Computer Security - Re: weird network activity |
On Sun, 17 Aug 2003 14:18:57 -0400, Colonel Flagg <> wrote:

>In article <>,
>says...
>>
>> I'm using Win XP Pro and have Service Pack 2 and the latest critical
>> updates installed.
>>
>> I'm using Zone Alarm Pro and AVG antivirus with the latest sig file
>> and a
>> hardware router to a cable modem to the internet
>>
>> After rebooting, explorer.exe (Version 6.00.2800.1221 (xpsp2)
>> wants to connect to the local ip 127.0.0.1 Port 1060
>>
>> It also wants to connect to ip 230.255.255.250 Port 1900
>>
>> And sometimes also to ip 192.168.1.1 Port 5678
>>
>> Any ideas why it wants to do that?
>>
>> Tony
>>
>
>What's the IP of the local machine? 192.168.1.1?
>
>127.0.0.1 is localhost, meaning, it's fine for it to connect to this
>address for whatever reason. I would however seek to find out why it's
>doing this and if this service is really needed. As for 230.255.255.250,
>I have no idea right off the bat, looks like a subnet mask, not an IP.
>
>You can get a port monitor for XP to find out what services/applications
>are connecting to particular ports. It's probably not a security
>concern, but you may regain some system resources if the services aren't
>needed and you can shut them down.

Zone Alarm has the following info for 230.255.255.250

239.255.255.250 is a multicast address

The remote IP address associated with this alert is a multicast address. This is a special type of IP address used to identify a group of computers to which information is being sent.

The standards for assigning multicast addresses are still being developed. The basic idea is that one multicast IP address, in the range 224.x.x.x - 239.x.x.x, can be used to designate a set of computers. The computers in the multicast could be on the same or different networks or subnets.

A multicast address can only be used as a destination address. If a multicast address appears in an alert as a source address, it was probably forged in order to hide the identity of the sender.

----------------

This started at the same time the 127.0.0.1 attempts started.

I just went through all the services and disabled all not needed and previously checked the date of my explorer.exe file and it was not changed any time recently...

I can block the attempts, but I don't like things happening on my PC that I don't know the reason for..

I also ran the Microsoft Baseline Security Analyzer, and all appears well..

I'm befuddled.

Tony!

Tony
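An added example, not part of the original post: a small Python triage of the alert addresses mentioned in the thread, using the standard `ipaddress` module to tell loopback, multicast (224.x.x.x - 239.x.x.x), private LAN and subnet-mask-shaped values apart, and to flag multicast appearing as a source. The function names and the alert tuples are constructed for illustration.

```python
import ipaddress

# Constructed sample alerts modelled on the post: (direction, remote IP, port).
# "out": the remote IP is the destination; "in": the remote IP is the source.
SAMPLE_ALERTS = [
    ("out", "127.0.0.1", 1060),
    ("out", "230.255.255.250", 1900),
    ("out", "239.255.255.250", 1900),
    ("out", "192.168.1.1", 5678),
    ("in", "239.255.255.250", 1900),  # constructed: multicast seen as a source
    ("out", "255.255.255.0", 0),      # constructed: a real subnet mask, for contrast
]


def is_netmask(ip):
    """True if the 32-bit value is a run of 1-bits followed only by 0-bits."""
    inverted = int(ip) ^ 0xFFFFFFFF
    return int(ip) != 0 and (inverted & (inverted + 1)) == 0


def classify(direction, addr):
    """Return a coarse label for the remote address in a firewall alert."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:  # 224.0.0.0/4, i.e. 224.x.x.x - 239.x.x.x
        # Multicast is only valid as a destination address.
        return "multicast-as-source" if direction == "in" else "multicast"
    if is_netmask(ip):
        return "netmask-shaped"
    if ip.is_private:
        return "private-lan"
    return "public"


def triage(alerts):
    """Label every alert; returns (direction, addr, port, label) tuples."""
    return [(d, a, p, classify(d, a)) for d, a, p in alerts]


if __name__ == "__main__":
    for d, a, p, label in triage(SAMPLE_ALERTS):
        print(f"{d:3} {a:16} port {p:<5} {label}")
```
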