HTTP server alert?

Discussion in 'other firewalls' started by sir_carew, Dec 25, 2003.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I'm using ZAPRO 4.5 and I'm getting the same alert all the time: it's an alert caused by an HTTP server. Zonelabs said that it can be produced by a bad shutdown between the server and my computer; however, I shut down my PC correctly and I'm getting this alert on many occasions.
    Here are the alerts: (The direction many times is Inbound and Routed o_O)
    FWIN,2003/12/24,22:30:38 -3:00 GMT,127.0.0.1:80,200.74.4.20:1452,TCP (flags:AR)
    FWROUTE,2003/12/24,22:30:58 -3:00 GMT,127.0.0.1:80,200.74.4.126:1324,TCP (flags:AR)
    All the time, the IP address is the same: 127.0.0.1
    What do those alerts mean?
    Thanks.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    At the end of your thread named "Routed traffic?", jv morris pointed out that there was a thread at DSLR - Security forum about spoofed traffic coming in from "127.0.0.1" addresses. That thread is here (or there ;) ): Incomming hits from 127.0.0.1. It probably is worth referring to.

    The key is probably going to be getting more information from Zone Labs first. What did they say exactly about an "HTTP Server"? Did they say these alerts were because they thought you were running an HTTP Server on your system? (Do you run a local webserver? Most people don't which is why I'm asking.) Or, did ZL mean that some external HTTP Server (webserver) is causing this problem for you?

    In any case, this could be a few different things. It could be spoofed traffic, deliberately being sent out by someone. It could be somehow related to the new ZAP 4.5 and how it is interpreting network traffic (could be a bug). It could be a configuration problem in your network setup, between your system, your ISP access point and the ISP's LAN of which your system is a part.

    This may take a lot of figuring. :doubt:
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi :)
    >What did they say exactly about an "HTTP Server"?
    Zonelabs said that it is very probable that this alert was caused by an incorrect shutdown between my computer and a web server.
    >Do you run a local webserver?
    No, I'm not running any proxy or local webserver or anything like that.
    >Did ZL mean that some external HTTP Server (webserver) is causing this problem for you?
    Yes, it's an external HTTP server.

    Note: If I put the IP 127.0.0.1 in the blocked zone, Internet Explorer can't access the Internet; however, Opera works perfectly.
    Any idea on what's happening?
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Yep, don't do that; it will screw up MSIE which relies on a loopback (for UDP) from 127.0.0.1.

    Really need LowWaterMark back on this one, because my experience is with NIS/NPF, KPF, and SPF. The rule (if you need to specify one at all) is very different in ZAP and NIS/NPF, and then you've got to put it in the right place (and I'm not at all sure how that is accomplished in ZAP, since I think it remains an application-based firewall rather than a rules-based firewall in which rule sequence is everything).


    Since I installed a hardware router on or about 12 Dec, I've had well over 400 of these things go 'splat' against the router itself. I'm pretty sure I saw them earlier, but as I was running this box also as an ICS gateway (and you see weird things all the time in NIS/NPF on an ICS gateway box), I didn't understand their significance (but they were apparently being caught and blocked).
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Here's the kind of stuff I'm seeing:

    Code:
    12-25-2003   18:07:15   **IP Spoofing** 127.0.0.1, 80->> 66.44.xx.yy, 1175 (from Modem Inbound)
    12-25-2003   16:50:01   **IP Spoofing** 127.0.0.1, 80->> 66.44.xx.yy, 1960 (from Modem Inbound)
    12-25-2003   16:47:39   **IP Spoofing** 127.0.0.1, 80->> 66.44.xx.yy, 1008 (from Modem Inbound)
    12-25-2003   16:12:14   **IP Spoofing** 127.0.0.1, 80->> 66.44.xx.yy, 1421 (from Modem Inbound)
    12-25-2003   16:08:48   **IP Spoofing** 127.0.0.1, 80->> 66.44.xx.yy, 1301 (from Modem Inbound)
    Does this look familiar? (Again, these are router logs; not PSF logs. I have an external router and an external modem -- as noted in the logs events).
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Here is more information about this strange alert:
    The data packet that ZoneAlarm Pro blocked was sent from port 80 on a web server whose IP address is 127.0.0.1. This alert usually means that a previous connection between your computer and the web server was not completely or correctly shut down.
    Days ago, I tested another firewall, Kerio, and it alerted me: Dangerous Loopback traffic blocked, and indicated the same IP as always.
    Now ZAPRO still alerts me about this IP and the traffic direction: inbound and routed.
    Any help is appreciated.
    Thanks.

    Should I be concerned?
    This event is nothing to be concerned about. ZoneAlarm Pro has protected you against the unlikely possibility of someone trying to take advantage of an existing, unused connection to your computer.

    What should I do?
    You do not need to take any action. The web server will eventually drop the connection
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    At this point, all I can recommend is to ignore the 127.0.0.1 entries. They are most likely bogus in one regard or the other, i.e. these are either spoofed packets (as noted in the threads linked above) or perhaps (less likely) they are somehow related to misconfigurations in your cable ISP's network.

    The only way to go any further in researching this would be to sniff the network line to capture specific packets then have someone knowledgeable in network packet analysis analyze them and let us know if they can determine anything from the capture... It's probably not worth the effort.

    Your firewalls (ZAP currently and Kerio which you tested days ago) both saw the traffic in the same way and blocked it all.
     
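An added example, not code from the thread or from any poster: it parses ZoneAlarm-style log lines like the ones quoted above and separates the two explanations the thread weighs against each other. A packet whose source is in 127.0.0.0/8 cannot have travelled across the Internet from a real web server, so it is classified as spoofed before any flag reasoning; a RST/ACK from a real public address is the "connection not correctly shut down" case Zone Labs describes. The field layout is inferred from the posted lines (an assumption, not ZoneAlarm documentation), the verdict labels are this example's own, and the two extra sample lines are constructed using RFC 5737 documentation addresses. The RFC 1918 blocks are included as well, generalising the 127/8 case to every source that is invalid on an Internet-facing interface.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Source blocks that can never legitimately arrive from the Internet side of
# a firewall. 127/8 (the thread's case) never leaves a host, so such a packet
# was forged or the ISP's equipment is badly broken. RFC 1918 blocks are
# equally invalid as Internet sources; including them generalises the check.
MARTIAN_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback, RFC 1122
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
]

# Field layout inferred from the lines quoted in the thread (an assumption):
#   FWIN,<date>,<time zone>,<src>:<sport>,<dst>:<dport>,<proto>[ (flags:XX)]
ZA_LINE = re.compile(
    r"^(?P<kind>FW\w+),(?P<date>[\d/]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),"
    r"(?P<proto>[A-Z]+)(?: \(flags:(?P<flags>[A-Z]+)\))?$"
)


@dataclass
class Event:
    kind: str          # FWIN / FWOUT / FWROUTE
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    flags: str         # TCP flag letters; empty for UDP


def parse_za_line(line: str) -> Optional[Event]:
    """Parse one ZoneAlarm log line; return None for anything else."""
    m = ZA_LINE.match(line.strip())
    if not m:
        return None
    return Event(
        kind=m["kind"],
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"],
        flags=m["flags"] or "",
    )


def classify(ev: Event) -> str:
    """Verdict labels are this example's own, not ZoneAlarm terminology."""
    if any(ev.src in net for net in MARTIAN_SOURCES):
        # No real web server answers from 127/8 across the wire, so this is
        # not a stale connection whatever the flags say: treat as spoofed.
        return "spoofed-source"
    if ev.proto == "TCP" and ev.flags == "AR":
        # RST/ACK from a public address with no open connection: the
        # "connection not correctly shut down" case Zone Labs describes, or
        # backscatter from someone spoofing *our* address elsewhere.
        return "stale-or-backscatter"
    return "ordinary-block"


def analyse(log_text: str) -> Dict[str, int]:
    """Count verdicts over a whole log; unparseable lines are skipped."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        ev = parse_za_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: the first two lines are the ones quoted in the thread,
# the last two are made up using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
FWIN,2003/12/24,22:30:38 -3:00 GMT,127.0.0.1:80,200.74.4.20:1452,TCP (flags:AR)
FWROUTE,2003/12/24,22:30:58 -3:00 GMT,127.0.0.1:80,200.74.4.126:1324,TCP (flags:AR)
FWIN,2003/12/24,22:31:10 -3:00 GMT,203.0.113.5:80,200.74.4.20:1453,TCP (flags:AR)
FWIN,2003/12/24,22:32:00 -3:00 GMT,203.0.113.9:1026,200.74.4.20:137,UDP
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_za_line(line)
        print(f"{ev.kind:8} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} "
              f"{ev.proto} {ev.flags or '-':3} {classify(ev)}")
    print(analyse(SAMPLE_LOG))
```

The source-address test runs first because it is decisive on its own: a router that logs "IP Spoofing" for these packets, as in post 5, is applying the same rule at ingress, and it is the check to apply before any stateful reasoning about flags or connection history.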