HTF Attempts Access To My Computer?

SteveCop

Agent
Joined
Feb 25, 2000
Messages
32
I noticed that my firewall has blocked 195 access attempts to multiple ports from HTF (216.66.21.97) in the last two days. Anyone know what's going on??
Thanks
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Was this while you were surfing HTF? Can you post the logs, as there will be more info (port #s, etc.) than just the IP address.

It could be responses from the site that were timed out. Were you having troubles accessing HTF at the time?

KJP
 

SteveCop

Agent
Joined
Feb 25, 2000
Messages
32
Kevin,
Here's some, but not all of the log, with my IP removed. The sending port was 80 for all the events, with the destination ports all in the 28** range.
I don't recall if I was on the site when they occurred, but I haven't had any trouble accessing HTF.

2003/11/16 06:18:59 216.66.21.97: 80 2816 LBC Watchdog
2003/11/16 06:18:57 216.66.21.97: 80 2807 cspmulti
2003/11/16 06:18:56 216.66.21.97: 80 2825 Port 2825 (TCP)
2003/11/16 06:18:56 216.66.21.97: 80 2816 slc systemlog
2003/11/16 06:18:52 216.66.21.97: 80 2808 J-LAN-P
2003/11/16 06:18:48 216.66.21.97: 80 2827 slc ctrlrloops
2003/11/16 06:18:48 216.66.21.97: 80 2817 NMSig Port
2003/11/16 06:18:42 216.66.21.97: 80 2804 Telexis VTU
2003/11/16 06:18:42 216.66.21.97: 80 2819 FC Fault Notification
2003/11/16 06:18:37 216.66.21.97: 80 2828 ITM License Manager
2003/11/16 06:18:37 216.66.21.97: 80 2818 rmlnk
2003/11/16 06:18:37 216.66.21.97: 80 2820 UniVision
2003/11/16 06:18:36 216.66.21.97: 80 2809 CORBA LOC
2003/11/16 06:18:35 216.66.21.97: 80 2805 WTA WSP-S
2003/11/16 06:18:33 216.66.21.97: 80 2821 vml_dms
2003/11/16 06:18:29 216.66.21.97: 80 2803 btprjctrl
2003/11/16 06:18:28 216.66.21.97: 80 2812 atmtcp
2003/11/16 06:18:28 216.66.21.97: 80 2806 cspuni
2003/11/16 06:18:26 216.66.21.97: 80 2810 Active Net Steward
2003/11/16 06:18:26 216.66.21.97: 80 2813 llm-pass
2003/11/16 06:18:06 216.66.21.97: 80 2823 CQG Net/LAN
2003/11/16 06:18:04 216.66.21.97: 80 2814 llm-csv
2003/11/16 06:18:04 216.66.21.97: 80 2815 LBC Measurement
2003/11/16 06:18:02 216.66.21.97: 80 2824 Port 2824 (TCP)
2003/11/16 06:17:58 216.66.21.97: 80 2826 slc systemlog

Thanks
 

Gregory Maier

Auditioning
Joined
Oct 18, 2003
Messages
8
Could be just junkies out there pinging your IP looking for vulnerabilities to hack at. Most people don't even know when it's being done unless they have a software-based firewall that logs them. They're usually harmless as long as either a hardware/software firewall is in place. Nothing to get riled up about.

Gregory Maier
 

JamesHl

Supporting Actor
Joined
May 8, 2003
Messages
813
The interest in this case, Greg, is that the ip address appears to be the main address for HTF.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Looks like your firewall isn't configured properly. Those are return packets from HTF, in other words, the forum pages you're reading. In short, when you browse HTF, what happens is:
  1. Your computer contacts the HTF server, with an ephemeral source port (over 1024) and a destination port of 80.
  2. HTF replies back, with the source port as 80 and the destination port being whatever ephemeral port your PC contacted HTF with.
  3. This exchange repeats as needed until the entire transaction is complete (the page displays in your browser).
In your example the ephemeral ports for each connection to HTF are in the 2800s. For whatever reason your firewall is logging these as if they're connection attempts on those ports (really they aren't, but are parts of an existing outbound connection to HTF).

What firewall are you using, and did you fiddle with the rules at all, such as the logging rules?

KJP
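
The exchange described in the post above, as an added example that is not part of the original thread: a minimal model of a stateful firewall's connection table, which separates replies to an existing outbound connection from replies that arrive after the table entry has expired and from packets with no matching outbound connection at all. The `StateTable` and `classify` names, the 60-second idle timeout, the event format and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(seconds=60)  # assumed state-table idle timeout


class StateTable:
    """Minimal stateful-firewall model: tracks outbound TCP flows by tuple."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (local_port, remote_ip, remote_port) -> last seen

    def outbound(self, ts, local_port, remote_ip, remote_port):
        self.flows[(local_port, remote_ip, remote_port)] = ts

    def inbound(self, ts, remote_ip, remote_port, local_port):
        key = (local_port, remote_ip, remote_port)
        last = self.flows.get(key)
        if last is None:
            return "unsolicited"   # no outbound flow ever used this tuple
        if ts - last > self.timeout:
            del self.flows[key]
            return "late-reply"    # reply to a flow the table already expired
        self.flows[key] = ts
        return "reply"             # part of an existing outbound connection


def classify(events, timeout=IDLE_TIMEOUT):
    """Return (local_port, verdict) for every inbound event, in order."""
    table, results = StateTable(timeout), []
    for line in events:
        date, time, direction, remote_ip, rport, lport = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S")
        if direction == "OUT":
            table.outbound(ts, int(lport), remote_ip, int(rport))
        else:
            verdict = table.inbound(ts, remote_ip, int(rport), int(lport))
            results.append((int(lport), verdict))
    return results


# Constructed events (not the poster's log):
# date time direction remote_ip remote_port local_port
SAMPLE = [
    "2003/11/16 06:17:00 OUT 192.0.2.10 80 2816",
    "2003/11/16 06:17:01 IN 192.0.2.10 80 2816",
    "2003/11/16 06:17:02 OUT 192.0.2.10 80 2807",
    "2003/11/16 06:18:57 IN 192.0.2.10 80 2807",
    "2003/11/16 06:18:59 IN 192.0.2.10 80 2825",
    "2003/11/16 06:19:00 IN 192.0.2.10 2816 80",
]
```

A firewall that logs only the inbound half of each flow, as in the log posted earlier in the thread, cannot make this distinction from the log alone; the outbound record is what turns "source port 80, destination port 28xx" into a reply rather than a probe.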
 

SteveCop

Agent
Joined
Feb 25, 2000
Messages
32
Kevin,
I'm using the McAfee firewall that came free with the Comcast HSI service. Been using it since July. Haven't changed any configurations and haven't had any problems, nor have I seen any more hits from HTF since the 16th. I'm not too worried about it, just curious since the hits came from HTF. Anyway, I'm going to be getting a router soon. Thanks for the info you provided.

Steve
 
