Plausible reasons for http access?

When I booted up, Kerio warns me that "Generic Host Process for Win32
Services" from my computer wants to connect to 198.18.1.1:80. The
application is c:\winnt\system32\svchost.exe. According to
DNSstuff.com, this is Internet Assigned Numbers Authority (IANA) in
Marina del Rey, CA. If I use my browser to visit
http://198.18.1.1:80, the page says "Directory Listing Denied. This
Virtual Directory does not allow contents to be listed." What are
some reasons why this access is attempted?

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)

Re: Plausible reasons for http access?

Sebastian Gottschalk wrote:
> At any rate, it seems like you're trying to run a host-based packet filter
> without even knowing a jack-shit about networking or your host operating
> system.
Well at least he had some sense to run it, unlike what you would advise
to not run anything (see other thread), so he noticed this and can
investigate the potentially malicious access ;-)

Re: Plausible reasons for http access?

On Sat, 09 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
, Dubious Dude wrote:

>When I booted up, Kerio warns me that "Generic Host Process for Win32
>Services" from my computer wants to connect to 198.18.1.1:80. The
>application is c:\winnt\system32\svchost.exe. According to
>DNSstuff.com, this is Internet Assigned Numbers Authority (IANA) in
>Marina del Rey, CA.

Sigh... mis-leading information from DNSstuff.com. Read RFC2544 and
RFC3330. Use a packet sniffer to find which of your LOCAL computers is
using 198.18.1.1. That address is not routable over the Internet.
The address "belongs" to IANA as much as 127.0.0.1 does.

Old guy

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)

Re: Plausible reasons for http access?

Sebastian Gottschalk wrote:
>> unlike what you would advise to not run anything (see other thread),
>
> "unlike"? You seem to be implying that something would be wrong with not
> running bullshit software.

Yes... unlike.. you stated very clearly that you advise people to not
run anything at all, which is still a bad idea.

>> so he noticed this
> One doesn't need any packet filter to do so.
Not running anything surely doesn't have anyone notice ANY access that
might be unwanted. But since you prefer to have every end user system
completely exposed to the Internet, contrary the advise from just about
anyone in the business of providing Internet Services, I guess I'm
talking to a wall here ;-)

>> and can investigate the potentially malicious access ;-)
> There's nothing to investigate.
I don't know about Kerio, I discarded it myself since it took too much
cpu for nothing, but I doubt a piece of software makes up random access
warnings, especally if they intend to remain in business for a while.

BTW: I don't think the IANA is running hosts for Akamai

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)

Re: Plausible reasons for http access?

MC wrote:
> Sebastian Gottschalk wrote:
>>> unlike what you would advise to not run anything (see other thread),
>> "unlike"? You seem to be implying that something would be wrong with not
>> running bullshit software.
>
> Yes... unlike.. you stated very clearly that you advise people to not
> run anything at all, which is still a bad idea.
>
>>> so he noticed this
>> One doesn't need any packet filter to do so.
> Not running anything surely doesn't have anyone notice ANY access that
> might be unwanted. But since you prefer to have every end user system
> completely exposed to the Internet, contrary the advise from just about
> anyone in the business of providing Internet Services, I guess I'm
> talking to a wall here ;-)
>
>>> and can investigate the potentially malicious access ;-)
>> There's nothing to investigate.
> I don't know about Kerio, I discarded it myself since it took too much
> cpu for nothing, but I doubt a piece of software makes up random access
> warnings, especally if they intend to remain in business for a while.
>
> BTW: I don't think the IANA is running hosts for Akamai


Thanks, MC, for some balanced feedback.

Re: Plausible reasons for http access?

