[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] Conducent Spyware Beating on Telnet Server
""The news media has carried many stories about Real Networks who were caught 'red handed' secretly profiling their users' listening habits, Aureate/Radiate and Conducent Technologies whose advertising, monitoring, and profiling software sneaks into our machines without our knowledge or permission, Comet Cursor which secretly tracks our web browsing, GoHip who hijacks our web browser and alters our eMail signatures . . . and many other hopeful and exploitive newcomers on the horizon."" So to answer your question, yes, others DID see it. And they cataloged it too! For the rest of the story go to http://grc.com/optout.htm -----Original Message----- From: Jon R. Allen [mailto:[email protected]] Sent: Monday, October 02, 2000 12:15 PM To: [email protected] Subject: [FW1] Conducent Spyware Beating on Telnet Server Curious if anyone else is seeing this. While reviewing my logfiles I notice hundreds of strange entries denied by rule 0. The sessions originate from internal users and are trying to telnet to servers out on the Internet and are being denied by rule 0 since we only let certain users use outbound telnet sessions. The curious thing is that the telnet session contains http directives - in other words, HTTP traffic is being tunneled in an outbound telnet session (that is rejected since we don't allow outbound telnet by default). Further investigation shows these destination servers have Exodus addresses and belong to an ad-targeting company called 'Conducent' (www.conducent.com). What appears to happen is an internal user installs some product that contains the Conducent spyware and it then tries to tunnel HTTP traffic out to servers on the internet. A sniffer traces shows this clearly. My big concern is every session hits the HTTP security server and bangs against it - driving up the CPU usage on the firewall. This is very rude behaviour. Also since these do not succeed, I am not really sure what is being sent out (that is scary - it could be sending out all your company secrets!). Anyway, attached are a couple of examples from my firewall log file that were denied. As you can see the sofware doesn't realize it reached the authentication server (asking for username) and just dumps it's one line HTTP payload - which the firewall logs as an invalid user: service source dest User telnet <int_addr> 216.35.217.175 POST http://contents.conducent.com:23/BeginSession?P... telnet <int_addr> 216.35.217.175 Content-Type: application/x-www-form-urlencoded telnet <int_addr> 216.35.217.175 Content-Length: 242 telnet <int_addr> 216.35.217.175 Cache-Control: no-cache telnet <int_addr> 216.35.217.175 transaction= telnet <int_addr> 216.35.217.175 AGAAFEAAAwMUQ4MjNEOUJCMD... telnet <int_addr> 216.35.217.175 MjQwMDAwMDAwMDA... I have seen about 10 different destination addresses - most of which come up eventually when resolving 'contents.conducent.com' -Jon ============================================================================ ==== To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ============================================================================ ==== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|