How do I block firefox (or anything) logging onto serial.alcohol-soft.com

My network shows constant data to/from serial.alcohol-soft.com going out through Firefox. I’ve blocked it in Firefox but that stops nothing. And it’s up and open all the time. There is no Alcohol software on my machine. A search for alcohol also finds nothing. How can I block that output at the firewall?

Mod edit: I changed the all caps part to normal case. Eric

Welcome to the forum.

The company alcohol-soft produces the CD burning software Alcohol 120/52, and the connection you’re seeing is for checking the activation serial. If you’ve ever installed Alcohol 120, this could be the reason you’re seeing this. Can you confirm the remote IP address please?

Windows performance Monitor shows it locked on to the site serial.alcohol-soft.COM

Comodo shows it logged on to 2 different sites:

91.99.212.151:443
[Spam Server] [Dictionary Attacker] The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker.

173.194.43.21:443 which is somewhere in google

So I suppose I should also ask how to block my system from going to

91.99.212.151:443

You could block all connections for this address by creating a Global firewall rule:

Action - Block
Protocol - IP
Direction - Out
Source Address - ANY
Destination Address - 91.99.212.151
IP Details - ANY

However, you would be better off trying to find out why your browser keeps trying to connect…

You likely have an extension in Firefox installed that does this. Check the FF extensions and uninstall one that belongs to Alcohol Software.

What is interesting is that I am an Alcohol 120% user and have two paid licenses on two Win 8 x64 PCs running CIS 6 and have never seen them phone home once to serial.alcohol-soft.com. I have activated and reactivated and haven’t seen Comodo firewall popups or log events to this address whatsoever.

1) The real IP address of serial.alcohol-soft.com is below (195.137.236.101). It’s a cover for that IRAN IP address, see below.

C:\WINDOWS\system32>ping serial.alcohol-soft.com

Pinging serial.alcohol-soft.com [195.137.236.101] with 32 bytes of data:
Reply from 195.137.236.101: bytes=32 time=156ms TTL=51
Reply from 195.137.236.101: bytes=32 time=153ms TTL=51
Reply from 195.137.236.101: bytes=32 time=161ms TTL=51
Reply from 195.137.236.101: bytes=32 time=155ms TTL=51

Look at the WHOIS of 91.99.212.151

It’s connected to something in IRAN.

Look at the Tehran, Iran whois record below

01/27/13 17:41:02 whois 91.99.212.151[at]whois.geektools.com

whois -h whois.geektools.com 91.99.212.151 …
GeekTools Whois Proxy v5.0.5 Ready.

Checking access for 72.186.70.72… ok.

Final results obtained from whois.ripe.net.

Results:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘91.99.104.0 - 91.99.255.255’

inetnum: 91.99.104.0 - 91.99.255.255
netname: PARSONLINE-DYNAMIC-DSL
descr: Static-Pool-PR00
country: IR
admin-c: PNOC5-RIPE
tech-c: PNOC5-RIPE
status: ASSIGNED PA
mnt-by: PARSONLINE-MNT
mnt-lower: PARSONLINE-MNT
mnt-domains: PARSONLINE-MNT
mnt-routes: PARSONLINE-MNT
source: RIPE # Filtered

role: ParsOnline Network Operations Center
address: 224 Khoramshahr ave., No. 6C
address: Tehran 15337
address: Iran
phone: +98 21 8220 8333
fax-no: +98 21 8874 9505
abuse-mailbox: abuse[at]parsonline.net
admin-c: AE551-RIPE
tech-c: AE551-RIPE
nic-hdl: PNOC5-RIPE
mnt-by: PARSONLINE-MNT
source: RIPE # Filtered

% Information related to ‘91.98.0.0/15AS16322’

route: 91.98.0.0/15
descr: ParsOnline Co.
descr: ParsOnline Co. Route
origin: AS16322
mnt-by: PARSONLINE-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.51.1 (WHOIS1)

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

Here is the other IP address which is Google. You definitely have something interesting going on on your system.

01/27/13 17:43:09 whois 173.194.43.21[at]whois.geektools.com

whois -h whois.geektools.com 173.194.43.21 …
GeekTools Whois Proxy v5.0.5 Ready.

Checking access for 72.186.70.72… ok.

Final results obtained from whois.arin.net.

Results:

The following results may also be obtained via:

http://whois.arin.net/rest/nets;q=173.194.43.21?showDetails=true&showARIN=false&ext=netref2

NetRange: 173.194.0.0 - 173.194.255.255
CIDR: 173.194.0.0/16
OriginAS: AS15169
NetName: GOOGLE
NetHandle: NET-173-194-0-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation
RegDate: 2009-08-17
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-173-194-0-0-1

OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/GOGL

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact[at]google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN

OrgAbuseHandle: ZG39-ARIN
OrgAbuseName: Google Inc
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: arin-contact[at]google.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ZG39-ARIN

ARIN WHOIS data and services are subject to the Terms of Use

available at: https://www.arin.net/resources/registry/whois/tou/

Results brought to you by the GeekTools WHOIS Proxy
Server results may be copyrighted and are used with permission.

What do you mean “it’s a cover for that IRAN ip”? They’re completely different address blocks in entirely different countries.

C:\WINDOWS\system32>ping serial.alcohol-soft.com

Pinging serial.alcohol-soft.com [195.137.236.101] with 32 bytes of data:
Reply from 195.137.236.101: bytes=32 time=156ms TTL=51
Reply from 195.137.236.101: bytes=32 time=153ms TTL=51
Reply from 195.137.236.101: bytes=32 time=161ms TTL=51
Reply from 195.137.236.101: bytes=32 time=155ms TTL=51

Snip…

Here is the other IP address which is Google. You definitely have something interesting going on on your system.

Why is it odd? Firefox uses Google search by default.

Snip…

The connection is browser based not via the Alcohol client. If you have your browser set to use HTTP, which I’m guessing you do if you’re browsing the Internet, you’ll probably never see the connection.

Here’s a section of a log after installing Alcohol 120:

1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB                               
1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB                               
1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB                               
1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB                               
1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB                               
1/28/2013 10:22:01 AM Added          2972  iexplore.exe         TCP   192.168.1.11              195.137.236.101                     Atlas\GCB
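The earlier advice was to find out which process keeps opening the connection rather than only blocking the address. Below is an added Python example (not from the thread or from Comodo) that parses connection-log lines in the same layout as the log above, counts new connections per process and remote address, and flags the two addresses discussed in the thread. The sample lines and the watch-list labels are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the connection log quoted above
# (date, time, event, PID, process, protocol, local address, remote address, user).
SAMPLE_LOG = """\
1/28/2013 10:22:01 AM Added   2972  iexplore.exe  TCP  192.168.1.11  195.137.236.101  Atlas\\GCB
1/28/2013 10:22:01 AM Added   2972  iexplore.exe  TCP  192.168.1.11  195.137.236.101  Atlas\\GCB
1/28/2013 10:22:05 AM Added   3104  firefox.exe   TCP  192.168.1.11  91.99.212.151    Atlas\\GCB
1/28/2013 10:22:06 AM Added   3104  firefox.exe   TCP  192.168.1.11  173.194.43.21    Atlas\\GCB
1/28/2013 10:22:09 AM Removed 3104  firefox.exe   TCP  192.168.1.11  91.99.212.151    Atlas\\GCB
garbage line that should be ignored
"""

# Addresses named in the thread; the labels are a constructed watch-list for this example.
WATCHLIST = {
    "195.137.236.101": "serial.alcohol-soft.com",
    "91.99.212.151": "ParsOnline (IR) range",
}

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<event>\w+)\s+(?P<pid>\d+)\s+"
    r"(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<user>.+?)\s*$"
)

def parse_log(text: str) -> List[dict]:
    """Parse connection-log lines; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def connections_by_process(rows: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count 'Added' (new connection) events per (process, remote address)."""
    c = Counter((r["proc"], r["remote"]) for r in rows if r["event"] == "Added")
    return dict(c)

def flag_watchlist(rows: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (time, process, label) for each new connection to a watch-listed address."""
    return [(r["time"], r["proc"], WATCHLIST[r["remote"]])
            for r in rows if r["event"] == "Added" and r["remote"] in WATCHLIST]

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (proc, remote), n in sorted(connections_by_process(rows).items()):
        print(f"{proc:<14} -> {remote:<16} {n} new connection(s)")
    for when, proc, label in flag_watchlist(rows):
        print(f"WATCH {when} {proc} reached {label}")
```

The process column is what tells you whether the traffic comes from the Alcohol client, a browser, or a browser extension, which is the question the thread left open.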