Moe Trin wrote:
> On Sat, 09 Dec 2006, in the Usenet newsgroup comp.security.misc, in
article
> , Dubious Dude wrote:
>
>> When I booted up, Kerio warns me that "Generic Host Process for Win32
>> Services" from my computer wants to connect to 198.18.1.1:80. The
>> application is c:\winnt\system32\svchost.exe. According to
>> DNSstuff.com, this is Internet Assigned Numbers Authority (IANA) in
>> Marina del Rey, CA.
>
> Sigh... mis-leading information from DNSstuff.com. Read RFC2544 and
> RFC3330. Use a packet sniffer to find which of your LOCAL computers is
> using 198.18.1.1. That address is not routable over the Internet.
> The address "belongs" to IANA as much as 127.0.0.1 does.

Moe,

Thank you for the pointer. I looked up the following:

1. RFC3330: http://www.rfc-zone.org/rfc3330.html

2. Classless Inter-Domain Routing:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

3. RFC2544: http://www.rfc-zone.org/rfc2544.html

In case someone in my position (ie. not in IT) grouples this topic, #1
indicates that 198.18.0.0/15 is a block of addresses for benchmark
tests of network interconnect devices, documented in RFC2544.

The format of 198.18.0.0/15 needed some googling. #2 indicates that
each of the 4 decimal numbers 198.18.0.0 is a byte, and a 32-bit word
is formed by abutting the bytes as shown. Each byte starts with the
most significant bit on the left. The /15 indicates that the bits in
the 32-bit word beyond the leftmost 15 are variable, thus defining a
range of addresses.

#3 seems to show the relevance of the address in my original post:

C.2.2 Protocol Addresses

Two sets of addresses must be defined: first the addresses assigned
to the router ports, and second the address that are to be used in
the frames themselves and in the routing updates.

The network addresses 192.18.0.0 through 198.19.255.255 are have been
assigned to the BMWG by the IANA for this purpose. This assignment
was made to minimize the chance of conflict in case a testing device
were to be accidentally connected to part of the Internet. The
specific use of the addresses is detailed below.

C.2.2.1 Router port protocol addresses

Half of the ports on a multi-port router are referred to as "input"
ports and the other half as "output" ports even though some of the
tests use all ports both as input and output. A contiguous series of
IP Class C network addresses from 198.18.1.0 to 198.18.64.0 have been
assigned for use on the "input" ports. A second series from
198.19.1.0 to 198.19.64.0 have been assigned for use on the "output"
ports. In all cases the router port is node 1 on the appropriate
network. For example, a two port DUT would have an IP address of
198.18.1.1 on one port and 198.19.1.1 on the other port.

Some of the tests described in the methodology memo make use of an
SNMP management connection to the DUT. The management access address
for the DUT is assumed to be the first of the "input" ports
(198.18.1.1).

I assume that the ports being referred to are those of the
router/modem.

Re: Plausible reasons for http access?

On Wed, 13 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
, Dubious Dude wrote:

>Thank you for the pointer. I looked up the following:
>
> 1. RFC3330: http://www.rfc-zone.org/rfc3330.html

RFCs can be found in hundreds of mirror sites on the Internet. I no
longer bother to point to specific sources for that reason. Any search
engine will find them.

Web Results 1 - 10 of about 15,300 for RFC3330. (0.14 seconds)

Web Results 1 - 10 of about 73,700 for RFC 3330. (0.13 seconds

> 2. Classless Inter-Domain Routing:
> http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

While the wikipedia is often a very good source of information, please
remember that it is not authoritative and _may_ contain incomplete or
misleading information. Again, the source would be

1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and
Aggregation Strategy. V. Fuller, T. Li, J. Yu, K. Varadhan. September
1993. (Format: TXT=59998 bytes) (Obsoletes RFC1338) (Obsoleted by
RFC4632) (Status: PROPOSED STANDARD)

4632 Classless Inter-domain Routing (CIDR): The Internet Address
Assignment and Aggregation Plan. V. Fuller, T. Li. August 2006.
(Format: TXT=66944 bytes) (Obsoletes RFC1519) (Also BCP0122) (Status:
BEST CURRENT PRACTICE)

>The format of 198.18.0.0/15 needed some googling. #2 indicates that
>each of the 4 decimal numbers 198.18.0.0 is a byte, and a 32-bit word
>is formed by abutting the bytes as shown. Each byte starts with the
>most significant bit on the left. The /15 indicates that the bits in
>the 32-bit word beyond the leftmost 15 are variable, thus defining a
>range of addresses.

