Message boards : Cafe SETI : who is pre005.lifemedien.de?
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
And why, every time I come to the Cafe, does my firewall go nuts?
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port xxxx on your computer.
And it keeps trying on many ports..... thanks
Rom Walton (BOINC) | Joined: 28 Apr 00 | Posts: 579 | Credit: 130,733 | RAC: 0
What port number is it trying to attach to?
-----
Rom
BOINC Development Team, U.C. Berkeley
Daniel Michel | Joined: 2 Feb 04 | Posts: 14925 | Credit: 1,378,607 | RAC: 6
> And why every time I come to the Cafe my firewall goes nuts?
> A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port xxxx on your computer.
> and keeps trying on many ports.....
> thanks
I checked my firewall and saw pre005.lifemedien.de listed in the traffic log. When I back-traced www.hcs-tuning.de (194.97.107.175) it read as if it were going for port 0.
PROUD TO BE TFFE!
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
> What port number is it trying to attach to?
All of them.
S. Port 80
D. Ports 1229 1228 1208 1197 1229 1228 1226 1169 1143 1109 4861
I can go on and on, Rom. Thanks, and there's more besides this one....
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
> And why every time I come to the Cafe my firewall goes nuts?
> A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port xxxx on your computer.
> and keeps trying on many ports.....
> thanks
I refreshed my screen and this is one of the messages I get:
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1502 on your computer. TCP port 1502 is commonly used by the "Shiva" service or program.
Then another one is:
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1510 on your computer. TCP port 1510 is commonly used by the "Midland Valley Exploration Ltd. Lic. Man." service or program.
Rom Walton (BOINC) | Joined: 28 Apr 00 | Posts: 579 | Credit: 130,733 | RAC: 0
Does it happen off the homepage? Is it only some of the threads, or all of them?
-----
Rom
BOINC Development Team, U.C. Berkeley
N/A | Joined: 18 May 01 | Posts: 3718 | Credit: 93,649 | RAC: 0
It's not me. I'd have used :1043 .o0(Who doesn't?)
> nslookup pre005.lifemedien.de
Name: pre005.lifemedien.de
Address: 194.97.107.175
> nslookup 194.97.107.175
Non-authoritative answer:
175.107.97.194.in-addr.arpa name = pre005.lifemedien.de.
Authoritative answers can be found from:
107.97.194.in-addr.arpa nameserver = dns.mcbone.net.
107.97.194.in-addr.arpa nameserver = wayne.mcbone.net.
107.97.194.in-addr.arpa nameserver = center-n.mcbone.net.
dns.mcbone.net internet address = 194.97.3.2
wayne.mcbone.net internet address = 62.104.198.72
center-n.mcbone.net internet address = 194.97.3.4
Hitting up lifemedien.de shows a web hosting site. Vas ist der gamen?
Alex | Joined: 26 Sep 01 | Posts: 260 | Credit: 2,327 | RAC: 0
I'm going to guess that it's probably a BOINC stats image on a server which is taking too long for your firewall program.
Myself, I have images turned off.
Each time your PC makes a request, it opens up a new temporary listening port that your web browser uses to get an image.
When you surf, you open up several concurrent connections at once when viewing a page with many images on it. Browsers turn off the listen port after getting a proper response or when they time out.
I can see how a stats server could get overloaded on a large thread, such as the 'babe of the day' thread, when there's a hundred statistic sigs.
You can open up a command line and type netstat or netstat -n to see what ports your PC opens up.
Rom Walton (BOINC) | Joined: 28 Apr 00 | Posts: 579 | Credit: 130,733 | RAC: 0
> I'm going to guess that it's probably a BOINC stats image on a server which is taking too long for your firewall program.
> Myself, I have images turned off.
> Each time your PC makes a request, it opens up a new temporary listening port that your web browser uses to get an image.
> When you surf, you open up several concurrent connections at once when viewing a page with many images on it. Browsers turn off the listen port after getting a proper response or when they time out.
> I can see how a stats server could get overloaded on a large thread, such as the 'babe of the day' thread, when there's a hundred statistic sigs.
> You can open up a command line and type netstat or netstat -n to see what ports your PC opens up.
Typically a browser uses a pull model where the request is opened up on a port but the web server's response is sent back through that existing connection. An HTTP server should not attempt to establish a connection with your machine through normal use; it looks to me as though an image request is triggering a port scan of some kind, possible worm infection type activity.
-----
Rom
BOINC Development Team, U.C. Berkeley
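The pull model Rom describes, as an added loopback demonstration (example code, not anything posted in this thread): the client opens the connection from an ephemeral port the OS picks, the server answers over that same socket, and the client never listens. A second helper reads a firewall entry of the shape Captain Avatar posted ("S. Port 80 D. Port 1229") in that light. The request line, hostnames, the stand-in image body and the Windows 2000/XP ephemeral range (an assumption about the poster's platform) are constructed for the demo.

```python
"""Added example, not code from the thread: the HTTP 'pull model' on loopback,
plus a reader for firewall lines of the form 'S. Port 80  D. Port 1229'."""
import socket
import threading

# Ephemeral (dynamic) client-port range of Windows 2000/XP. Assumption about
# the poster's OS; Linux and modern Windows use a higher range.
XP_EPHEMERAL = range(1025, 5001)
WEB_PORTS = {80, 443}


def serve_one_request(listener, result):
    """Accept one TCP connection, read the request, answer on the SAME socket."""
    conn, peer = listener.accept()
    with conn:
        result["request"] = conn.recv(4096)
        result["peer"] = peer            # (client ip, client ephemeral port)
        body = b"GIF89a"                 # constructed stand-in for a stats image
        head = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
        conn.sendall(head + body)        # the reply rides the existing connection


def fetch_image():
    """Client side: connect, send one GET, read until the server closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick the server port
    listener.listen(1)
    server_port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=serve_one_request, args=(listener, result))
    worker.start()

    client = socket.create_connection(("127.0.0.1", server_port))
    with client:
        client_port = client.getsockname()[1]   # ephemeral, chosen by the OS
        client.sendall(b"GET /neil/mirror_xml.php?name=Misfit HTTP/1.1\r\n"
                       b"Host: www.hcs-tuning.de\r\nConnection: close\r\n\r\n")
        response = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            response += chunk
    worker.join()
    listener.close()
    return {
        "server_port": server_port,
        "client_port": client_port,
        "server_saw_peer_port": result["peer"][1],
        "request_seen_by_server": result["request"],
        "response": response,
    }


def classify_alert(src_port, dst_port, ephemeral=XP_EPHEMERAL):
    """Read a firewall line 'S. Port <src> D. Port <dst>' for an INBOUND packet.

    Remote side on a web port and local side on an ephemeral port means the
    packet is the reply half of a connection the browser opened. A scanner
    would instead be probing fixed service ports from arbitrary source ports.
    """
    if src_port in WEB_PORTS and dst_port in ephemeral:
        return "return traffic for a browser-initiated HTTP connection"
    if dst_port < 1024:
        return "inbound to a well-known service port: worth a closer look"
    return "unclassified"


if __name__ == "__main__":
    r = fetch_image()
    print("client ephemeral port:", r["client_port"], "server port:", r["server_port"])
    print("server replied with:", r["response"].split(b"\r\n")[0])
    for src, dst in [(80, 1229), (80, 1502), (6667, 445)]:
        print(f"S. Port {src} D. Port {dst}: {classify_alert(src, dst)}")
```

Run it and the server's view of the peer port equals the client's own ephemeral port, which is exactly the "destination port" a host firewall prints when it logs the server's reply packets.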
N/A | Joined: 18 May 01 | Posts: 3718 | Credit: 93,649 | RAC: 0
> I'm going to guess that it's probably a BOINC stats image on a server which is taking too long for your firewall program.
I've sniffed through the most heavily transited pages in the Café with all images and sigs turned on; neither pre005.lifemedien.de nor 194.97.107.175 showed up. I checked my ipfw log. Just the usual NetBIOS BS... I guess that it's just a zombie looking for an easy host in the pool.
I gave it to Agnes / she got it from Jim...
Alex | Joined: 26 Sep 01 | Posts: 260 | Credit: 2,327 | RAC: 0
Edit: update. My firewall shows it's Misfit's sig. Here's the contents of a packet from pre005.lifemedien.de:
0000: 00 80 C8 B4 8E C2 00 40 : 2B 62 78 83 08 00 45 00 | .......@+bx...E.
0010: 02 A5 C2 B9 40 00 40 06 : 86 7C C0 A8 00 64 C2 61 | ....@.@..|...d.a
0020: 6B AF 06 2E 00 50 79 9C : 0E E0 D0 FA D4 05 50 18 | k....Py.......P.
0030: FA F0 42 39 00 00 47 45 : 54 20 2F 6E 65 69 6C 2F | ..B9..GET /neil/
0040: 6D 69 72 72 6F 72 5F 78 : 6D 6C 2E 70 68 70 3F 62 | mirror_xml.php?b
0050: 67 3D 30 30 30 30 30 30 : 26 62 6F 72 64 65 72 3D | g=000000&border=
0060: 30 30 30 30 30 30 26 74 : 65 78 74 3D 30 30 66 66 | 000000&text=00ff
0070: 30 30 26 75 73 65 5F 62 : 6F 72 64 65 72 3D 30 26 | 00&use_border=0&
0080: 63 72 65 64 69 74 3D 34 : 35 32 39 34 2E 34 33 26 | credit=45294.43&
0090: 61 76 67 43 72 65 64 69 : 74 3D 33 34 2E 31 32 26 | avgCredit=34.12&
00A0: 6E 61 6D 65 3D 4D 69 73 : 66 69 74 26 63 6F 75 6E | name=Misfit&coun
00B0: 74 72 79 3D 55 6E 69 74 : 65 64 25 32 30 53 74 61 | try=United%20Sta
00C0: 74 65 73 26 72 65 67 3D : 32 31 73 74 25 32 30 4A | tes&reg=21st%20J
00D0: 75 6E 25 32 30 32 30 30 : 31 25 32 30 32 31 3A 31 | un%202001%2021:1
00E0: 33 3A 32 35 26 74 65 61 : 6D 4E 61 6D 65 3D 42 4F | 3:25&teamName=BO
00F0: 49 4E 43 2B 53 79 6E 65 : 72 67 79 26 6D 4E 6F 3D | INC+Synergy&mNo=
0100: 36 26 62 67 5F 69 6D 61 : 67 65 3D 68 74 74 70 3A | 6&bg_image=http:
0110: 2F 2F 69 6D 67 2E 70 68 : 6F 74 6F 62 75 63 6B 65 | //img.photobucke
0120: 74 2E 63 6F 6D 2F 61 6C : 62 75 6D 73 2F 76 33 33 | t.com/albums/v33
0130: 30 2F 73 65 74 69 77 65 : 62 2F 6E 65 62 75 6C 61 | 0/setiweb/nebula
0140: 2E 6A 70 67 26 69 6D 61 : 67 65 5F 74 79 70 65 3D | .jpg&image_type=
0150: 33 26 74 72 61 6E 73 3D : 6F 66 66 26 74 65 61 6D | 3&trans=off&team
0160: 3D 6F 6E 26 74 65 61 6D : 52 61 6E 6B 3D 31 30 26 | =on&teamRank=10&
0170: 72 61 6E 6B 3D 35 38 32 : 31 26 72 66 3D 30 26 70 | rank=5821&rf=0&p
0180: 72 6A 3D 31 26 75 70 64 : 61 74 65 64 3D 33 30 2F | rj=1&updated=30/
0190: 30 33 2F 30 35 20 48 54 : 54 50 2F 31 2E 31 0D 0A | 03/05 HTTP/1.1..
01A0: 41 63 63 65 70 74 3A 20 : 2A 2F 2A 0D 0A 52 65 66 | Accept: */*..Ref
01B0: 65 72 65 72 3A 20 68 74 : 74 70 3A 2F 2F 73 65 74 | erer: http://set
01C0: 69 77 65 62 2E 73 73 6C : 2E 62 65 72 6B 65 6C 65 | iweb.ssl.berkele
01D0: 79 2E 65 64 75 2F 66 6F : 72 75 6D 5F 74 68 72 65 | y.edu/forum_thre
01E0: 61 64 2E 70 68 70 3F 69 : 64 3D 35 31 39 35 0D 0A | ad.php?id=5195..
01F0: 41 63 63 65 70 74 2D 4C : 61 6E 67 75 61 67 65 3A | Accept-Language:
0200: 20 65 6E 2D 63 61 0D 0A : 41 63 63 65 70 74 2D 45 |  en-ca..Accept-E
0210: 6E 63 6F 64 69 6E 67 3A : 20 67 7A 69 70 2C 20 64 | ncoding: gzip, d
0220: 65 66 6C 61 74 65 0D 0A : 55 73 65 72 2D 41 67 65 | eflate..User-Age
0230: 6E 74 3A 20 4D 6F 7A 69 : 6C 6C 61 2F 34 2E 30 20 | nt: Mozilla/4.0 
0240: 28 63 6F 6D 70 61 74 69 : 62 6C 65 3B 20 4D 53 49 | (compatible; MSI
0250: 45 20 36 2E 30 3B 20 57 : 69 6E 64 6F 77 73 20 4E | E 6.0; Windows N
0260: 54 20 35 2E 31 3B 20 53 : 56 31 3B 20 2E 4E 45 54 | T 5.1; SV1; .NET
0270: 20 43 4C 52 20 31 2E 31 : 2E 34 33 32 32 29 0D 0A |  CLR 1.1.4322)..
0280: 43 6F 6E 6E 65 63 74 69 : 6F 6E 3A 20 4B 65 65 70 | Connection: Keep
0290: 2D 41 6C 69 76 65 0D 0A : 48 6F 73 74 3A 20 77 77 | -Alive..Host: ww
02A0: 77 2E 68 63 73 2D 74 75 : 6E 69 6E 67 2E 64 65 0D | w.hcs-tuning.de.
02B0: 0A 0D 0A : | ...
> An HTTP server should not attempt to establish a connection with your machine through normal use; it looks to me as though an image request is triggering a port scan of some kind, possible worm infection type activity.
The longer the thread, the more images there are. I really doubt it's a port scan. I'm sticking with the 'guy loaded some images in his sig' theory.
This is from viewing the Mission on Mars status thread in the science folder:
TCP testbox:1445 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1446 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1447 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1448 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1449 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1451 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1452 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1454 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1456 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1457 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1459 unknown.Level3.net:http ESTABLISHED
TCP testbox:1464 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1465 user-11218np.dsl.mindspring.com:8018 ESTABLISHED
TCP testbox:1466 pre005.lifemedien.de:http ESTABLISHED
TCP testbox:1468 unknown219.9.157.204.defenderhosting.com:http ESTABLISHED
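The packet Alex posted, decoded as an added example (not code from the thread): the Ethernet, IPv4 and TCP headers all sit in the first three dump lines, so only the first five lines are transcribed here, and the decoder shows which side sent the segment. The one interpretive assumption is in describe(): a 192.168.x.x source is RFC 1918 private space, i.e. the poster's own LAN host, so a GET to port 80 from it is outbound and the replies that the firewall logs are addressed to that host's own ephemeral port.

```python
"""Added example, not from the thread: parse the posted hex dump back into
bytes and decode Ethernet II -> IPv4 -> TCP to establish direction."""
import ipaddress
import struct

# Transcribed from the dump in the post above (first 80 of the 691 bytes).
HEXDUMP = """\
0000: 00 80 C8 B4 8E C2 00 40 : 2B 62 78 83 08 00 45 00 | .......@+bx...E.
0010: 02 A5 C2 B9 40 00 40 06 : 86 7C C0 A8 00 64 C2 61 | ....@.@..|...d.a
0020: 6B AF 06 2E 00 50 79 9C : 0E E0 D0 FA D4 05 50 18 | k....Py.......P.
0030: FA F0 42 39 00 00 47 45 : 54 20 2F 6E 65 69 6C 2F | ..B9..GET /neil/
0040: 6D 69 72 72 6F 72 5F 78 : 6D 6C 2E 70 68 70 3F 62 | mirror_xml.php?b
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def hexdump_to_bytes(dump):
    """Parse 'offset: xx xx ... : xx xx | ascii' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        hex_part = line.split("|", 1)[0]          # drop the ASCII column
        hex_part = hex_part.split(":", 1)[1]      # drop the offset
        raw += bytes.fromhex(hex_part.replace(":", " "))
    return bytes(raw)


def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP; returns the fields that matter for direction."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # IP header length in bytes
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4              # TCP header length in bytes
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "ip_total_len": total_len,
        "ttl": ttl,
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "payload": tcp[data_off:],
    }


def describe(pkt):
    """Say which side opened the conversation, from the decoded header alone."""
    src_private = ipaddress.IPv4Address(pkt["src_ip"]).is_private   # RFC 1918 check
    if src_private and pkt["dst_port"] in (80, 443) and pkt["payload"].startswith(b"GET "):
        return ("outbound HTTP request from local %s:%d to %s:%d; the server's reply "
                "comes back to local port %d, which is the port the firewall logs"
                % (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"],
                   pkt["dst_port"], pkt["src_port"]))
    return "direction unclear from this packet"


if __name__ == "__main__":
    pkt = decode_frame(hexdump_to_bytes(HEXDUMP))
    for key, value in pkt.items():
        print(f"{key:13} {value}")
    print(describe(pkt))
```

Decoded, the segment is 192.168.0.100:1582 to 194.97.107.175:80 with PSH,ACK set and a GET for /neil/mirror_xml.php in the payload: the LAN host is the one doing the asking, and the "attempt to access TCP port 1582" a host firewall would report is the mirror's answer.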
N/A | Joined: 18 May 01 | Posts: 3718 | Credit: 93,649 | RAC: 0
Sorry, but all I'm seeing here is:
http://boinc.mundayweb.com/seti2/stats.php?blahblahblah
http://setiweb.ssl.berkeley.edu/forum_thread.php?blahblahblah
http://setiweb.ssl.berkeley.edu/blahblahblah
http://setiweb.ssl.berkeley.edu/user_profile/images/blahblahblah, and
http://www.boincsynergy.com/images/stats/blahblahblah
I don't think it's a SIG.
Alex | Joined: 26 Sep 01 | Posts: 260 | Credit: 2,327 | RAC: 0
If you visit mundayweb, http://www.boinc.mundayweb.com/ , you'll know that people donate the use of mirrors to help him out.
If you resolve the IP addy of www.hcs-tuning.de you'll see that it's hosted by lifemedien.de:
http://www.network-tools.com/default.asp?prog=trace&Netnic=whois.arin.net&host=www.hcs-tuning.de
N/A | Joined: 18 May 01 | Posts: 3718 | Credit: 93,649 | RAC: 0
And the moral of the story is Don't Dare Debug at 4AM while Drinking Decaf.
I owe you a +1 (my RAC is too low!).
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
> And the moral of the story is Don't Dare Debug at 4AM while Drinking Decaf.
> I owe you a +1 (my RAC is too low!).
OK, what are your suggestions other than turning off images?
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 2819 on your computer. TCP port 2819 is commonly used by the "FC Fault Notification" service or program.
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
> OK, what are your suggestions other than turning off images?
I turned off all images and the attacks stopped.
Of course this sucks for me since I am Captain Avatar and this is very bad for biz...... Not that I charge money for my efforts! ....
Celtic Wolf | Joined: 3 Apr 99 | Posts: 3278 | Credit: 595,676 | RAC: 0
> > OK, what are your suggestions other than turning off images?
> I turned off all images and the attacks stopped.
> Of course this sucks for me since I am Captain Avatar and this is very bad for biz...... Not that I charge money for my efforts! ....
I have contacted Neil Munday and informed him of the problem, Timmy. If you look at your firewall you'll probably see my domain there too. I am a Munday Web Mirror too.
I'd rather speak my mind because it hurts too much to bite my tongue.
American Spirit BBQ
Proudly Serving those that courageously defend freedom.
Alex | Joined: 26 Sep 01 | Posts: 260 | Credit: 2,327 | RAC: 0
> I turned off all images and the attacks stopped.
I really doubt that your PC is being attacked.
Captain Avatar | Joined: 17 May 99 | Posts: 15133 | Credit: 529,088 | RAC: 0
I am sending you and Rom my logs so you can see what's happening. I took a snapshot with graphics turned off, and I am clearing the logs and turning the graphics back on and will send that also.... in a few min...
N/A | Joined: 18 May 01 | Posts: 3718 | Credit: 93,649 | RAC: 0
+ed you.
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.