Re: Plausible reasons for http access?
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Fri, 15 Dec 2006 14:02:00 -0600
On Thu, 14 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
<LFggh.67620$rv4.14961@edtnps90>, warf wrote:

> Moe Trin wrote:
>
> RE providers, mine in particular: Just today I noticed a FireWall rule
> had been created on my behalf [thanks, I think?] ....it passed a UDP
> packet to Level-3...which WHOIS->wiki says is the premier i-net backbone
> carrier in...the world.

"it passed a UDP packet to Level-3"... what _kind_ of UDP packet?
What ports? What address? As for "the premier i-net backbone carrier",
that's a rather poorly framed description. They are _one_ of the major
carriers, but there is no single backbone.

>> For XP, try 'netstat /ano' and see what's open
>
> Actually, ZA, Spybot S&D and Adaware provide me with those functions

Actually they don't. They are providing different information, and
different (rather limited) views.

> that is how I became aware of LSPs and the convoluted path from
> executable to DLL to [fill in the blanks] to internet packet can
> be....and I wept voluminously! [How can I learn fast enough to even keep
> up with the changes in protocol, never mind the tactics? Hence my
> intrusion on this group....and maybe so others can learn and thereby
> thwart hijacking and cloaking]

The fundamental concepts haven't changed in 25 years or more. Where you
are running into problems is the confusion (intentional on the part of
mal-ware authors) about what your computer is doing. This is a
multi-layered process. Your web browser has no idea how packets enter or
leave the computer. It's not needed. All it cares about is telling
the O/S to send a message to "this" service on "that" computer. Your
application translates that URL into a standard format request to
the O/S to establish "a" connection to remote.host.name (which the
O/S knows has to be transparently translated to an IP address) and
send a packet containing the correct syntax of a "GET" command to
the default port number (unless you specified otherwise). To do this,
the O/S has to determine what hose on your computer (perhaps dialin,
perhaps Ethernet, perhaps something else) to use, and send this
message to a piece of software that arranges bits in an appropriate
manner and sends them to a chunk of hardware in the computer somewhere.
Where it goes from there is a function of the hardware, and not the
concern of the O/S (never mind the application). Where does that
mal-ware fit in? It's both "another" application running, and it _may_
alter the internal path normally used between the application level
and the O/S. Your software firewall for example is altering the
path, telling the other applications that the place where you stick
information going to the network (which includes the Internet) is
"right here" (and perhaps passing that information that it feels is
allowed to go "out" to the real location in the O/S where it will
be sent out), while telling the O/S that all network traffic is really
from and to "me". Wait a minute... did I call the software firewall
a piece of mal-ware? No, but it's acting in the same manner.

> SVCHOST is running 6 instances of itself, each instance has about 20
> different open modules. Many instances have different open 'ports'
> numbered anything but 80,110,25.

Remember, I don't do windoze, but my understanding of SVCHOST is that
it's not some web, POP3 or SMTP server, so there is no conceivable reason
for it to have ports 80, 110 or 25 open. As to what ports it should have
open, you'll have to ask a windoze expert - that's not my turf.

> Most all are 'listening' meaning awaiting incoming requests to connect
> right?

Correct - but note where they are listening, and to what addresses. If
it's 127.0.0.1, it's listening to itself - which could be one application
trying to talk to another, or even one part of an application trying to
talk to another part of the same application.

> My ports are supposed to be masked by the firewall. I wonder though if
> Spybot's utility has failed to differentiate a proxy port and an actual
> open ethernet-internet port and is telling me I have "open ports" but no
> tcp/ip packets are acknowledged unless specifically allowed? {Easy
> now...I said I am a pleb..}

This is windoze stuff, and not my area of expertise. However your
Spybot S&D and Adaware are specialized firewalls - and where are they
in that line between your user level applications (like your browser)
and that section of the O/S that connects to the hardware? They can't
all be first in line. Who is?

>>> do I wonder why PCanywhere is trying to connect to me from RU?
>>
>> Are people still using that?
>
> My FW log says they are...kids or oldfarts I s'pose.

No, your firewall log says someone is attempting to connect to a port that
is normally used by PCanywhere. That doesn't mean that the connection
"must be" for that application. A client wanting to connect to a server
goes to where it expects the server to be hiding. The server doesn't have
to be there - it could be elsewhere, or not even installed. If you
need a cop right now, you dial '911', right? Are you aware that that
number is not standardized around the world, and flat out won't work in
many places? Just as there is no international law stating that 911
must be the emergency services number, there is no law or requirement that
only service $FOO can listen to port $BAR and all traffic to port $BAR
must be for $FOO.

> If I am not offering a service there is no connection to be had? BUT, the
> 'service' may be offered by a trojan and you may be saying...find out what
> answers when I call?? Can I call myself on my own line, so to speak?

Did you tell your router to forward ALL traffic to your computer? I can't
because I have more than one computer, and I have to forward stuff to
a specific computer. If I didn't set up forwarding for "this" port, it
doesn't go anywhere. Now your router may be being helpful, and
auto-forwarding everything to one address on your LAN - I can't say.

Can you call your own line? That depends. There are servers you can
use on the network that will scan your address from outside. Most of
them have some agenda, and others I can't use because I'm not allowed
to have a salt intake measured in kilograms. You could try accessing
your home from a friend's place - but scanning 130K ports might take
some time, and may be viewed as a violation of acceptable use policy
by the various ISPs. I can disconnect my firewall box, and connect
a laptop configured to look like the next hop on the way to the Internet,
and run some rather abusive scanning applications from there, seeing
what shows up. It says here, you can also run a scanning program on
your system and have it scan itself, but this may give quite misleading
results.

> I do in fact have a Dlink router using hardwire to the cable modem and
> cable to the e-net adapter on my laptop....do those open ports mean they
> are simply forwarded to the router if no IP is associated with the open
> port number?

No, you are scanning your system from your system. You are seeing what
your system is allowing you to see (which could be less than complete
depending on what is hiding things), and you are looking at them from
inside the hardware, which could show up differently. Example: I can
ping "this" computer by pinging the loopback address (127.0.0.1) but
I get the same result if I ping its Ethernet IP addresses. That's
because the operating system knows I'm trying to talk to myself, and
uses the loopback rather than clutter up the wires with useless chatter
that is needed nowhere else.
Old guy
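Two points in the post above lend themselves to a concrete check: a listener bound to 127.0.0.1 is only reachable by the machine itself, while one bound to 0.0.0.0 is reachable through every interface, and the name a port carries (80, 5631, ...) is only a convention about which service normally answers there, not proof of what is actually listening. The following is an added example, not code from the thread or from any of the tools it mentions. It parses text in the column layout of Windows `netstat -ano` (Proto, Local Address, Foreign Address, State, PID), classifies each listening socket by where it can be reached from, and attaches the conventional IANA port name as a hint only. The sample output embedded below is constructed for the example; its addresses, ports and PIDs describe no real host.

```python
"""Classify listening sockets from `netstat -ano` style output by exposure."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of Windows `netstat -ano`. Every address,
# port and PID here is invented for the example, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2048
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1456
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       3300
  TCP    [::1]:1026             [::]:0                 LISTENING       1456
  TCP    192.168.0.10:1054      192.0.2.44:80          ESTABLISHED     3300
  UDP    0.0.0.0:500            *:*                                    1012
  UDP    127.0.0.1:1900         *:*                                    1456
"""

# Conventional (IANA-registered) names for a few ports. A name here is a hint
# only: nothing forces the service that normally uses a port to be the one
# listening on it, which is the "$FOO / $BAR" point made in the post.
CONVENTIONAL_NAMES = {25: "smtp", 80: "http", 110: "pop3", 135: "epmap",
                      445: "microsoft-ds", 5631: "pcanywheredata"}


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str      # "" for UDP, which netstat prints with no State column
    pid: int


# Proto, local ip:port, foreign address, optional State (absent for UDP), PID.
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat -ano text into Socket records; banner/header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, ip, port, state, pid = m.groups()
        # IPv6 addresses are printed in brackets ("[::1]:1026"); drop them.
        sockets.append(Socket(proto, ip.strip("[]"), int(port), state or "", int(pid)))
    return sockets


def exposure(ip: str) -> str:
    """Where a socket bound to `ip` can be reached from."""
    if ip == "::1" or ip.startswith("127."):
        return "loopback-only"      # the machine talking to itself
    if ip in ("0.0.0.0", "::"):
        return "all-interfaces"     # every NIC, including the Internet-facing one
    return "one-interface"          # bound to one specific local address


def listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets count only in LISTENING state; every bound UDP socket can receive."""
    return [s for s in sockets
            if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]


def report(text: str) -> Dict[int, List[dict]]:
    """Group listening sockets by PID with their exposure and conventional port name."""
    out: Dict[int, List[dict]] = {}
    for s in listeners(parse_netstat(text)):
        out.setdefault(s.pid, []).append({
            "proto": s.proto,
            "port": s.local_port,
            "exposure": exposure(s.local_ip),
            "conventional_name": CONVENTIONAL_NAMES.get(s.local_port, "unassigned/unknown"),
        })
    return out


def externally_reachable(text: str) -> List[Tuple[int, str, int]]:
    """(pid, proto, port) for listeners not confined to loopback: the ones to explain."""
    return sorted((s.pid, s.proto, s.local_port)
                  for s in listeners(parse_netstat(text))
                  if exposure(s.local_ip) != "loopback-only")


if __name__ == "__main__":
    for pid, socks in sorted(report(SAMPLE_NETSTAT).items()):
        for e in socks:
            print(f"PID {pid:<5} {e['proto']} {e['port']:<6} "
                  f"{e['exposure']:<15} ({e['conventional_name']})")
```

On a real XP box the input would come from `netstat -ano` and the PID column can be matched to a process and its hosted services with `tasklist /svc`; the point of the split into loopback-only versus all-interfaces listeners is that only the latter group needs the router-forwarding and firewall questions raised in the post, while the former is the machine talking to itself. The output of the script is still a view from inside the host, so, as the post says, it can disagree with what an outside scan sees.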