Re: weird network activity
From: Tony (none_at_none.com)
Date: Sat, 23 Aug 2003 20:47:17 GMT
On Sun, 17 Aug 2003 14:18:57 -0400, Colonel Flagg
>In article <email@example.com>, firstname.lastname@example.org
>> I'm using Win XP Pro and have Service Pack 2 and the latest critical
>> updates installed.
>> I'm using Zone Alarm Pro and AVG antivirus with the latest sig file and a
>> hardware router to a cable modem to the internet.
>> After rebooting, explorer.exe (Version 6.00.2800.1221 (xpsp2))
>> wants to connect to the local ip 127.0.0.1 Port 1060
>> It also wants to connect to ip 126.96.36.199 Port 1900
>> And sometimes also to ip 192.168.1.1 Port 5678
>> Any ideas why it wants to do that?
>What's the IP of the local machine? 192.168.1.1?
>127.0.0.1 is localhost, meaning, it's fine for it to connect to this
>address for whatever reason. I would however seek to find out why it's
>doing this and if this service is really needed. As for 188.8.131.52,
>I have no idea right off the bat, looks like a subnet mask, not an IP.
>You can get a port monitor for XP to find out what services/applications
>are connecting to particular ports. It's probably not a security
>concern, but you may regain some system resources if the services aren't
>needed and you can shut them down.
Zone Alarm has the following info for 184.108.40.206
220.127.116.11 is a multicast address
The remote IP address associated with this alert is a multicast
address. This is a special type of IP address used to identify a group
of computers to which information is being sent.
The standards for assigning multicast addresses are still being
developed. The basic idea is that one multicast IP address, in the
range 224.x.x.x - 239.x.x.x, can be used to designate a set of
computers. The computers in the multicast could be on the same or
different networks or subnets.
A multicast address can only be used as a destination address. If a
multicast address appears in an alert as a source address, it was
probably forged in order to hide the identity of the sender.
This started at the same time the 127.0.0.1 attempts started.
I just went through all the services and disabled all not needed and
previously checked the date of my explorer.exe file and it was not
changed any time recently...
I can block the attempts, but I don't like things happening on my PC
that I don't know the reason for..
I also ran the Microsoft Baseline Security Analyzer, and all appears