Week of 1st March, 2004

Monday, 1st March - St David's Day

The national day of the patron saint of Wales. I am agnostic in observance of this, although as time passes, it looms a little bigger.

But meanwhile, I have more urgent concerns. Reading Daynoter John Dominik's travails with an apparent Trojan that establishes connections to www.oem-builder.biz (a domain not found in the global DNS), I instituted regular checks here (run netstat -a 5 in an MS-DOS box on your WIN32 machine) - and Antbear has got it, too. More later.


Tuesday, 2nd March

Work these two days - on earlies (the 6 am start) - has been manic. The in shelves are absolutely full, and a lot of material needs completed by a couple of days' time, either for export or transmission. This is ridiculous - it's easily foreseeable that, one day quite soon, we'll be unable to prepare a programme in time. And I know who won't get blamed...

No, it won't be the bean-counters, whose parsimony has had us supporting upwards of 10 channels with fewer video recorders than we had in the analogue days for 5 channels. Admittedly, a considerable part of the analogue workload was commercials, which don't count any more as far as this rant is concerned, but there's still at least twice the airtime to support with less than half the machine hours. And there are many more line feeds these days, as well.


Wednesday, 3rd March

The activity displayed by that netstat command (see Monday) had me worried, because all the machines (Celery, Armadillo and Antbear) were opening at least 5 connections visible in that display. Connections to ports 137, 138 and "nbsession" were obviously related to Windows NetBEUI networking, but why did a connection to local port 0 open every time I fired up a browser? Deponent sayeth not, and I was worried. Then oem-builder showed up in Antbear's netstat display. I shut down immediately, and decided that drastic measures were needed.

Despite vociferous protests, I banned Internet usage until I'd finished investigating. I decided Katy's laptop, Armadillo, would be the experimental subject, and proceeded. Installing Win98 over itself had no effect on the netstat display - note, Armadillo has never shown a connection to oem-builder. So I did a full reinstall, including full patching up-to-date, something I've resisted until now, but since I was re-installing, I thought I'd try it.

Net change - zero, zip, nada. netstat was still showing the same behaviour. Hmmm... maybe I've been borrowing trouble. So I re-installed all the applications, took a Ghost image, and allowed Katy back online. I'll look at Antbear next. Meanwhile, Jenny is still banned (she uses Celery, and while I think Celery is OK, I don't know).


Thursday, 4th March

This Trojan, virus, call it what you will, is a nasty little thing. No-one knows anything about it - or at least Google has no knowledge (except for John Dominik's rant, as of today) and I can't see what it's doing. All I've ever seen, and that only on Antbear, is a number of connections, on various TCP ports, to "www.oem-builder.biz", a named site that has no DNS entry. John D. has found that attempts to access the site, while connections are active, leave you looking at your local machine. It evidently hooks into Microsoft's IP stack at a very low level - unless this whole thing is a mare's nest, the which, by the way, I suggest only as a very far-fetched possibility. There's something un-kosher going on. What that something is, I have not the faintest idea, but Something Needs To Be Done.

By the way, John D.'s comments about port 4444 being open are attributable to InterMute, or its successor AdSubtract. They both work as a proxy server, and cause your browser to connect to localhost:4444 when browsing. This I knew, but netstat reveals a connection on port 11523. Whassat? I didn't order it. It goes away when you close InterMute, so it's related, but why? Paranoia suggests InterMute "'phones home" and onpasses some data or other. But what? Again, paranoia suggests privacy related data, even if it's only click tracks.

That said, port 11523 is open and listening on Antbear, but the Netgear router hides it - so unless InterMute actually sends data, I'm still invisible.

The router is almost totally stealthy - only ports 20 and 21 are visible - but closed. This is probably related to passive FTP, so that I can do FTP transfers from inside, but no-one can initiate an FTP inwards to me. At least, Steve Gibson's "Shields Up!" tester gives this report. And ports that show up in the netstat display aren't visible from outside - again reassuring.
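
An added example, not part of the original diary: the netstat check from these entries written as a Python triage that flags a watched remote host and any listener outside a known baseline. The sample netstat text, the baseline port set and the function names are constructed for illustration.

```python
import re

# Names the Windows "services" file gives the NetBIOS ports in netstat output.
SERVICE_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}
# Assumed baseline: NetBIOS plus the local filtering proxy on 4444.
EXPECTED_LISTENERS = {137, 138, 139, 4444}
WATCHED_HOSTS = {"www.oem-builder.biz"}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample in the layout netstat -a prints; not captured output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    antbear:nbsession      ANTBEAR:0              LISTENING
  TCP    antbear:4444           ANTBEAR:0              LISTENING
  TCP    antbear:11523          ANTBEAR:0              LISTENING
  TCP    antbear:1042           www.oem-builder.biz:80 ESTABLISHED
  UDP    antbear:nbname         *:*
  UDP    antbear:nbdatagram     *:*
"""

def split_endpoint(endpoint):
    """Return (host, port); port is None when it is '*' or an unknown name."""
    host, _, port = endpoint.rpartition(":")
    number = int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())
    return host.lower(), number

def triage(netstat_text):
    """Flag watched remote hosts and listeners outside the baseline."""
    findings = []
    for line in netstat_text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # banner, column header, blank line
        _proto, local, foreign, state = row.groups()
        _, local_port = split_endpoint(local)
        remote_host, _ = split_endpoint(foreign)
        if remote_host in WATCHED_HOSTS:
            findings.append(("watched-host", line.strip()))
        elif state == "LISTENING" and local_port not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", line.strip()))
    return findings

if __name__ == "__main__":
    for kind, row in triage(SAMPLE):
        print(f"{kind:20} {row}")
```

Saving each run's output and comparing it with the previous one shows when a new listener or remote host first appears.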


Friday, 5th March


Saturday, 6th March


Sunday, 7th March

Three more days of continuous work - and no end in sight. The shelves are still just as full, and I see no prospect of the rush tapering off any time soon. We've too many channels for the available VTR machine time - and that won't change, unless the bean-counters see the light. I'm not asking for much - one, or if I had my druthers two, DigiBeta recorders - not the analogue-replay-capable ones (DVW-A500). No, the vanilla DVW-500 (ideally x2) would serve. We have all the necessary wiring, and nearly all the hardware, to support them, we just need the recorders. Or else, despite our best efforts, things are going to go tits-up very soon.

Apropos which, now that we've gained another two movie channels (and those, I understand, went live a week ago yesterday, despite statements that we would be going live early last Monday morning) caching programmes to that server from backing store takes about 16 hours for all material for the 5 channels that run from it.

And the archive tape server is nearly full. I always knew this was going to happen. After all, the videotape archive was running at about 11,000 hours 3 years ago, for 5 channels. The archive tape server has about 5,000 hours total. And now we're up to 14 channels. You do the math.

23:00 - As far as oem-builder is concerned, I've just tried an in-place reinstall of Win98 on Antbear - which failed with an error SU991010. Microsoft's Knowledge Base suggested that this is due to anti-virus software. So I turned off AVG, and tried again - with identical results. Booting to a bare DOS prompt loses me CD-ROM capability. So I'll need a startup disk - which I have, albeit it's for Armadillo. But Armadillo is identical except for RAM and disk size, so I think I'll be safe. I'll just post this, and try it. Wish me luck.
