Is a Loxinfo hacker after me?

I have Zone Alarm installed on my PC. For the last week or so, whenever I log on to the Internet (using Inet, not Loxinfo), Zone Alarm reports that I am being bombarded with hits seeking access to my computer. The Whois report (copied below) says they are coming from a computer using Loxinfo, even giving an e-mail address of the computer (I think).

What's this all about? A hacker trying to get at my PC? Anyone got any ideas or advice? Is anyone else experiencing this?

Whois Report from Zone Labs

Detailed information about 203.146.50.4, the IP address of the computer that caused the alert you received from Zone Alarm Pro, is provided in the Whois Report below. The information in the Whois Report comes from the Regional Internet Registry (RIR) responsible for the geographic region where 203.146.50.4 is located: ARIN, RIPE, or APNIC. The name of that RIR appears in the Whois report.

The Whois Report includes the name, address and contact information for the Internet Service Provider (ISP) who administers the block of IP addresses that includes 203.146.50.4. The report probably does not list the actual administrator of the computer whose IP address is 203.146.50.4. You should not assume that individuals listed in this report are responsible for the alert you received on your computer.

Whois information for 203.146.50.4

NETWORK: 203.146.50.4 [32]
inetnum: 203.146.50.0 - 203.146.50.31
netname: DIGITALISLAND-TH
descr: Digital Island
country: TH
admin-c: LIA1-AP
tech-c: LIA1-AP
mnt-by: LOXINFO-IS
changed: sureerat@loxinfo.co.th 20020312
source: APNIC

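Added example, not part of the original post: a short Python sketch that parses the APNIC record quoted above and separates the address block, the organisation named in its description, and the maintainer and last editor of the registry record, which is the distinction the Zone Labs note draws. The function names are assumptions made for this illustration.

```python
import ipaddress

# The inetnum object as quoted in the post above.
WHOIS_TEXT = """\
inetnum: 203.146.50.0 - 203.146.50.31
netname: DIGITALISLAND-TH
descr: Digital Island
country: TH
admin-c: LIA1-AP
tech-c: LIA1-AP
mnt-by: LOXINFO-IS
changed: sureerat@loxinfo.co.th 20020312
source: APNIC
"""

def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists (attributes may repeat)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not line.startswith(("%", "#")):
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def inetnum_networks(record):
    """Convert the 'first - last' inetnum range into CIDR networks."""
    first, last = (ipaddress.ip_address(p.strip())
                   for p in record["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def summarize(text, alert_ip):
    """Separate who the block is described as belonging to from who edits the record."""
    rec = parse_whois(text)
    nets = inetnum_networks(rec)
    ip = ipaddress.ip_address(alert_ip)
    email, _, date = rec["changed"][0].partition(" ")
    return {
        "block": [str(n) for n in nets],
        "alert_ip_in_block": any(ip in n for n in nets),
        "block_size": sum(n.num_addresses for n in nets),
        "described_as": rec["descr"][0],        # free-text description of the block
        "record_maintainer": rec["mnt-by"][0],  # who may modify the registry object
        "record_last_edited": (email, date),    # editor of the record, not the host's admin
    }

if __name__ == "__main__":
    for key, value in summarize(WHOIS_TEXT, "203.146.50.4").items():
        print(f"{key}: {value}")
```

The e-mail address in `changed` identifies whoever last updated the registry entry for the 32-address block, so it says nothing about who operates 203.146.50.4 itself.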

Is the IP 203.146.50.4 always the one that Zone Alarm reports?

More importantly, is your IP address the same every time you log in?

If their address is always the same, they are not a very good cracker or they are faking the address.

If your address changes every time you connect (most likely the case if you use a modem), then there might be something on your computer that is telling the other party that you are online.


Thanks for the replies!

To give an idea of the extent of the problem, yesterday I was logged on for about 4 and a half hours in total and got 117 hits from this SOB.

I logged on today using an old Anet package that had a few hours left on it (Jeez, Anet is so much slooooooower than Inet, I remember now why I stopped using it) and only got 1 hit from the same Loxinfo source in a one hour period.

To answer some of the questions:

Yes, the address is always 203.146.50.4

I think my IP address changes every time I log on, as I use a dial up modem on my PC at home and a web package from Inet.

I sometimes use Loxinfo but very rarely, and not at all in the last month or two.

Whilst I am reassured by adikgede's comments and DB's that it is probably benign and probably down to inefficiency in the system, is there any way that I can prevent my PC sending a message that I am online, or to stop Loxinfo checking whether I am connected or not, as suggested by whosyourdaddy?


Save the possibility that someone is after you, I would suspect that it is a daemon to determine if a link is down even if the local PPP service is still running for that link. A reasonable service to run when local phone lines are noisy, because it frees up a modem for another dialer. DB's thoughts about some Loxinfo software installed on your computer also merit investigation.

As for your friend, not really a very interesting suspect:

+ 203.146.50.4 :
 . List of open ports :
   o ssh (22/tcp)
   o http (80/tcp)
   o truecm (8804/tcp)
   o unknown (8806/tcp)
   o unknown (8807/tcp)
   o unknown (8808/tcp)
   o entextxid (12000/tcp)

 . Information found on port http (80/tcp)
   The remote web server type is :
   Footprint V2.05

 . Information found on port entextxid (12000/tcp)
   The remote web server type is :
   thttpd/2.04 10aug98

The only publicly accessible item on the server is:

203.146.50.4:12000/Footprint/nwprints.gif


Loved DB's conspiracy theory!

Hilarious to think that the snoops should be wasting their time trying to find out about my very modest, quiet and uneventful lifestyle (aka boringly ordinary!).

I shall have to think about changing my log in name to something like "the CIA super sleuth" or "the KGB we have ways of making you squirm agent" or "the shifty looking guy in the dark glasses with the exploding cigar" just to get them excited, or at least keep them awake.

But many thanks to you both for taking the trouble to do all that weird technical stuff to try and track down my problem, much appreciated.

I don't use a Loxinfo dialer, nor is my IE from Loxinfo - got it at Pantip and upgraded with SP1 from the MS site.

Searched for all references to Loxinfo in my files and folders, nothing untoward, ran Ad-Aware to see if there was any spyware etc., nothing revealed, checked MS config to see what was running but nothing unusual spotted. Also ran Evidence Eliminator, which did whatever it does - including screwing up my favorites list as per usual.

I checked the URL that adikgede found (203.146.50.4:12000/Footprint/nwprints.gif) and I recognize that gif. Have seen it before but for the life of me can't remember where or in what context.

Anyway, I have now cranked up the Zone Alarm security level a few notches in the hope that it will prevent any dodgy software on my machine calling up the mother ship - which also means that I have to disable Zone Alarm to be able to post here, but that's not a great problem as I don't post much at all.
