This looks like local loopback action… port 12080 (avast! web shield and/or Firefox?). Have you installed/updated anything recently…? Also any chance of seeing the whole alert from CFP's Log?
Edit: Sorry, I meant an Exported HTML Log version entry… it sometimes gives more details. Thanks.
Posting CFP Log examples (not the whole Log) is a solvable problem… so, let’s nail this first. Otherwise, we cannot see what you are seeing…
CFP's Log can be Exported to an HTML file by right-clicking on the Log (Activity tab) & selecting Export to HTML. This will export the entire Log to an HTML file. Open the HTML file with your default browser (the one you’re using now) and use a simple click-drag-select Copy ‘n’ Paste to post quoted example Log entries here. Like this (from an old Log of mine)…
Date/Time :2006-08-13 20:33:09
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 10.35.235.233, Port = MS-ds(445))
Protocol: TCP Incoming
Source: 213.205.240.249:3713
Remote: 10.35.235.233:MS-ds(445)
TCP Flags: SYN
Reason: Network Control Rule ID = 3
While I find the log entry here is Microsoft messenger communicating with RIPE even though I closed messenger. It's scaring me now as my computer is being reported as clean from rootkits, viruses and spyware.
I think you’ve misread the whois of 91.109.59.22. RIPE is the overall net block owner (91.0.0.0 - 91.255.255.255). In short, 91.109.59.22 is not RIPE. It is in fact a Wanadoo user (now owned by Orange) probably based in Liverpool.
% Information related to '91.109.0.0 - 91.109.63.255'
person: Khalid Kamran
address: Senior Designer
address: Orange UK
address: Verulam Point, Station way
address: St Albans AL1 5HE
phone: +44-172-720-7388
nic-hdl: KK2085-RIPE
abuse-mailbox: abuseorange.co.uk
remarks: * * ABUSE MANAGEMENT * *
All abuse reports MUST be sent to "abuseorange.co.uk". Complaints to any other address will be discarded.
source: RIPE # Filtered
I’m sorry, I cannot answer your question unless I’m provided with more information. For instance… you have not told me the IP of “Lithium Industries Ltd” or the circumstances surrounding the detection of the IP.
5MB? OK, that’s the default Log size. Have you tried increasing it to… say… 25MB.
Also a Reverse DNS Lookup of 208.74.204.112 revealed the name as nintendo.lithium.com. Wii? It seems that Lithium has several major companies as clients… Nintendo, Creative, LinkSys, DoubleClick, Sprint & AT&T… any of these ring a bell in terms of software/hardware that you have?
The log problem I have brought up on the forum as well and contacted support over it but no one has any idea why it keeps resetting the log size (and yes I have tried changing it). Everything was fine then bang loads of problems from nowhere. The only thing I change on the computer is Avast updates.
Log: OK… well 5MB is still fairly large & would be enough space for hundreds of Log entries. So, you should still be able to capture whatever it is.
Destination IP: Since the destination port was port 80… then that is a web site access (unless it's an automatic update of some sort). See my above questions.
Avast: You finally answer my first question! ;D The 127.0.0.1 was Avast’s WebShield (proxy) after it had been updated. Did you block this (remembered) or something?
Firstly… do not worry. Based on what I have seen this is nothing to worry about.
..I allowed all of Avast's features to use the internet.
In the connections log I have loads of ashWebSv.exe entries that are not disappearing like they do after a while.
Ignore the Avast entries not disappearing from the Connections screen (it's probably a symptom). Show me a couple of the Inbound Policy Violations please (see above for how).
OK, these are nothing to do with anything that we’ve talked about previously. It looks like Windows File Sharing/LAN stuff. What is your Local Network set-up?
BTW Please post the Log text (rather than a screenshot) as previously discussed. I can’t select stuff from images & it's actually more difficult for you to post.
Thanks… nasty formatting (see my example, did you select from within your browser?)… but, much easier to use (cutting wise).
Ah… OK. These are other Tiscali users & you have a Dynamic IP (which is good, as it changes). These could be hopeful wannabe hackers (looking for vulnerable systems), worm infected systems searching for a new host or just users who have file-sharing turned on (which are seeking other hosts). Do you run any P2P (file-sharing) applications… if so, which ones? Also does the Source IP change… or is it always 79.72.243.204?
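Added example (not part of the original thread): a short Python script that answers the "does the Source IP change" question by grouping Inbound Policy Violation entries from exported log text by source IP. It assumes the entries follow the field layout quoted earlier in the thread; the sample addresses, ports 135/139 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout copied from the exported entry quoted in the thread.
TEMPLATE = (
    "Date/Time :{ts}\nSeverity :Medium\nReporter :Network Monitor\n"
    "Description: Inbound Policy Violation (Access Denied, IP = 192.0.2.10, Port = {port})\n"
    "Protocol: TCP Incoming\nSource: {src}\nRemote: 192.0.2.10:{port}\n"
    "TCP Flags: SYN\nReason: Network Control Rule ID = 3\n"
)
# Constructed sample data (documentation address ranges, not from the thread).
SAMPLE_LOG = "".join(TEMPLATE.format(ts=t, src=s, port=p) for t, s, p in [
    ("2006-08-13 20:33:09", "198.51.100.7:3713", "MS-ds(445)"),
    ("2006-08-13 20:33:12", "198.51.100.7:3714", "MS-ds(445)"),
    ("2006-08-13 20:41:50", "203.0.113.44:1029", "135"),
    ("2006-08-13 20:42:01", "198.51.100.7:3720", "139"),
])

# "Key :value" and "Key: value" both occur in the export, so allow either.
FIELD = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")

def parse_entries(text):
    """Split exported log text into dicts; a 'Date/Time' line starts a new entry."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Date/Time":
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries

def inbound_by_source(entries):
    """Map source IP -> sorted list of local ports it was denied on."""
    seen = defaultdict(set)
    for e in entries:
        if "Inbound Policy Violation" not in e.get("Description", ""):
            continue
        if "Source" not in e or "Remote" not in e:
            continue  # incomplete entry, e.g. a truncated copy-paste
        src_ip = e["Source"].rsplit(":", 1)[0]
        port = e["Remote"].rsplit(":", 1)[1]
        seen[src_ip].add(port)
    return {ip: sorted(ports) for ip, ports in seen.items()}

if __name__ == "__main__":
    for ip, ports in inbound_by_source(parse_entries(SAMPLE_LOG)).items():
        print(ip, "->", ", ".join(ports))
```

One source address probing several file-sharing ports points to a single scanning or infected host, while many different sources on the same port is the usual background noise on a shared dynamic-IP range.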