Port sniffer

[chick]

I had posted about a browser hijacking.... but I now think it has something to do with my comcast cable connection.

(this issue is on my laptop only)

PLUGGED INTO HOME COMCAST CABLE SYMPTOMS:
my browser is hijacked, my desktop URL icons hijacked, and my homepage plus no matter what URL I type into the browser I get a RUSE phony comcast page, wanting me to download and executable file.

If you run your mouse over the link it says, http://cdn/downloadable_wizard.exe

plus I have to keep repairing my connection and IP etc... or I'm disconnected for no reason.

BUT

if I look at the source code of this phony comcast page, it shows no link and appears to be residing on my PC somewhere unknown, possibly already hiding in my PC.
------------------------
totally disconnected and OFF comcast cable and running just on my Verizon wireless dial up card I have NO problems at all, except run slow cause I am on dial up.
------------------------

MY QUESTION:
I now think it has to do with the port when I'm on comcast cable. Will a port sniffer help me isolate this issue? If so which free one as I am tired of paying for programs and they aren't helping.

[mikelbeck]

What do you mean that your browser and desktop icons are hijacked?

Can you post the source to the page you're talking about?

A port sniffer won't help you at all, that would be used to trying to determine what inbound ports are open on a computer... port 80 for a web server, for example.

[chick]

ok here is the souce code behind the page that has hijacked everthing ONLY when i am plugged into my home cable.

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1"/>
    <title>Comcast.net</title>
    <link rel="stylesheet" href="images/wg.css" type="text/css" media="screen,print"/>
</head>

<body id="comcastnet">

<!-- Start Container -->
<div id="container">

    <!-- Start Header -->
    <div id="header">
        <h1><a href="http://www.comcast.net/" title="Home" accesskey="0"><span>Comcast</span></a></h1>
    </div>

    <div id="content">
        <!-- START CONTENT (content goes here) -->

        <h2 id="h-welcome">Welcome to Comcast High Speed Internet, The fast and easy way to get online</h2>

        <p>This installation process will take just a few minutes to complete. You will be required to provide<br/> your
            account information to complete registration.</p>

        <div id="column-container">
            <div id="col1-wrapper">
                <div id="col1">
                    <h3>New Customers</h3>
                    <img class="thumbnail" src="images/thumbnails/new_customers.jpg" alt="New Customers"/>

                    <p class="last">You will need to activate your account and create your Comcast.net email address and
                        password. To continue, please follow the installation instructions.</p>

                    <div class="clear"></div>

                    <h4>Installation Instructions</h4>

                    <p>Click the "Download" button below to download the Comcast installation software and begin the
                        installation process for new customers.</p>

                    <p class="last"><em>Note:</em> Please temporarily disable any firewall, anti-virus and pop-up
                        blocking software currently running on your computer before running the installation software
                    </p>
                </div>
            </div>

            <div id="col2-wrapper">
                <div id="col2">
                    <h3>Existing Customers</h3>
                    <img class="thumbnail" src="images/thumbnails/existing_customers.jpg" alt="Existing Customers"/>

                    <p class="last">If you have a Comcast.net email address and password, please follow the installation
                        instructions.</p>

                    <div class="clear"></div>

                    <h4>Installation Instructions</h4>

                    <p>Click the "Download" button below to download the Comcast installation software and begin the
                        installation process for existing customers.</p>

                    <p class="last"><em>Note:</em> Please temporarily disable any firewall, anti-virus and pop-up
                        blocking software currently running on your computer before running the installation software
                    </p>
                </div>
            </div>

            <div class="clear"></div>
        </div>

        <div id="button-container">
            <!-- <p class="buttons"><a href="http://cdn/downloadable_install_wizard.exe"><img src="images/buttons/downloadinstallation.gif" alt="Download Installation Software" /></a></p> -->
        </div>

        <!-- END CONTENT -->
    </div>

    <div id="footer">
        <ul>
            <li id="copyright"><a href="http://www.comcast.com/" rel="external">&copy; <script
                    type="text/javascript">var now = new Date; document.write(now.getFullYear());</script> Comcast Cable
                Communications, LLC. All rights reserved.</a></li>
        </ul>
    </div>

</div>
<!-- End Container -->

<script type="text/javascript">
    if ((navigator.appVersion.indexOf("Win") == -1) && (navigator.appVersion.indexOf("Mac") == -1)) {
        document.getElementById("content").innerHTML = "<h3>Your operating system is not supported by Comcast's Installation Wizard. Please call 1-800-COMCAST to setup your account.</h3>";
    }

    if (navigator.appVersion.indexOf("Mac") != -1) {
        downloadFile = "ComcastInstaller.hqx";
    }
    else {
        downloadFile = "downloadable_install_wizard.exe";
    }

    document.getElementById("button-container").innerHTML = "<p class=\"buttons\"><a href=\"http://cdn/" +
                                                            downloadFile +
                                                            "\"><img src=\"images/buttons/downloadinstallation.gif\" alt=\"Download Installation Software\" /></a></p>";
</script>

</body>
</html>

[chick]

I have bolded the bad lines

[Greg]

You modem seems to be in startup mode. I had the same thing happen once. The solution for me was to turn the modem on and hold the reset button for 45 seconds.

Mine was a DSL modem however. But I bet the same thing is going on. It's your modem, not your computer.

[mikelbeck]

Either that, or Comcast doesn't think you're a customer. The key is this line in that code:

"You will need to activate your account and create your Comcast.net email address and password. To continue, please follow the installation instructions"

It doesn't seem that you're hijacked at all, it's just that you're not properly configured to use Comcast's service. Did you change your modem recently, or did you just get the service? The modem needs to be registered with Comcast for it to recognize you as a customer, that's probably what the program they want you to download does.

[bigH2O]

This seems to be a consistent problem with comcast, and doesn't appear to be a virus. The "cdn" in the address is a Comcast shortcut of sorts that will resolve to your local comcast download server. You should be able to "ping cdn" through your network and see how that resolves. It should give you the server name and the IP address.

I'm thinking you should run this application and let it do it's thing. I've researched this topic widely over the internet since you first brought it up and can find nothing to indicate that it's bad... only that it's necessary to get your broadband internet functioning properly as a comcast customer.

PS, it seems that in a lot of cases, a call to comcast to get them to tweak the settings on their end will be in order as well, so be prepared.

[chick]

ok just talked to comcast it is not from them, no way... I now think this is coming from wifi connecting... the saga continues. Thank you all.

[chick]

I am all set with my cable hookup for my laptop, no issues now... it is some type of wifi issue... doh to me

[bufordt]

A friend of mine was just forced to ComCrap by a merger. They sent him a CD and a new modem as part of the upgrade. He ran the CD and every time he tried to connect, It forced a connection to one of ComCraps servers. He finally allowed it to do its thing, and all of his links finally started to work.

Now heres the kicker. After all of this his computer became riddled with popups and the system came to a crawl. The connection lights were on constantly. After numerous calls to ComCrap techs, we finally got one to admit that they have been getting numerous calls for the exact same issue. There solution to the issue is to do a complete reinstall of the OS. Now if I connect the LapTop to my DSL connection through Verizon, it works normally. There was a time when I would have been very intrigued by this stuff, but because it is ComCrap involved, and they have a habit of making life hell for security researchers, I am letting this one go.

My solution to this issue was to reinstall the OS on his machin and do the connection to ComCrap manually. This issue only happened to his LapTop as that is the only system that he ran the CD on. It is also wireless, so you may be right about the wireless connection having something to do with it.