Network and Firewall Q's

Discussion in 'Hardware' started by Avid_Consumer, Jun 21, 2006.

  1. I've been doing a network security revamp and have newb issues. Hopefully I can solicit some insight from the guys who know hardware and networks really well

    I'm running 2 XP machines behind a newer linksys soho fw, and an ethernet drive. also mcafee software fw and virus and netscape (instead of IE) on everything.

    In the linksys log, any time I hit a website I see several outgoing connections to various IPs. Furthermore, it looks like the ports in the log occur sequentially, which seems suspect to me (1564-1571 below etc). Is this normal?

    For example, below are the log entries from one hit to the elitetrader.com main page. It looks like outgoing traffic went to 5 different destinations. What could these be, things like Avenue A, etc, or is this normal?


    New NAPT Log
    2006-06-21 22:38:22 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1564->208.234.169.12:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1565->208.234.169.12:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1566->208.234.169.12:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1567->208.234.169.72:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1568->65.205.8.182:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1569->208.234.169.72:80 [Forward]
    2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1570->216.73.87.187:80 [Forward]
    2006-06-21 22:38:24 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1571->202.89.44.141:80 [Forward]
     
  2. Banjo

    You have spyware reporting sites you visit to advertisers.

    http://www.spybot.info/ this is free and stops most spyware from entering.

    http://www.pctools.com/spyware-doctor/

    pay for this and use it every end of day to find and eliminate spyware.

    It will all only get worse so you have to stay on top of it; it isn't that it is all malicious, but it is always running in the background and consuming CPU/memory.

    Avenue A is spyware
     
  3. thanks vm for your reply. the thing is, i reinstalled windows offline on both machines in the last 24 hours, and did a full spybot and avg scan 20 mins before posting. is there a way to associate outgoing connections with running processes, or a browser option to trim all the way down to html only? Is it normal for the outgoing ports to resemble a port scan like that?

    i guess there's probably a way i could at least tell the firewall to only allow outgoing connections to destinations i specify

    the more i look into it, windows xp seems like no way to do business

    does anyone have a browsing network without mysterious outgoing connections?
     
  4. Doesn't look like spyware and don't jump to conclusions without first considering how web pages are built and composited.

    The typical web page contains a whole variety of different types of content (not just the text on that page) that is sourced from different locations on the server (i.e., not actually embedded in the page) or from other servers elsewhere on the internet. This content consists of all the different graphic images, animations, Java libraries, ActiveX controls, etc. that are actually completely separate files stored outside the current HTML page.

    Most browsers try to parallelize the download of these various page elements onto multiple TCP/IP streams for overall efficiency and throughput.

    As such, you will typically see many connections established to the various addresses of those page content sources.

    Also note that each connection will end up getting a different temporary port on your machine in order to segregate their independent communication channel contexts.

    And yes, these would typically be assigned automatically in sequential order. It can NOT be a "port scan" because these are outgoing ports.

    This is all normal operation of TCP/IP and HTTP browsing mechanics.
     
  5. thanks, that makes perfect sense and clarifies quite a lot. admittedly my knowledge is really limited.

    why would i see outgoing connections to those 5 destinations, if i'm receiving content, not transmitting per se? Is the original destination basically sending out for the additional content once i've downloaded the page?
     
  6. Banjo

    K, Arch knows exponentially more about this stuff than I do. I assume everybody is an axe murderer unless my mother knows them. :D
     
  7. lol man. thanks for your help too. i'm in paranoia-land here since that trojan last week.

    the other thing i'm wondering is how naked my ethernet drive is, not sitting behind a software firewall

    i want to stop working in an administrator account at all times. it seems like xp limits the permissioning options significantly in workgroups vs setting up a domain. but initially i had probs attempting to manage profiles

    is it safe to browse and chat on a secondary machine, if it's still on the same network? it seems like two networks are really called for
     
  8. They are outgoing connections because YOUR machine is establishing the connection to those locations.

    The direction of the connection has nothing to do with whether you are transmitting, receiving, or both. It's solely based on which side originates the connection request to the other.

    In this case, your machine (actually your browser) is initiating the connection requests to those different locations in order to ask for and then receive the content elements specified by the various HTML tags (e.g., an image tag).

    In each of these cases, your machine sends a request for connection to each target (which involves assigning a new temporary local port upon which the connection will be processed), upon receiving an accept it will begin the message exchange appropriate for the specific object being sought.

    In interpreting the HTML for the currently displaying page, the browser sees these various tags, establishes connections to the specified sources, requests the specific content, receives the content that's returned, and ultimately reconstitutes the whole structure, appearance, and (if necessary) execution context of the web page.
     
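    The explanation in posts 4 and 8, checked against the actual log from post 1, as an added example (not code from any poster): it parses the Linksys "New NAPT Log" lines, groups the flows by destination, confirms every flow was originated from the LAN side, and tests whether the local ports form one unbroken run, which is what a browser fetching one page's elements produces. The regex and the summary fields are assumptions about the format based only on the eight lines in the thread.

```python
import re
from collections import Counter

# Sample input: the eight NAPT log lines quoted in the first post of this thread.
SAMPLE_LOG = """\
2006-06-21 22:38:22 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1564->208.234.169.12:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1565->208.234.169.12:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1566->208.234.169.12:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1567->208.234.169.72:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1568->65.205.8.182:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1569->208.234.169.72:80 [Forward]
2006-06-21 22:38:23 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1570->216.73.87.187:80 [Forward]
2006-06-21 22:38:24 [New TCP Outbound Flow] (TCP) LAN to WAN 192.168.1.100:1571->202.89.44.141:80 [Forward]
"""

# Assumed line layout, derived from the lines above: timestamp, flow type, protocol,
# zones, src:port->dst:port, action.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[New (?P<proto>TCP|UDP) (?P<dir>Outbound|Inbound) Flow\] "
    r"\((?P=proto)\) (?P<zones>\w+ to \w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<action>\w+)\]$"
)

def parse_log(text):
    """Return one dict per well-formed log line; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            flows.append(d)
    return flows

def summarize(flows):
    """Per-destination counts, origin check, and a test that local ports were one consecutive run."""
    out = [f for f in flows if f["dir"] == "Outbound"]
    ports = sorted(f["sport"] for f in out)
    # Sequential ephemeral ports from the same host are what post 4 predicts, not a scan:
    # a scan varies the *destination* port, while here every flow targets port 80.
    consecutive = ports == list(range(ports[0], ports[0] + len(ports))) if ports else True
    return {
        "destinations": Counter(f"{f['dst']}:{f['dport']}" for f in out),
        "all_lan_originated": all(f["zones"] == "LAN to WAN" for f in out),
        "local_port_range": (ports[0], ports[-1]) if ports else None,
        "local_ports_consecutive": consecutive,
        "non_web_dest_ports": sorted({f["dport"] for f in out if f["dport"] not in (80, 443)}),
    }
```

    Five destinations, all on port 80, all originated from the LAN host, with local ports 1564-1571 in one run, is exactly the one-page-load pattern described above. Flows with no browser open, or to unusual destination ports, are the ones worth tying back to a process.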
  9. thx again, very insightful. then i guess it really comes down to how much you trust a site, since any of the outsourced content, ads, etc, could potentially carry malicious wares

    now i see why i can't get rid of ave a for the life of me. if every site i visit is really hitting 5 places, chances are in the course of normal browsing a lot of crap will find its way onto the pc.


    thanks vm osorico, looking into those now. i shut off remote registry, but a lot of other services are Greek to me
     
    #10     Jun 21, 2006