RE: Reverse http traffic

From: Jarrod Frates (fusion_at_illuminus.com)
Date: 12/30/03

To: <incidents@securityfocus.com>
Date: Tue, 30 Dec 2003 13:56:47 -0800

I've run into something similar to this on systems where Norton Anti-Virus
and a Sygate firewall were installed simultaneously. If this is the case,
try disabling the Sygate firewall service from the Services MMC and see if
you can access HTTP and mail services. Sometimes you can get normal service
back by re-enabling the firewall after about five minutes. So far as I have
seen, there is no way to permanently get around it other than by removing
one of the two products.

Jarrod

-----Original Message-----
From: Daniel H. Renner [mailto:dan@losangelescomputerhelp.com]
Sent: Tuesday, December 30, 2003 12:33 PM
To: incidents@securityfocus.com
Subject: Reverse http traffic

Hello,

I had a case recently wherein one of a client's systems (Win2k) could not
access http or mail traffic. At the same time, 2 other systems
(Win95 and Xandros) could, and yet he could access all of the other network
shares via TCP.

He brought it to my shop; it was patched up, already had the latest
anti-virus defs, and it got on the 'net fine here. He returned with it and
set it up - and could not get any http or email.

I went to his office to see what was up, hooked in my little 'kneetop'
(Sony Picturebook) and browsed just fine.

I then installed a Linux firewall on a spare computer, replaced the Linksys
router with it, and instantly his Win2k was able to browse and get email.

I checked the firewall logs and saw quite a few attempts from a Google IP
address (whois-ed, but I'm not ignoring that it was possibly spoofed) that
was sending IN traffic with a source port of 80 and a destination port in
the temporary range (33xx) - eh???

I can speculate (otherwise known as 'assume' :) that this site was trying to
spoof my client's system into accepting some traffic by using a
reverse-flow, but...

Can anyone tell me what actually could cause this?

-- 
Thank you,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
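As an added example that is not part of this thread, the following Python script shows the distinction a firewall log reader needs for the question above: whether an inbound packet with source port 80 aimed at an ephemeral port (the 33xx range) is the reply to a connection the LAN host itself opened, or arrived with no matching outbound connection. The log lines are constructed, iptables-style LOG output, and the script assumes eth1 faces the client LAN and eth0 the Internet.

```python
import re
from typing import List, Tuple

# Constructed iptables-style LOG lines (not from the thread). eth1 is the LAN
# side, eth0 the Internet side: an outbound HTTP request from the Win2k box,
# the web server's reply to it, and two inbound SPT=80 packets for ports the
# log shows no outbound connection for.
SAMPLE_LOG = """\
Dec 30 12:31:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=3301 DPT=80 SYN URGP=0
Dec 30 12:31:01 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=3301 ACK SYN URGP=0
Dec 30 12:31:07 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=3344 ACK SYN URGP=0
Dec 30 12:31:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=80 DPT=3350 SYN URGP=0
"""

LINE_RE = re.compile(
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)
LAN_IF = "eth1"  # assumption: the interface that faces the client LAN


def classify_sport80(log: str) -> List[Tuple[str, str]]:
    """Walk the log in order, remembering connections the LAN host opened, and
    label each inbound packet with source port 80 as 'reply' (it matches one
    of those connections) or 'unsolicited' (no such connection was seen)."""
    open_conns = set()   # (client_ip, client_port, server_ip, server_port)
    results = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["rest"].split()
        if m["inif"] == LAN_IF and "SYN" in flags and "ACK" not in flags:
            # Client-initiated SYN leaving the LAN: record the 4-tuple.
            open_conns.add((m["src"], int(m["spt"]), m["dst"], int(m["dpt"])))
            continue
        if m["inif"] != LAN_IF and int(m["spt"]) == 80:
            # Inbound from source port 80: reverse the tuple and look it up.
            reverse = (m["dst"], int(m["dpt"]), m["src"], int(m["spt"]))
            verdict = "reply" if reverse in open_conns else "unsolicited"
            results.append((f'{m["src"]}:{m["spt"]}->{m["dst"]}:{m["dpt"]}', verdict))
    return results


if __name__ == "__main__":
    for packet, verdict in classify_sport80(SAMPLE_LOG):
        print(f"{packet:40} {verdict}")
```

A stateful firewall makes exactly this lookup per packet; a stateless filter that only looks at the source port cannot tell the two cases apart.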
