mountaintree16

Hulu?


I got an IP block for the first time today while I was watching a show on Hulu.com.

I have to temporarily disable my Hosts file so that the content will play properly and display the advertisements (just adding this in case it is relevant at all).

I have never had a problem with Hulu.com throwing up flags at my security software before and I've been disabling my hosts file temporarily in order to watch shows for a while too. Also I dunno if this is related but normally I watch it in Full Screen but the video would not show in full screen, only in normal screen :/

Exact URL:

http://www.hulu.com/watch/250713/pretty-little-liars-the-goodbye-look

IP Address:

12:26:16 IP-BLOCK 208.73.210.29 (Type: outgoing)

12:26:18 IP-BLOCK 208.73.210.29 (Type: outgoing)

12:26:24 IP-BLOCK 208.73.210.29 (Type: outgoing)

Just wondering if this is an error or if it is really a threat of some sort.

Thank you :)


There's no site on this IP, it's an Oversee IP.


No, there's no site as it seems, on the other hand, there are several threads in the HijackThis subforum which show a blocking of this same IP on infected machines.

And here is what I've found additionally among others:

hxxp://amada.abuse.ch/palevotracker.php?host=ns.paidmailer-list.com

hxxp://www.threatexpert.com/report.aspx?md5=ef6a596cb3136872080356f577ba87eb

Therefore this IP number seems suspicious to me.


Not quite - it's being flagged on infected machines because domains are now resolving to it, that resolved to other IPs previously (normally happens when a domain gets retired by the bad guys, or temporarily disabled (in order to get it flagged as no longer existing, and removed from blacklists - then the cycle begins again (domain gets "re-activated" so to speak))).

That's not to say the IP itself is safe, on the contrary. A lot of parking sites aren't picky about where the links lead to - they're all mostly "sponsored", and as long as the "advertisers" are paying, the parking server owners are happy.


There's no site on this IP, it's an Oversee IP.

Could you please clarify a little bit to me what this means?

Am I to worry if I get this IP blocked?


There are two occasions where an IP may be blocked:

1. Internal to external traffic

2. External to internal traffic

If the traffic is [2] then no, you need not worry.

However, if the traffic is internal to external, then whilst not worrying unnecessarily, it is recommended to check the machine for the presence of infection. The quickest method of doing this, from a traffic standpoint, is with Wireshark, as this will allow you to identify what data is attempted to be sent. You can combine this with a process monitor, to identify the actual process sending the traffic (netstat* will also allow you to identify the process <> IP/hostname relationships).

* The following was written for XP, but works for Vista/7 too:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx?mfr=true

You can use these commands and the data output, to cross reference with the task manager or process explorer/process monitor, to identify the offending process itself.
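The cross-reference described above (blocked IP, then netstat, then the process list), as an added example that is not part of the original post. It assumes `netstat -ano` and `tasklist /fo csv /nh` output saved as text; those two samples are constructed, and only the blocked IP and the IP-BLOCK log format come from this thread.

```python
import csv
import io
import re

# Constructed samples; only the IP-BLOCK lines mirror the log in the first post.
BLOCK_LOG = """\
12:26:16 IP-BLOCK 208.73.210.29 (Type: outgoing)
12:26:18 IP-BLOCK 208.73.210.29 (Type: outgoing)
"""
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49650       198.51.100.7:443       ESTABLISHED     2040
  TCP    192.0.2.10:49712       208.73.210.29:80       SYN_SENT        3124
  UDP    0.0.0.0:5353           *:*                                    1180
"""
TASKLIST_CSV = '''\
"svchost.exe","1180","Services","0","9,120 K"
"firefox.exe","2040","Console","1","210,044 K"
"plugin-container.exe","3124","Console","1","48,300 K"
'''
LOG_RE = re.compile(r"^\d\d:\d\d:\d\d IP-BLOCK (\S+) \(Type: (\w+)\)$")

def blocked_outgoing(log_text):
    """IPs the log reports as blocked in the outgoing direction."""
    hits = (LOG_RE.match(l.strip()) for l in log_text.splitlines())
    return {m.group(1) for m in hits if m and m.group(2).lower() == "outgoing"}

def netstat_rows(text):
    """Yield (remote_ip, remote_port, state, pid) from `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):
            ip, _, port = f[2].rpartition(":")
            # UDP rows have no State column, so they split into 4 fields
            yield ip.strip("[]"), port, f[3] if len(f) == 5 else "", int(f[-1])

def processes(csv_text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 2}

def offenders(log_text, netstat_text, tasklist_text):
    """Blocked outgoing IPs joined to the process that owns the socket."""
    blocked, names = blocked_outgoing(log_text), processes(tasklist_text)
    return [(ip, port, state, pid, names.get(pid, "<unknown>"))
            for ip, port, state, pid in netstat_rows(netstat_text)
            if ip in blocked]

if __name__ == "__main__":
    for row in offenders(BLOCK_LOG, NETSTAT_ANO, TASKLIST_CSV):
        print("%s:%s %s pid=%d %s" % row)
```

The netstat snapshot has to be taken while the connection attempt is still in the table, so capture it as soon as the block appears in the log.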


Thank you for the information Steven :)

I am pretty sure that it was #2 because I only saw it when on Hulu when I was trying to watch that episode and I have not seen that IP or any IP blocked since.

There's no site on this IP, it's an Oversee IP.

Is what you just told me what the above means?


Ah my apologies, forgot to expand on that part.

Oversee is a company that runs (among many other things), parking servers. Domains are effectively "parked" when either newly created, suspended, or the owner decides to do such. All that's typically needed to park a domain, is a change of either A records, or name servers (i.e. ns1.oversee.net). A record changes speak for themselves (the domain points directly to the parking server IP, or uses a frame, redirect header, meta refresh etc, to redirect the visitor to the parking server, instead of the site that used to be there), this can also be done (though is not typically) using CNAME records.

Name server changes, where the name server is a parking server/registrar, are done in cases where a domain has just been created, or has expired/been suspended (in the case of the latter, the domain owner is typically also no longer able to change DNS records).


That's alright, no worries :)

Thank you for clarifying for me, that makes sense. Hopefully Hulu resolves this soon and will change their advertisements so that this does not happen... do you happen to have any contact(s) with them?

I use the site quite a bit and this is my first time having an issue brought to my attention from my security software.


I'll see if I can find a way to contact them about this. Also, I have another show I watch on Hulu, so I'll see if it happens during that show too, and if so then I should definitely contact them.

I am not sure if I got the IP block from an advertisement or from the streaming of the show itself. But before/during/right after the IP block, the show just kinda froze and/or wouldn't really play very well and I could not watch it in fullscreen.

I ended up just watching it on the ABC Family website which is the company that produces the show.

http://www.hulu.com/support/support_form << That's about the best I can find in terms of how to contact them.

Edited by mountaintree16


If possible, please run Wireshark the next time you use Hulu, as this will allow you to determine the traffic and domain(s) involved, as well as whether or not it's advertisements to blame for it.


Sure, I'll do that :)

Would you mind linking me again? I am not sure if I still have the Wireshark link.


Sure, I'll do that :)

Would you mind linking me again? I am not sure if I still have the Wireshark link.

Here ya go. :) http://www.wireshark.org

Also need to install the packet capture library WinPcap. It is included, but often outdated. http://www.winpcap.org


Thank you very much Steven :)


:)

Probably a silly question, but once installed is it pretty self-explanatory how to use it? I can't really seem to find any how-tos on the website.


Awesome :)

I'll report back to you once I have done this, most likely via PM.
