cmdagent.exe making odd connection

Hello,

I recently happened to see that cmdagent was connecting to 144.99.93.175, which seems to be related to the USAISC. Does anyone know why cmdagent attempted that connection? (Sadly I can't give more details, since due to a power cut my logger shut down without saving its log, so I can't state what port it was using, but I'll guess it was HTTP.) I'm not even American, I'm from Europe O_o

Actually I'm rather scared of this, a totally unknown IP unrelated to me, so any help would be greatly appreciated.

Thanks in advance

Hi jenrogs,

It seems to be an address of the CARLISLE group, which is on the Trusted Vendors List.

The connection made is surely safe, but I hope someone else could explain why cmdagent has to connect to Carlisle.

Boris

Another good reason to block cmdagent from connecting anywhere and, if used, to remove all entries from the TVL.

The whois information I retrieved is ambiguous. Maybe the IP range was sold from one party to the other.

The information shows Carlisle (an ISP in Carlisle, Pennsylvania) and the Information Systems Engineering Command (USAISEC):

The United States Army Information Systems Engineering Command (USAISEC) is located at the foot of the Huachuca Mountains in Fort Huachuca, Arizona.

Src: http://www.globalsecurity.org/military/agency/army/isec.htm

I hope so too, I'm so scared right now.

May I ask you how? It doesn't seem that easy to do.

In any case, what would they want from me? I mean, it doesn't make sense that cmdagent connects to them, does it?

At what port is cmdagent.exe trying to contact that IP address?

Sorry, I can't say that for sure, I haven't checked the port (dumb of me). I only wrote down the IP for a later whois from my other PC. I can imagine 80 because most were, but as I said: 1) I didn't check, 2) my logger went down.

Err… no one got a clue?

Pretty spooky stuff. All indications I can find point to USAISC :o The Carlisle in the whois refers to carlisle-www.army.mil, which is the US Army War College. It also refers to the Carlisle Barracks, which is a home of the USAISC.

You can block cmdagent by deleting the existing rule and creating another with a block out everywhere. However, doing so will remove some functionality, such as cloud scanning and updates.

I wonder why the heck it's happening; if I use it on another PC it doesn't do it O_o Either Comodo hates Dell or the US Army is after me.

I sent umesh a pm asking whether that IP address was being used by Comodo. Here is his reply:

Yes, it is one of the IPs connected with download.comodo.com

I hope that answers the question.

It was very, very kind of you to bother that much for me. Thanks, I appreciate it very much.

It kinda answers the question, but I still would like to know why that IP. I mean, we've all seen the whois, it's not COMODO GROUP, so why was it going there? If it's possible I'd like to know. Still, thanks to both of you for your time and your precious help :slight_smile:

PS:

It doesn't change O_o I hope you'll forgive my paranoia, but lol, I pinged it like 40 times (it's soon going to pass for a DoS) but it still never changed to that one.

Do you have a blog?
http://www.myhumbleopinion.org/index/was-it-something-i-said-my-site-s-shadowy-government-visitors

Have you mentioned WikiLeaks or Julian Assange?
http://www.wikileaks.ch/wiki/US_military_webstalks_blogs_for_Wikileaks_investigations_editor,_9_Feb_2009

I traded a couple of PMs about this with umesh. The IP address belongs to Cachefly, which is hosting the CIS updates for Comodo.

About the inconclusive whois information, umesh said he would notify Cachefly that the IP range is not showing up as belonging to them. The IP range has probably been sold a couple of times and the information at ARIN is not up to date.
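The situation in this thread (a whois record that no longer matches who actually uses an IP, and a single ping that never showed the address in question because a CDN rotates through several) is exactly the case where checking an observed address against the address ranges the vendor or its CDN currently uses is more reliable than trusting whois alone. Below is an added example of that check in Python; it is not code from the thread or from Comodo. The ranges, the label "update-cdn (assumed)" and the firewall log lines are constructed for illustration and are not real allocations; a practitioner would substitute the ranges the vendor publishes, or the full address set the update hostname resolves to.

```python
"""Attribute outbound connections to published vendor/CDN address ranges
instead of relying on (possibly stale) whois data.

Added example, not from the forum thread. All ranges, labels and log lines
are constructed for illustration.
"""
import ipaddress
import socket

# Constructed ranges (hypothetical, NOT real allocations). Replace with the
# ranges the vendor publishes or with resolve_all("download.comodo.com").
TRUSTED_RANGES = {
    "update-cdn (assumed)": ["144.99.93.0/24", "203.0.113.0/24"],
}

# Constructed firewall log lines: process,remote_ip,remote_port
SAMPLE_LOG = """\
cmdagent.exe,144.99.93.175,80
cmdagent.exe,203.0.113.7,443
cmdagent.exe,198.51.100.23,80
explorer.exe,192.0.2.10,443
"""


def build_networks(ranges):
    """Parse {label: [cidr, ...]} into {label: [ip_network, ...]}."""
    return {
        label: [ipaddress.ip_network(c, strict=False) for c in cidrs]
        for label, cidrs in ranges.items()
    }


def attribute_ip(ip, nets):
    """Return the label whose range contains ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for label, networks in nets.items():
        if any(addr in net for net in networks):
            return label
    return None


def classify_connections(log_text, ranges, process="cmdagent.exe"):
    """For each log line made by `process`, return (ip, port, attribution).

    Connections to addresses outside every known range are tagged
    "unattributed"; those are the ones worth investigating further.
    """
    nets = build_networks(ranges)
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proc, ip, port = line.split(",")
        if proc != process:
            continue
        label = attribute_ip(ip, nets)
        results.append((ip, int(port), label or "unattributed"))
    return results


def resolve_all(hostname):
    """All addresses a hostname currently resolves to (needs network access).

    ping shows only one address per run; getaddrinfo returns the whole set a
    CDN may rotate through, which is what an observed IP should be compared
    against before concluding it is unrelated to the vendor.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


if __name__ == "__main__":
    for ip, port, who in classify_connections(SAMPLE_LOG, TRUSTED_RANGES):
        print(f"cmdagent.exe -> {ip}:{port}  [{who}]")
```

Run as a script it lists each cmdagent.exe destination with its attribution; the line tagged "unattributed" is the one to look at. Bear in mind that an address falling inside a CDN range only says the traffic went to the CDN, not which customer of that CDN was behind it; that is why the answer from the vendor (here, that download.comodo.com is served from that address) is still the part that settles it.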

lol?

Thank you soooooooo much!!! Although it's odd that that IP got contacted only once, knowing that I'm safe made my day. Thank you! :slight_smile:

After 6 days I wonder: why isn't cmdagent.exe making that connection anymore? Not once since then, and even on multiple computers?

I have seen Comodo change hosting provider a couple of times in the past half year. Maybe they changed.

Hi again

Sorry if I keep bothering you, but I'm a very paranoid person.
I recently found log entries from 1 month before and after this incident and this IP was never listed. Actually, you said you talked to "umesh" about this; may I have some public, official explanation from him? (Unless you're on Comodo's staff.)

I'm getting really frustrated right now. If there is something that can't be discussed publicly, I invite you to send me a PM. (I actually don't mind if I find my inbox with "Comodo has a government backdoor in it"; even my old modem had one, and the only way I got rid of it was when it broke on me and they wouldn't replace it, so it's no problem as long as it's documented. Just saying, I'm NOT claiming Comodo has such things.)

bump

It happened again, but the IP is still apparently USAISC's. Can anyone help me out? I'm really frustrated now.