"The news media has carried many stories about Real Networks who were
caught 'red handed' secretly profiling their users' listening habits,
Aureate/Radiate and Conducent Technologies whose advertising, monitoring,
and profiling software sneaks into our machines without our knowledge or
permission, Comet Cursor which secretly tracks our web browsing, GoHip who
hijacks our web browser and alters our eMail signatures . . . and many other
hopeful and exploitive newcomers on the horizon."
So to answer your question, yes, others DID see it. And they cataloged it too!
For the rest of the story go to http://grc.com/optout.htm
-----Original Message-----
From: Jon R. Allen [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 02, 2000 12:15 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Conducent Spyware Beating on Telnet Server
Curious if anyone else is seeing this. While reviewing my logfiles I notice
hundreds of strange entries denied by rule 0. The sessions originate from
internal users and are trying to telnet to servers out on the Internet and are
being denied by rule 0 since we only let certain users use outbound telnet
sessions. The curious thing is that the telnet session contains HTTP
directives - in other words, HTTP traffic is being tunneled in an outbound
telnet session (that is rejected since we don't allow outbound telnet by
default).

Further investigation shows these destination servers have Exodus addresses
and belong to an ad-targeting company called 'Conducent' (www.conducent.com).
What appears to happen is an internal user installs some product that contains
the Conducent spyware and it then tries to tunnel HTTP traffic out to servers
on the Internet. A sniffer trace shows this clearly. My big concern is every
session hits the HTTP security server and bangs against it - driving up the
CPU usage on the firewall. This is very rude behaviour. Also, since these do
not succeed, I am not really sure what is being sent out (that is scary - it
could be sending out all your company secrets!). Anyway, attached are a couple
of examples from my firewall log file that were denied. As you can see, the
software doesn't realize it reached the authentication server (asking for
username) and just dumps its one-line HTTP payload - which the firewall logs
as an invalid user:
service  source      dest            User
telnet   <int_addr>  216.35.217.175  POST http://contents.conducent.com:23/BeginSession?P...
telnet   <int_addr>  216.35.217.175  Content-Type: application/x-www-form-urlencoded
telnet   <int_addr>  216.35.217.175  Content-Length: 242
telnet   <int_addr>  216.35.217.175  Cache-Control: no-cache
telnet   <int_addr>  216.35.217.175  transaction=
telnet   <int_addr>  216.35.217.175  AGAAFEAAAwMUQ4MjNEOUJCMD...
telnet   <int_addr>  216.35.217.175  MjQwMDAwMDAwMDA...
I have seen about 10 different destination addresses - most of which come up
eventually when resolving 'contents.conducent.com'.
-Jon
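The log pattern Jon describes (a whole HTTP request arriving line by line in the "User" field of denied telnet sessions) can be picked out of a log export automatically. The script below is an added example, not part of Jon's post and not a Check Point tool: it parses records in the "service source dest User" shape of the excerpt above, flags telnet entries whose User field is really an HTTP request line or header, and summarises them per source/destination pair together with any host named in a request line. The sample log is constructed: the 216.35.217.175 address and the Conducent request fragments are taken from the post, while the internal address 10.0.0.17, the second pair 10.0.0.42 / 192.0.2.9, the login "jsmith" and the ssh line are made up to show that ordinary logins are not flagged.

```python
import re
from collections import Counter

# Constructed sample in the "service source dest User" shape of the FW-1
# excerpt above. 216.35.217.175 and the request fragments come from the post;
# the internal addresses, the 192.0.2.9 host, "jsmith" and the ssh line are
# placeholders added for this example.
SAMPLE_LOG = """\
telnet 10.0.0.17 216.35.217.175 POST http://contents.conducent.com:23/BeginSession?P...
telnet 10.0.0.17 216.35.217.175 Content-Type: application/x-www-form-urlencoded
telnet 10.0.0.17 216.35.217.175 Content-Length: 242
telnet 10.0.0.17 216.35.217.175 Cache-Control: no-cache
telnet 10.0.0.17 216.35.217.175 transaction=
telnet 10.0.0.17 216.35.217.175 AGAAFEAAAwMUQ4MjNEOUJCMD...
telnet 10.0.0.42 192.0.2.9 jsmith
ssh 10.0.0.42 192.0.2.9 jsmith
"""

HTTP_METHODS = ("GET", "POST", "HEAD", "PUT")
# "POST http://host/path" at the start of the field: an HTTP request line.
REQUEST_LINE = re.compile(r"^(%s) \S+" % "|".join(HTTP_METHODS))
# "Name: value" at the start of the field: an HTTP header. A real telnet
# login name never contains ": ", so this does not fire on genuine users.
HEADER_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S")


def parse_line(line):
    """Split one 'service source dest User' record.

    The User field is everything after the third column, spaces included,
    because the firewall logs the whole dumped line as the user name.
    """
    parts = line.strip().split(None, 3)
    if len(parts) < 4:
        return None
    service, src, dst, user = parts
    return {"service": service, "src": src, "dst": dst, "user": user}


def http_shape(user_field):
    """Return 'request-line', 'header' or None for a logged User field."""
    if REQUEST_LINE.match(user_field):
        return "request-line"
    if HEADER_LINE.match(user_field):
        return "header"
    return None


def find_tunneled_http(log_text, service="telnet"):
    """Return the records of `service` whose User field looks like HTTP."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["service"] != service:
            continue
        shape = http_shape(rec["user"])
        if shape:
            rec["shape"] = shape
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged records per (src, dst) and collect hosts from request lines."""
    pairs = Counter((h["src"], h["dst"]) for h in hits)
    hosts = set()
    for h in hits:
        if h["shape"] == "request-line":
            m = re.search(r"https?://([^/:\s]+)", h["user"])
            if m:
                hosts.add(m.group(1))
    return pairs, hosts


if __name__ == "__main__":
    flagged = find_tunneled_http(SAMPLE_LOG)
    per_pair, seen_hosts = summarize(flagged)
    for (src, dst), n in per_pair.items():
        print("%s -> %s: %d HTTP-shaped telnet records" % (src, dst, n))
    print("hosts named in request lines:", sorted(seen_hosts))
```

Only the request line and the headers are caught; the body lines ("transaction=" and the base64 fragments) carry no HTTP syntax on their own, so the per-pair count should be read as "at least this many lines of one request", not as the whole payload. Run the script against a real log export in the same column order, or adapt `parse_line` to the export's delimiter.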
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================