Security Incidents mailing list archives
RE: Reverse http traffic
From: "Jim Butterworth" <my.dsl () verizon net>
Date: Tue, 30 Dec 2003 16:14:48 -0800
If this just all of a sudden started happening, then I would tend to lean towards:

#1 - a recent config change (i.e., software or patches)
#2 - renew DHCP/MAC seats on router
#3 - look at inbound traffic for questionable activity

I believe Daniel has indeed stated he was looking at a questionable inbound connection. Once you establish this, try running fscan and fport (freeware) to see which ports are open and which applications or processes are mapped to them. Do this while connected so that you will see the activity while it is occurring.

I've purchased nameless firewall/spyware/av software only to learn that they all would negotiate their own connections without permission. When I contacted them about it, they claim it is for "update checking". Isn't that irony? Buy a firewall only to have the firewall break your rules!

You can also try and run a program called "Hijack This", which will tell you all of the things that are currently running, including registry calls...

Or, plug the computer back in, and from the cmd line, run netstat -an and see who/what/when is established/waiting/listening.

Happy hunting!

Jim

-----Original Message-----
From: Jarrod Frates [mailto:fusion () illuminus com]
Sent: Tuesday, December 30, 2003 1:57 PM
To: incidents () securityfocus com
Subject: RE: Reverse http traffic

I've run into something similar to this on systems where Norton Anti-Virus and a Sygate firewall were installed simultaneously. If this is the case, try disabling the Sygate firewall service from the Services MMC and see if you can access HTTP and mail services. Sometimes you can get normal service back by re-enabling the firewall after about five minutes. So far as I have seen, there is no way to permanently get around it other than by removing one of the two products.

Jarrod

-----Original Message-----
From: Daniel H. Renner [mailto:dan () losangelescomputerhelp com]
Sent: Tuesday, December 30, 2003 12:33 PM
To: incidents () securityfocus com
Subject: Reverse http traffic

Hello,

I had a case recently wherein one of a client's systems (Win2k) could not access http, or mail traffic. At the same time, 2 other systems (Win95 and Xandros) could, and yet he could access all of the other network shares via TCP.

He brought it to my shop, it was patched up, already had the latest anti-virus defs, and it got on the 'net fine here. He returned with it and set it up - and could not get any http or email.

I went to his office to see what was up, hooked in my little 'kneetop' (Sony Picturebook) and browsed just fine. I then installed a Linux firewall on a spare computer, replaced the Linksys router with it and instantly his Win2k was able to browse and get email.

I checked the firewall logs and saw quite a few attempts from a Google IP address (whois-ed, but I'm not ignoring that it was possibly spoofed) that was sending IN traffic with a source port of 80 and a destination port in the temporary range (33xx) - eh???

I can speculate (otherwise known as 'assume' :) that this site was trying to spoof my client's system into accepting some traffic by using a reverse-flow, but...

Can anyone tell me what actually could cause this?

--
Thank you,
Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700
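As an added example (not code from anyone in this thread): a small Python connection-tracking check over firewall log lines, in the spirit of Dan's "source port 80, destination port 33xx" observation. It labels each inbound packet from source port 80 by whether an outbound connection from that same client port was seen earlier in the log, which is the distinction a stateful firewall makes and a stateless packet filter cannot. The simplified log format, the sample lines and the 203.0.113.5 address are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (not the thread's real firewall logs).
# Format: DIRECTION PROTO SRC:SPORT > DST:DPORT TCPFLAGS
SAMPLE_LOG = """\
OUT TCP 192.168.1.10:3301 > 203.0.113.5:80 S
IN  TCP 203.0.113.5:80 > 192.168.1.10:3301 SA
IN  TCP 203.0.113.5:80 > 192.168.1.10:3302 A
IN  TCP 203.0.113.5:80 > 192.168.1.10:3303 S
"""

LINE_RE = re.compile(
    r"^(?P<dir>IN|OUT)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\w+)$"
)

EPHEMERAL_LOW = 1024  # Win2k-era clients picked ports just above 1024 (e.g. 33xx)


def classify(log_text: str) -> List[Tuple[str, str]]:
    """Label inbound source-port-80 packets by whether they answer an outbound
    connection (SYN) the client opened earlier in the log."""
    # Tracked connections keyed by (local ip, local port, remote ip, remote port).
    tracked: Dict[Tuple[str, int, str, int], bool] = {}
    results: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        f = m.groupdict()
        sport, dport = int(f["sport"]), int(f["dport"])
        if f["dir"] == "OUT" and "S" in f["flags"]:
            tracked[(f["src"], sport, f["dst"], dport)] = True  # client opened it
            continue
        if f["dir"] != "IN" or sport != 80:
            continue
        key = (f["dst"], dport, f["src"], sport)  # reverse tuple for the reply path
        if key in tracked:
            label = "reply to tracked outbound connection"
        elif "S" in f["flags"] and "A" not in f["flags"]:
            label = "unsolicited SYN from source port 80"
        elif dport >= EPHEMERAL_LOW:
            label = "unsolicited packet to ephemeral port, no tracked connection"
        else:
            label = "unsolicited packet to service port"
        results.append((raw.strip(), label))
    return results


if __name__ == "__main__":
    for line, label in classify(SAMPLE_LOG):
        print(f"{label:60} <- {line}")
```

Only the first inbound line matches an outbound SYN the client sent; the other two arrive with no tracked connection, which is what a stateful filter would drop and a stateless one cannot tell apart from legitimate replies.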
Current thread:
- Reverse http traffic Daniel H. Renner (Dec 30)
- RE: Reverse http traffic Jarrod Frates (Dec 30)
- RE: Reverse http traffic Jim Butterworth (Dec 30)
- <Possible follow-ups>
- Re: Reverse http traffic James C. Slora Jr. (Dec 31)
- RE: Reverse http traffic Jarrod Frates (Dec 30)