I am curious to find out entries in my router log (Linksys) which have LAN IP of 0.0.0.0 and destination URL/IP of �. Does nayone know what it means? Is this any hacker activity?
![]() |
0 |
![]() |
Samwrote: > I am curious to find out entries in my router log (Linksys) which > have LAN IP of 0.0.0.0 and destination URL/IP of �. Does nayone know > what it means? Is this any hacker activity? http://www.geocities.com/merijn_bellekom/new/netstatan.html -- Robert GRC newsgroup tips - http://www.imilly.com/noregrets.htm List of Lists - http://lists.gpick.com/ Privacy and Security - https://netfiles.uiuc.edu/ehowes/www/main-nf.htm
![]() |
0 |
![]() |
On Sun, 24 Oct 2004 14:50:04 -0500, "Robert Wycoff"wrote: >http://www.geocities.com/merijn_bellekom/new/netstatan.html Good page but recommends using a virus scanner to clear a sub7 trojan. Other than that it's very nice. "So it's like herding cats." Richard Smalley. Professor of Chemistry and Physics Rice University, Nobel Prize for Chemistry, 1986
![]() |
0 |
![]() |
Re: understanding netstat cmd > >http://www.geocities.com/merijn_bellekom/new/netstatan.html Good page but recommends using a virus scanner to clear a sub7 trojan. Other than that it's very nice. EGG: It is impt to remember that the netstat cmd shows info w/o considering the affects on a firewall. So, if netstat shows TCP 139 as Listening, and you have a firewall, the port may be open/closed/stealth per the firewall settings.
![]() |
0 |
![]() |
On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"wrote: >It is impt to remember that the netstat cmd shows info w/o considering the >affects on a firewall. >So, if netstat shows TCP 139 as Listening, and you have a firewall, the port >may be open/closed/stealth per the firewall settings. Not argumentative but are you saying that netstat shows one thing (port xyz listening) but an installed software firewall may be blocking connection on that port without netstat reporting that? "So it's like herding cats." Richard Smalley. Professor of Chemistry and Physics Rice University, Nobel Prize for Chemistry, 1986
![]() |
0 |
![]() |
El Gato Grande wrote: > On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"wrote: > > >>It is impt to remember that the netstat cmd shows info w/o considering the >>affects on a firewall. >>So, if netstat shows TCP 139 as Listening, and you have a firewall, the port >>may be open/closed/stealth per the firewall settings. > > > Not argumentative but are you saying that netstat shows one thing > (port xyz listening) but an installed software firewall may be > blocking connection on that port without netstat reporting that? > CZ is quite correct; a software firewall interposes itself between the network connection and the ports. It grabs the packets before the port sees them and then inspects them, discarding unsolicited packets and any other kind of packet that should be dropped by the rule set in the firewall. The other packets are then released to the ports. A port can be open but if you define a rule in the software to stop packets going to that port then the port remains open as reported by Netstat or TCPview, but the port will appear closed / stealthed to an outsider like GRC ShieldsUp. Netstat and TCPview do not interact with a software firewall; they examine and report the port settings in the internal stack of the OS. Or so I believe ;) -- Le Flake from deepest, darkest Qu�bec
![]() |
0 |
![]() |
In article <[email protected]>, El Gato Grande says... > On Mon, 1 Nov 2004 07:15:20 -0800, "CZ"wrote: > > >It is impt to remember that the netstat cmd shows info w/o considering the > >affects on a firewall. > >So, if netstat shows TCP 139 as Listening, and you have a firewall, the port > >may be open/closed/stealth per the firewall settings. > Not argumentative but are you saying that netstat shows one thing > (port xyz listening) but an installed software firewall may be > blocking connection on that port without netstat reporting that? Actually, yes. Consider, first, a dialup connection: Windows IP Configuration Ethernet adapter : Description . . . . . . . . : PPP Adapter. IP Address. . . . . . . . . : 4.246.87.58 Now consider the following TCPView output (think of it as "netstat in a GUI"): > TCP 4.246.87.58:139 0.0.0.0:0 LISTENING > UDP 4.246.87.58:137 *:* > UDP 4.246.87.58:138 *:* Finally, the Shields Up! test: > 4.246.87.58 Please Stand By. . . Attempting connection to your computer. . . > Your Internet port 139 does not appear to exist! > Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. ---------------------------------------------------------------------- GRC Port Authority Report created on UTC: 2004-11-03 at 09:22:07 Results from scan of ports: 0-1055 0 Ports Open 0 Ports Closed 1056 Ports Stealth --------------------- 1056 Ports Tested ---------------------------------------------------------------------- I did add a specific, in Kerio Personal Firewall, rule to block ports 137- 139; though I believe the "Is running on Internet gateway" setting would also block this. I am normally connected to the Internet through a Netgear FR114P, and don't usually need such a rule. So, yes, a block rule will keep the WAN out without affecting the netstat report. Actually, I count on that to keep certain ports open on the LAN but inaccessible from the WAN. My Netgear doesn't forward ports so much as use an SPI filter to allow packets to pass from the WAN to the LAN. As a firewall, the Netgear is blocking access to all ports except those I specify to allow access. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint
![]() |
0 |
![]() |
"Robert Wycoff"wrote in message news:[email protected]... > > http://www.geocities.com/merijn_bellekom/new/netstatan.html That page seems to be gone, now, but The Wayback Machine still has it: http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html -Dave
![]() |
0 |
![]() |
Did you know you were replying to an old message from 11 months agoDave_Burton wrote: > "Robert Wycoff" wrote in message > news:[email protected]... >> >> http://www.geocities.com/merijn_bellekom/new/netstatan.html > > That page seems to be gone, now, but The Wayback Machine still has it: > http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html > > -Dave
![]() |
0 |
![]() |
Yep."Rick Chauvin" wrote in message news:[email protected]... > Did you know you were replying to an old message from 11 months ago > > > Dave_Burton wrote: > > "Robert Wycoff" wrote in message > > news:[email protected]... > >> > >> http://www.geocities.com/merijn_bellekom/new/netstatan.html > > > > That page seems to be gone, now, but The Wayback Machine still has it: > > > http://web.archive.org/web/*/http://www.geocities.com/merijn_bellekom/new/netstatan.html > > > > -Dave
![]() |
0 |
![]() |