TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Good info, Tim.
He can try Ad Terminator, or a similar program, to stop the PC "phoning" home.
This is the URL for Ad Terminator: http://www.ledgerlabs.com/adterminator/
Please, as you must always do, test the program fully for possible exploits
and vulnerabilities.
Barry Garman
Corporate Security Analyst
>From: "Farley, Tim (ISSAtlanta)" <[EMAIL PROTECTED]>
>To: "'Blaine'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: RE: www.cms1.net
>Date: Tue, 10 Apr 2001 18:33:16 -0400
>
> >>Is anyone familiar with this traffic and what it is
> >>related to?
>
>A little probing with WHOIS reveals that CMS1.NET is registered to an
>Israeli software company called CYDOOR Technologies:
>
>Registrant:
>Cydoor Technologies (CMS16-DOM)
> 22 Maskit St., P.O.Box 12627
> Herzliya, 46733
> IL
>
> Domain Name: CMS1.NET
>
> Administrative Contact:
> Meir, Zohar (ZM569) [EMAIL PROTECTED]
> Cydoor Technologies
> 22 Maskit St.
> Herzliya
> 46733
> IL
> 972-9-9554405 (FAX) 972-9-9555421
>
>According to one of their web pages
>(http://www.cydoor.com/Cydoor/services.htm), they have several services
>they offer. One is a component that other software vendors can license to put
>banner ads inside their software. There is a press release on their site
>that indicates they have licensed this technology to OPERA
>(http://www.opera.com/) which is an alternative web browser that has a free
>version supported by banner ads. (See press release here:
>http://www.cydoor.com/Cydoor/news20.htm).
>
>Another is a component that allows software vendors to be given a channel
>of communication back from users who download their software.
>
>I'm guessing your user probably downloaded some piece of software that uses
>this technology, and the software is just trying to "phone home" to fetch a
>banner ad or register itself or something like that. Probably harmless.
>
>A Google search on "www.cms1.net" turns up several firewall and proxy logs
>for other sites that also show lots of traffic to this domain.
>
>Those goofy filenames are a bit troubling, however. They would bear some
>further investigation.
>
>=====================================
>Tim Farley
>Senior Researcher
>Internet Security Systems
>
>[EMAIL PROTECTED]
>(404) 236-2600
>http://www.iss.net
>
>Internet Security Systems - The Power to Protect
>=====================================
>
>
>-----Original Message-----
>From: Blaine [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 10, 2001 10:43 AM
>To: [EMAIL PROTECTED]
>Subject: www.cms1.net
>
>
>
>
>We first saw traffic directed to this site about 3
>months ago from only 1 PC and the traffic was not
>getting through the firewall so I was not too
>concerned. We scanned the PC and did not find any
>obvious signs of a trojan or viruses with the exception
>of 2 or three files with filenames like ���� ��.
>
>I noticed today that another PC is connecting to this
>site and transferring data. Here is an example:
>
>http://www.cms1.net/scripts/cms/CmsInit.ASP?ID=7380317&D2=??OACSCH????????&AW=168&LV=2036&CU=342957346
>
>Is anyone familiar with this traffic and what it is
>related to?
>
>
>
>
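The thread's workflow is the usual one for a defender: spot a recurring outbound request pattern in the firewall or proxy logs, identify who owns the domain, then decide whether it is adware "phoning home". The script below is an added example (not written by anyone in this thread) that automates the first step over a constructed Squid-style proxy log: it flags requests to cms1.net, breaks out the CmsInit.ASP query parameters, and groups hits per client so each PC can be reviewed. The log format, timestamps and client addresses are constructed for the example.

```python
"""Flag requests to cms1.net in a proxy log and break out the CmsInit.ASP
query parameters (ID, AW, LV, CU) so each reporting client can be reviewed.
Added example for this thread; the log lines and hosts are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Squid-style lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
986929380.112 10.0.0.12 GET http://www.cms1.net/scripts/cms/CmsInit.ASP?ID=7380317&AW=168&LV=2036&CU=342957346 200
986929390.501 10.0.0.12 GET http://www.example.com/index.html 200
986929401.007 10.0.0.57 GET http://www.cms1.net/scripts/cms/CmsInit.ASP?ID=7380318&AW=170&LV=2036&CU=111111111 200
986929410.300 10.0.0.57 GET http://www.cms1.net/images/banner.gif 200
this line is not a log record and must be skipped
"""

WATCHED_DOMAIN = "cms1.net"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

def parse_line(line):
    """Return the fields of one log record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_watched(url):
    """True when the request host is cms1.net or any subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == WATCHED_DOMAIN or host.endswith("." + WATCHED_DOMAIN)

def summarize(log_text):
    """Map each client IP to its cms1.net requests (path plus query parameters)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watched(rec["url"]):
            continue
        parts = urlsplit(rec["url"])
        # parse_qs yields lists; the CmsInit.ASP keys are single-valued.
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hits[rec["client"]].append({"path": parts.path, "params": params})
    return dict(hits)

if __name__ == "__main__":
    for client, reqs in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client}: {len(reqs)} request(s) to {WATCHED_DOMAIN}")
        for r in reqs:
            print("   ", r["path"], r["params"])
```

Point the script at a real proxy log by swapping SAMPLE_LOG for the file's contents; the per-client ID and CU values give you something concrete to match against the software installed on each PC.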