1878 Variable Length Subnet Table For IPv4. T. Pummill, B. Manning.
December 1995. (Format: TXT=19414 bytes) (Obsoletes RFC1860) (Status:
HISTORIC)

>#3 seems to show the relevance of the address in my original post:

Yes

> C.2.2.1 Router port protocol addresses
>
> Half of the ports on a multi-port router are referred to as "input"
> ports and the other half as "output" ports even though some of the
> tests use all ports both as input and output.

>I assume that the ports being referred to are those of the
>router/modem.

Yes - port (in this context) means 'interface', or connection point that
allows access to/from "a" network. We also call them "hoses" or "pipes",
as in "data comes in the 'comezinta' hose and goes out the 'gozouta' hose".
Your router/modem is connecting your computer/network on one port to
the ISP (and thence to the world) on a second port. Note that a port
may or may not _physically_ exist. An example of an imaginary port is the
loopback address (127.0.0.1) used by a computer when it is talking to
itself.

Old guy

Re: Plausible reasons for http access?

Moe Trin wrote:

> On Wed, 13 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
> , Dubious Dude wrote:
>
>
>>Thank you for the pointer. I looked up the following:
>>
>>1. RFC3330: http://www.rfc-zone.org/rfc3330.html
>
>
> RFCs can be found in hundreds of mirror sites on the Internet. I no
snip the good stuff.....
ISP (and thence to the world) on a second port. Note that a port
> may or may not _physically_ exist. An example of an imaginary port is the
> loopback address (127.0.0.1) used by a computer when it is talking to
> itself.
>
> Old guy

Hi O'G.
I take back my humorous post to the guy wanting to foil his
teenager...maybe only feet not lightyears ahead.
Seriously though, This thread elucidates the futility of the average
[over 20] enduser in trying to 'protect' themselves by having access to
port traffic information. I to am too plagued 2...by the deception of
firewall vendors deluging us with logs of the attacks they thwarted on
our behalf s. I have never ever ever had a single abuse admin reply to
my "why is a netbios attack[scan] originating from your network...?"
query. It is probably because his killfile is set to gobble every email
of that type and send me to email obscurity for even suggesting it is a
real threat....as he watches the soaps.

I have read that most logged requests are simply misdirected or
background internet packets....true?

NOW the MEAT of this thread for all us pleabs trying to get a leg
over..."how do we sort out the malicious from the mundane?

Do I freak when I see so&so from China running thru all ports from
135-139 three times in a row? do I wonder why PCanywhere is trying to
connect to me from RU?
Or do I just watch blissfully the blinking lights on my Dlink wireless
router [hardwire connection] and trust my ZA2007intsuite to give me as
much protection as is humanly possible under $100 and still be able to
hassle guys like you on these NGs?.......with my unworthy requests????
and saggy underwear?
Oldguy 2...miffed again [at myself now]

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)

Re: Plausible reasons for http access?

On Thu, 14 Dec 2006 in the Usenet newsgroup comp.security.misc, in article
, warf wrote:

>This thread elucidates the futility of the average [over 20] enduser in
>trying to 'protect' themselves by having access to port traffic
>information.

Watch the context. The word port has several meanings, which is why I
wrote:

]Yes - port (in this context) means 'interface', or connection point that
]allows access to/from "a" network. We also call them "hoses" or "pipes",

whereas 'port' in the context you are using (port numbers), more equates
to room numbers in a hotel or office building, or telephone extension
numbers. These are places to connect to where you will find something
specific - perhaps a web server, perhaps a file server, maybe even 'Room
Service' - I dunno.

>I to am too plagued 2...by the deception of firewall vendors deluging us
>with logs of the attacks they thwarted on our behalf s.

On my home firewall, I normally have _ALL_ logging off. I'm not using
windoze, so my firewall also does not mail self-congratulatory messages
to everyone on the LAN.

