Attack from forum.utorrent.com?

[Lucifer]

My Outpost firewall detects an attack from forum.utorrent.com (207.142.136.45) and tries to scan my ports.

I maybe wrong but checking cookies shouldn't scan more than one port, does it?

[Miffo]

Ive said it before, Outpost is paranoid. To say the least..

[Falcon4]

Cookies don't scan ports. o.O

...

That's like saying "my piece of paper tried to smash my xerox machine". Uhm, paper doesn't move... and cookies are not programs.

(Similarly, cookie "checking" doesn't "scan ports" at all, all the cookies for a site are sent to the server whenever you send a request, that's how you stay logged in... nothing needs to be "scanned" to find cookies)

Also, you're using a "firewall", PERIOD. That contributes to problems in and of itself. If you have a router, port scanning can't happen. Lose the damn firewall, unless you're paranoid about outgoing data protection (scoff)...

[Lucifer]

No, i don't have a router and it's a fact that utorrent.com is scanning my ports so the firewall isn't wrong. You don't scan people's ports for no reason, do you?

I learn that PHP uses base64 to check cookies on your pc by opening a port in order to identify them.

[DreadWingKnight]

I learn that PHP uses base64 to check cookies on your pc by opening a port in order to identify them.

Where and how?

cookies are sent by your browser. the site doesn't connect to you to check them. you connect to the site.

[Lucifer]

I have little knowledge on php but this was told by a friend of mine who's a senior programmer in php & sql so i maybe wrong.

Some php cookies containing your username & password are encoded in base64. For authentication, login servers need client computers to send them the base64 encoded request cookie and compares with the database. The server scans your ports and if any are found open, connection will be made using that port.

[Falcon4]

That's a crock of crap... I code PHP (haven't you seen my profile? Here's a sample) and I know how cookies work. Password is generally stored in a MD5 hash (one-way encryption) and username is stored as a user number. Both are sent to the server along with whatever other cookies, to keep track of your session on the server (as every single page view is a complete restart of the system, using only the data that you sent to the server). It's nearly impossible to do some kind of "port scanning" in PHP (okay, I'll say it: IM-FUCKING-POSSIBLE). Not to mention that it's completely pointless.

No connections are made other than the port 80 for HTTP.

Your firewall is wrong.

edit: (and you probably just misunderstood your friend)

[Lucifer]

haha, i guess i misunderstood his explanation.

Guess i'll just ignore the firewall message ^^

Thanks, Falcon4

[Falcon4]

No problem, hope I didn't sound too harsh - I just hate firewalls and "internet protection" products...

[splintax]

It's nearly impossible to do some kind of "port scanning" in PHP (okay, I'll say it: IM-FUCKING-POSSIBLE). Not to mention that it's completely pointless.

Sure about that? How about the µTorrent port checker, isn't that done in PHP?

But you're definitely right insofar as that Outpost is 99.99999% sure to be wrong. Unless forum.utorrent.com sending you HTML on port 80 is considered an attack nowadays...

[Falcon4]

As in a port checker within µTorrent itself? I can guarantee you that absolutely zero parts of µTorrent are written in PHP. PHP is a web scripting language.

[Firon]

the port checker is a PHP script on the site

[Falcon4]

I'm losing my patience with this site...

[Ultima]

I'm not sure if you're confused about what we're talking about, but if you are... this is the port checker being discussed:

http://www.utorrent.com/testport.php?port=INSERT_YOUR_PORT_NUMBER_HERE

=P

[Falcon4]

Oh, that's more understandable. Port scanning is impossible in PHP. Port checking is simply done by running an open-socket command on an IP and port number.

As I did it in my old sig script (source):

$fp = @fsockopen($host,$port,$errstr,$errno,3);

The "@" tells it, basically, not to corrupt the image data with an error message if it fails. I could handle failures better, I'm sure, but meh.

(To do port scanning on PHP, you'd have to do countless ones of these socket-open commands, and they'd take something like 10 seconds each to time out... that'd take FOREVER!)

[r00ted]

I've seen this kind of attacks in the past while using Outpost...don't know how it figures. I've had outpost report port scans from methlabs.org (yea....the last time I used Outpost).

Now my primary defense is a linksys hardware router, windows xp sp2 firewall.

[splintax]

Thanks for the link Ultima, I didn't have µT available at the time and was trying portchecker.php