The Mudcat Cafe



Tech: Sagonet???






Subject: Tech: Sagonet???
From: Bev and Jerry
Date: 21 Dec 04 - 09:32 PM

In the past three months we have had over 1200 hits on our web site from "unknown.sagonet.net". The total amount of bandwidth used is zero!

Anyone know what this is?

Bev and Jerry



Subject: RE: Tech: Sagonet???
From: JohnInKansas
Date: 21 Dec 04 - 11:46 PM

A quick Google on "sagonet" turned up Wilders Security Forums who seem to think it's a crud. I can't confirm, and I don't know this site, so take it with a grain...

John



Subject: RE: Tech: Sagonet???
From: Bill D
Date: 21 Dec 04 - 11:59 PM

a search with "Sam Spade"... a WHOIS program... gives this:

12/21/04 23:50:11 whois sagonet.net


.net is a domain of Network services
Searches for .net can be run at http://www.crsnic.net/

whois -h whois.crsnic.net sagonet.net ...
Redirecting to TUCOWS INC.

whois -h whois.opensrs.net sagonet.net ...
Registrant:
Sago Networks
4465 West Gandy Blvd.
Suite 800
Tampa, FL 33611
US

Domain name: SAGONET.NET

Administrative Contact:
    Master, Host hostmaster@sagonet.com
    4465 West Gandy Blvd.
    Suite 800
    Tampa, FL 33611
    US
    1-866-510-4000
Technical Contact:
    Master, Host hostmaster@sagonet.com
    4465 West Gandy Blvd.
    Suite 800
    Tampa, FL 33611
    US
    1-866-510-4000


Registrar of Record: TUCOWS, INC.
Record last updated on 30-Jan-2004.
Record expires on 25-Jul-2012.
Record created on 25-Jul-2000.

Domain servers in listed order:
    NS1.SAGONET.COM   66.118.128.2
    NS2.SAGONET.COM   66.118.128.3


Domain status: REGISTRAR-LOCK



Subject: RE: Tech: Sagonet???
From: Bill D
Date: 22 Dec 04 - 12:03 AM

TUCOWS is a software downloading place...they make money advertising shareware programs...I'm not sure if that means THEY have some automated thing connected to you....strange.



Subject: RE: Tech: Sagonet???
From: JohnInKansas
Date: 22 Dec 04 - 12:08 AM

There is a "legitimate" Sagonet that provides ISP services, but if the Wilders comment is correct the traffic you're seeing is probably from someone attempting to download crud onto you.

The "dropper" group of worms cited at the Wilders site opens backdoors that can subsequently be used to "install" other malware. Often there are no "symptoms" of such installation until the installed crudware is turned on to do something. A typical use is to turn your machine into a "zombie" to broadcast spam. The suspicion would be that the "door" has been installed, and someone is visiting you to install additional stuff. The installation may be incremental, in bits too small to register as unusual activity.

It is also possible that someone is just searching for machines that have the backdoor open, so the "visits" don't necessarily mean you have an infection, although they do suggest that you are infected. The general class of worms that includes this one was generally disabled by Windows/IE updates at least a few months ago, and current AV can usually detect it easily. There's no indication for the variants I looked at that registry changes are made, so deleting infected files should clear it.

To be sure, you should turn off system restore, update virus signatures, do a full AV scan (or go to an AV vendor site and be scanned) and get anything related to this worm cleared.

This is based on a quick look via Google and Symantec (Norton), so you may want to look a little deeper; but the scan with current signatures won't hurt anything, even if you do find more needs done later.

John



Subject: RE: Tech: Sagonet???
From: JohnInKansas
Date: 22 Dec 04 - 12:12 AM

I had a link to Wilders when I previewed, but apparently I screwed something up between preview and post. Sorry about that.

John



Subject: RE: Tech: Sagonet???
From: Bev and Jerry
Date: 22 Dec 04 - 02:35 AM

John:

We already discovered the Wilders site but it made very little sense to us. That's why we started this thread.

We ran the Symantec virus scan as described two days ago and it turned up nothing.

Our web site does not reside on our machine anyway. It lives on a host machine somewhere else in the galaxy. Does this mean that there is a threat against the host machine? Should we tell them that this is happening? Should we tell the owners of Sagonet as shown in the WHOIS search that Bill D. did?

Obviously, we're still confused.

Bev and Jerry



Subject: RE: Tech: Sagonet???
From: JohnInKansas
Date: 22 Dec 04 - 04:37 AM

If the hits are only at your remote server, you probably have little reason to be concerned about your own machine being infected because of them, particularly since you've gotten a clean reading from a current AV. Obviously you do want to keep your own AV current, and use it full time.

Your best contact for an explanation would be with the host at your server. While you could attempt to ask sagonet.com about this, you're not really their customer so your chances of getting them to even investigate are probably pretty slim. A query from your server's webmeister would be more likely to get a response, or he/she may have an explanation for you without contacting them.

If your service is current with bug patches and runs AV to protect itself, it's possible that these "zero bandwidth" hits are something your service is aware of and is rejecting because of viral content or "suspicious origin." There are a number of "searchers" that hit on web connections just looking for open ports. The contact can be very brief, and if they don't find one they move on. Since they often "generate" URLs pretty much at random, you can get quite a few repeated hits from one of them if one is "working" a range of addresses that includes yours. There have been recent reports of increased traffic of this kind directed specifically at servers, but operators who keep their machines up to date are seldom affected by them - except for the nuisance excess traffic.

Unless you can identify some "damage" that needs repair, complaining to the service that hosts an "unknown.something" is a little like emailing a spammer to ask them to remove your name. Not likely to be productive.

John



Subject: RE: Tech: Sagonet???
From: Bev and Jerry
Date: 22 Dec 04 - 02:01 PM

Thanks for the advice, John. We'll let our server know about this. Although they do not allow us to contact them by phone, they have been very responsive to e-mail and seem to be generally interested in what we have to say. What a concept!

By the way, there have been 24 more hits since our first posting on this thread.

Bev and Jerry



Subject: RE: Tech: Sagonet???
From: John MacKenzie
Date: 22 Dec 04 - 02:23 PM

It must be a very fine mesh indeed to net sago. I thought that was what you did to start a pudding race; say GO.
Giok ;~)



Subject: RE: Tech: Sagonet???
From: Bev and Jerry
Date: 22 Dec 04 - 06:03 PM

We got two responses from our web site host. The first one was in 80 minutes and asked for more information. After we sent more info, we got a response in 21 minutes! Our host is Jatol and, once again, their response has been excellent. And, by the way, their price for hosting our site is microscopic. Check 'em out.

What we are seeing is coming from WebRescuer, a service you can buy to constantly ping your site and report if it's up or not. We did not ask for this service and a Google search revealed that others have had this problem as well. Using a simple tool which Jatol provides routinely, we simply blocked that IP from contacting our site. This should fix the problem.

Bev and Jerry
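
The kind of log check that separates an uptime monitor from ordinary visitors in this thread's situation, as an added example (not code from any poster or from Jatol): it groups access-log entries by remote host and flags hosts with repeated hits, no bytes transferred, and a steady interval. The Apache common log format, the sample lines, and the use of HEAD requests by the monitor are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in Apache common log format (not from the thread).
# That the monitor sends HEAD requests is an assumption that would explain zero bytes.
SAMPLE_LOG = """\
unknown.sagonet.net - - [21/Dec/2004:09:00:00 -0800] "HEAD / HTTP/1.0" 200 -
host1.example.com - - [21/Dec/2004:09:01:12 -0800] "GET /index.html HTTP/1.1" 200 5120
unknown.sagonet.net - - [21/Dec/2004:09:15:00 -0800] "HEAD / HTTP/1.0" 200 -
unknown.sagonet.net - - [21/Dec/2004:09:30:00 -0800] "HEAD / HTTP/1.0" 200 -
host2.example.org - - [21/Dec/2004:09:31:40 -0800] "GET /songs.html HTTP/1.1" 200 20480
unknown.sagonet.net - - [21/Dec/2004:09:45:00 -0800] "HEAD / HTTP/1.0" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def summarize(log_text):
    """Return {host: {hits, bytes, methods, median_gap_s}} for parseable lines."""
    per_host = defaultdict(lambda: {"hits": 0, "bytes": 0, "methods": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        h = per_host[m["host"]]
        h["hits"] += 1
        h["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        h["methods"].add(m["method"])
        h["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    out = {}
    for host, h in per_host.items():
        times = sorted(h["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[host] = {"hits": h["hits"], "bytes": h["bytes"],
                     "methods": sorted(h["methods"]),
                     "median_gap_s": median(gaps) if gaps else None}
    return out

def zero_byte_repeaters(summary, min_hits=3):
    """Hosts with repeated hits that transferred no body bytes at all."""
    return sorted(h for h, s in summary.items()
                  if s["hits"] >= min_hits and s["bytes"] == 0)

if __name__ == "__main__":
    print("zero-byte repeaters:", zero_byte_repeaters(summarize(SAMPLE_LOG)))
```

A fixed median gap (900 seconds in the constructed sample) alongside zero bytes points to a scheduled availability check rather than a browser or a one-off scan.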



All original material is copyright © 2022 by the Mudcat Café Music Foundation. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.