>I have never ever ever had a single abuse admin reply to my "why is a
>netbios attack[scan] originating from your network...?" query.

NetBIOS is a protocol meant for local use within a windoze workgroup.
As microsoft designed the protocol (actually, it's non-routable
predecessor NETBUI) for the 10-20 PC office, and not the Internet at
large, this stuff should be blocked at the perimeter. Two of my ISPs
(I have 4) block this at the dialin terminal server, while the other
doesn't (neither does my broadband provider). The problem is as I
eluded to in my reply in the "evesdropping a computer how is it possible,
how can it be prevented ?" thread. Windoze enables crap by default on
the off-chance that you'll find it useful. If you want to share your
hard drive, and your printer with the world - bingo, no extra work on
your part. This may not be the best idea that ever came down the pike,
but they feel that "ease of operation" is more important than security.

As for ignoring reports of a netbios scan, the majority will ignore
this. They feel that you have some responsibility to not be accepting
those connections in the first place. If you block the connection (or
better yet, don't run a server on that port) then the scan is futile.
Another problem is that the majority of such abuse reports don't have
the details needed to show that they need to document to do something
to the owner of the "attacking" computer. I'd suspect that most
"attacks" are coming from computers that have successfully been
attacked - perhaps a chain of A controls B which controls C, which
controls D which is "attacking E.

>It is probably because his killfile is set to gobble every email of that
>type and send me to email obscurity for even suggesting it is a real
>threat....as he watches the soaps.

Lessee, you're posting from an 'eastlink.ca' cable address. _Most_
residential broadband providers (especially in North America) like to
pretend to be "common carrier" which is a US term meaning someone who
provides transportation service - in this case, transporting packets.
They claim that's all they do, and they are not responsible for the
_content_ of those packets. Other providers around the world have
adopted a similar concept of "we're only delivering connectivity",
because it's less of a hassle than policing their turf, inspecting
the content of those packets, and so on. Yes, they're supposed to
pay attention to abuse complaints, but kicking off customers isn't
the way to make money. That's why we (in the business) use firewalls
to block access to our systems from large parts of the world.

>I have read that most logged requests are simply misdirected or
>background internet packets....true?

Depends. Those originating from (crude measure) your ISP - your network
neighborhood may well be. Those originating from halfway around the
world are probably worms, zombies, or the inevitable skript kiddiez.

>NOW the MEAT of this thread for all us pleabs trying to get a leg
>over..."how do we sort out the malicious from the mundane?

To a large extent - you don't. You mention using XP - windoze sorta
copied a UNIX command called 'netstat' which is used to see what stuff
is open/active on your network interface. For XP, try 'netstat /ano'
and see what's open. I'm not using windoze, but what I see using the
original command is

[compton ~]$ netstat -atun
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[compton ~]$

there is exactly one service "open" on this box (SSH or "Secure Shell").
What happens if I try to connect to some other port?

[compton ~]$ telnet localhost 139
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

Nothing there. Nothing running means nothing to exploit. If I wanted to
have this box directly on the Internet (it's one of six boxes on the
home LAN, behind a firewall that is also NATing), I wouldn't need a
firewall application, because there is nothing (except SSH which is
only accepting connections from seven specific computers) open. If
someone tries to connect, they get the same "Connection refused" as
shown above.

>Do I freak when I see so&so from China running thru all ports from
>135-139 three times in a row?

The three times in a row is the way IP works when there is no response.
If there were a "FOAD" response, a normal computer would give up upon
receiving that response. But this is just someone trying to see if
you'd like to share your hard drive.

>do I wonder why PCanywhere is trying to connect to me from RU?

Are people still using that?

>Or do I just watch blissfully the blinking lights on my Dlink wireless
>router [hardwire connection]

OK - stop it right there. If someone tries to connect to port 80 on your
eastlink IP address, what "answers". (I haven't had a single system
setup in decades - if you connect to my broadband address, which of the
six computers should respond? Seeing as how I'm not offering services
to the world, the "new" connection isn't forwarded, but is blocked at
the router.)

