

VPN Gate - Univ. of Tsukuba launches Academic Experimental [Crowd] Project.


Shades:
Amsterdam is home of AIX (Amsterdam Internet Exchange) and can be considered one of the fastest backbones of the internet. It was the fastest when I was working at an internet company, many, many moons ago. As far as I know, today it shares that crown with one university in GB and the city-ring around Frankfurt, Germany.

So it doesn't surprise me that any rerouted traffic ends up going through Amsterdam. Holland is also one of the countries with the highest underground cable density in the world. Only some Asian countries outmatch Holland in network capacity and prices for internet connections. Lots of US sites (and I assume other countries now as well) reroute traffic (for Europe, EurAsia, Middle East, Africa) through AIX, because Holland does it better/cheaper or just cheaper, while having excellent up-time and not so strict laws regarding content. Let's just say that Amsterdam has two red light districts...and the virtual one is a lot nastier than the physical one.

Ok, more on-topic again. A big part of all the traffic flowing through AIX consists of SPAM and whatever is being generated by viruses and malware all over the world, hence some software treats traffic coming from the Dutch backbone with a suspicious eye.

The ISP handling your traffic appears to be registered under the German flag (hence the GmbH in their name). The name EcaTel LTD doesn't ring a bell, their website gives me the impression that they manage networking hardware/servers. Likely the ISP leases their equipment.

Landlines always have preference over the lines that float in water...as "fishing trawlers" break those cables from time to time  ;)  Landlines also have more capacity, which in most cases means that your traffic can arrive faster at its destination traveling over the whole world than through the shortest distance cable. So, at first glance, nothing too strange is going on.

However, feel free to correct me as I am not up-to-date anymore with this stuff.

[off-topic]
Working for that internet company was really fun. About 15 years ago the main office of that company was located about 150 kilometers away from the AIX and it was already possible to burn CDs directly (at top speed) on my local PC from our servers in the AIX. Lots of Debian images passed over that line, I can tell you that.
[/off-topic]

IainB:
My contribution: does their webpage get kicked by Ghostery/other for any trackers?
-TaoPhoenix (September 26, 2013, 09:32 PM)
--- End quote ---
I have been reluctant to drop my phaser shields to find out...

IainB:
Got this comment/suggestion from someone on the MBAM forum:
IP Address 80.82.64.193 = ET-RBN Known Russian Business Network IP with malicious detections as of Today 9-27-2013
It would seem your software is allowing you to connect to IPs that can be malicious.
You might want to wait for an Admin or Expert's opinion as I am neither, just a helper

--- End quote ---

IainB:
After some experimentation, I think I have this sussed, but cannot fix it.
So, I made this post at the SoftEther VPN forum:
Post subject: Evidence that SoftEther VPN Service exe has embedded malware
Posted: Fri Sep 27, 2013 10:33 am 

WARNING: Evidence that SoftEther VPN Service exe has embedded malware.

Thought I should report that the Windows Service called SoftEther VPN Client (program executable is vpnclient_x64.exe) is sending outbound messages to IP address 80.82.64.193 - a suspicious site that is blocked by Malwarebytes. These outbound messages are being sent even when the SoftEther VPN Client Manager is NOT connected to a VPNGate node - i.e., when it is inactive.
Also 80.82.64.193 (dea.anonymouse.me) is often listed on the VPNGate Hostname list in the VPN Client Manager GUI.

I asked on the Malwarebytes support forum why Malwarebytes is blocking outgoing VPN Gate IP address 80.82.64.193 (WHOIS says Host dea.anonymouse.me Country Netherlands).
They advised that this IP address was on their blocked list, because:
____________________
That IP is on a range of servers that are known to recently be participating or housing threats that can potentially harm someones computer and why the IP is blocked.
IP Address 80.82.64.193 = ET-RBN Known Russian Business Network IP with malicious detections as of Today 9-27-2013
It would seem your software is allowing you to connect to IPs that can be malicious.
____________________

I had been running VPNGate using installer vpngate-client-2013.07.20-build-9091.127245.zip

So, I fully uninstalled/expunged the SoftEther VPN and all related VPN Gate system files, and clean reinstalled from vpngate-client-2013.09.27-build-9387.127802.zip (downloaded from http://download.vpngate.jp/common/cd.as ... 127802.zip)

However, the outbound requests to IP Address 80.82.64.193 continued as before.

This would seem to indicate that the installer package may have malware embedded in it, resident in the SoftEther VPN Service exe, and that it is ALWAYS ACTIVE when the Service is running.

Hope this makes sense or is of use.

--- End quote ---
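The check behind the post above, as an added example that is not part of the thread and not SoftEther's own code: take the output of `netstat -ano` and `tasklist /fo csv /nh` (the two sample outputs below are constructed to look like Windows output; the PIDs and process names other than vpnclient_x64.exe are assumptions) and report which process owns each socket to a blocklisted address. A row with PID 0 (for example TIME_WAIT) no longer belongs to any process, so the script reports it separately instead of blaming a random process.

```python
"""Attribute connections to blocklisted addresses to their owning process.

Added example, not code from the thread or from SoftEther. NETSTAT_SAMPLE and
TASKLIST_SAMPLE are constructed; the blocked address is the one from the thread.
"""
import csv
import io
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample of `netstat -ano` on Windows (PIDs assumed).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49720     80.82.64.193:443       ESTABLISHED     3120
  TCP    192.168.1.10:49721     80.82.64.193:443       TIME_WAIT       0
  TCP    192.168.1.10:49800     93.184.216.34:80       ESTABLISHED     5044
  UDP    0.0.0.0:5000           *:*                                    3120
"""

# Constructed sample of `tasklist /fo csv /nh` (process names other than
# vpnclient_x64.exe are assumptions).
TASKLIST_SAMPLE = '''"svchost.exe","884","Services","0","12,344 K"
"vpnclient_x64.exe","3120","Services","0","18,120 K"
"firefox.exe","5044","Console","1","210,004 K"
'''

BLOCKLIST = {"80.82.64.193"}


def parse_netstat(text):
    """Return Conn rows; UDP rows have no State column, so handle them apart."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def host_of(addr):
    """Strip the port: '1.2.3.4:443' -> '1.2.3.4', '[::1]:443' -> '::1'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def flag_connections(netstat_text, tasklist_text, blocklist):
    """Return (process, pid, remote, state) for every socket to a blocklisted host."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if host_of(c.remote) in blocklist:
            # PID 0 means no process owns the socket any more (e.g. TIME_WAIT).
            proc = names.get(c.pid, "<unknown>") if c.pid else "<none>"
            hits.append((proc, c.pid, c.remote, c.state or "UDP"))
    return hits


if __name__ == "__main__":
    for proc, pid, remote, state in flag_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE, BLOCKLIST):
        print(f"{proc} (pid {pid}) -> {remote} [{state}]")
```

On the real machine, feed it the live output of both commands, ideally sampled several times while the VPN Client Manager is disconnected. This only shows which process owns the socket; what the process is sending can only be seen in a packet capture of that connection.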

Shades:
RIPE is the organization responsible for handing out IP numbers in Europe and allow you to search through their database.

80.82.64.193

Search results
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '80.82.64.0 - 80.82.64.255'


inetnum:        80.82.64.0 - 80.82.64.255
netname:        NL-ECATEL
descr:          AS29073, Ecatel LTD
country:        NL
admin-c:        EL25-RIPE
tech-c:         EL25-RIPE
status:         ASSIGNED PA
mnt-by:         ECATEL-MNT
mnt-lower:      ECATEL-MNT
mnt-routes:     ECATEL-MNT
changed:        [email protected] 20100919
source:         RIPE
role:           Ecatel LTD
address:        P.O.Box  19533
address:        2521 CA The Hague
address:        Netherlands
abuse-mailbox:  [email protected]
remarks:        ----------------------------------------------------
remarks:        ECATEL LTD
remarks:        Dedicated and Co-location hosting services
remarks:        ----------------------------------------------------
remarks:        for abuse complaints : [email protected]
remarks:        for any other questions : [email protected]
remarks:        ----------------------------------------------------
e-mail:         [email protected]
admin-c:        EL25-RIPE
tech-c:         EL25-RIPE
nic-hdl:        EL25-RIPE
mnt-by:         ECATEL-MNT
changed:        [email protected] 20130201
source:         RIPE
% Information related to '80.82.64.0/24AS29073'


route:          80.82.64.0/24
descr:          AS29073 Route object
origin:         AS29073
mnt-by:         ECATEL-MNT
changed:        [email protected] 20100919
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.69 (WHOIS3)


--- End quote ---

This looks like a postal box company and although that kind of company can be legit, it usually isn't.

Looking at the peering "partners", I see some from Eastern Europe/former Russian states. That does not inspire trust. The original intent of peering was that you place another network card in your server at the backbone and connect it with another server at the backbone to the benefit of the users requiring the services that are being hosted on these servers.

However this can also be misused and that seems more and more the case.
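The RIPE lookup above, done in code as an added example (not from the thread): the whois answer is a set of RPSL objects separated by blank lines, with `%` comment lines and `key: value` attributes. The parser below splits them, finds the inetnum whose range contains the queried IP, follows the admin-c handle to the role object for the abuse mailbox, and picks up the route object's origin AS. The sample text is modelled on the answer quoted in the thread; the abuse mailbox in it is a placeholder because the page shows the real address obfuscated.

```python
"""Parse RIPE whois (RPSL) output and summarise the range covering an IP.

Added example, not from the thread. RIPE_SAMPLE is modelled on the RIPE
answer quoted above; abuse@example.net is a placeholder, not the real contact.
"""
import ipaddress

RIPE_SAMPLE = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

% Information related to '80.82.64.0 - 80.82.64.255'

inetnum:        80.82.64.0 - 80.82.64.255
netname:        NL-ECATEL
descr:          AS29073, Ecatel LTD
country:        NL
admin-c:        EL25-RIPE
tech-c:         EL25-RIPE
status:         ASSIGNED PA
mnt-by:         ECATEL-MNT
source:         RIPE

role:           Ecatel LTD
address:        P.O.Box  19533
address:        2521 CA The Hague
address:        Netherlands
abuse-mailbox:  abuse@example.net
remarks:        Dedicated and Co-location hosting services
nic-hdl:        EL25-RIPE
source:         RIPE

% Information related to '80.82.64.0/24AS29073'

route:          80.82.64.0/24
descr:          AS29073 Route object
origin:         AS29073
mnt-by:         ECATEL-MNT
source:         RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs.

    '%' lines are comments, a blank line ends an object, and a line starting
    with whitespace or '+' continues the previous attribute (RPSL continuation).
    """
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t+" and current:
            key, val = current[-1]
            current[-1] = (key, val + " " + raw.lstrip("+ \t"))
            continue
        key, _, val = raw.partition(":")
        current.append((key.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects


def attr(obj, key):
    """All values of an attribute (RPSL allows repeated keys such as address)."""
    return [v for k, v in obj if k == key]


def inetnum_range(obj):
    """(first, last) addresses of an inetnum object, or None for other objects."""
    vals = attr(obj, "inetnum")
    if not vals:
        return None
    lo, _, hi = vals[0].partition("-")
    return ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())


def lookup(text, ip):
    """Summarise the inetnum covering ip and the route object announcing it."""
    ip = ipaddress.ip_address(ip)
    objs = parse_rpsl(text)
    result = {}
    for obj in objs:
        rng = inetnum_range(obj)
        if rng and rng[0] <= ip <= rng[1]:
            result.update(netname=attr(obj, "netname")[0],
                          country=attr(obj, "country")[0],
                          range=f"{rng[0]}-{rng[1]}")
            # Follow the admin-c handle to the role object that holds abuse-mailbox.
            handle = attr(obj, "admin-c")[0]
            for o in objs:
                if attr(o, "nic-hdl") == [handle]:
                    result["abuse"] = (attr(o, "abuse-mailbox") or ["?"])[0]
        if attr(obj, "route") and ip in ipaddress.ip_network(attr(obj, "route")[0]):
            result["origin"] = attr(obj, "origin")[0]
    return result


if __name__ == "__main__":
    print(lookup(RIPE_SAMPLE, "80.82.64.193"))
```

To run it against live data, pipe `whois -h whois.ripe.net 80.82.64.193` into `lookup`; the same parser works for any RIPE object type, since it only relies on the key/value layout.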
