HTF Attempts Access To My Computer?

Discussion in 'Computers' started by SteveCop, Nov 16, 2003.

  1. SteveCop

    SteveCop Agent

    Joined:
    Feb 25, 2000
    Messages:
    32
    Likes Received:
    0
    I noticed that my firewall has blocked 195 access attempts to multiple ports from HTF (216.66.21.97) in the last two days. Anyone know what's going on??
    Thanks
     
  2. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,444
    Likes Received:
    0
    Was this while you were surfing HTF? Can you post the logs, as there will be more info (port #s, etc.) than just the IP address.

    It could be responses from the site that were timed out. Were you having troubles accessing HTF at the time?

    KJP
     
  3. SteveCop

    SteveCop Agent

    Joined:
    Feb 25, 2000
    Messages:
    32
    Likes Received:
    0
    Kevin,
    Here's some, but not all of the log, with my IP removed. The sending port was 80 for all the events, with the destination ports all in the 28** range.
    I don't recall if I was on the site when they occurred, but I haven't had any trouble accessing HTF.

    2003/11/16 06:18:59 216.66.21.97: 80 2816 LBC Watchdog
    2003/11/16 06:18:57 216.66.21.97: 80 2807 cspmulti
    2003/11/16 06:18:56 216.66.21.97: 80 2825 Port 2825 (TCP)
    2003/11/16 06:18:56 216.66.21.97: 80 2816 slc systemlog
    2003/11/16 06:18:52 216.66.21.97: 80 2808 J-LAN-P
    2003/11/16 06:18:48 216.66.21.97: 80 2827 slc ctrlrloops
    2003/11/16 06:18:48 216.66.21.97: 80 2817 NMSig Port
    2003/11/16 06:18:42 216.66.21.97: 80 2804 Telexis VTU
    2003/11/16 06:18:42 216.66.21.97: 80 2819 FC Fault Notification
    2003/11/16 06:18:37 216.66.21.97: 80 2828 ITM License Manager
    2003/11/16 06:18:37 216.66.21.97: 80 2818 rmlnk
    2003/11/16 06:18:37 216.66.21.97: 80 2820 UniVision
    2003/11/16 06:18:36 216.66.21.97: 80 2809 CORBA LOC
    2003/11/16 06:18:35 216.66.21.97: 80 2805 WTA WSP-S
    2003/11/16 06:18:33 216.66.21.97: 80 2821 vml_dms
    2003/11/16 06:18:29 216.66.21.97: 80 2803 btprjctrl
    2003/11/16 06:18:28 216.66.21.97: 80 2812 atmtcp
    2003/11/16 06:18:28 216.66.21.97: 80 2806 cspuni
    2003/11/16 06:18:26 216.66.21.97: 80 2810 Active Net Steward
    2003/11/16 06:18:26 216.66.21.97: 80 2813 llm-pass
    2003/11/16 06:18:06 216.66.21.97: 80 2823 CQG Net/LAN
    2003/11/16 06:18:04 216.66.21.97: 80 2814 llm-csv
    2003/11/16 06:18:04 216.66.21.97: 80 2815 LBC Measurement
    2003/11/16 06:18:02 216.66.21.97: 80 2824 Port 2824 (TCP)
    2003/11/16 06:17:58 216.66.21.97: 80 2826 slc systemlog

    Thanks
     
  4. Gregory Maier

    Gregory Maier Auditioning

    Joined:
    Oct 18, 2003
    Messages:
    8
    Likes Received:
    0
    Could be just junkies out there pinging your IP looking for vulnerabilities to hack at. Most people don't even know when it's being done unless they have a software-based firewall that logs them. They're usually harmless as long as either a hardware/software firewall is in place. Nothing to get riled up about.

    Gregory Maier
     
  5. JamesHl

    JamesHl Supporting Actor

    Joined:
    May 8, 2003
    Messages:
    813
    Likes Received:
    0
    The interest in this case, Greg, is that the IP address appears to be the main address for HTF.
     
  6. Kevin P

    Kevin P Screenwriter

    Joined:
    Jan 18, 1999
    Messages:
    1,444
    Likes Received:
    0
    Looks like your firewall isn't configured properly. Those are return packets from HTF, in other words, the forum pages you're reading. In short, when you browse HTF, what happens is:
    1. Your computer contacts the HTF server, with an ephemeral source port (over 1024) and a destination port of 80.
    2. HTF replies back, with the source port as 80 and the destination port being whatever ephemeral port your PC contacted HTF with.
    3. This exchange repeats as needed until the entire transaction is complete (the page displays in your browser).
    In your example the ephemeral ports for each connection to HTF are in the 2800s. For whatever reason your firewall is logging these as if they're connection attempts on those ports (really they aren't, but are parts of an existing outbound connection to HTF).

    What firewall are you using, and did you fiddle with the rules at all, such as the logging rules?

    KJP
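
Added example, not part of Kevin P's post or the original thread: a small triage script for log lines in the format posted above, separating entries that look like web-server replies (source port 80, destination port over 1024) from entries that look like unsolicited inbound attempts. The `SERVER_PORTS` set, the function names and the two `203.0.113.5` lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line format taken from the log posted in the thread:
#   date time remote_ip: source_port dest_port label
# The label is the firewall's name for the port number and is ignored here.
LINE = re.compile(r"^\s*(\S+) (\S+) (\d+\.\d+\.\d+\.\d+):\s*(\d+) (\d+)\s*(.*)$")
SERVER_PORTS = {80, 443}   # assumption: web ports this host browses to
EPHEMERAL_MIN = 1024       # "over 1024", as described in the post above

def classify(src_port, dst_port):
    """Heuristic only: one log line cannot prove an outbound connection existed."""
    if src_port in SERVER_PORTS and dst_port > EPHEMERAL_MIN:
        return "likely-reply"   # server port -> client ephemeral port
    return "unsolicited"        # anything else deserves a closer look

def triage(log_text):
    """Return {remote_ip: {"likely-reply": n, "unsolicited": n, "dst_ports": [...]}}."""
    out = defaultdict(lambda: {"likely-reply": 0, "unsolicited": 0, "dst_ports": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip blanks and lines not in the expected format
        ip, sport, dport = m.group(3), int(m.group(4)), int(m.group(5))
        out[ip][classify(sport, dport)] += 1
        out[ip]["dst_ports"].add(dport)
    return {ip: {**v, "dst_ports": sorted(v["dst_ports"])} for ip, v in out.items()}

# First four lines are from the thread; the last two are constructed for contrast.
SAMPLE = """\
2003/11/16 06:18:59 216.66.21.97: 80 2816 LBC Watchdog
2003/11/16 06:18:57 216.66.21.97: 80 2807 cspmulti
2003/11/16 06:18:56 216.66.21.97: 80 2825 Port 2825 (TCP)
2003/11/16 06:18:52 216.66.21.97: 80 2808 J-LAN-P
2003/11/16 06:19:10 203.0.113.5: 4312 445 microsoft-ds
2003/11/16 06:19:11 203.0.113.5: 4313 139 netbios-ssn
"""

if __name__ == "__main__":
    for ip, result in triage(SAMPLE).items():
        print(ip, result)
```

A `likely-reply` result is only a hint: confirming it means checking that the host had an outbound connection to that address at the time.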
     
  7. SteveCop

    SteveCop Agent

    Joined:
    Feb 25, 2000
    Messages:
    32
    Likes Received:
    0
    Kevin,
    I'm using the McAfee firewall that came free with the Comcast HSI service. Been using it since July. Haven't changed any configurations and haven't had any problems, nor have I seen any more hits from HTF since the 16th. I'm not too worried about it, just curious since the hits came from HTF. Anyway, I'm going to be getting a router soon. Thanks for the info you provided.

    Steve
     
