FIREWALL picking up false alarms?
As most of you know, when you start your comp and start visiting websites, the ports used start out small and then go up.
They usually start around 1000 and then go up by one: 1001 and 1002 and so on.
Why Windows does this is beyond me. I guess it's just simple to use a new port for every new connection? Or something like that.
ANYWAY
As we also know, trojans use ports to connect to your comp.
Now let's say that your firewall has a list of all the trojans and what ports they use.
For example, let's say trojan A uses port 1450 to connect to your comp.
If you go to a website and it just so happens that the connection you made is using port 1450, you get a warning from your firewall of a possible intrusion, even though nothing is wrong and that connection just so happens to be on a port that a known trojan uses.
I just wanted to clarify if this is normal?
Adragontattoo
12-17-06, 11:16 AM
uh wait what..
No, you don't use more ports when visiting sites.
80/81 is all you should be using for normal HTTP connections.
> uh wait what..
> No, you don't use more ports when visiting sites.
> 80/81 is all you should be using for normal HTTP connections.
It's 80/81/443 on the server. The local port may be different.
Adragontattoo
12-17-06, 11:55 AM
You can do a check on what is using what ports with Netstat/a and Netstat/b.
The firewall won't be catching outgoing connections.
C:\Documents and Settings\Adragontattoo>netstat/a
Active Connections
Proto Local Address Foreign Address State
TCP thralldesktop:epmap thralldesktop:0 LISTENING
TCP thralldesktop:microsoft-ds thralldesktop:0 LISTENING
TCP thralldesktop:1025 thralldesktop:0 LISTENING
TCP thralldesktop:3800 localhost:3801 ESTABLISHED
TCP thralldesktop:3801 localhost:3800 ESTABLISHED
TCP thralldesktop:3802 localhost:3803 ESTABLISHED
TCP thralldesktop:3803 localhost:3802 ESTABLISHED
TCP thralldesktop:4143 localhost:4144 ESTABLISHED
TCP thralldesktop:4144 localhost:4143 ESTABLISHED
TCP thralldesktop:10110 thralldesktop:0 LISTENING
TCP thralldesktop:10110 localhost:3810 CLOSE_WAIT
TCP thralldesktop:10110 localhost:3811 CLOSE_WAIT
TCP thralldesktop:10110 localhost:3812 CLOSE_WAIT
TCP thralldesktop:netbios-ssn thralldesktop:0 LISTENING
TCP thralldesktop:1396 64.12.29.76:5190 ESTABLISHED
TCP thralldesktop:1426 69.20.37.110:http TIME_WAIT
TCP thralldesktop:3701 cs11.msg.dcn.yahoo.com:5050 ESTABLISHED
TCP thralldesktop:3702 205.188.12.133:5190 ESTABLISHED
TCP thralldesktop:3712 oam-m10b.blue.aol.com:5190 ESTABLISHED
UDP thralldesktop:microsoft-ds *:*
UDP thralldesktop:isakmp *:*
UDP thralldesktop:1893 *:*
UDP thralldesktop:2206 *:*
UDP thralldesktop:2207 *:*
UDP thralldesktop:2208 *:*
UDP thralldesktop:3342 *:*
UDP thralldesktop:3448 *:*
UDP thralldesktop:3991 *:*
UDP thralldesktop:4500 *:*
UDP thralldesktop:4553 *:*
UDP thralldesktop:4562 *:*
UDP thralldesktop:ntp *:*
UDP thralldesktop:1399 *:*
UDP thralldesktop:1400 *:*
UDP thralldesktop:1900 *:*
UDP thralldesktop:3704 *:*
UDP thralldesktop:3705 *:*
UDP thralldesktop:3707 *:*
UDP thralldesktop:3708 *:*
UDP thralldesktop:3718 *:*
UDP thralldesktop:3719 *:*
UDP thralldesktop:ntp *:*
UDP thralldesktop:netbios-ns *:*
UDP thralldesktop:netbios-dgm *:*
UDP thralldesktop:1900 *:*
C:\Documents and Settings\Adragontattoo>
Yeah, so you have a ton of different ports too, just like I do.
So I guess it's pretty normal then.
klingens
12-17-06, 01:01 PM
> I just wanted to clarify if this is normal?
It's not. You simply have a useless firewall. Basically what happens is (in the best case), the firewall wants to assure you it's doing something and is a good product helping you to stay safe, so it constantly tells you from what dangerous, dangerous things it protects you.
Or the firewall maker is just an idiot programmer.
?
But it does block access when it happens.
When a new program installs, it asks for access to the internet,
and when a program connects to the internet, if it's not the first time or if a program changes, it asks.
Layback Bear
12-31-06, 10:42 AM
Somebody help us poor folks on O/C. I thought that port 80 was the online port if you have a firewall.
If this is not true or is partially true, I would like to know, and why.
Thanks for any help!
Port 80 is used for HTTP, i.e. websites. But that is on the server end. So when you send a request out to go to http://www.ocforums.com, it arrives on the server at port 80. If you want to be able to see the website, that port must be open. If the server is behind a firewall, a very very good idea, then the firewall needs some rule to allow traffic on that port to go to that server.
The local port used on your PC is some random high numbered port. This is how the firewall knows which traffic to allow and which to block. It will see the outgoing request to a server on port 80, and which local port is being used. So when something comes from that server to your PC on that port it is allowed. When some random traffic comes from a different IP and port it blocks it.
The actual ports that get used have nothing to do with firewalls or anything, they are all standardized by TCP/IP governing bodies.
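The two behaviours discussed in this thread, side by side, as an added example that is not part of the original posts: a port-list alarm that fires on an ordinary browser connection from local port 1450, and a firewall that remembers outgoing requests and admits only their replies. The addresses, the one-entry port list and the packet model are constructed for illustration.

```python
from dataclasses import dataclass

TROJAN_PORTS = {1450}       # hypothetical signature list; port from the thread's example
LOCAL_IP = "192.0.2.10"     # constructed address (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def port_list_alert(pkt):
    """Naive check: alert whenever either port number is on the list."""
    return pkt.sport in TROJAN_PORTS or pkt.dport in TROJAN_PORTS

class StatefulFilter:
    """Remembers flows opened from the local host and admits only their replies."""
    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.flows = set()

    def handle(self, pkt):
        if pkt.src == self.local_ip:
            # Outbound: record the flow so the reply can be matched later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only if it mirrors a flow the local host opened.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow-reply"
        return "block"

def demo():
    fw = StatefulFilter(LOCAL_IP)
    packets = [
        ("out", Packet(LOCAL_IP, 1450, "198.51.100.7", 80)),     # browser got local port 1450
        ("reply", Packet("198.51.100.7", 80, LOCAL_IP, 1450)),   # web server's answer
        ("probe", Packet("203.0.113.9", 4000, LOCAL_IP, 1450)),  # unsolicited inbound
    ]
    # Each row: (name, port-list alarm fired?, stateful verdict)
    return [(name, port_list_alert(p), fw.handle(p)) for name, p in packets]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The port-list check raises an alarm on all three packets, while the stateful filter separates the browser's own traffic from the unsolicited inbound packet, which is the only one it blocks.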
Layback Bear
12-31-06, 01:07 PM
THANK YOU for the information