My browser(Iron) is attempting to connect to...

Discussion in 'malware problems & news' started by Dregg Heda, Sep 16, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    68.71.208.163. How do I find out what this domin is and if its safe? Thanks.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,792
    Location:
    Texas
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for that Ronjor!

    This is what I get:

    http://ws.arin.net/whois/?queryinput=68.71.208.163

    Is this THE disney? Or some sort of malware spoof? Why the hell will my browser be trying to connect to disney? I havent installed anything from them. Hell I havent ever been to any of their websites. Can anyone shed any light on this?

    You guys should know that when I booted up my PC my HIPS, OA paid alerted me to some executables, atleast one of which was a driver, which had been automatically blocked previously. The only things I recently installed were Hash on click from 2brightsparks and some windows updates. I am pretty certain I entered "install mode" while installing hash on click, a hash calculator. As for the windows updates those usually dont elicit any pop-ups. It should be noted that this was the first time I installed the updates while surfing the net. Could something have compromised the downloading and installing of the updates? On second thought it was probably a bad idea to install the updates while using the computer. Although afaik these particular updates were only for MS Office, and I wasnt using Office while updating.

    Also I am on Vista SP2. Any ideas?

    Here are the executables:

    mcbuilder.exe(this was from a previous pop-up which I allowed), OGAExec.exe, PEAUTH.sys and tcpipreg.sys.

    Thanks.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,792
    Location:
    Texas
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Ronjor,

    Thats interesting. I have been looking at youtube videos related to sports recently. None of these were ESPN videos or videos of ESPN produced material to my knowledge. But I could be wrong.

    Also one of the first sites I opened was soccernet, an ESPN site so maybe that has something to do with it.

    But why is my browser trying to make a connection with ESPN/DIsney? Can the site somehow illicit a connection attempt by the browser without dropping an exe to call out? Or have Disney hit me with a drive-by? Or even if its a drive-by I run sandboxed with the appropriate internet and run restrictions. Surely sbie would have stopped any executable dead in its tracks?

    EDIT: Ive temporarily blocked it. I am still interested in figuring it out though, just to be certain.

    I have figured out what OGAExec is. Its MS spyware, just block it or it will call out everytime you load Office. Also via google some claim it calls out on start-up as well. Be very careful when installing MS Updates dont install anything unless they patch a security risk or introduce some functionality you need or want. If not dont bother imo. Or atleast this is how Im starting to feel.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,792
    Location:
    Texas
    Have you tried another browser and does the browser exhibit the same behavior?
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Nah only with iron, and this is the first time its happened. I could reboot and try with FF, see if I can replicate it.
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    I just checked out the main page of soccernet. If you look at the page source you'll see a lot of links to corporate.disney.go* or disney.corporate* and if you follow these you also get to corporate.disney.go*.js - it doesn't appear to be anything malicious.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If one has their browser properly secured, simply place the IP in the address bar.

    ESPN.JPG
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    So Disney were attermpting to redirect me via javascript?
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi Bubba,

    Thanks for this. What I dont understand is why my browser was attempting to connect to that page. I dont recall clicking on anything, and even if I did why did my firewall pop-up? How was this different from me clicking on a link or entering the domain name to get to a particular site. On those occasions my firewall doesnt pop-up, but on this occasion it did. So I guess my question is what is different about this connection that my firewall alerted me? Anyone have any ideas? Thanks.
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Ive got a new question. Why is svchost.exe attempting to establish a udp connection to 207.46.232.182 via port 123? According to whois the ip belongs to MS. In particular msn abuse, hotmail abuse and some other MS related sites are mentioned. Why is svchost attempting to contact MS nd should I allow it?
     
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Time sync?
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi:
    Here is the full site data on this. If you want to block it fully you would need the range of ip's. Or put the name servers

    NameServer: SENS01.DIG.COM
    NameServer: SENS02.DIG.COM

    in HOST File as 127.0.0.1's forcing loopbacks

    See ya

    OrgName: Disney Online
    OrgID: DISNE-7
    Address: 500 S BUENA VISTA ST
    City: Burbank
    StateProv: CA
    PostalCode: 91521
    Country: US

    NetRange: 68.71.208.0 - 68.71.223.255
    CIDR: 68.71.208.0/20
    OriginAS: AS8137
    NetName: DISNEYONLINE-NETBLK-3
    NetHandle: NET-68-71-208-0-1
    Parent: NET-68-0-0-0-0
    NetType: Direct Assignment
    NameServer: SENS01.DIG.COM
    NameServer: SENS02.DIG.COM
    Comment:
    RegDate: 2009-04-07
    Updated: 2009-04-07

    RAbuseHandle: DON21-ARIN
    RAbuseName: Disney Online - NOC
    RAbusePhone: +1-866-344-4357
    RAbuseEmail: dimg-noc@disney.com

    RNOCHandle: DON21-ARIN
    RNOCName: Disney Online - NOC
    RNOCPhone: +1-866-344-4357
    RNOCEmail: dimg-noc@disney.com

    RTechHandle: DON21-ARIN
    RTechName: Disney Online - NOC
    RTechPhone: +1-866-344-4357
    RTechEmail: dimg-noc@disney.com

    OrgTechHandle: AK565-ARIN
    OrgTechName: KIWERSKI, ALEXANDER
    OrgTechPhone: +1-206-664-4190
    OrgTechEmail: Alex.Kiwerski@disney.com
     
  15. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Whats time sync?
     
  16. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi guys,

    where can I find the SHA 1 hashes of PEAUTH.sys, mcbuilder.exe and tcpipreg.sys. All of these executables have recently been detected and automatically blocked by OA. A google search seems to suggest these are either windows components or in the case of some possibly malware. Shouldnt OA automatically trust these if they were related to the windows update? Id like the SHA 1 hashes so that I can confirm they are windows components. Thanks.
     
  17. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Does anyone have any idea where I can find the SHA 1 hashes of PEAUTH.sys, mcbuilder.exe and tcpipreg.sys? Thanks.
     
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can no one help me with this?
     
  19. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Google. Use the obvious search terms/adaptive strategy. Should get you there.

    Blue
     
Loading...
Thread Status:
Not open for further replies.