
Port 80

May 15, 2000
Ok, running antivirus (yes, updated) and Black Ice IDS. But somehow someone was able to breach my system and shut port 80 off. I can access the internet, but some sites are all being redirected to 127.0.0.1. I ran a portscanner on my PC and noticed that port 80 was not listed, as it usually is. No other odd ports open. I'm running Windows 2000 Pro SP2. This is affecting both Netscape and IE. Any recommendations? I'm guessing that the registry was modified, but I haven't been able to find where.
Thanks for the assistance.
Dom

Domenick Pellegrini
 
it seems the fix for the nimda worm has been used against u... u run Linux, and the fix for denying access to nimda known file names, such as readme.exe, default.eml and the like, is creating a redirect-match list in the httpd config file.. and the redirection is to the local host address, 127.0.0.1, on the sender's machine...

what happens is that when a browser request header includes the file in the redirect-match list, the server sends the request to the localhost address.. which in the sender's case, is his own machine..

now, what has happened to u is that i think your server has been compromised, and a redirect-match list has been entered, and i am 100% sure it says, redirect-match and whatever to IP 127.0.0.1 ... this may also be done by a trojan..

if not, what is more likely is that they might have used a proxy or a web server running in proxy mode to trap all your http requests, since the redirect-match list works for incoming requests.. are u running a proxy server such as squid, or MS-Proxy...?..

u may have to take the machine off line and check your configs.. and scan for nimda and code-red II...

good luck..
 
Boot your machine to DOS and run the current DOS-based scanner.. none of the viruses can function in DOS so you can hunt them down and kill them.

You DO have the emergency disk that you made when you installed the virus scanning software???

Don't feel bad.. this nasty virus can be had by just viewing an infected page and having either JavaScript or Java run automatically. I've caught it twice now trying to run from HTML code.. in both cases, since I have Java set to ask first before running anything, I was able to catch it. I also have ALL ActiveX stopped at the firewall.

Somewhere around here I have the notes on the reg setting that needs to be rebuilt.. if you need it.. post and I will try and find it.

MikeS
Find me at
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
 
Have done this. I've checked six ways to Sunday for a virus, with updated virus defs from Norton, Command, McAfee, Trend. I've run the online scans (from another PC). I've run them from DOS, I've run them locally with the Windows interface. Not a single one of these finds any virus. I've looked for all the files associated with the most recent viruses. None to be found (specifically Code Red (I & II), Nimda, Magistr, SirCam). I've checked all the config files for Win2k, I've checked services. I am able to get onto Trend's Australian site but not the US site. If there is a virus on this PC, then the 4 listed antivirus makers do not recognize it. I never received a notification that I was ever infected. My defs are up to date. I use Novell GroupWise Mail, not Outlook, my MS patches are all up to date. If there is, or was, a virus, then there must be something it changed or corrupted while attempting to infect. But I would think that I would at least have gotten a notification that a virus hit my PC. I'm baffled.

Domenick Pellegrini
 
Check your LMHOSTS or HOSTS file... one way I kill ads is to place an entry in my HOSTS file that takes something like that BS camera site and dumps it to 127.0.0.1, which is the local loopback.. something *may* have rewritten one of these two files.

MikeS
Find me at
"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin
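The HOSTS-file check MikeS suggests, as an added Python example that is not from this thread: it parses a constructed sample HOSTS file and flags any name sunk to the loopback address (other than localhost or entries you put there yourself) as well as names pinned to some other fixed address, since either bypasses DNS the way the original post describes. The sample entries and the allowlist are made up for the example; LMHOSTS has a different syntax and is not covered.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (on Win2k: WINNT\system32\drivers\etc\hosts)
# with the kinds of entries discussed in the thread: a deliberate ad-block line,
# a real site sunk to loopback, and a site pinned to an arbitrary address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-banner.invalid   # added by me to kill banner ads
127.0.0.1       www.example.com              # NOT mine: sinks a real site
10.0.0.5        update.example.org           # points a vendor site somewhere else
"""

# Names that are expected to resolve to loopback; anything else sent there is suspect.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]        # one address, one or more names
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def find_suspicious(text, allowlist=frozenset()):
    """Flag hostnames sunk to loopback (other than localhost / the allowlist)
    and hostnames pinned to any other fixed address, which bypasses DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in EXPECTED_LOOPBACK or name in allowlist:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if addr.is_loopback:
            findings.append((name, ip, "redirected to loopback"))
        else:
            findings.append((name, ip, "pinned to fixed address"))
    return findings

if __name__ == "__main__":
    # The allowlist holds the ad-block entries you added on purpose.
    for name, ip, why in find_suspicious(SAMPLE_HOSTS, allowlist={"ads.example-banner.invalid"}):
        print(f"{name:30} -> {ip:12} {why}")
```

To run it against the real file, read the hosts file into a string and pass it in place of SAMPLE_HOSTS, with your own ad-block names in the allowlist.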
 
Checked both and they are clean. I checked the Event Viewer and there was nothing abnormal in there either. The mystery continues.

Domenick Pellegrini
 