Web Server?

jtc970 · June 7, 2006, 4:27pm

How should I set up a web server?
I am using a non-standard port (85)
The only way I got it to work is going into Network Monitor and adding a rule
tcp/udp In/Out
source [any]
remote [any]
where source port is [any]
and remote port is 85

that seems backwards…

Also Im getting alot of these types of alerts…

Firefox is trying to act as a server. What would you like to do Details: application: firefox Remote IP:Listen Port:1574-UDP security Considerations C:\WINDOWS\system32\rundll32.exe has modified the User interface of firefox.exe by sending special Window messages. Any program trying to modify another program using this method may be a sign of trojan activity.

This can be between any prgrams… even things that have nothing to do with each other, is this normal? Am I being paranoid or do I have a trojan? I have scanned with everything I could possibly find online and offline and all come up clean, but that doesnt make me feel safe.

panic · June 7, 2006, 6:31pm

I would change the “remote [any]” setting to “remote [specific ip of our web server]”.

Rules should be flexible enough to allow you to work the way you want, but tight enough that they restrict external access to only those resources you need.

Hope this helps,
ewen

jtc970 · June 8, 2006, 5:45am

Thank you.

can anyone help me with the second problem?
what does modified the User interface mean? and why would things like Firefox be modifying the user interface of Thunderbird?

panic · June 8, 2006, 6:12am

jtc970 post:1:

Also Im getting alot of these types of alerts…

Firefox is trying to act as a server. What would you like to do
Details:
application: firefox
Remote IP:Listen Port:1574-UDP
security Considerations
C:\WINDOWS\system32\rundll32.exe has modified the User interface of firefox.exe by sending special Window messages. Any program trying to modify another program using this method may be a sign of trojan activity.

This can be between any prgrams… even things that have nothing to do with each other, is this normal? Am I being paranoid or do I have a trojan? I have scanned with everything I could possibly find online and offline and all come up clean, but that doesnt make me feel safe.

Hmmm …
I’ve had this type of alert pop up once with teh same report - rundll32 had modified firefox and there were a few malformed characters at the end of the alert. It has only popped up once, and there are no traces of malware, viruses that I can find.

If I were you, and if these errors are still occuring, I’d grab a screen dump of the alert window and email it to support@comodo.com.

Hope this helps,
Ewen

jtc970 · June 8, 2006, 8:59am

I sent them screenshots…
heres another I just got in the logs

[attachment deleted by admin]

panic · June 8, 2006, 6:18pm

G’day,

The
WGA.EXE that is attempting to go on the internet is Microsoft’s Windows Genuine Advantage tools phoning home. Extract from betanews.com below;

************************************************************************8

Microsoft acknowledged reports Wednesday that its latest update to Windows Genuine Advantage (WGA), an anti-piracy program implemented to detect counterfeit copies of Windows XP, phones home to the Redmond company on a daily basis.

News of the occurrence surfaced this week after privacy advocate Lauren Weinstein confirmed Internet murmuring that a connection was being made to Microsoft’s servers even after WGA had validated a Windows system as legit. Microsoft quickly responded to the issue, saying the feature was a “safety switch.”

How they can have “Microsoft” and “safety switch” in the same language, let alone the same sentence, is beyond me!!

Ewen

jtc970 · June 8, 2006, 7:08pm

agreed.

I am more worried about photoshop.exe trying to use btvlibraryservice.exe through OLE automation whatever that means…
this is just an example of an unrelated peice of software trying to use another… It is happening all the time… and yet no worms, viruses or anything else are found on my system

egemen · June 8, 2006, 8:56pm

CPF reports this activity as suspicious behavior but this does not have to be a hijack attempt at all. This alert means, photoshop.exe has tried to use a COM interface being hosted by your btvlibraryservice.exe. IF you have tried to copy/paste some screenshots from your TV program to photoshop or tried to capture video etc., this may be the reason for this alert.

You can select “Remember…” checkbox in the popup not to see this alert again.

I would not worry about this alert and select the remember option.
Egemen

jtc970 · June 8, 2006, 9:04pm

All I was doing was loading up photoshop. btv was just running in the background. Im worried because BTV has allowed internet access to get remote listings and what not, photoshop does not and should not have access.
If it was a worm wouldnt this be the same action it would take to try to get access, using an allowed program?

egemen · June 8, 2006, 9:20pm

Yes a trojan would employ such a technique but since you have scanned your computer with latest anti virus scanners, this seems like a false alert to me. I dont think photoshop will use such a technique to connect to the internet.

But if you are really worried about some files, you can always submit them to Comodo Research Lab for further analysis. Just zip the files and send them to malwaresubmit@comodo.com.

Egemen