec is. It's MS spyware, just block it or it will call out every time you load Office. Also via google some claim it calls out on start-up as well. Be very careful when installing MS Updates; don't install anything unless they patch a security risk or introduce some functionality you need or want. If not, don't bother imo. Or at least this is how I'm starting to feel.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
    Have you tried another browser and does the browser exhibit the same behavior?
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
Nah, only with Iron, and this is the first time it's happened. I could reboot and try with FF, see if I can replicate it.
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    I just checked out the main page of soccernet. If you look at the page source you'll see a lot of links to corporate.disney.go* or disney.corporate* and if you follow these you also get to corporate.disney.go*.js - it doesn't appear to be anything malicious.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If one has their browser properly secured, simply place the IP in the address bar.

[attached image: ESPN.JPG]
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
So Disney were attempting to redirect me via javascript?
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Bubba,

Thanks for this. What I don't understand is why my browser was attempting to connect to that page. I don't recall clicking on anything, and even if I did, why did my firewall pop-up? How was this different from me clicking on a link or entering the domain name to get to a particular site? On those occasions my firewall doesn't pop-up, but on this occasion it did. So I guess my question is what is different about this connection that my firewall alerted me? Anyone have any ideas? Thanks.
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
I've got a new question. Why is svchost.exe attempting to establish a UDP connection to 207.46.232.182 via port 123? According to whois the IP belongs to MS. In particular msn abuse, hotmail abuse and some other MS related sites are mentioned. Why is svchost attempting to contact MS and should I allow it?
     
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Time sync?
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi:
Here is the full site data on this. If you want to block it fully you would need the range of IPs. Or put the name servers

    NameServer: SENS01.DIG.COM
    NameServer: SENS02.DIG.COM

    in HOST File as 127.0.0.1's forcing loopbacks

    See ya

    OrgName: Disney Online
    OrgID: DISNE-7
    Address: 500 S BUENA VISTA ST
    City: Burbank
    StateProv: CA
    PostalCode: 91521
    Country: US

    NetRange: 68.71.208.0 - 68.71.223.255
    CIDR: 68.71.208.0/20
    OriginAS: AS8137
    NetName: DISNEYONLINE-NETBLK-3
    NetHandle: NET-68-71-208-0-1
    Parent: NET-68-0-0-0-0
    NetType: Direct Assignment
    NameServer: SENS01.DIG.COM
    NameServer: SENS02.DIG.COM
    Comment:
    RegDate: 2009-04-07
    Updated: 2009-04-07

    RAbuseHandle: DON21-ARIN
    RAbuseName: Disney Online - NOC
    RAbusePhone: +1-866-344-4357
    RAbuseEmail: dimg-noc@disney.com

    RNOCHandle: DON21-ARIN
    RNOCName: Disney Online - NOC
    RNOCPhone: +1-866-344-4357
    RNOCEmail: dimg-noc@disney.com

    RTechHandle: DON21-ARIN
    RTechName: Disney Online - NOC
    RTechPhone: +1-866-344-4357
    RTechEmail: dimg-noc@disney.com

    OrgTechHandle: AK565-ARIN
    OrgTechName: KIWERSKI, ALEXANDER
    OrgTechPhone: +1-206-664-4190
    OrgTechEmail: Alex.Kiwerski@disney.com
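As an added example (not part of any post in this thread), here is a small Python script that parses an ARIN-style whois record like the one quoted above, checks whether the IP that triggered the alert (68.71.208.163) actually falls inside the allocation's CIDR/NetRange, and labels the svchost.exe UDP port 123 connection asked about earlier as NTP time sync. The whois text embedded below is a constructed, trimmed copy of the record in this post; the KNOWN_SERVICES table is my own assumption of which ports are worth recognising.

```python
import ipaddress

# Constructed sample: a trimmed copy of the ARIN record quoted in the post above.
WHOIS_RECORD = """\
OrgName: Disney Online
NetRange: 68.71.208.0 - 68.71.223.255
CIDR: 68.71.208.0/20
OriginAS: AS8137
NetName: DISNEYONLINE-NETBLK-3
NameServer: SENS01.DIG.COM
NameServer: SENS02.DIG.COM
"""

# Assumed table of well-known destination ports a firewall alert may show.
KNOWN_SERVICES = {("udp", 123): "NTP time sync", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys such as NameServer repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def in_allocation(record, ip):
    """True if ip lies inside the record's CIDR; cross-checked against NetRange."""
    addr = ipaddress.ip_address(ip)
    in_cidr = any(addr in ipaddress.ip_network(c, strict=False)
                  for c in record.get("CIDR", []))
    low, _, high = record["NetRange"][0].partition("-")
    in_range = (ipaddress.ip_address(low.strip()) <= addr
                <= ipaddress.ip_address(high.strip()))
    if in_cidr != in_range:
        raise ValueError("CIDR and NetRange in the whois record disagree")
    return in_cidr


def describe(record, ip, proto=None, port=None):
    """Summarise one firewall alert: who owns the IP (if this record covers it) and what the port is."""
    inside = in_allocation(record, ip)
    return {
        "ip": ip,
        "owner": record.get("OrgName", ["unknown"])[0] if inside else None,
        "netblock": record["CIDR"][0] if inside else None,
        "service": KNOWN_SERVICES.get((proto, port), "unrecognised") if port else None,
    }


if __name__ == "__main__":
    rec = parse_whois(WHOIS_RECORD)
    print(describe(rec, "68.71.208.163"))             # browser alert from the thread
    print(describe(rec, "207.46.232.182", "udp", 123))  # svchost.exe alert from the thread
```

An owner of None means the record at hand does not cover that IP, so a separate whois lookup is needed for it, which is the case for the Microsoft address.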
     
  15. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
What's time sync?
     
  16. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi guys,

Where can I find the SHA 1 hashes of PEAUTH.sys, mcbuilder.exe and tcpipreg.sys? All of these executables have recently been detected and automatically blocked by OA. A google search seems to suggest these are either windows components or, in the case of some, possibly malware. Shouldn't OA automatically trust these if they were related to the windows update? I'd like the SHA 1 hashes so that I can confirm they are windows components. Thanks.
     
  17. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Does anyone have any idea where I can find the SHA 1 hashes of PEAUTH.sys, mcbuilder.exe and tcpipreg.sys? Thanks.
     
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can no one help me with this?
     
  19. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Google. Use the obvious search terms/adaptive strategy. Should get you there.

    Blue
     