OA allows outgoing UDP access to suspicious website-how to find why this is happening?

I am using the freeware version of OA - it gave me 2 pop ups earlier today with

"C:\Windows\system32\prevhost.exe"

Outgoing UDP access allowed to: tdp.tracker.. 127.0.0.1: 61702"

and

"C\Program Files\Google\Update\GoogleUpdate.exe:

Outgoing UDP access allowed to: tdp.tracker.. 127.0.0.1: 58610"

The tracker is identical in both and the tracker address suggests an untrustworthy website, but I have scanned the system and also uploaded both prevhost.exe and GoogleUpdate.exe to various multiscan websites, which all suggest the files are clean.

Is there a way I can find out through OA exactly why these files are allowing this outgoing UDP access to happen? This system is used by many users. I'm thinking that the programs suggested above may be just a random choice (lies) if it is an infection on the system... but if all my antivirus programs suggest the system is clean, what can I do? Thanks for any help.

Hello,

OA allowed access to 127.0.0.1 which is "localhost".

This happens because some DNS replies returned this as the IP for the mentioned addresses. OA just shows a list of domains found to have the IP address in question.

I'm not very technical and don't understand what is meant by 'UDP' or a 'DNS reply', so I'm not 100% clear on your reply, but thanks anyway :) I used to think that 127.0.0.1 was always a reference to any current computer that I use. I didn't think that 127.0.0.1 could be a reference to any other. So are the addresses or trackers listed in brackets, in between "Outgoing UDP access allowed to:" and "127.0.0.1", simply addresses that use the same 127.0.0.1 that my computer has connected to in the past? Slightly confused :blink: I still don't understand the relation between the prevhost.exe and googleupdate.exe applications. Sorry for the confusion :blush: LOL. From the OA message in my first post, I thought that the exe programs were actually connecting to the addresses in brackets, or allowing the connection. My other guess was that the system (inc. OA) was infected, and the exe programs listed in the OA pop-up window were just a cover-up to not tell me where the original 'bad' exe was that may have been connecting to the addresses listed. I hope some of that makes sense!

I thought some of these tdp.tracker addresses sounded questionable. I think the family may like to browse anywhere they want, so I may need some kind of safe monitoring software to make sure they are using the internet appropriately, but that's another story :P Thanks.

127.0.0.1 is your computer's "loopback" address.

Some DNS servers are "blocking" bad addresses by returning 127.0.0.1 when your computer tries to resolve such a bad domain name, so when a computer tries to connect to such a host it'll try to connect to itself.

So my computer trying to connect to itself.. is a result of this pc trying to connect to bad addresses?

...and the websites listed in brackets in the OA pop-up (below) are just a history, and not necessarily linked to the exe files themselves in the same OA window?

I'm not sure what a DNS server is needed for, or if it's referring to my internet provider or the server hosting the 'bad' website my system has connected to... but... :D Thanks.

I haven't received any more odd messages as of yet. In full they were odd, along the lines of:

Created 05/02/2012 16:26:01

Summary Firewall: Automatic decision

Description C:\Windows\system32\prevhost.exe, Outgoing UDP access allowed to:

(tpb.tracker.microsoftarecrazy.net;www.applemad.org) 127.0.0.1:61702

Event type Firewall: Automatic decision(17)

Event action Allowed(2)

I have a similar problem. On several applications that have internet access I get the alert:

www.zeevex-online.com has been allowed internet access by automatic decision on 127.0.0.1 (plus some random port)

Now I have tried blocking the domain in Online Armor but it doesn't stop these alerts. My question is how to stop the domain being allowed access from my PC (I know it's the loopback, but does that matter if the domain is meant to be blocked?). How do I stop this automatic decision being made?

I have cleared my Online Armor history, but after a few hours I'm still getting the same odd messages in history, sometimes with the same random websites in brackets. It's still 127.0.0.1:xxxx, but not the same googleupdate.exe and prevhost.exe files anymore. The rest of the time OA seems to be allowing temporary files to access the internet, for example:

AppData/Local/Temp/TRPg9F9sA.exe.part was trusted automatically

C:/Windows/Temp/Runboot-temp .5accd8tc-7b7evt7-22db7d8 Outgoing TCP access allowed to: (tpb.tracker.microsoftarecrazy.net;www.applemad.org) 127.0.0.1:12080

Perhaps I'm worrying over nothing, but I might reinstall my firewall or change it completely to see if that makes a difference.

Like Andrey already said, 127.0.0.1 is the standard address of the loopback interface. It's not connecting to anywhere but your own computer because connections to 127.0.0.1 are looped back to your own machine.

Some ad-blocking and security related software (not OA) add entries to the Hosts file to prevent your computer from connecting to potentially dangerous or advertising related websites, by simply connecting back to your own computer (127.0.0.1) when a connection is attempted to one of the listed websites. Andrey also mentioned some DNS servers will redirect you to 127.0.0.1 when a connection to a website on their "bad" list is attempted. In such cases, you may see 127.0.0.1 associated with strange domains such as a torrent tracker, but if the IP listed is 127.0.0.1, it's being looped back to your own computer instead. It's absolutely nothing to be concerned about. If you see a public IP (i.e., not 127.0.0.1 localhost) trying to connect to some nasty domain that you did not try to go to yourself, then that would be something to worry about. This isn't what is happening in either of your cases though.

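The triage rule the replies above describe (a loopback or 0.0.0.0 destination means the domain was sinkholed, either by a Hosts file entry or by a blocking DNS server, whereas a public IP is a real outbound connection) can be automated. The following Python is an added example, not Online Armor code; the alert lines and the hosts-file excerpt are constructed in the format quoted in this thread, and the verdict labels are my own.

```python
import ipaddress
import re

# Constructed alert lines in the Online Armor history format quoted in this thread.
SAMPLE_ALERTS = [
    r"C:\Windows\system32\prevhost.exe, Outgoing UDP access allowed to: (tpb.tracker.microsoftarecrazy.net;www.applemad.org) 127.0.0.1:61702",
    r"C:\Program Files\Google\Update\GoogleUpdate.exe, Outgoing UDP access allowed to: (ads.example.net) 127.0.0.1:58610",
    r"C:\Users\x\AppData\Local\Temp\unknown.exe, Outgoing TCP access allowed to: (tpb.tracker.microsoftarecrazy.net) 203.0.113.10:6969",
]

# Constructed hosts-file excerpt (the real file is C:\Windows\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   tpb.tracker.microsoftarecrazy.net
0.0.0.0     www.applemad.org   # some blockers point at 0.0.0.0 instead
"""

ALERT_RE = re.compile(
    r"^(?P<exe>.+?), Outgoing (?P<proto>UDP|TCP) access allowed to: "
    r"\((?P<domains>[^)]*)\) (?P<ip>[\d.]+):(?P<port>\d+)$"
)

def parse_hosts(text):
    """Return {domain: ip} for every non-comment hosts entry."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                mapping[name.lower()] = ip
    return mapping

def is_sinkhole_ip(ip):
    """127.0.0.0/8 and 0.0.0.0 never leave the machine."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def classify_alert(line, hosts):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert line: " + line)
    domains = [d.strip().lower() for d in m["domains"].split(";") if d.strip()]
    if not is_sinkhole_ip(m["ip"]):
        verdict = "real remote destination"          # this one deserves a look
    elif any(d in hosts and is_sinkhole_ip(hosts[d]) for d in domains):
        verdict = "loopback via hosts file"          # explained by a blocker's entry
    else:
        verdict = "loopback, not from hosts file"    # DNS-side sinkhole or OA's cached name
    return {"exe": m["exe"], "proto": m["proto"], "ip": m["ip"], "port": int(m["port"]), "domains": domains, "verdict": verdict}
```

Only the third constructed alert, whose destination is a public address, is the kind the reply above says to worry about.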
Thanks, that's a bit clearer :) I have Malwarebytes, SpywareBlaster and Avast antivirus installed, along with Windows' own (Defender + UAC). Perhaps one of those added the website to the hosts file, but how can I find out what software on the system is attempting to connect to these websites or trackers? I have just received another similar message in the OA history, yet all the system is doing is browsing this website.

Thanks, that's a bit clearer :) I have Malwarebytes, SpywareBlaster and Avast antivirus installed, along with Windows' own (Defender + UAC). Perhaps one of those added the website to the hosts file, but how can I find out what software on the system is attempting to connect to these websites or trackers? I have just received another similar message in the OA history, yet all the system is doing is browsing this website.

I don't think you mentioned what version of OA you are running, but I do recall a few people mentioning with an older version of OA that initial domain name information was remembered and displayed every time a localhost connection was made. I haven't seen any recent mention of this though.

I am using the latest free version of Online Armor. I have noticed that with certain known files that I believe are usually safe, such as C:/Program Files/Common Files/Java/Javaupdate/jusched.exe, I am getting the same website information next to it yet again:

C:/Program Files/Common Files/Java/Javaupdate/jusched.exe

Outgoing TCP access allowed to: (tpb.tracker.microsoftarecrazy.net;www.applemad.org) 127.0.0.1:12080

So I have some short questions, just a yes or no :)

1. Is the 'tpb.tracker' website shown in brackets above simply history, and only related to 'jusched.exe' or whatever exe is next to it, simply because they have both used 127.0.01:1280 in the past?

2. Is the 'tpb.tracker' or website information shown only gathered from prevhost.exe?

3. Is there a prevhost viewer? I have now been told that any tracker or web info in the OA pop-ups, suspicious or not, may be related to installed software, but I can't find anything.

Thanks

So I have some short questions, just a yes or no :)

1. Is the 'tpb.tracker' website shown in brackets above simply history, and only related to 'jusched.exe' or whatever exe is next to it, simply because they have both used 127.0.01:1280 in the past?

Pretty much. OA displays any domain names it associates with 127.0.0.1 (in other words, domains that a DNS query by some program has at some time resolved to 127.0.0.1).

2. Is the 'tpb.tracker' or website information shown only gathered from prevhost.exe?

Not necessarily. It may or may not be, depending on whether other domains have also resolved to 127.0.0.1 previously, in which case they may be displayed. OA remembers all domain names that have resolved to 127.0.0.1 for a certain amount of time.

3. Is there a prevhost viewer? I have now been told that any tracker or web info in the OA pop-ups, suspicious or not, may be related to installed software, but I can't find anything.

Sorry, I don't understand this question.

Some ad-blocking and security related software (not OA) add entries to the Hosts file

Sorry, my fault. I may have been confusing "hosts file" above with 'prevhost.exe' in my first post. I also thought there might have been a way to read information from the 'prevhost.exe' service that might indicate how/what/when communications to these websites might have taken place, but I think from your reply that is not how 'prevhost.exe' works, and it probably isn't readable to a general viewer, unless they understand binary or whatever language is used, haha. I think I have more understanding of it now, and feel better in the knowledge that websites shown in brackets also show what websites or location the 127.0.0.1 + exact port was used with beforehand, and not always at the current time. I thought the executables at first were ALWAYS connecting to these sites (or some other exe was, hidden, and pretending these exes were starting the connection as some sort of cover-up, without OA or my antivirus knowing). I thought the system was infected! :ph34r: Paranoia, haha :D Thanks.
