IP address 0.0.0.0

I am curious to find out entries in my router log (Linksys) which have LAN
IP of 0.0.0.0 and destination URL/IP of �. Does anyone know what it means?
Is this any hacker activity?
0
Sam
10/24/2004 5:38:36 PM

Sam  wrote:
> I am curious to find out entries in my router log (Linksys) which
> have LAN IP of 0.0.0.0 and destination URL/IP of �. Does anyone know
> what it means? Is this any hacker activity?

http://www.geocities.com/merijn_bellekom/new/netstatan.html

-- 
Robert
GRC newsgroup tips - http://www.imilly.com/noregrets.htm
List of Lists - http://lists.gpick.com/
Privacy and Security - https://netfiles.uiuc.edu/ehowes/www/main-nf.htm
0
Robert
10/24/2004 7:50:04 PM
On Sun, 24 Oct 2004 14:50:04 -0500, "Robert Wycoff"
 wrote:


>http://www.geocities.com/merijn_bellekom/new/netstatan.html

Good page but recommends using a virus scanner to clear a sub7
trojan.  Other than that it's very nice.

"So it's like herding cats."
Richard Smalley. Professor of Chemistry and Physics
Rice University, Nobel Prize for Chemistry, 1986
0
El
11/1/2004 2:08:29 AM
Re: understanding netstat cmd

> >http://www.geocities.com/merijn_bellekom/new/netstatan.html

> Good page but recommends using a virus scanner to clear a sub7
> trojan.  Other than that it's very nice.


EGG:

It is impt to remember that the netstat cmd shows info w/o considering the 
effects on a firewall.
So, if netstat shows TCP 139 as Listening, and you have a firewall, the port 
may be open/closed/stealth per the firewall settings. 
0
CZ
11/1/2004 3:15:20 PM
On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"  wrote:



>It is impt to remember that the netstat cmd shows info w/o considering the 
>effects on a firewall.
>So, if netstat shows TCP 139 as Listening, and you have a firewall, the port 
>may be open/closed/stealth per the firewall settings. 

Not argumentative but are you saying that netstat shows one thing
(port xyz listening) but an installed software firewall may be
blocking connection on that port without netstat reporting that?


"So it's like herding cats."
Richard Smalley. Professor of Chemistry and Physics
Rice University, Nobel Prize for Chemistry, 1986
0
El
11/3/2004 1:26:26 AM
El Gato Grande wrote:
> On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"  wrote:
> 

> 
>>It is impt to remember that the netstat cmd shows info w/o considering the 
>>effects on a firewall.
>>So, if netstat shows TCP 139 as Listening, and you have a firewall, the port 
>>may be open/closed/stealth per the firewall settings. 
> 
> 
> Not argumentative but are you saying that netstat shows one thing
> (port xyz listening) but an installed software firewall may be
> blocking connection on that port without netstat reporting that?
> 

CZ is quite correct; a software firewall interposes itself between the 
network connection and the ports. It grabs the packets before the port 
sees them and then inspects them, discarding unsolicited packets and any 
other kind of packet that should be dropped by the rule set in the 
firewall. The other packets are then released to the ports.

A port can be open but if you define a rule in the software to stop 
packets going to that port then the port remains open as reported by 
Netstat or TCPview, but the port will appear closed / stealthed to an 
outsider like GRC ShieldsUp.

Netstat and TCPview do not interact with a software firewall; they 
examine and report the port settings in the internal stack of the OS.

Or so I believe   ;)

-- 
Le Flake
from deepest, darkest Québec
0
Le
11/3/2004 3:11:56 AM
In article <[email protected]>, El Gato Grande 
says...

> On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"  wrote:

> 

> >It is impt to remember that the netstat cmd shows info w/o considering the 
> >effects on a firewall.
> >So, if netstat shows TCP 139 as Listening, and you have a firewall, the port 
> >may be open/closed/stealth per the firewall settings. 

> Not argumentative but are you saying that netstat shows one thing
> (port xyz listening) but an installed software firewall may be
> blocking connection on that port without netstat reporting that?

Actually, yes. Consider, first, a dialup connection:

Windows IP Configuration

Ethernet adapter :

	Description . . . . . . . . : PPP Adapter.
	IP Address. . . . . . . . . : 4.246.87.58

Now consider the following TCPView output (think of it as "netstat in a 
GUI"):

> TCP	4.246.87.58:139	0.0.0.0:0	LISTENING		
> UDP	4.246.87.58:137	*:*			
> UDP	4.246.87.58:138	*:*			

Finally, the Shields Up! test:

> 4.246.87.58 


Please Stand By. . .

	Attempting connection to your computer. . .

> 	Your Internet port 139 does not appear to exist!

> 	Unable to connect with NetBIOS to your computer.

All attempts to get any information from your computer have FAILED.

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2004-11-03 at 09:22:07

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

----------------------------------------------------------------------

I did add a specific, in Kerio Personal Firewall, rule to block ports 137-
139; though I believe the "Is running on Internet gateway" setting would 
also block this. I am normally connected to the Internet through a Netgear 
FR114P, and don't usually need such a rule. So, yes, a block rule will keep 
the WAN out without affecting the netstat report.

Actually, I count on that to keep certain ports open on the LAN but 
inaccessible from the WAN. My Netgear doesn't forward ports so much as use 
an SPI filter to allow packets to pass from the WAN to the LAN. As a 
firewall, the Netgear is blocking access to all ports except those I specify 
to allow access.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
0
Norman
11/3/2004 10:00:43 AM
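
The distinction drawn in the replies above (netstat and TCPView report the OS socket table, while an outside scan reports what the firewall lets through) as an added example that is not part of the original thread. It parses `netstat -an` style rows and reconciles them with an outside scan; the function names, the scan dictionary and every sample row other than the :139 and :137 lines are constructed for illustration.

```python
import ipaddress

# Constructed sample in Windows `netstat -an` layout. The :139 and :137 rows
# mirror the TCPView lines quoted in the thread; the other rows are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    4.246.87.58:139        0.0.0.0:0              LISTENING
  TCP    4.246.87.58:1045       192.0.2.10:80          ESTABLISHED
  UDP    4.246.87.58:137        *:*
"""

# Constructed outside-scan verdicts (port -> status), using ShieldsUp's terms.
EXTERNAL_SCAN = {135: "open", 139: "stealth"}


def tcp_listeners(netstat_text):
    """Yield (bind_ip, port) for every TCP row in the LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 4 or f[0] != "TCP" or f[3] != "LISTENING":
            continue  # header, UDP rows, established connections
        ip, _, port = f[1].rpartition(":")
        yield ip.strip("[]"), int(port)


def scope(bind_ip):
    """0.0.0.0 as a local address is the wildcard 'every interface'."""
    addr = ipaddress.ip_address(bind_ip)
    if addr.is_unspecified:
        return "all-interfaces"
    return "loopback-only" if addr.is_loopback else "single-interface"


def reconcile(netstat_text, scan):
    """Pair the host's own socket table with what an outside scanner saw."""
    report = {}
    for ip, port in tcp_listeners(netstat_text):
        outside = scan.get(port, "not scanned")
        if scope(ip) == "loopback-only":
            verdict = "not reachable off-host"
        elif outside == "open":
            verdict = "EXPOSED: listening and reachable"
        else:
            verdict = f"listening locally, outside view: {outside}"
        report[port] = (scope(ip), verdict)
    return report
```

Port 139 comes back as listening locally with an outside view of "stealth", which is the combination shown in the TCPView and Shields Up! output above.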
"Robert Wycoff"  wrote in message
news:[email protected]...
>
> http://www.geocities.com/merijn_bellekom/new/netstatan.html

That page seems to be gone, now, but The Wayback Machine still has it:
http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html

-Dave


0
Dave_Burton
9/4/2005 8:34:16 AM
Did you know you were replying to an old message from 11 months ago?


Dave_Burton wrote:
> "Robert Wycoff"  wrote in message
> news:[email protected]...
>>
>> http://www.geocities.com/merijn_bellekom/new/netstatan.html
>
> That page seems to be gone, now, but The Wayback Machine still has it:
>
http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html
>
> -Dave


0
Rick
9/4/2005 1:54:13 PM
Yep.  

"Rick Chauvin"  wrote in message
news:[email protected]...
> Did you know you were replying to an old message from 11 months ago?
>
>
> Dave_Burton wrote:
> > "Robert Wycoff"  wrote in message
> > news:[email protected]...
> >>
> >> http://www.geocities.com/merijn_bellekom/new/netstatan.html
> >
> > That page seems to be gone, now, but The Wayback Machine still has it:
> >
>
http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html
> >
> > -Dave


0
Dave_Burton
9/5/2005 3:21:36 AM