Message-ID: <0E565C4C9391DE4D856F725294E8730D030EC19F@MI8NYCMAIL04.Mi8.com>
From: pwicks at oxygen.com (James Patterson Wicks)
Subject: Careless User = New Popup Issue

One of our users went to a vacation web site and decided to download a
"new" video viewer to look at the beach.  She immediately started
getting pop-up ads.  The user knew that this download caused the issue,
but she did not tell the help desk about it for two weeks.  

The user has a Windows XP Pro system using IE 6.0.2.  

When the popup became unbearable, the help desk was eventually called.
The help desk team did the usual stuff to try to eliminate the popups:
- Made sure all of the latest patches were installed (Service Pack 2 has
not been approved for the enterprise yet, so it was the only patch not
installed).
- Ran anti-virus scan with latest definitions
- Ran Ad-Aware and Spybot
- Cleaned out the object in IE
- Removed all strange entries in the RUN folder of the registry
- Ran MSCONFIG and removed unknown entries from the Startup folder
- Looked in task manager and identified all running applications
- Looked through the history to find the site but the history had been
erased by the user

Everything looked clean, but the popups kept coming.  I was called in
since the senior desktop support dude was out sick. I noticed that there
was a brief period between browser activation and when the popup
appeared.  I looked at the network connections and noticed connections
to 'akamaitechnologies.com'.  Tried to look up 'akamaitechnologies.com'
and encountered the message "IP Address 216.21.228.13 - Maximum Daily
connection limit reached.  Lookup refused."

I created a host entry to send 'akamaitechnologies.com' traffic to
127.0.0.1 and it stopped the popups.  That seemed strange since creating
the same sort of records for companies like 'adclick.com' usually
results in a popup with a "Cannot find server or DNS Error" message in
the popup window. 

I finished the host entry around 5:00, so I typed up a report and sent
it to senior desktop dude to finish up in the morning.  I recommended
that he remove the host entry and run a Regmon and Filemon to find the
application(s) creating the popups.

Has anyone encountered this type of problem?  Don't know if it's new,
but I have never encountered it before.  I understand that since the
user voluntarily installed the application, finding the exact
application might be a tedious process.  Thanks in advance.


- JPW



This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmaster@...gen.com and destroy all electronic and paper copies of this e-mail.
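One way to do the connection-to-process mapping the follow-up step in the message calls for, as an added example that is not part of the original post: it parses constructed `netstat -ano` output (the `-o` switch makes Windows print the owning PID), ties every connection to the domain's resolved addresses back to a process, and separates the browser's own traffic to that CDN from an unknown binary before anything is sinkholed in the hosts file. All addresses, PIDs and image names below are constructed, and `vidviewer.exe` is a hypothetical name.

```python
# Constructed `netstat -ano` output, not taken from the post. Foreign addresses
# use documentation ranges (TEST-NET); 203.0.113.10 stands in for an address
# the suspect domain resolved to.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1043      203.0.113.10:80        ESTABLISHED     1764
  TCP    192.168.1.20:1044      198.51.100.7:80        ESTABLISHED     1764
  TCP    192.168.1.20:1051      203.0.113.10:80        SYN_SENT        2208
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
SAMPLE_TASKLIST = {1764: "iexplore.exe", 2208: "vidviewer.exe", 4: "System"}


def parse_netstat(text):
    """Turn `netstat -ano` text into (proto, local, foreign, state, pid) tuples.
    UDP rows have no State column, so the PID is always the last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows


def connections_to(rows, addresses, tasklist):
    """Map every connection whose foreign host is in `addresses` to its owning
    process: {pid: {"image": name, "remote": set of host:port}}."""
    hits = {}
    for _proto, _local, foreign, _state, pid in rows:
        host = foreign.rsplit(":", 1)[0]
        if host in addresses:
            entry = hits.setdefault(pid, {"image": tasklist.get(pid, "?"), "remote": set()})
            entry["remote"].add(foreign)
    return hits


def unexplained_processes(hits, expected_images):
    """Drop processes that are expected to talk to the domain (the browser
    itself); what remains is the binary to take to Regmon/Filemon."""
    return {pid: h["image"] for pid, h in hits.items() if h["image"] not in expected_images}


def hosts_sinkhole_line(domain):
    """The hosts-file override described in the post: send the name to loopback."""
    return f"127.0.0.1\t{domain}"
```

With the sample data the browser's own connection to the same address is filtered out, leaving only the unknown process to investigate.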