>and trust my ZA2007intsuite to give me as much protection as is humanly
>possible under $100

---------------------
Their main use is telling the ones who use it that some host in Korea or
Kenya attempted to connect to a trojan that they don't have installed.
---------------------

Use 'netstat' and see what is open on your computer. Do you have some
need for that to be open? If not, disable that service (don't ask me
how, I got rid of windoze in 1992 before they discovered networking).
Did that "break" something you are using? No; then you didn't need it.
Yes; then re-enable it, and try blocking it at the router. Your
computer will run faster if it isn't running a service, and also running
a firewall of some sorts to block access to that service.

Then look at your router - and see that it isn't forwarding stuff you
don't need. If your router can't forward the request, it sends back
that same "Connection refused" message. No way in == no worries for you.

>and still be able to hassle guys like you on these NGs?.......with my
>unworthy requests???? and saggy underwear?

Can't do a thing for the saggy underwear. For the requests, I can answer
networking stuff, but not the windoze end of things.

>Oldguy 2...miffed again [at myself now]

One of the problems with computers connected to the Internet is that
many (most) people don't want to learn anything about them. They expect
to turn them on (hopefully they can find the power switch), and things
will just work - not to sure what they are, but they'll work. It doesn't
work that way. Someone else wrote:

-------------------
Congratulations. You've just figured out that they lied to you
when they told you even an untrained monkey on crack can use a
computer. Yes, there's a lot to learn
-------------------

Old guy

Re: Plausible reasons for http access?

Moe Trin wrote:

> On Thu, 14 Dec 2006 in the Usenet newsgroup comp.security.misc, in article
> , warf wrote:
..
> wrote:
snip some important but volumous and onorous content...to free up your
time while helping me..
> Lessee, you're posting from an 'eastlink.ca' cable address. _Most_
> residential broadband providers (especially in North America) like to
> pretend to be "common carrier" which is a US term meaning someone who
> provides transportation service - in this case, transporting packets.
> They claim that's all they do, and they are not responsible for the
> _content_ of those packets. Other providers around the world have
> adopted a similar concept of "we're only delivering connectivity",
> because it's less of a hassle than policing their turf, inspecting
> the content of those packets, and so on. Yes, they're supposed to
> pay attention to abuse complaints, but kicking off customers isn't
> the way to make money. That's why we (in the business) use firewalls
> to block access to our systems from large parts of the world.

You are very helpful and a valuable asset to persons like me trying to
gain some sense of awareness.
RE providers, mine in particluar: Just today I noticed a FireWall rule
had been created on my behalf [thanks, I think?] ....it passed a UDP
packet to Level-3...which WHOIS->wiki says is the premier i-net backbone
carrier in...the world.

you did say you area able to restrict your system from 'parts of the
world...but if i am compromised then you are as well....by redirection
so to speak.

.....snip some other useful text.
For XP, try 'netstat /ano'
> and see what's open....snip for brevity.. they get the same "Connection refused" as
> shown above.

Actually, ZA, Spybot S&D and Adaware provide me with those functions and
that is how I became aware of LSPs and the convoluted path from
executable to DLL to [fill in the blanks] to internet packet can
be....and I wept volumously! [How can i learn fast enough to even keep
up with the changes in protocol, never mind the tactics? hence my
intrusion on this group....and maybe so others can learn and thereby
thwart hijacking and cloaking]

F-EG:[vida supra] SCVHOST is running 6 instances of itself, each
instance has about 20 different open modules. Many instances have
different open 'ports' numbered anything but 80,110,25. Most all are
'listening' meaning awaiting incoming requests to connect right?
As you said [vida infra] if they are denied connection nothing happens.
My ports are supposed to be masked by the firewall. I wonder though if
Spybots utility has failed to differentiate a proxy port and an actual
open ethernet-internet port and is telling me I have "open ports" but no
tcp/ip packets are acknowledged unless specificaly allowed? {Easy
now...I said I am a pleab..}

snip...
>>do I wonder why PCanywhere is trying to connect to me from RU?

