Anonymous Servers - Newsrover phones home

TracerA

2007-02-14, 1:13 pm

NewsRover PHONES HOME

No. Time Source Destination Protocol Info
127 298.821758 192.168.2.120 192.168.2.1 DNS Standard query A news.easynews.com
128 298.832631 192.168.2.1 192.168.2.120 DNS Standard query response A 140.99.99.130
129 298.841570 192.168.2.120 140.99.99.130 TCP 1036 > nntp [SYN] Seq=0 Len=0 MSS=1460
130 298.997462 140.99.99.130 192.168.2.120 TCP nntp > 1036 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
131 298.997699 192.168.2.120 140.99.99.130 TCP 1036 > nntp [ACK] Seq=1 Ack=1 Win=64240 Len=0
132 299.235802 140.99.99.130 192.168.2.120 NNTP Response: 200 Welcome to Easynews.com (need authentication) (Zilla-NNTP v1.4.1-)
133 299.242651 192.168.2.120 140.99.99.130 NNTP Request: AUTHINFO USER
134 299.398080 140.99.99.130 192.168.2.120 TCP nntp > 1036 [ACK] Seq=73 Ack=23 Win=5840 Len=0
135 299.398825 140.99.99.130 192.168.2.120 NNTP Response: 381 More Authentication Required
136 299.399516 192.168.2.120 140.99.99.130 NNTP Request: AUTHINFO PASS
137 299.580419 140.99.99.130 192.168.2.120 NNTP Response: 281 Authentication Accepted
138 299.590278 192.168.2.120 140.99.99.130 NNTP Request: MODE READER

Just After The Login The Phone Home Start

!! 139 299.614236 192.168.2.120 192.168.2.1 DNS Standard query A cki.sandh.com
!! 140 299.615113 192.168.2.1 192.168.2.120 DNS Standard query response A 70.43.164.212 (Newsrover-Site)
!! 141 299.617355 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [SYN] Seq=0 Len=0 MSS=1460
!! 142 299.734898 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
!! 143 299.735116 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [ACK] Seq=1 Ack=1 Win=64240 Len=0
!! 144 299.739331 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=4

145 299.746373 140.99.99.130 192.168.2.120 NNTP Response: 200 Welcome to Easynews.com (need authentication) (Zilla-NNTP v1.4.1-)
146 299.747341 192.168.2.120 140.99.99.130 NNTP Request: GROUP alt.binaries.pictures.erotica.bondage
147 299.908160 140.99.99.130 192.168.2.120 NNTP Response: 211 382904 4324493 4707396 alt.binaries.pictures.erotica.bondage

Just After Selecting A Newsgroup Phone Home Again.

! 149 300.039946 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=1 Ack=5 Win=8192 Len=0
! 150 300.040613 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [PSH, ACK] Seq=5 Ack=1 Win=64240 Len=143 (Encrypted)

151 300.066087 140.99.99.130 192.168.2.120 NNTP Response: 211 382904 4324493 4707396 alt.binaries.pictures.erotica.bondage
152 300.067408 192.168.2.120 140.99.99.130 NNTP Request: XOVER 4707097-4707396
153 300.224191 140.99.99.130 192.168.2.120 NNTP Response: 224 Overview Information Follows

Phone Home Again (512 bytes encrypted)

! 154 300.239725 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=1 Ack=148 Win=8192 Len=0
! 155 300.243395 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [PSH, ACK] Seq=1 Ack=148 Win=8192 Len=4
! 156 300.247477 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=5 Ack=148 Win=8192 Len=512 (Encrypted)
! 157 300.247865 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [ACK] Seq=148 Ack=517 Win=63724 Len=0

158 300.253183 140.99.99.130 192.168.2.120 NNTP Response: 4707097\hogtie1(a).jpg (1/1) 235 of 243\ta@b.c (G)\tTue, 13 Feb 2007 18:24:28 -0600\t<FsGdnXCZr5Mhy0_YnZ2dnUVZ8sLinZ2d@giganews.com>\t\t85657\t1344\tXref: core-easynews alt.binaries.pictures.erotica.bondage:4707097
159 300.254125 192.168.2.120 140.99.99.130 TCP 1036 > nntp [ACK] Seq=172 Ack=1834 Win=64240 Len=0

And Yes Phone Home Again

! 160 300.368733 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=517 Ack=148 Win=8192 Len=512 (Encrypted)
! 161 300.371541 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=1029 Ack=148 Win=8192 Len=512 (Encrypted)
! 162 300.371805 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [ACK] Seq=148 Ack=1541 Win=64240 Len=0
! 163 300.374521 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=1541 Ack=148 Win=8192 Len=512 (Encrypted)

So they have at least a trace of which newsgroups you visit and how often and when, all nicely marked with your IP of course!

(Stunnel is of no help here! Putting a line in your HOSTS file does!)

I use 3 machines for testing like this,

Machine 1.
Host with VMware (also phones home when you start the virtual machine, but sends no data, I think just for stats).
In the virtual machine I run the test proggie, in this case NewsRover.

Machine 2.
Is running Wireshark (Ethereal), which monitors the host.

Machine 3.
Is running Wireshark, which monitors the virtual machine where the proggie (NewsRover) runs.


This way nothing can slip the capture!

(Next To Test?)

Surf Safe,

TracerA
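A way to pull the same observation out of a capture summary mechanically, as an added example that is not part of the original post: it pairs each DNS answer with the query just before it, follows each TCP session from its SYN, and reports any session to a port other than NNTP (119/563) with the bytes sent in each direction. The sample lines are constructed from the frames quoted above; `KNOWN_PORTS` and `NORMAL_PORTS` are assumptions, not something the page states.

```python
import re

KNOWN_PORTS = {"nntp": 119, "http": 80, "https": 443}   # names Wireshark prints instead of numbers
NORMAL_PORTS = {119, 563}   # NNTP / NNTPS: the only ports a newsreader is expected to use

DNS_Q = re.compile(r"DNS Standard query A (\S+)")
DNS_R = re.compile(r"DNS Standard query response A (\d+\.\d+\.\d+\.\d+)")
TCP = re.compile(r"^(\d+) (\S+) (\S+) (\S+) TCP (\S+) > (\S+) \[([^\]]*)\].*?Len=(\d+)")

# Constructed sample, modelled on the Wireshark summary lines in the post (not the full capture).
SAMPLE = """\
127 298.821758 192.168.2.120 192.168.2.1 DNS Standard query A news.easynews.com
128 298.832631 192.168.2.1 192.168.2.120 DNS Standard query response A 140.99.99.130
129 298.841570 192.168.2.120 140.99.99.130 TCP 1036 > nntp [SYN] Seq=0 Len=0 MSS=1460
139 299.614236 192.168.2.120 192.168.2.1 DNS Standard query A cki.sandh.com
140 299.615113 192.168.2.1 192.168.2.120 DNS Standard query response A 70.43.164.212
141 299.617355 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [SYN] Seq=0 Len=0 MSS=1460
142 299.734898 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
150 300.040613 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [PSH, ACK] Seq=5 Ack=1 Win=64240 Len=143 (Encrypted)
156 300.247477 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [ACK] Seq=5 Ack=148 Win=8192 Len=512 (Encrypted)
"""

def port_num(p):
    return int(p) if p.isdigit() else KNOWN_PORTS[p]

def find_side_channels(capture, normal_ports=NORMAL_PORTS):
    """Return TCP sessions to unexpected ports, with the hostname the client resolved for them."""
    names, last_query = {}, None     # ip -> hostname, from DNS query/response pairs
    sessions = {}                    # (client_ip, client_port) -> session summary
    for line in capture.splitlines():
        if m := DNS_Q.search(line):
            last_query = m.group(1)
        elif (m := DNS_R.search(line)) and last_query:
            names[m.group(1)] = last_query      # the answer belongs to the preceding query
        elif m := TCP.match(line):
            no, t, src, dst, sport, dport, flags, length = m.groups()
            sport, dport, length = port_num(sport), port_num(dport), int(length)
            if "SYN" in flags and "ACK" not in flags:    # client opens the session here
                sessions[(src, sport)] = {"frame": int(no), "time": float(t), "ip": dst,
                                          "host": names.get(dst, dst), "port": dport,
                                          "bytes_out": 0, "bytes_in": 0}
            elif (src, sport) in sessions:               # client -> server payload
                sessions[(src, sport)]["bytes_out"] += length
            elif (dst, dport) in sessions:               # server -> client payload
                sessions[(dst, dport)]["bytes_in"] += length
    return [s for s in sessions.values() if s["port"] not in normal_ports]

if __name__ == "__main__":
    for s in find_side_channels(SAMPLE):
        print(f"frame {s['frame']}: {s['host']} ({s['ip']}) port {s['port']}, "
              f"{s['bytes_out']} B out / {s['bytes_in']} B in")
```

The session-tracking rule is general: any summary export in this format (Wireshark "File > Export Packet Dissections" text, or tshark's default output) can be fed in, and every session to a port outside NORMAL_PORTS is listed, not only the one the post shows.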

Far Canal

2007-02-14, 7:13 pm

TracerA wrote

> NewsRover PHONES HOME
>
>
> core-easynews alt.binaries.pictures.erotica.bondage:4707097
>


I can see why you're worried ...


Gerald

2007-02-14, 7:13 pm


how does the HOSTS file do anything?


Stray Cat

2007-02-14, 7:13 pm

On Feb 14, 3:32 pm, "Gerald" <nos...@nospam.com> wrote:
> how does the HOSTS file do anything?


The phone home is to cki.sandh.com which is being resolved as
70.43.164.212.

If you put this in

127.0.0.1 cki.sandh.com

in your hosts file, it would never go home to 70.43.164.212.


Far Canal

2007-02-14, 7:13 pm

Gerald wrote

>
> how does the HOSTS file do anything?
>
>
>


http://www.mvps.org/winhelp2002/hosts.htm

Andy Walker

2007-02-14, 7:13 pm

TracerA wrote:

>NewsRover PHONES HOME
>
>No. Time Source Destination Protocol Info
>!! 141 299.617355 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [SYN] Seq=0 Len=0 MSS=1460
>!! 142 299.734898 70.43.164.212 192.168.2.120 TCP 7520 > 1038 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
>!! 143 299.735116 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [ACK] Seq=1 Ack=1 Win=64240 Len=0
>!! 144 299.739331 192.168.2.120 70.43.164.212 TCP 1038 > 7520 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=4


"We are aware that a wide variety of information and files are
available on Usenet newsgroups. We have no interest in what newsgroups
you utilize or what messages you read or post. We do not log any
information about what you download using News Rover, but you may want
to contact the news server that you use to find out if they log any
information about your downloads or message posts.

Periodically, News Rover checks our site to see if a new version of
News Rover is available. If a new version is available, an
announcement message is displayed. During the version check, your
registered name and licensing status is also checked. This check is
made by connecting to port 7520 on an update server we operate; so if
you have a firewall, you must open port 7520 to enable new version
checks. This process is very similar to the "Genuine Advantage" system
used by Microsoft to validate Windows licensing."
http://www.newsrover.com/company_privacy.htm

If they are violating their privacy policy, then you have legal
recourse. Since you only show a small sample of the communication, it
would seem to me that you are mistaken about what is being
communicated to the NewsRover site. There may be a way to disable
version checking within NewsRover, but I have no interest in checking
this for you.
Copyright 2003 - 2008 webservertalk.com