Why is sniffer reporting so much Out on port 80?

[jsteph]

Hi,
Ok, I've heard about all this spyware. So I got a port sniffer and I'm just wondering is using this sniffer and seeing all this unfamiliar outbound port 80 traffic is just scaring me when there's nothing to be worried about?

I'm not real well versed in tcp/ip or networking in general, but it's my understanding that if I'm on a web page, I should expect out packets via port 80--to *that* site only (or have I got this wrong?). But I'm seeing alot of other outbound stuff to odd looking sites that seem to have nothing to do with the page I'm on. Would a tool like ZoneAlarm allow me to tell my browser or whatever that it can only send port 80 packets out to the site I'm on, or would that render all sorts of other things unusable?

As a related question, if I'm on a web page, can the code executing in my browser access any file on my machine, or just cookies, or what?
--jsteph

 

[manarth]

To answer your second question first:
"As a related question, if I'm on a web page, can the code executing in my browser access any file on my machine, or just cookies, or what?"

It depends what o/s / browser combination you have - MS IE has security issues which can allow access to all of your HD - the answer is stay up to date with all security patches.


In response to the o/b traffic,

If a webpage uses adverts, they're often hosted on the advertiser's site, not the website you're looking at (which simply links to the ads). So although you might be looking at 130.25.45.21, the ads could be coming from 234.221.123.12 (entirely fictional IPs btw!)

If you have concerns about adware / spyware, this FAQ gives instructions on locating and removing:

faq608-3482: "How to beat your advertising popups & other browser nasties"

You may also find forum608 - "Browser issues for IT professionals" - interesting.


<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[jsteph]

manarth,
Thanks very much. I'm going to check out the faq,
--jsteph

 

[Accessdabbler]

By default, all web browsers look for a webpage at xxx.xxx.xxx.xxx:80, where the X's represent an IP address. Therefore, ALL requests for a webpage are made on Port 80 (except if it is a secure web page where the request is on Port 443).

 

[jsteph]

Access,
...but the traffic I saw was Out traffic...I can see a few hundred bytes Out if I'm doing a search--I send the query--but if I'm simply visiting a page, that page has no need to read 25K from my harddrive, which was what I was seeing from some of these sites on the sniffer.

I went to the faq manarth suggested, and it referenced spybot, a spyware search/destroy tool. I got it, ran it, and sure enough, BackWeb, c_Dilla, and several other spyware outfits had several dozen registry entries, .exe's, and misc. spy tools sprinkled about my system, with large .dat files in hidden directories. It's creepy.
--Jsteph

 

[allteltec]

How much did you out traffic on the sniffer change after useing spyware removeing software ??

 

[jsteph]

allteltec,
The out traffic to the 'unknown' sites stopped completely. Now the only out traffic I see that's not accounted for, ie, that I expect, such as submitting forms, etc, is some curious traffic to Microsoft every time I plug in my pocket pc in it's cradle. I'm not syncing anything but my calendar and notes, so I'm thinking that might be an upgrade check or something.

But the SpyBot was pretty impressive for freeware.
--Jsteph

 

[allteltec]

Tks. for the reply, I have seen Spyware so bad that it will made a slow 300-500mhz cpu unuseable.
I only use SpyBot now, use to use Adaware but it killed my son's XP laptop.
After he tryed to fix it, I had to reformat and reload XP, not fun, no floppy or CD for his laptop.