OT: Windoze spyware?

This is for readers who are unfortunate enough to have
more Windows administration knowledge than I.  The sole
Windoze XP box on my LAN is sending http requests to
a site named movies.go.com, although there is no web
client running on the XP box (at least none obvious).
I am analyzing the LAN traffic and appreciate any
ideas about where to go next.

The XP box regularly runs a major brand virus and spyware
checker, and it otherwise shows no signs of misbehaving.
I checked the Windows Explorer history and movies.go.com
has not been accessed in weeks, at least, although it
is on the favorites list and has been accessed several
times in the last year.

I've heard all the chilling spyware stories, but this is
an eye opener for the sheer volume of data being passed
24/7 to or from this box.  But what data and to whom?

Below I've pasted some tcpdump output. Thanks for any insights.

# tcpdump -i eth0 |grep movies
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:55:59.975958 IP movies.go.com.www > ibmpc.2540: . ack 3671296053 win 8192
18:55:59.976516 IP ibmpc.2540 > movies.go.com.www: . ack 1 win 63732
19:01:00.057588 IP movies.go.com.www > ibmpc.2540: . ack 1 win 8192
19:01:00.059724 IP ibmpc.2540 > movies.go.com.www: . ack 1 win 63732
19:03:48.957857 IP ibmpc.2541 > movies.go.com.www: S 3863221253:3863221253(0) win 64240 <mss 1460,nop,nop,sackOK>
19:03:49.054013 IP movies.go.com.www > ibmpc.2541: S 1727266786:1727266786(0) ack 3863221254 win 57344 <mss 1460>
19:03:49.054664 IP ibmpc.2541 > movies.go.com.www: . ack 1 win 64240
19:03:49.055808 IP ibmpc.2541 > movies.go.com.www: P 1:539(538) ack 1 win 64240
19:03:49.204283 IP movies.go.com.www > ibmpc.2541: P 1:515(514) ack 539 win 56806
19:03:49.220199 IP movies.go.com.www > ibmpc.2541: . 515:1967(1452) ack 539 win 56806
19:03:49.222909 IP ibmpc.2541 > movies.go.com.www: . ack 1967 win 64240
19:03:49.234411 IP movies.go.com.www > ibmpc.2541: . 1967:3419(1452) ack 539 win 56806
19:03:49.330945 IP movies.go.com.www > ibmpc.2541: . 3419:4871(1452) ack 539 win 56806
19:03:49.332397 IP movies.go.com.www > ibmpc.2541: P 4871:4932(61) ack 539 win 56806
19:03:49.333634 IP ibmpc.2541 > movies.go.com.www: . ack 4871 win 64240
19:03:49.498236 IP ibmpc.2541 > movies.go.com.www: . ack 4932 win 64179
19:03:51.503424 IP ibmpc.2540 > movies.go.com.www: F 1:1(0) ack 1 win 63732
19:03:51.596330 IP movies.go.com.www > ibmpc.2540: . ack 2 win 56805
19:03:51.597541 IP movies.go.com.www > ibmpc.2540: F 1:1(0) ack 2 win 56805
19:03:51.598137 IP ibmpc.2540 > movies.go.com.www: . ack 2 win 63732
19:08:49.518574 IP movies.go.com.www > ibmpc.2541: . ack 539 win 8192
19:08:49.520708 IP ibmpc.2541 > movies.go.com.www: . ack 4932 win 64179
19:13:49.580800 IP movies.go.com.www > ibmpc.2541: . ack 539 win 8192
19:13:49.582745 IP ibmpc.2541 > movies.go.com.www: . ack 4932 win 64179
19:16:39.075708 IP ibmpc.2542 > movies.go.com.www: S 4055189517:4055189517(0) win 64240 <mss 1460,nop,nop,sackOK>
19:16:39.169102 IP movies.go.com.www > ibmpc.2542: S 2726985494:2726985494(0) ack 4055189518 win 57344 <mss 1460>
19:16:39.169779 IP ibmpc.2542 > movies.go.com.www: . ack 1 win 64240
19:16:39.172793 IP ibmpc.2542 > movies.go.com.www: P 1:539(538) ack 1 win 64240
19:16:39.314199 IP movies.go.com.www > ibmpc.2542: P 1:511(510) ack 539 win 56806
19:16:39.329757 IP movies.go.com.www > ibmpc.2542: . 511:1963(1452) ack 539 win 56806
19:16:39.332466 IP ibmpc.2542 > movies.go.com.www: . ack 1963 win 64240
19:16:39.339350 IP movies.go.com.www > ibmpc.2542: P 1963:2968(1005) ack 539 win 56806
19:16:39.443947 IP movies.go.com.www > ibmpc.2542: . 2968:4420(1452) ack 539 win 56806
19:16:39.446660 IP ibmpc.2542 > movies.go.com.www: . ack 4420 win 64240
19:16:39.448862 IP movies.go.com.www > ibmpc.2542: P 4420:4928(508) ack 539 win 56806
19:16:39.620652 IP ibmpc.2542 > movies.go.com.www: . ack 4928 win 63732
19:16:41.527799 IP ibmpc.2541 > movies.go.com.www: F 539:539(0) ack 4932 win 64179
19:16:41.624785 IP movies.go.com.www > ibmpc.2541: . ack 540 win 56805
19:16:41.626892 IP movies.go.com.www > ibmpc.2541: F 4932:4932(0) ack 540 win 56805
19:16:41.627498 IP ibmpc.2541 > movies.go.com.www: . ack 4933 win 64179
19:21:39.579441 IP movies.go.com.www > ibmpc.2542: . ack 539 win 8192
19:21:39.581429 IP ibmpc.2542 > movies.go.com.www: . ack 4928 win 63732
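As an added example (not part of the original post or any reply), a small Python parser over tcpdump lines of the format above. It groups packets by the client's ephemeral port and tallies what each connection actually carried: bytes sent and received, whether the client both opened (SYN) and closed (FIN) it, and how many bare ACKs from the peer arrived after a long idle gap, which is the five-minute pattern visible in the dump. The sample lines are copied from the post; the client name ibmpc, the 60-second idle threshold, and a capture that does not cross midnight are assumptions.

```python
import re

# Constructed sample: a subset of the tcpdump lines from the post (the flow on port 2541).
SAMPLE = """\
19:03:48.957857 IP ibmpc.2541 > movies.go.com.www: S 3863221253:3863221253(0) win 64240 <mss 1460,nop,nop,sackOK>
19:03:49.054013 IP movies.go.com.www > ibmpc.2541: S 1727266786:1727266786(0) ack 3863221254 win 57344 <mss 1460>
19:03:49.055808 IP ibmpc.2541 > movies.go.com.www: P 1:539(538) ack 1 win 64240
19:03:49.204283 IP movies.go.com.www > ibmpc.2541: P 1:515(514) ack 539 win 56806
19:03:49.220199 IP movies.go.com.www > ibmpc.2541: . 515:1967(1452) ack 539 win 56806
19:08:49.518574 IP movies.go.com.www > ibmpc.2541: . ack 539 win 8192
19:13:49.580800 IP movies.go.com.www > ibmpc.2541: . ack 539 win 8192
19:16:41.527799 IP ibmpc.2541 > movies.go.com.www: F 539:539(0) ack 4932 win 64179
19:16:41.626892 IP movies.go.com.www > ibmpc.2541: F 4932:4932(0) ack 540 win 56805
"""

# One old-style tcpdump TCP line: time, src > dst, flag, optional seq range with byte count, optional ack, window.
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+) > (\S+): ([SPF.])"
                  r"(?: \d+:\d+\((\d+)\))?(?: ack \d+)? win (\d+)")

def summarize_flows(text, client="ibmpc", idle=60):
    """Group lines by the client's ephemeral port; tally bytes each way, idle-time probes
    (a bare ACK from the peer after >= idle seconds of silence) and the SYN/FIN seen from the client."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a TCP line in the expected format (e.g. tcpdump's banner)
        h, mi, s, src, dst, flag, length, _win = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)  # seconds of day; assumes no midnight wrap
        outbound = src.startswith(client + ".")
        port = int((src if outbound else dst).rsplit(".", 1)[1])
        f = flows.setdefault(port, {"start": t, "last": t, "sent": 0, "received": 0,
                                     "probes": 0, "syn": False, "fin": False})
        n = int(length or 0)  # payload bytes; bare ACKs carry none
        if outbound:
            f["sent"] += n
            f["syn"] |= flag == "S"
            f["fin"] |= flag == "F"
        else:
            f["received"] += n
            if flag == "." and n == 0 and t - f["last"] >= idle:
                f["probes"] += 1
        f["last"] = t
    for f in flows.values():
        f["duration"] = f.pop("last") - f["start"]
    return flows
```

Feed it the whole dump (for example the text of a `tcpdump -i eth0 | grep movies` run) and each port shows up as one entry, which makes the 538-byte request, the few-kilobyte reply and the idle probes easy to compare across connections.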