Discussion:
Possible security problem? Follow up to a post by Mike Scott
Robbie
2005-05-24 02:16:56 UTC
A poster called Mike Scott posted this message in this newsgroup on
March 29 this year:
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to
break!

The connection is always to tcp port 80, but looking there with a
browser gives a message along the lines of 'invalid url, / not found'
(can't check now because of the firewall :-) )

I can't think of anything installed on one, never mind all three
machines that would cause this. Maybe it's actually innocuous: any
ideas
please? I've not managed to catch any of the actual traffic, just a
note of the connection being made.

Oh yes, complete list found so far is:
I've come across this post following a google search because all of a
sudden one of those IP addresses is showing as being connected at times
via port 80 to my computer. If Mike is still posting here did you find
out what was going on behind these connections, which are to Zen
Internet?

It's very puzzling, and a bit worrying. I too am on NTL and wonder if
this is in some way connected?

Has anyone got any further ideas on what this could be? I've checked
the computer, no spyware or adware etc.

Puzzling!

Robbie
Mike Scott
2005-05-24 08:06:45 UTC
Post by Robbie
A poster called Mike Scott posted this message in this newsgroup on
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to
break!
The connection is always to tcp port 80, but looking there with a
browser gives a message along the lines of 'invalid url, / not found'
(can't check now because of the firewall :-) )
...
Post by Robbie
I've come across this post following a google search because all of a
sudden one of those IP addresses is showing as being connected at times
via port 80 to my computer. If Mike is still posting here did you find
out what was going on behind these connections, which are to Zen
Internet?
It's very puzzling, and a bit worrying. I too am on NTL and wonder if
this is in some way connected?
Has anyone got any further ideas on what this could be? I've checked
the computer, no spyware or adware etc.
Hi, I'm still here.

After more investigation, (with ethereal, iirc) I decided that Zen must
be supplying a server farm of some sort. As I remember, the
Zen-directed traffic turned out to be for AVG updates, and maybe other
'legit' accesses. I seem to recall I had to re-enable the Zen addresses
for ebay to work correctly, which was a surprise.

I apologise for not getting back to the group - it was one of those
"half-fixed" queries - not really sure enough either way to give answers
(and still, I might add, not entirely happy).

FWIW I've just checked, and the note in my firewall config file says:

# zen is suspicious. All three win m/c have been calling out to port
# 80 on various zen machines. No idea why. 29/3/05
# Looks like they run servers used by eg grisoft/avg and ebay
##block in log body quick on WORLD proto tcp/udp from 82.68.0.0/14 to any
##block out log body quick on WORLD from any to 82.68.0.0/14

And I've obviously commented out the restrictions -- must have had a
good reason, just wish I could remember it :-)
--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
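As an added example (not code from any poster in this thread), the following triages outbound-SYN log lines the way Mike's firewall-machine approach suggests: it groups destinations that fall inside the 82.68.0.0/14 block from his commented-out rule, records how many internal hosts reach each one, and shows how much wider that /14 is than the 82.71.193.0/24 actually observed. The log layout and every address other than the thread's own ranges are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of outbound-SYN firewall log lines in a simple
# "date time src -> dst:port" layout; these are not Mike's real logs.
# 198.51.100.7 is a documentation address; 82.70.12.4 is a made-up host
# inside the /14 but outside the observed /24.
SAMPLE_LOG = """\
29/03/05 09:12:01 192.168.1.10 -> 82.71.193.197:80
29/03/05 09:12:03 192.168.1.11 -> 82.71.193.205:80
29/03/05 09:13:40 192.168.1.10 -> 198.51.100.7:80
29/03/05 09:14:02 192.168.1.12 -> 82.71.193.230:80
29/03/05 09:15:17 192.168.1.11 -> 82.71.193.197:80
29/03/05 09:16:55 192.168.1.10 -> 82.70.12.4:443
"""

LINE_RE = re.compile(r"(\S+) (\S+) (\S+) -> (\S+):(\d+)")

# The range Mike's rule would block, and the range the thread actually saw.
BLOCKED = ipaddress.ip_network("82.68.0.0/14")
OBSERVED = ipaddress.ip_network("82.71.193.0/24")


def parse_outbound(log):
    """Return (src, dst, port) tuples for every parsable line."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, _, src, dst, port = m.groups()
            out.append((src, ipaddress.ip_address(dst), int(port)))
    return out


def summarise(log):
    """Count SYNs per (dst, port) inside BLOCKED and how many distinct
    internal hosts talk to each blocked destination."""
    hits = Counter()
    sources = {}
    for src, dst, port in parse_outbound(log):
        if dst in BLOCKED:
            hits[(str(dst), port)] += 1
            sources.setdefault(str(dst), set()).add(src)
    return hits, {d: len(s) for d, s in sources.items()}


def overblock_ratio():
    """Addresses the /14 rule blocks per address in the observed /24."""
    return BLOCKED.num_addresses // OBSERVED.num_addresses
```

The ratio of 1024 is the practical caveat: a /14 block covers far more than the Akamai-style hosts that were seen, which is why unrelated sites broke once it was applied.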
Robbie
2005-05-24 13:53:50 UTC
Post by Mike Scott
After more investigation, (with ethereal, iirc) I decided that Zen must
be supplying a server farm of some sort. As I remember, the
Zen-directed traffic turned out to be for AVG updates, and maybe other
'legit' accesses. I seem to recall I had to re-enable the Zen
addresses
Post by Mike Scott
for ebay to work correctly, which was a surprise.
Thanks for the reply. Yes, just noticed this. I blocked the IP range in
Zone Alarm Pro - ebay.co.uk doesn't operate with any graphics / links
AND I noticed that when I log out from HSBC the graphics / links are
missing too. Deleting the IP range from the blocked list:

allows the graphics to be shown on both sites
allows links to be displayed on both sites
at the same time an IP number in that range above magically reappears

I first noticed the issue purely by chance when running and looking at
"Active Ports" after I had clicked on "more info" in the Zone Alarm
Alerts and Logs area - it opens a page in my browser to show an
analysis. One of those IP numbers suddenly appeared. Again, unblocking
the IP range causes this to function properly and sure enough, the IP
number magically reappears again.

The thing all three sites that now function properly have in common are
advertising links, albeit for products provided or sold by that
particular company, and seemingly linking to other pages within that
site (ie ebay links to other pages in ebay, HSBC to HSBC, ZA to ZA). It
has to be for a commercial reason of some sort why that range of IP
numbers appears. I guess it's nothing malicious though.

Robbie
Robbie
2005-05-24 14:05:18 UTC
Robbie wrote:

In addition, exactly like you mentioned, my AVG has now downloaded an
update. With the IP range blocked, no updates were showing as being
available.

Thanks again for the replies.

Robbie
SR
2005-05-24 08:33:19 UTC
Post by Robbie
Has anyone got any further ideas on what this could be. I've checked
the computer, no spyware or adware etc.
If you haven't already done so, use a packet sniffer (network analyser) to
see what data is being sent/received.
David Norris
2005-05-25 14:04:02 UTC
Post by Robbie
A poster called Mike Scott posted this message in this newsgroup on
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to
break!
The connection is always to tcp port 80, but looking there with a
browser gives a message along the lines of 'invalid url, / not found'
(can't check now because of the firewall :-) )
I can't think of anything installed on one, never mind all three
machines that would cause this. Maybe it's actually innocuous: any
ideas
please? I've not managed to catch any of the actual traffic, just a
note of the connection being made.
I've come across this post following a google search because all of a
sudden one of those IP addresses is showing as being connected at times
via port 80 to my computer. If Mike is still posting here did you find
out what was going on behind these connections, which are to Zen
Internet?
It's very puzzling, and a bit worrying. I too am on NTL and wonder if
this is in some way connected?
Has anyone got any further ideas on what this could be? I've checked
the computer, no spyware or adware etc.
Puzzling!
Robbie
No clues in the names:

Host akamai-5-serverc-wh.zen.co.uk (82.71.193.197)
Host akamai-6-serverc-wh.zen.co.uk (82.71.193.198)
Host akamai-7-serverc-wh.zen.co.uk (82.71.193.199)
Host akamai-8-serverc-wh.zen.co.uk (82.71.193.200)
Host akamai-9-serverc-wh.zen.co.uk (82.71.193.201)
Host akamai-10-serverc-wh.zen.co.uk (82.71.193.202)
Host akamai-11-serverc-wh.zen.co.uk (82.71.193.203)
Host akamai-12-serverc-wh.zen.co.uk (82.71.193.204)
Host akamai-13-serverc-wh.zen.co.uk (82.71.193.205)
Host akamai-14-serverc-wh.zen.co.uk (82.71.193.206)
Host akamai-15-serverc-wh.zen.co.uk (82.71.193.207)
Host akamai-16-serverc-wh.zen.co.uk (82.71.193.208)
Host akamai-17-serverc-wh.zen.co.uk (82.71.193.209)
Host akamai-18-serverc-wh.zen.co.uk (82.71.193.210)
Host akamai-19-serverc-wh.zen.co.uk (82.71.193.211)
Host akamai-20-serverc-wh.zen.co.uk (82.71.193.212)
Host akamai-21-serverc-wh.zen.co.uk (82.71.193.213)
Host akamai-22-serverc-wh.zen.co.uk (82.71.193.214)
Host akamai-23-serverc-wh.zen.co.uk (82.71.193.215)
Host akamai-24-serverc-wh.zen.co.uk (82.71.193.216)
Host akamai-25-serverc-wh.zen.co.uk (82.71.193.217)
Host akamai-26-serverc-wh.zen.co.uk (82.71.193.218)
Host akamai-27-serverc-wh.zen.co.uk (82.71.193.219)
Host akamai-28-serverc-wh.zen.co.uk (82.71.193.220)
Host akamai-29-serverc-wh.zen.co.uk (82.71.193.221)
Host akamai-30-serverc-wh.zen.co.uk (82.71.193.222)
Host akamai-31-serverc-wh.zen.co.uk (82.71.193.223)
Host akamai-32-serverc-wh.zen.co.uk (82.71.193.224)
Host akamai-33-serverc-wh.zen.co.uk (82.71.193.225)
Host akamai-34-serverc-wh.zen.co.uk (82.71.193.226)
Host akamai-35-serverc-wh.zen.co.uk (82.71.193.227)
Host akamai-36-serverc-wh.zen.co.uk (82.71.193.228)
Host akamai-37-serverc-wh.zen.co.uk (82.71.193.229)
Host akamai-38-serverc-wh.zen.co.uk (82.71.193.230)
news
2005-05-28 08:25:15 UTC
Post by Robbie
A poster called Mike Scott posted this message in this newsgroup on
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to
break!
[Snip]


I too discovered a connection to zen this morning, and have no idea why.
I am on NTL broadband.
--
Ian
news
2005-05-29 18:19:44 UTC
In message <***@care4free.net>, news <***@care4free.net>
writes
Post by news
Post by Robbie
A poster called Mike Scott posted this message in this newsgroup on
I've found today that all three of our windows machines connect
occasionally to machines in the range 82.71.193.xxx, which seems to be
zen internet. I haven't a clue why, and so have set our firewall to
block outbound traffic directed there: I'll wait for something to
break!
[Snip]
I too discovered a connection to zen this morning, and have no idea
why. I am on NTL broadband.
Following up my own post, I have discovered that a connection is made to
a zen host whenever I open the Opera browser. Also, at the same time,
several (around 7 or 8) TCP connections are made simultaneously to
servedby.advertising.com.

Are you running Opera, I wonder?
--
Ian
Mike Scott
2005-05-30 13:36:13 UTC
news wrote:
...
Post by news
Following up my own post, I have discovered that a connection is made to
a zen host whenever I open the Opera browser. Also, at the same time,
several (around 7 or 8) TCP connections are made simultaneously to
servedby.advertising.com.
Are you running Opera, I wonder?
If the 'you' is me (the OP, if you see what I mean :-) ) then no. I use
firefox, but I've seen the zen accesses occur before I do anything other
than boot the XP box (my trusty firewall machine logs all outbound SYN
requests. Quite revealing; but I suspect a bit like reading a medical
book. What you don't know often doesn't hurt anyway.)