[Dshield] ad.uk.tangozebra

Keith Gainford keith.gainford at btopenworld.com
Wed Jul 31 20:14:09 GMT 2002


Peter,

Answers posted below your questions, many thanks for your thoughts they are
very much appreciated.



----- Original Message -----
From: "Peter Stendahl-Juvonen" <peter.stendahl-juvonen at welho.com>
To: "Dshield General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, July 31, 2002 4:32 PM
Subject: FW: [Dshield] ad.uk.tangozebra


> Keith, et al.
>
> 1) Regarding your and my previous posts (below) please take notice to
> that you have to have "ad.uk.tangozebra" (and the respective IP address)
> changed to Internet zone (or at least removed from blocked zone) in your
> firewall first in order to be able to see the possible Web site cookies
> pointing at that DNS or IP address.
> 2) Please also block cookies (at least those pointing at
> "ad.uk.tangozebra") in your browser. That way IE will show you the
> existence of the cookies. (And you will see the details by double
> clicking the symbol for "Security Report" [or what ever it is called in
> the English language version of IE] at the bottom frame of IE window),
> there you should see reference to http://ad.uk.tangozebra/....
>
> Best Regards,
> Peter
> -----
>
>
> | -----Original Message-----
> | From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com]
> | Sent: Wednesday, July 31, 2002 6:16 PM
> | To: 'list at dshield.org'
> | Subject: RE: [Dshield] ad.uk.tangozebra
> |
> | Keith, et al.
> |
> | Could you please check if the following could be the cause or rather
> explanation to of the
> | phenomenon you're encountering.
> |
> | 1) On the page where your browser takes you when you launch it are
> there Web site cookies
> | that point at "ad.uk.tangozebra"?
> |
    My home page is btopenworld.com, there doesn`t appear to be any banners
or adverts for "ad.uk.tangozebra". I have also checked all my cookies and
have nothing pointing at "tangozebra".

2) If so, then by having "ad.uk.tangozebra" in the restricted or
> blocked zone you ask your firewall
> | not to allow connections to that address. Hence your browser blocks IE
> from connecting to that
> | particular DNS or IP address.

   In view of my reply above, this would not apply?.


> | 3) Because of the "ad.uk.tangozebra hit ZAPro numerous times with
> scans which ZA rejected. In
> | view of the number of scans I put the entire ISP space (Intellispace
> Inc) into ZA blocked zone."
> | in your original post "adware" might have been the number one suspect.
> Now I would say it was
> | coincidence or just indirectly related to the issue.


  In view of the massive number of probes, I typed the DNS address into IE.
This returned a "Page could not be displayed" message. Is it possible that
some form of connection could have been made, resulting in a very quick
download of something nasty?.



 | 4) With the information you gave in your latest post (below) I would
> suggest the explanation for
> | the phenomenon is as described in point (2) (above) providing your
> answer is "Yes" for point (1).
> |

   As you can see my answer to point (1) is negative.




 5) If the deduction would prove to be true, then there is in my
> opinion nothing to worry about and
> | you can remove "ad.uk.tangozebra" from the blocked zone. Or change
> "ad.uk.tangozebra" to
> | Internet zone giving the same effect and having an option to block it
> quickly again if it would be
> | required for some reason (which is unlikely in my opinion).
> |

   Is it of any importance that all the outgoing attempts are only on port
(80) http



 6) Would be happy to know your final conclusion. Thanks in advance and
> good luck.
> |

   Thanks Peter, if I get to the bottom of it I will post.


   | Best Wishes,
> | Peter
> | -----
> |
> |      "Everything must be taken seriously, nothing dramatically."
> |       Louis Adolphe Thiers (1797-1877); French statesman, historian
> |
> |
> | | -----Original Message-----
> | | From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
> Behalf Of Keith Gainford
> | | Sent: Wednesday, July 31, 2002 2:24 PM
> | | To: Dshield
> | | Subject: [Dshield] ad.uk.tangozebra
> | |
> | | Well I`ve tried all suggestions without success. Even spybotS&D
> couldn`t
> | | find anything. A search of the Registry doesn`t show any obvious
> spyware so
> | | I`m stumped. Any more ideas?.
> | |
> | |
> | | Keith G
> | |
> | | _______________________________________________
> | | Dshield mailing list
> | | Dshield at dshield.org
> | | To change your subscription options (or unsubscribe), see:
> | | http://www.dshield.org/mailman/listinfo/list
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list