Suspicious File 2


hnd

Programmer
Apr 11, 2000
450
DE
Today I found a strange file on my computer. The name was vsconfig.xml

the content:
_________________________________________________________
<?xml version="1.0" ?>
<securitypolicy version="1">
<lockupinfo server="147.208.130.167" enable="true" />
</securitypolicy>
__________________________________________________________

I have no idea what it belongs to. Has somebody ever seen this file?

The IP 147.208.130.167 is not assigned by IANA.

Very strange, I think.


hnd
hasso55@yahoo.com

 
Do you have, or did you have, ZoneAlarm? That could be it. "vs" probably stands for virus scan.
 
That is a possibility. About a year ago ZoneAlarm was installed, before I installed Norton Internet Security.

Interesting! Thank you crow053

hnd
hasso55@yahoo.com

 
Although there is no reverse DNS lookup for the IP address, if you ping the address it is up and operating. Not having a Reverse DNS entry is not the same as being unassigned. A simple traceroute reveals that it is part of intelonline.com's Class B domain.

traceroute to 147.208.130.167 (147.208.130.167), 30 hops max, 38 byte packets
1 10.65.28.26 (10.65.28.26) 108.318 ms 111.691 ms 200.607 ms
2 ge4-0-0.core1.lnh.md.rcn.net (207.172.11.131) 181.380 ms 107.600 ms 198.864 ms
3 ge1-0.border1.lnh.md.rcn.net (207.172.15.21) 107.567 ms 103.437 ms 194.996 ms
4 500.POS5-2.GW1.DCA5.ALTER.NET (63.122.231.73) 109.292 ms 107.631 ms 200.745 ms
5 0.so-2-0-0.XL1.DCA5.ALTER.NET (152.63.39.62) 105.376 ms 103.770 ms 197.078 ms
6 0.so-0-0-0.TL1.DCA6.ALTER.NET (152.63.38.69) 104.930 ms 101.462 ms 204.785 ms
7 0.so-5-0-0.TL1.SCL2.ALTER.NET (152.63.1.33) 181.620 ms 177.919 ms 281.031 ms
8 0.so-1-1-0.XL1.SJC2.ALTER.NET (152.63.50.153) 185.523 ms 181.478 ms 183.641 ms
9 POS1-0.XR1.SJC2.ALTER.NET (152.63.56.138) 279.075 ms 184.058 ms 272.918 ms
10 152.63.48.141 (152.63.48.141) 183.498 ms 314.293 ms 185.590 ms
11 intel-oc3-gw.customer.alter.net (157.130.199.22) 181.694 ms 179.622 ms 182.050 ms
12 i01cr102-d-gi30.ids1.intelonline.com (147.208.160.119) 298.180 ms 173.872 ms 296.503 ms
13 * * *
14 * * *
15 * * *


Starting nmap V. 2.54BETA31 ( )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on (147.208.130.167):
(The 1551 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts

No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=2.54BETA31%P=i386-redhat-linux-gnu%D=12/13%Time=3DFA0813%O=80%C=-1)
TSeq(Class=RI%gcd=1%SI=5CEE5%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=133B5C%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=4AD04%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=FB06%ACK=S++%Flags=AS%Ops=NNTNWME)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Uptime 34.789 days (since Fri Nov 8 16:21:52 2002)

Shows that a web server is present.

I tried to access it, but was denied.
pansophic
 
I have done the same and I found: the address range 147.208.130.nn belongs to Zone Labs. That means the assumption of crow053 seems to be OK.

There is only one thing: the address is not registered in the RIPE database. That first made me doubt whether this is a serious address.
hnd
hasso55@yahoo.com

 
When I queried the RIPE db I got the following:

inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: NL
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-NONE-MNT
changed: bitbucket@ripe.net 20010529
changed: bitbucket@ripe.net 20020625
source: RIPE

which shows the status as ALLOCATED UNSPECIFIED.
pansophic
 
The answer to this question about the file named "vsconfig.xml"

<?xml version="1.0" ?>
<securitypolicy version="1">
<lockupinfo server="147.208.130.167" enable="true" />
</securitypolicy>

Forbidden
You don't have permission to access / on this server.

Apache/1.3.27 Server at lockup.zonelabs.com Port 80



***********************************************************
Search results for: 147.208.130.167


OrgName: Intel Corporation
OrgID: NTLS

NetRange: 147.208.0.0 - 147.208.255.255
CIDR: 147.208.0.0/16
NetName: INTEL-FSO
NetHandle: NET-147-208-0-0-1
Parent: NET-147-0-0-0-0
NetType: Direct Allocation
NameServer: NS011.INTELONLINE.COM
NameServer: NS021.INTELONLINE.COM
NameServer: NS012.INTELONLINE.COM
NameServer: NS022.INTELONLINE.COM
Comment:
RegDate: 1991-07-19
Updated: 2002-07-01

TechHandle: IH105-ARIN
TechName: Hostmaster, Intel
TechPhone: +1-408-765-2935
TechEmail: security@intelonline.com


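The triage the thread walks through by hand, as an added example (it is not code from the thread, from Zone Labs or from Intel): parse vsconfig.xml with a real XML parser instead of eyeballing it, pull out the lockupinfo server, then read the RIPE and ARIN answers and decide which registry actually holds the address. The whois texts in the block are constructed from the outputs quoted in the posts above and trimmed to the fields the parser uses; the function names and the not-here / in-range / no-match labels are assumptions of my own. The check that matters is the one the RIPE output illustrates: an IANA-BLK object covering 0.0.0.0 - 255.255.255.255 means "not in this database", not "unassigned", so the lookup has to move on to the next RIR rather than stop.

```python
"""Triage a vsconfig.xml-style file and locate the RIR that holds the
referenced IP.  Added example; the whois texts below are constructed
from the RIPE and ARIN outputs quoted in the thread."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed from the file quoted in the original post.
VSCONFIG_XML = """<?xml version="1.0" ?>
<securitypolicy version="1">
  <lockupinfo server="147.208.130.167" enable="true" />
</securitypolicy>"""

# Constructed from the RIPE answer quoted in the thread: the catch-all
# object RIPE returns for space it does not administer.
RIPE_ANSWER = """inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
status: ALLOCATED UNSPECIFIED
source: RIPE"""

# Constructed from the ARIN answer quoted in the thread.
ARIN_ANSWER = """OrgName: Intel Corporation
OrgID: NTLS
NetRange: 147.208.0.0 - 147.208.255.255
CIDR: 147.208.0.0/16
NetName: INTEL-FSO
NetType: Direct Allocation"""


def lockup_server(xml_text):
    """Return (server, enabled) from <lockupinfo>.  Raises ValueError if
    the server attribute is not a plain IPv4 literal: a hostname can be
    repointed through DNS and deserves a manual look."""
    root = ET.fromstring(xml_text)
    node = root.find("lockupinfo")
    if node is None:
        raise ValueError("no <lockupinfo> element")
    server = ipaddress.ip_address(node.get("server", ""))  # ValueError if not an IP
    enabled = node.get("enable", "false").lower() == "true"
    return str(server), enabled


def parse_rpsl(text):
    """Parse 'key: value' whois output into a dict of first-seen values
    (keys lower-cased, so RIPE 'inetnum' and ARIN 'NetRange' both work)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z-]+):\s*(.*)$", line)
        if m and m.group(1).lower() not in fields:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def holder_of(ip, answer):
    """Classify one RIR answer for ip (labels are my own):
    'not-here'  the RIR returned a placeholder covering all of IPv4
    'in-range'  the returned object contains ip
    'no-match'  the returned object does not contain ip"""
    fields = parse_rpsl(answer)
    rng = fields.get("inetnum") or fields.get("netrange")
    if rng is None:
        return "no-match", fields
    lo, hi = (ipaddress.ip_address(x.strip()) for x in rng.split("-"))
    whole_v4 = (lo == ipaddress.ip_address("0.0.0.0")
                and hi == ipaddress.ip_address("255.255.255.255"))
    if whole_v4:
        return "not-here", fields
    addr = ipaddress.ip_address(ip)
    return ("in-range" if lo <= addr <= hi else "no-match"), fields


def triage(xml_text, answers):
    """Run the checks over every RIR answer and summarise who holds the
    server address and under which registered organisation."""
    server, enabled = lockup_server(xml_text)
    verdicts = {name: holder_of(server, text)[0] for name, text in answers.items()}
    holders = [name for name, v in verdicts.items() if v == "in-range"]
    org = None
    if holders:
        fields = parse_rpsl(answers[holders[0]])
        org = fields.get("orgname") or fields.get("netname")
    return {"server": server, "enabled": enabled, "verdicts": verdicts,
            "holder": holders[0] if holders else None, "org": org}


if __name__ == "__main__":
    print(triage(VSCONFIG_XML, {"RIPE": RIPE_ANSWER, "ARIN": ARIN_ANSWER}))
```

Run as a script it prints the summary: RIPE answers not-here, ARIN answers in-range, and the registered organisation is whatever the ARIN object names, which is the fact the thread had to reconcile with the lockup.zonelabs.com banner. A server attribute that is a name rather than a literal makes lockup_server raise, which is the right behaviour for a triage script rather than something to paper over.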

 
Anyone think to check with Zone Labs? See the quote below from the ZoneAlarm Pro FAQ.

-----------------------------------------------
8. What is lockup.zonelabs.com?

Your dialer may indicate a destination address of lockup.zonelabs.com. This is a landing page with instructions for people who have experienced firewall hardening. Firewall hardening is a failsafe security measure built in to our products. If a hacker or malware attempts to directly assault ZoneAlarm, Plus, or Pro, the software prevents Internet access for any applications not already running. When this happens, the user's browser automatically displays lockup.zonelabs.com. Firewall hardening is rarely triggered, but when it is, it's important for you to know what has happened.
-------------------------------------------------

Looks like a reasonable explanation to me
 
I am no expert but I'm pretty sure I know what this is. I (ZoneAlarm) found a file called explorer.exe trying to access the Internet. I knew this ain't kosher, cause why would Windows need to get on the Internet? I searched my HD for the file and came up with it in c:/windows/system/. I tried to move it but it was in use by Windows. I booted into DOS and moved it to my desktop. I went back to the system folder to look for others made by it, and found system.dbs and vsconfig.xml and fwlog.txt that were around it when I sorted by last modified. I took a look in system.dbs and what did I see? A key log of everything. I don't think ZoneAlarm wants my passwords, I think it was trying to help. Delete all these files, they're keyloggers. PS, hnd, what P2P apps are you using? I'm interested to see where you got it, or where I got it :)
 