RE: Reverse http traffic

From: Jim Butterworth (my.dsl_at_verizon.net)
Date: 12/31/03

    To: "'Jarrod Frates'" <fusion@illuminus.com>, <incidents@securityfocus.com>
    Date: Tue, 30 Dec 2003 16:14:48 -0800

    If this just all of a sudden started happening, then I would tend to
    lean towards:

    #1 - a recent config change (i.e., software or patches)
    #2 - renew DHCP/MAC seats on router
    #3 - look at inbound traffic for questionable activity

    I believe Daniel has indeed stated he was looking at a questionable
    inbound connection.

    Once you establish this, try running fscan and fport (freeware) to see
    which ports are open and which applications or processes are mapped to
    them. Do this while connected so that you will see the activity while
    it is occurring.

    I've purchased nameless firewall/spyware/av software only to learn that
    they all would negotiate their own connections without permission. When
    I contacted them about it, they claim it is for "update checking".
    Isn't that irony? Buy a firewall only to have the firewall break your
    rules!

    You can also try and run a program called "Hijack This", which will tell
    you all of the things that are currently running, including registry
    calls...

    Or, plug the computer back in, and from the cmd line, run netstat -an
    and see who/what/when is established/waiting/listening.

    Happy hunting!
    Jim

    -----Original Message-----
    From: Jarrod Frates [mailto:fusion@illuminus.com]
    Sent: Tuesday, December 30, 2003 1:57 PM
    To: incidents@securityfocus.com
    Subject: RE: Reverse http traffic

    I've run into something similar to this on systems where Norton Anti-Virus
    and a Sygate firewall were installed simultaneously. If this is the case,
    try disabling the Sygate firewall service from the Services MMC and see if
    you can access HTTP and mail services. Sometimes you can get normal service
    back by re-enabling the firewall after about five minutes. So far as I have
    seen, there is no way to permanently get around it other than by removing
    one of the two products.

    Jarrod

    -----Original Message-----
    From: Daniel H. Renner [mailto:dan@losangelescomputerhelp.com]
    Sent: Tuesday, December 30, 2003 12:33 PM
    To: incidents@securityfocus.com
    Subject: Reverse http traffic

    Hello,

    I had a case recently wherein one of a client's systems (Win2k) could not
    access http or mail traffic. At the same time, 2 other systems (Win95 and
    Xandros) could, and yet he could access all of the other network shares
    via TCP.

    He brought it to my shop, it was patched up, already had the latest
    anti-virus defs, and it got on the 'net fine here. He returned with it and
    set it up - and could not get any http or email.

    I went to his office to see what was up, hooked in my little 'kneetop'
    (Sony Picturebook) and browsed just fine.

    I then installed a Linux firewall on a spare computer, replaced the Linksys
    router with it and instantly his Win2k was able to browse and get email.

    I checked the firewall logs and saw quite a few attempts from a Google IP
    address (whois-ed, but I'm not ignoring that it was possibly spoofed) that
    was sending IN traffic with a source port of 80 and a destination port in
    the temporary range (33xx) - eh???

    I can speculate (otherwise known as 'assume' :) that this site was trying
    to spoof my client's system into accepting some traffic by using a
    reverse-flow, but...

    Can anyone tell me what actually could cause this?

    -- 
    Thank you,
    Dan Renner
    President
    Los Angeles Computerhelp
    http://losangelescomputerhelp.com
    818.352.8700
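As an added illustration (not part of the thread or anyone's posted code), here is the kind of check a stateful packet filter applies to the traffic pattern Dan describes, inbound packets with source port 80 and a destination port in the 33xx range: replay a firewall log in order, remember each outbound connection the client opened, and label every inbound packet as either a reply to one of those connections or an unsolicited packet. The log format, addresses and ports are constructed for this example; they are not taken from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample log (not from the original thread). RFC 5737 documentation
# addresses stand in for the client (192.168.1.10) and a remote web server.
SAMPLE_LOG = """\
OUT tcp 192.168.1.10:3301 -> 203.0.113.5:80 flags=S
IN  tcp 203.0.113.5:80 -> 192.168.1.10:3301 flags=SA
IN  tcp 203.0.113.5:80 -> 192.168.1.10:3301 flags=PA
IN  tcp 203.0.113.5:80 -> 192.168.1.10:3307 flags=PA
IN  tcp 203.0.113.5:80 -> 192.168.1.10:3312 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<dir>IN|OUT)\s+tcp\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)\s+flags=(?P<flags>[A-Z]+)$"
)
SERVICE_PORTS = {80, 443}       # ports a web server answers from
EPHEMERAL = range(1024, 65536)  # client-side source ports (the 33xx range is here)


def classify(log_text: str) -> List[Tuple[str, str]]:
    """Label each inbound packet by whether an earlier outbound connection
    from the client solicited it (what a stateful filter tracks)."""
    outbound = set()  # (client_ip, client_port, server_ip, server_port)
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        sport, dport = int(f["sport"]), int(f["dport"])
        if f["dir"] == "OUT":
            outbound.add((f["sip"], sport, f["dip"], dport))
            continue
        # Inbound: reverse the 4-tuple and look for the connection it answers.
        key = (f["dip"], dport, f["sip"], sport)
        if key in outbound and "A" in f["flags"]:
            label = "reply-to-outbound"
        elif sport in SERVICE_PORTS and dport in EPHEMERAL:
            # Looks like server-to-client traffic, but nothing the client sent
            # matches it: a stateful filter drops this, a port-only rule may not.
            label = "unsolicited-service-port"
        else:
            label = "unsolicited-other"
        results.append((line.strip(), label))
    return results


if __name__ == "__main__":
    for packet, label in classify(SAMPLE_LOG):
        print(f"{label:26} {packet}")
```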
