When Localhost is the Local and Remote address

Discussion in 'other firewalls' started by HandsOff, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I don't know if this is correct, and if it is, I am sure I'm not the first one to realize it, but...if you look at your firewall log and you observe that for a connection both the local and the remote address are "localhost", would that mean that something from your host file was attempting to connect with Internet Explorer?

    If true, then can't you sort of use it as sort of a website scumminess detector? I mean if these things are being blocked at the same time you are perusing a particular site, it is suggestive, isn't it?

    Anyway, in this case, I had about a hundred hits from localhost within a couple of minutes, all clustered around a visit to a particular site. Not a porn site, not a gambling site...a news site. I guess so many hits because they must just keep right on trying to send whatever it is they are sending.

    I've never been good about reading logs and deducing anything from their contents, but I have always been annoyed by the fact that I don't often know what sites are responsible for what. I am the sort who basically won't do any interaction with a site if I know them to cross the line of their visitors' privacy and security, so it would be nice to know if I am interpreting the log correctly. Unfortunately, I have no way of knowing what particular item in the host file was blocking anyway. I'm sure some of the things in it aren't outrageously bad.

    -HandsOff
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    We really can't advise you too much without a sample of the specific events from the log, otherwise we'd only be able to make broad guesses as to what might be happening.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Any half-decent firewall log should include the URLs of web sites your browser accesses. If yours does not, you may find a proxy filter like Privoxy worth checking out - it can filter HTML (being based on JunkBuster) but also keeps a log of the websites your browser tries to connect to.

    Going back to your original point - it is perfectly possible to have network connections from localhost to localhost for legitimate reasons (notably if you were chaining local proxies - like having your browser connect to Proxomitron, Proxomitron connect to Privoxy and Privoxy connect to Tor which is my setup) so such connections cannot be a guarantee of suspicious behaviour for everyone.
     
  4. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Yes, P2000, I see what you mean. My suspicions were aroused about something so I jumped to a conclusion. I just thought wouldn't it be nice if you could assess a bad site that easily.

    I do have a very satisfactory firewall. It may not be a big favorite around here, but I think NPF2003 does an outstanding job. So good, in fact, that I have had very little reason to look at the logs in the first place. I certainly have not suffered the indignity of having my firewall shut down by some malware programs, as I have seen with brand-x firewall.

    To Low H20,
    Actually, I took a screenshot of the activity but in the end decided it would seem like an accusation towards a site based on evidence that I was not sure of.

    SITWs, now my curiosity is aroused, I will have to take a look!

    My idea was wide of the target, but I am happy to have gained a couple more grains of knowledge.
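
One way to find out which host file entries fired during a page visit, as an added example that is not part of any post in this thread: it compares the hostnames the browser requested (for instance taken from a proxy log, as suggested above) with the names the host file maps to a loopback address. The sample host file, the request list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample host file contents (not taken from the thread).
SAMPLE_HOSTS = """\
# blocklist entries
127.0.0.1   localhost
127.0.0.1   ads.example.net tracker.example.net   # two names on one line
127.0.0.1   metrics.example.org
::1         localhost
192.0.2.10  intranet.example.com
"""

# Constructed list of hostnames requested while one page was loading.
SAMPLE_REQUESTS = ["news.example.com", "ADS.example.net", "tracker.example.net.",
                   "cdn.example.com", "ads.example.net"]

def sinkholed_names(hosts_text):
    """Return the hostnames that the host file maps to a loopback address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank, comment-only or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP address
        if addr.is_loopback:
            names.update(n.lower().rstrip(".") for n in fields[1:])
    names.discard("localhost")                   # the machine's own name is not a block entry
    return names

def redirected_requests(requested, hosts_text):
    """Count, per hostname, the requests that the host file sends back to this machine."""
    blocked = sinkholed_names(hosts_text)
    hits = {}
    for host in requested:
        key = host.lower().rstrip(".")           # hostnames compare case-insensitively
        if key in blocked:
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for name, count in sorted(redirected_requests(SAMPLE_REQUESTS, SAMPLE_HOSTS).items()):
        print(f"{count:3d}  {name}")
```

This only accounts for localhost hits caused by host file redirection; locally chained proxies produce localhost-to-localhost connections as well and will not show up in this comparison.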
     