
All programs accessing 127.0.0.1:12080


2 replies to this topic

#1 phonoguy

phonoguy

  • Members
  • 1 posts
  • Local time:02:31 AM

Posted 08 November 2011 - 11:08 PM

I had a problem running Malwarebytes yesterday and have begun to suspect that my computer is infected. I've posted for help at the Malwarebytes website already, but recently I've begun noticing a behavior that seems strange to me and was wondering if anybody could help.

I am running Avast and ZoneAlarm. For about the last week I've been noticing an unusual (to me) number of programs trying to access 127.0.0.1 through ZoneAlarm. Now I'm seeing almost everything accessing 127.0.0.1:12080 instead of an external IP address. For example, when I try to update Malwarebytes, ZA says it's trying to access 127.0.0.1:12080; if I press "allow" on the popup, MB begins downloading update files.

In other words, I can't see the actual IP address MB is downloading the updates from. This is also happening with OpenOffice, SpyBot, Spyware Blaster, CCleaner, Glary Utilities, etc.

Is this unusual? How can a program download files from an external server through 127.0.0.1?

I have run several scans with MB and Avast and nothing has shown up, but I no longer trust what they say because I have no clue where the updated definitions are coming from.


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male
  • Local time:09:31 AM

Posted 09 November 2011 - 04:47 AM

Avast Web Shield listens on port 12080 on the loopback adapter (127.0.0.1) and acts as a local proxy.
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=21&nav=0,66

If you really want to be sure that it is Avast Web Shield that does this on your machine, you can check with netstat or TcpView if it is indeed Avast Web Shield (ashWebSv.exe or aswWebSv.exe) that is listening on port 12080.

If you're not familiar with netstat or TcpView, let me know and I'll tell you how to use it.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
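
The netstat check described in the post above, as an added PowerShell example that is not part of the original thread or written by any of its posters. It assumes an English or localized Windows `netstat`, takes the port and process names from the post, and adds two checks of its own: whether the listener is bound to loopback only, and who signed the executable.

```powershell
# Added example (not from the thread). Needs PowerShell 3.0 or later;
# run elevated so the owning process's path can be read.
$Port     = 12080                       # Avast Web Shield proxy port, per the post
$Expected = @('ashWebSv', 'aswWebSv')   # process names from the post, without .exe

# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
# A listening IPv4 TCP socket has foreign address 0.0.0.0:0; matching on that
# instead of the State text keeps the parse working on localized Windows.
$listeners = netstat -ano -p TCP | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+0\.0\.0\.0:0\s+\S+\s+(\d+)\s*$' -and
        [int]$Matches[2] -eq $Port) {
        [pscustomobject]@{ Address = $Matches[1]; ProcessId = [int]$Matches[3] }
    }
}

if (-not $listeners) {
    "Nothing is listening on TCP port $Port."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        $path = if ($proc) { $proc.Path } else { $null }

        # A process name alone can be imitated, so also report who signed the file.
        $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $status = if ($sig) { $sig.Status } else { 'not checked (path unreadable)' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Listener     = '{0}:{1}' -f $l.Address, $Port
            ProcessId    = $l.ProcessId
            Process      = $name
            Path         = $path
            NameExpected = $Expected -contains $name
            LoopbackOnly = $l.Address -eq '127.0.0.1'
            Signature    = $status
            Signer       = $signer
        }
    }
}
```

A result with `NameExpected` and `LoopbackOnly` both `True` and `Signature` of `Valid` matches what the post describes; any other combination is worth a closer look in TcpView.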


#3 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • Gender:Female
  • Location:LocalHost
  • Local time:03:31 AM

Posted 09 November 2011 - 09:36 PM

Here's where you can get TCPView.
http://technet.microsoft.com/en-us/sysinternals/bb897437
After unzipping just run the .exe file. You may want to make a shortcut on the desktop. It's very useful to get in a hurry as connections are happening.

In ZA, people normally add localhost/loopback address 127.0.0.1 to the list of IPs in the Trusted Zone (and there is no way to limit the use of the proxy port to the applications you want without using expert rules).
But ZA watches the localhost connections very well and will likely see something illegal trying out.

Just FYI, in case you change AV someday. Avira uses proxy port 44080. Eset NOD (ekrn.exe) uses 30606 to scan outbound TCP traffic to HTTP ports.