> Are people still using that?

My FW log says they are...kids or oldfarts I s'pose.

>Or do I just watch blissfully the blinking lights on my Dlink wireless
>>router [hardwire connection]
>
> OK - stop it right there.
>If someone tries to connect to port 80 on your
> eastlink IP address, what "answers". (I haven't had a single system
> setup in decades - if you connect to my broadband address, which of the
> six computers should respond? Seeing as how I'm not offering services
> to the world, the "new" connection isn't forwarded, but is blocked at
> the router.)

AHHH...ok??? Even though the 'watch the lights blinking was metaphoric
for "pick my nose in bliss and scratch my festering arse" I think I see
what you are saying. If I am not offering a service there is no
connection to be had? BUT, the 'service' may be offered by a trojan and
you may be saying...find out what answers when i call?? Can I call
myself on my own line, so to speak?

I do in fact have a Dlink router using hardwire to the cable modem and
cable to the e-net adapter on my laptop....do those open ports mean they
are simply forwarded to the router in no IP is associated with the open
port number? The modem, the card and the cable modem have an IP address
AND i have the internal 127.0.0.1 circuit to....no?

snip...
> One of the problems with computers connected to the Internet is that
> many (most) people don't want to learn anything about them. snip..
>
> Old guy

Thanks, I still reiterate...again and unabatedly, I feel that by the
time I get caught up It [I] will be outdated....I was a wiz at W95 [or
so I thought] about the time W2000SP3 was dessicated wannabe [g].
Defeated but optimistically....miffed.

Re: Plausible reasons for http access?

On Thu, 14 Dec 2006, in the Usenet newsgroup comp.security.misc, in article
, warf wrote:

>Moe Trin wrote:

>RE providers, mine in particluar: Just today I noticed a FireWall rule
>had been created on my behalf [thanks, I think?] ....it passed a UDP
>packet to Level-3...which WHOIS->wiki says is the premier i-net backbone
>carrier in...the world.

"it passed a UDP packet to Level-3"... what _kind_ of UDP packet?
What ports? What address? As for "the premier i-net backbone carrier",
that's a rather poorly framed description. They are _one_ of the major
carriers, but there is no single backbone.

>> For XP, try 'netstat /ano' and see what's open

>Actually, ZA, Spybot S&D and Adaware provide me with those functions

Actually they don't. They are providing different information, and
different (rather limited) views.

>that is how I became aware of LSPs and the convoluted path from
>executable to DLL to [fill in the blanks] to internet packet can
>be....and I wept volumously! [How can i learn fast enough to even keep
>up with the changes in protocol, never mind the tactics? hence my
>intrusion on this group....and maybe so others can learn and thereby
>thwart hijacking and cloaking]

The fundamental concepts haven't changed in 25 years or more. Where you
are running into problems is the confusion (intentional on the part of
mal-ware authors) about what your computer is doing. This is a multi-
layered process. Your web browser has no idea how packets enter or
leave the computer. It's not needed. All it cares about is telling
the O/S to send a message to "this" service on "that" computer. Your
application translates that URL into a standard format request to
the O/S to establish "a" connection to remote.host.name (which the
O/S knows has to be transparently translated to an IP address) and
send a packet containing the correct syntax of a "GET" command to
the default port number (unless you specified otherwise). To do this,
the O/S has to determine what hose on your computer (perhaps dialin,
perhaps Ethernet, perhaps something else) to use, and send this
message to a piece of software that arranges bits in an appropriate
manner and sends them to a chunk of hardware in the computer somewhere.
Where it goes from there is a function of the hardware, and not the
concern of the O/S (never mind the application). Where does that
mal-ware fit in? It's both "another" application running, and it _may_
alter the internal path normally used between the application level
and the O/S. Your software firewall for example is altering the
path, telling the other applications that the place where you stick
information going to the network (which includes the Internet) is
"right here" (and perhaps passing that information that it feels is
allowed to go "out" to the real location in the O/S where it will
be sent out), while telling the O/S that all network traffic is really
from and to "me". Wait a minute... did I call the software firewall
a piece of mal-ware? No, but it's acting in the same manner.

