Suspicious Diald Attempts to nsmialogin.passport.com:443 Etc
Every time I boot into Linux, diald automatically dials up. I
tracked this down to the following series of connection attempts:

  65.54.131.249:443
      equivalent to https://msnialogin.passport.com
  207.46.106.191:1863
      name = baym-cs191.msgr.hotmail.com
  4.65.209.127:1901
  4.65.209.127:1975
      name = lsanca1-ar22-4-65-209-127.lsanca1.dsl-verizon.net
  207.68.171.238:80
      equivalent to http://msimg.com

This has me very concerned. I recently did a dist-upgrade to the
testing distribution, and was expecting that the diald dialup was
being triggered by an exim cronjob or something. But this is not
e-mail, and it looks very suspicious to me.
When I investigate the first link in a web browser, I am taken to
https://login.passport.net/uilogin.srf page, probably through
forwarding. That is a ".NET Passport Sign-in" page. I am not
seeing any automatic connections there through "dctrl" however, just
through my Mozilla Firebird when I investigate.
The next three connections (to two hosts) that I see by watching
"dctrl" are even more disturbing, since the names that are resolved
look like other dialup connections, but not through my ISP. I think
that port 1863 might be used by MSN Messenger, judging from Google
searches. Ports 1901 and 1975 don't turn up anything that I
recognize. I do not have squid installed.
The last connection might have happened after I started investigating
things with a web browser. I am not sure. I didn't go there, but
it might have been an ad or something. But the "msimg.com" domain
might have something to do with micro$loth something or other.
I cannot seem to get lsof to tell me anything. Any ideas?
Thanks,
David Crane