G'day Everyone...
I've been having trouble for some time with an open http proxy on port 80, which causes me to get k-lined on DALnet.
I installed Tiny Personal Firewall 3.0 today and since it's been running it regularly tells me it's "preventing" an "incoming packet on unopened TCP port" to "system" from the address "157.238.124.80:80" (port 80) and it shows up on a series of local ports in the 1000-1500 range and often makes 5 or more attempts in each flurry.
I've tried to find out what or who that address is from a DNS server and using WHOIS - but I can't work it out. Can anyone tell what's going on, please and what the best way to deal with this is? Is there a trojan in my computer? If so how can I get it out? What is at the address: 157.238.124.80. (There have also been a couple of probes from 216.235.147.35 - also on port 80)
Thanks and regards
Laurie

First one only traces back to a block of network addresses. (using NeoTrace Express)
* * * * * * * * * * * * * * * * * * * *
Verio, Inc. (NET-VRIO-157-238)
8005 South Chester Street
Englewood,, CO 80112
US
Netname: VRIO-157-238
Netblock: 157.238.0.0 - 157.238.255.255
Maintainer: VRIO
Coordinator:
Verio, Inc. (VIA4-ORG-ARIN) vipar@verio.net
303.645.1900
Domain System inverse mapping provided by:
NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190
ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************
Record last updated on 26-Sep-2001.
Database last updated on 6-Jul-2002 19:59:31 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
* * * * * * * * * * * * * * * * * * * * * *
Second one, 216.235.147.35, would be replies from this message board site.
www.computing.net IP = 216.235.147.35
PS: TCP send port is 80.
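
One way to triage alerts like the ones in the first two posts, added here as an example (not code from any poster): it separates blocked packets that come from remote port 80 to a high local client port, the pattern the reply above attributes to web-site replies, from packets aimed at a local proxy port. The log format, the sample lines, the 203.0.113.9 address, the proxy port set and the 1024 threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts in a made-up format (not Tiny Personal Firewall's
# real log layout): "<remote ip>:<remote port> -> local:<local port>"
SAMPLE_ALERTS = """\
157.238.124.80:80 -> local:1042
157.238.124.80:80 -> local:1043
157.238.124.80:80 -> local:1187
216.235.147.35:80 -> local:1301
203.0.113.9:3312 -> local:80
203.0.113.9:3313 -> local:8080
"""

ALERT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> local:(\d+)$")
PROXY_PORTS = {80, 3128, 8080}  # assumption: local ports an HTTP proxy might listen on
EPHEMERAL_MIN = 1024            # assumption: client-side ports start above 1023


def classify(remote_port: int, local_port: int) -> str:
    """Label one blocked packet by which end looks like the server."""
    if local_port in PROXY_PORTS:
        # The local machine is being treated as the server.
        return "inbound-to-proxy-port"
    if remote_port == 80 and local_port >= EPHEMERAL_MIN:
        # The remote end is the web server; the local end is a client port.
        return "late-reply-from-web-server"
    return "other"


def triage(log_text: str) -> Counter:
    """Count alerts per (remote ip, label) so each flurry collapses to one row."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the constructed format
        ip, rport, lport = m.group(1), int(m.group(2)), int(m.group(3))
        counts[(ip, classify(rport, lport))] += 1
    return counts


if __name__ == "__main__":
    for (ip, label), n in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{ip:<16} {label:<28} {n}")
```

Only rows labelled inbound-to-proxy-port bear on the open-proxy k-line; the other label is consistent with reply traffic but does not by itself rule out a trojan.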

hi laurie,
here's some info on port 80:
port name port number protocol alias note type URL
80 tcp AckCmd trojan
80 tcp CGI Backdoor trojan
80 tcp Hooker trojan
80 tcp RingZero trojan
80 tcp Code Red worm worm
80 tcp Nimda worm [ www.sarc.com ]
80 tcp Terminal Server ActiveX Client (TSAC) - [ support.microsoft.com ]
80 tcp Back End trojan
80 tcp Executor v1 trojan
80 tcp Executor v2 trojan
http 80 tcp World Wide Web HTTP IANA
http 80 udp World Wide Web HTTP IANA
www 80 tcp World Wide Web HTTP IANA
www 80 udp World Wide Web HTTP IANA
www-http 80 tcp World Wide Web HTTP IANA
www-http 80 udp World Wide Web HTTP IANA
here's what you can do:
go to www.thepublicworks.com and click on links, Simovits Consulting, to find out what trojans are associated with port 80, then go to Tantalo ports and enter port 80 in the port search to confirm what trojans are in effect attached to that particular port, then click on PCFlank and get a free port and trojan scan to see if any of your ports are open and if you have any trojans in your machine, then click on Widers.org and download Trojan Hunter free 30 day trial and scan your computer. if it finds any trojan, delete it.
you may also want to download a free copy of RegProt, and then go to Sysinternals and download free port monitor TDImon, and process monitor Procmon.
you may have a trojan server already installed on your machine that is calling out and that is why your firewall is blocking incoming attacks from those ip addresses.
all the best and cheers,
murve

murve:
thanks for all your info... unfortunately PCFlank can't get my correct IP address, so I can't run the tests...
Regards
Laurie

ok first of all if you're running a proxy server then it needs to connect to the proxy that you have chosen in order to relay the info through that proxy. nice info by the way. isn't that against their agreement to post the company's info on a post like that? i think so. watch out next time


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.