>SCVHOST is running 6 instances of itself, each instance has about 20
>different open modules. Many instances have different open 'ports'
>numbered anything but 80,110,25.

Remember, I don't do windoze, but my understanding of SCVHOST is that
it's not some web, POP3 or SMTP server, so there is no conceivable reason
for it to have ports 80, 110 or 25 open. As to what ports it should have
open, you'll have to ask a windoze expert - that's not my turf.

>Most all are 'listening' meaning awaiting incoming requests to connect
>right?

Correct - but note where they are listening, and to what addresses. If
it's 127.0.0.1, it's listening to itself - which could be one application
trying to talk to another, or even one part of an application trying to
talk to another part of the same application.

>My ports are supposed to be masked by the firewall. I wonder though if
>Spybots utility has failed to differentiate a proxy port and an actual
>open ethernet-internet port and is telling me I have "open ports" but no
>tcp/ip packets are acknowledged unless specificaly allowed? {Easy
>now...I said I am a pleab..}

This is windoze stuff, and not my area of expertise. However your
Spybot S&D and Adaware are specialized firewalls - and where are they
in that line between your user level applications (like your browser)
and that section of the O/S that connects to the hardware? They can't
all be first in line. Who is?

>>>do I wonder why PCanywhere is trying to connect to me from RU?
>
>> Are people still using that?
>
>My FW log says they are...kids or oldfarts I s'pose.

No, your firewall log says someone is attempting to connect to a port that
is normally used by PCanywhere. That doesn't mean that the connection
"must be" for that application. A client wanting to connect to a server
goes to where it expects the server to be hiding. The server doesn't have
to be there - it could be elsewhere, or not even installed. If you
need a cop right now, you dial '911', right? Are you aware that that
number is not standardized around the world, and flat out won't work in
many places? Just as there is no international law stating that 911
must be the emergency services number, there is no law or requirement that
only service $FOO can listen to port $BAR and all traffic to port $BAR
must be for $FOO.

>If I am not offering a service there is no connection to be had? BUT, the
>'service' may be offered by a trojan and you may be saying...find out what
>answers when i call?? Can I call myself on my own line, so to speak?

Did you tell your router to forward ALL traffic to your computer? I can't
because I have more that one computer, and I have to forward stuff to
a specific computer. If I didn't set up forwarding for "this" port, it
doesn't go anywhere. Now your router may be being helpful, and
auto-forwarding everything to one address on your LAN - I can't say.

Can you call your own line? That depends. There are servers you can
use on the network that will scan your address from outside. Most of
them have some agenda, and others I can't use because I'm not allowed
to have a salt intake measured in kilograms. You could try accessing
your home from a friends place - but scanning 130K ports might take
some time, and may be viewed as a violation of acceptable use policy
by the various ISPs. I can disconnect my firewall box, and connect
a lap top configured to look like the next hop on the way to the Internet,
and run some rather abusive scanning applications from their, seeing
what shows up. It says here, you can also run a scanning program on
your system and have it scan itself, but this may give quite misleading
results.

>I do in fact have a Dlink router using hardwire to the cable modem and
>cable to the e-net adapter on my laptop....do those open ports mean they
>are simply forwarded to the router in no IP is associated with the open
>port number?

No, you are scanning your system from your system. You are seeing what
your system is allowing you to see (which could be less than complete
depending on what is hiding things), and you are looking at them from
inside the hardware, which could show up differently. Example: I can
ping "this" computer by pinging the loopback address (127.0.0.1) but
I get the same result if I ping it's Ethernet IP addresses. That's
because the operating system knows I'm trying to talk to myself, and
uses the loopback rather than clutter up the wires with useless chatter
that is needed nowhere else.

Old guy

Re: Plausible reasons for http access?

Post removed (X-No-Archive: yes)