Update download sites

Discussion in 'Trojan Defence Suite' started by Rainwalker, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Greetings, When I went to download the TDS update today I noticed that all the mirrors and the main TDS update download sites had the same address, and that was 148.225.83.37, remote name always....
    fractus.mat.uson.mx. I have not paid much attention in the past, but I am thinking that all the download sites had different addresses and the names were as indicated in the TDS server config window...... o_O

    TIA
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Waiting for our DCS team to explain this. They should all have different IP addresses, yes.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, there are 8 different servers at the moment, with 1 experiencing problems. Grab a new update.cfg here if you need it, or just check in Notepad that it has some different servers included

    http://tds.diamondcs.com.au/index.php?page=update
     
  4. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Greetings,
    Today at 7:15am Alaska time I went to download the TDS update and the mirror that I used was www.turvamies.com (as shown in the console window).
    The remote address was 66.152.98.13, but when I checked turvamies' IP address by going to www.turvamies.com it was 193.64.174.119. Now, when I was dealing with the issue mentioned above, my firewall would ask me if I wanted to allow a dll to that .mx site, and again it did this for all the mirrors and not just one, and in the past my fw would simply update TDS w/out asking for permission to load a dll. Today no dll request came up, but why two different IP addresses? Is this normal, in that the mirror might be using a mirror? :doubt:
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    66.152.98.13 belongs to www03.powweb.com o_O
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Dollefie, but I do not know what that means ( www03.powweb.com ) o_O o_O
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Well.... just went to try a new download of TDS-3 and tried all mirrors listed at Diamond's site, and every one showed the IP address as 66.152.98.13.
    I really need some help here. :eek:
     
  8. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    This just keeps getting better..... blocked the site above and now ALL updates are from 148.225.83.37......... Mexico again.
    Yeah, got to sort this out...... helpppppppp :'(
     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    this sounds strange - but I'm not sure I even understand what you're describing. It could be anything - from a harmless thing, to a rootkit, to a poisoned DNS server at your ISP...
    I'd like you to clarify a few things for us:

    - Can you paste the contents of your update.cfg (and possibly file-search to verify that there is only one such file on your system)?

    - Can you paste the contents of your hosts file, if it's not too large? If it is, try to find out if the FQDNs (Fully Qualified Domain Names - like www. xy . com) or the IP addresses involved are in there...

    - What firewall are you using?

    - How do you proceed to compare the IP addresses to the FQDNs, i.e. which program are you using, where are the values displayed?

    - What is your DNS server (can be seen by running WinIPConfig, I think)? Have you encountered any web browsing problems or problems updating other security software?

    Thanks a lot,
    Andreas
     
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Andreas.... thanks for getting back. Something very strange just happened..... I clicked on the link you sent ( xy.com ) to look at the FQDN stuff as recommended and it is a gay something-or-other site. I spent no time there and backed out right away. Did YOU send that site? o_O
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Addresses change at times from owner/content (we're not always able to check a site before posting it). Anyway, found on this site more explanation which you might like to look at
    here for the FQDN part. (Google is more or less our friend here.)
     
  12. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Jooske. Do you or anyone know what the heck www03.powweb.com is all about? o_O I was not aware of anything but www.etc etc; this 03 thing could not be good o_O
     
  13. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Sorry, Rainwalker,
    I didn't mean to provide a link. I meant that just as an example of what a "Fully Qualified Domain Name" is, i.e. a top-level domain .com which has one or more servers/subdomains preceding it. The first one normally being a www server, I wanted to give www<dot>xy-or-just-anything<dot>com as an example. Sorry to have caused you trouble. You did right to immediately back up and leave.

    To be more precise, I was meaning to ask if you find www.turvamies.com, fractus.mat.uson.mx, www03.powweb.com or any of the IP addresses you mentioned in your hosts file (in my W2k system this is in c:\windows\system32\drivers\etc).

    The 03 in www03 is probably harmless; it indicates a part of a webserver array that provides the same pages, but shares the load. You point your browser to www.blabla and are then transparently redirected to one of the mirrors. But when you do a lookup of that mirror's IP, you don't receive your initial go-to address, but its real name, being www03 here.

    Sorry again,
    Andreas
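The checklist in post 9 (is any mirror name or IP pinned in the hosts file; what does each mirror resolve to) and the hosts-file / www03 reverse-name explanation in post 13 can be turned into a small offline check. The script below is an added example, not code from the thread or from DiamondCS/TDS. It assumes a hypothetical update.cfg layout of one mirror hostname per line (the real TDS format is not shown in the thread), uses a constructed hosts file with a deliberately planted override on a documentation-range address (192.0.2.10), and takes the resolver as a parameter so it can run without network access; the `reverse_name` helper is what would show a load-balanced node's real PTR name, as with www03.powweb.com.

```python
"""Added example, not code from the thread or from DiamondCS/TDS.

It automates the checks Andreas1 asks for: are any of the update mirrors
pinned in the hosts file (which the Windows resolver consults before DNS),
and do several mirrors collapse onto one IP, as Rainwalker reports.
The update.cfg layout used here (one mirror hostname per line) is a
hypothetical stand-in; the real TDS file format is not shown in the thread.
"""
import ipaddress
import socket
from collections import defaultdict

# Constructed sample list in the hypothetical layout, using the mirror
# names mentioned in the thread.
SAMPLE_MIRRORS = """
# hypothetical update.cfg layout: one mirror hostname per line
www.turvamies.com
fractus.mat.uson.mx
tds.diamondcs.com.au
"""

# Constructed sample hosts file. The second line is a deliberately planted
# override; 192.0.2.10 is a documentation-range address, not a real host.
SAMPLE_HOSTS = """
127.0.0.1      localhost
192.0.2.10     www.turvamies.com   # planted override for the demonstration
"""


def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP. Comments and blank or
    malformed lines are skipped; names are lower-cased for case-insensitive lookups."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an IP address: ignore the line
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def parse_mirrors(text):
    """Hostnames from the hypothetical one-per-line update.cfg layout."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def dns_resolve(name):
    """Forward lookup through the system resolver; None if it fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def reverse_name(ip, lookup=socket.gethostbyaddr):
    """PTR name for an IP (the www03.powweb.com kind of name a load-balanced
    mirror node reports); None if there is no reverse record."""
    try:
        return lookup(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def audit_mirrors(mirror_text, hosts_text, resolve=dns_resolve):
    """Return a findings dict: mirrors overridden in the hosts file, IPs shared
    by more than one mirror, mirrors that did not resolve, and the full map.
    A hosts-file entry wins over DNS, matching the Windows resolver order."""
    hosts = parse_hosts(hosts_text)
    findings = {"hosts_overrides": {}, "shared_ips": {},
                "unresolved": [], "resolved": {}}
    by_ip = defaultdict(list)
    for mirror in parse_mirrors(mirror_text):
        key = mirror.lower()
        if key in hosts:
            ip = hosts[key]
            findings["hosts_overrides"][mirror] = ip
        else:
            ip = resolve(mirror)
        if ip is None:
            findings["unresolved"].append(mirror)
            continue
        findings["resolved"][mirror] = ip
        by_ip[ip].append(mirror)
    findings["shared_ips"] = {ip: names for ip, names in by_ip.items()
                              if len(names) > 1}
    return findings


if __name__ == "__main__":
    # Offline run: a stub dict stands in for DNS so the demo needs no network.
    stub = {"fractus.mat.uson.mx": "192.0.2.10", "tds.diamondcs.com.au": "192.0.2.20"}
    result = audit_mirrors(SAMPLE_MIRRORS, SAMPLE_HOSTS, resolve=stub.get)
    for ip, names in result["shared_ips"].items():
        print(f"{ip} serves {len(names)} mirrors: {', '.join(names)}")
    for name, ip in result["hosts_overrides"].items():
        print(f"hosts file pins {name} to {ip}")
```

On a real machine you would feed it the actual update.cfg and the hosts file from the path Andreas1 names, and leave `resolve` at its default so the system resolver (and hence the DNS server WinIPConfig shows) is what gets exercised. A mirror appearing in `hosts_overrides`, or every mirror landing in one `shared_ips` bucket, is exactly the situation the thread is trying to distinguish from a harmless shared hosting node.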
     
  14. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Andreas, not to worry; right after I posted it dawned on me what you meant. Did you see my www03 question? If so, any info??
     
  15. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Updated the above posting - probably while you were reading the initial version or writing your reply. My interpretation of www03 is in there now.

    Andreas
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK, feel better :) I will look deeper later. Gotta hit the sack.... 4:30am here. Thanks again
     