Re: 127.0.0.1 and current follow-on; clearly spyware of some type?

From: willbill (trek_at_worldwide.net)
Date: 03/12/04


Date: Fri, 12 Mar 2004 08:38:40 -0600

Ed Gibbs wrote:
> willbill <trek@worldwide.net> wrote in message
>
>>what i now see is much greater activity from
>>several IP addresses (one at a time, *every*
>>time that i dial in to my isp!):
>>
>>209.247.5.19 (most recently)
>>209.247.5.14 (3rd time)
>>209.247.5.14 (2nd time)
>>209.247.5.29
>>209.247.5.21
>>209.247.5.14
>>290.244.187.74 (3rd time)
>>290.244.187.84
>>290.244.187.74 (2nd time)
>>290.244.187.74
>>209.247.5.15
>>209.247.5.19
>>
>>any clues as to what is going on would be appreciated
>>
>>bill
>>
>
> A couple more possibilities.
>
> First - open a DOS window while you are online and type ipconfig.
> This will tell you the dynamic IP address you have been assigned for
> the current session.
>
> If the IP you are assigned matches the one that is being reported as
> attacking you, then it is most likely that your firewall is
> misconfigured. Probably something you set up under the old ISP is
> conflicting with the new ISP. You can ignore it, or reinstall the
> firewall choosing not to save and re-import the existing rules.
>
> Second possibility - many ISPs conduct routine scans of their subnets
^^^^^^^^^^^^^^^^^^^^^^^^
> looking for unauthorized servers. Some people either intentionally or
> unintentionally have their home PCs set up with mail servers, open
> relays, web servers, ftp servers, etc. The ISP has an interest in
> finding these for two reasons - because they can consume lots of
> bandwidth, and because they are attractive targets for crackers,
> worms, spammers looking for open relays, the RIAA looking for more
> 7-year-old kids to sue, etc. So the ISP pro-actively scans their network,
> and when they find unauthorized servers they inform the owners that
> they are violating their Terms of Service and demand that they take
> the server down. Usually the owner has no clue they were even running
> a server and is happy to comply once they figure out what to do.

ahhhh... i think you've nailed it!

>
> Most firewall software will report these scans as an attack, since it
> is basically a port scan. If your new ISP is in this category write
> them a nice letter thanking them for keeping a clean house and ignore
> the scans.

no, McAfee's firewall 4.02.6000.0
has only shown the activity and NOT
labeled it as an attack, so i think
i've got it set up properly

anyhow, i look over the log it keeps of
the activity, and when i see strange stuff
going on i want to know what the heck it is

i still don't understand the 127.0.0.1 activity,
and fwiw, there does appear to be a "loopback"
site with the address of 127.0.0.1

i've seen two periods this past 3 months
when the 127.0.0.1 activity has disappeared,
and this past week is the 2nd of these periods
(and no, i don't think this has anything to do
with my new dialup isp vs. my old one)

btw, blocking all activity from 127.0.0.1 (which
i did a good 6 to 8 months ago) has clearly
not hurt any of my web connectivity

(and yes, i took Big Will's suggestion
   (<" ...run command.com and type ping 127.0.0.1
     in the command prompt, while disconnected. If you
     try this with other IPs, you'll end up with different
     results most of the time."> and also looked at
     the site given by Duane
     (http://compnetworking.about.com/library/weekly/aa042400c.htm))

thank you again, bill
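
The two checks suggested in the reply quoted above (compare each logged source with the address ipconfig reports, then see whether the remaining sources cluster in one range), sketched as an added example that is not part of the original thread. `ASSIGNED_IP`, the appended 127.0.0.1 line and the /24 grouping are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
# Lines as listed in the post; ASSIGNED_IP is a constructed stand-in for ipconfig output.
LOG_LINES = """\
209.247.5.19 (most recently)
209.247.5.14 (3rd time)
209.247.5.14 (2nd time)
209.247.5.29
209.247.5.21
209.247.5.14
290.244.187.74 (3rd time)
290.244.187.84
290.244.187.74 (2nd time)
290.244.187.74
209.247.5.15
209.247.5.19
""".splitlines()
LOG_LINES.append("127.0.0.1")  # constructed entry for the loopback activity mentioned
ASSIGNED_IP = "192.0.2.10"

def classify(src, assigned):
    # Label one logged source address.
    try:
        ip = ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return "malformed"      # not a valid IPv4 address, e.g. an octet above 255
    if ip.is_loopback:
        return "loopback"       # 127.0.0.0/8 traffic stays on the local machine
    if ip == ipaddress.IPv4Address(assigned):
        return "own-address"    # the first possibility: check the firewall rules
    return "remote"

def triage(lines, assigned, prefix=24):
    """Count non-remote labels and group remote sources by subnet."""
    report = {"malformed": [], "loopback": 0, "own-address": 0}
    subnets = defaultdict(list)
    for line in lines:
        src = line.split()[0]   # drop annotations such as "(3rd time)"
        label = classify(src, assigned)
        if label == "malformed":
            report["malformed"].append(src)
        elif label == "remote":
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            subnets[str(net)].append(src)
        else:
            report[label] += 1
    report["subnets"] = {n: (len(h), len(set(h))) for n, h in subnets.items()}
    return report

print(triage(LOG_LINES, ASSIGNED_IP))
```

Each subnet maps to (total hits, distinct hosts); several distinct hosts in one range is the cue to look up who that range is registered to before deciding whether the scans are routine.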


