1
HFS ~ HTTP File Server / Re: Spammed "Requested HEAD /"
« on: October 27, 2011, 08:29:26 PM »
I am using Visual IP trace pro
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
HFS ~ HTTP File Server / Re: Spammed "Requested HEAD /"
« on: October 24, 2011, 12:21:22 PM »
well.. I have been prompted by this issue to enough to stick my head out of my cave.... this activity has been going on for hte past 7 days and its being used abusively given the number of attempts. the one address I just trace scanned back appears to be an HFS login in Isreal.. so I wouldnt dismiss this out of hand.. I think someone is port scanning for open HFS access..
the login prompt I got looks like its from an old HFS template... that is the main reason I am posting here. If this was google, then a port scan block "should" kill the notifications except that it doesnt. The absolute frequency of the requests makes me suspicious.
this IP: 212.143.170.116 was traced back to that site.. it uses a login prompt that as I said appears to be from an old HFS template and the site is using a self signed certificates for HTTPS.
this is NOT legitimate behavior...
10/21/2011 10:48:04 PM 123.125.17.15:15408 Requested HEAD /
10/21/2011 11:03:09 PM Check update: no new version
10/22/2011 12:53:08 AM 66.151.235.55:36162 Requested HEAD /
10/22/2011 1:03:03 AM 50.16.36.129:47587 Requested HEAD /
10/22/2011 1:07:09 AM 91.194.137.16:28913 Requested HEAD /
10/22/2011 3:56:46 AM 123.100.2.157:40735 Requested HEAD /
10/22/2011 4:03:10 AM 125.88.125.166:64372 Requested HEAD /
10/22/2011 4:24:30 AM 61.130.247.168:5827 Requested HEAD /
10/22/2011 6:15:26 AM 212.143.170.116:33717 Requested HEAD /
10/22/2011 6:57:43 AM 200.183.87.169:41449 Requested HEAD /
10/22/2011 7:03:23 AM Check update: no new version
10/22/2011 2:27:35 PM 200.242.91.152:57665 Requested HEAD /
10/22/2011 2:34:24 PM 112.213.94.49:43739 Requested HEAD /
10/22/2011 3:03:34 PM Check update: no new version
10/22/2011 3:09:35 PM 67.23.17.252:50216 Requested HEAD /
10/22/2011 3:15:08 PM 82.117.42.166:46571 Requested HEAD /
10/22/2011 4:25:05 PM 121.28.161.165:25362 Requested HEAD /
10/22/2011 5:44:02 PM 211.147.212.2:41974 Requested HEAD /
10/22/2011 6:20:55 PM 202.111.137.4:47356 Requested HEAD /
10/22/2011 6:22:19 PM 83.170.89.56:18236 Requested HEAD /
10/22/2011 11:03:44 PM Check update: no new version
10/23/2011 1:05:51 AM 80.241.32.39:59454 Requested HEAD /
10/23/2011 2:05:20 AM 180.92.170.78:39551 Requested HEAD /
10/23/2011 2:36:26 AM 218.208.102.15:56161 Requested HEAD /
10/23/2011 5:07:17 AM 59.160.229.123:48763 Requested HEAD
10/23/2011 6:10:37 PM 124.160.91.15:23427 Requested HEAD /
10/23/2011 8:18:24 PM 50.17.33.19:18526 Requested HEAD /
10/23/2011 9:13:17 PM 38.101.132.104:32099 Requested HEAD /
10/23/2011 9:48:40 PM 206.16.163.38:37504 Requested HEAD /
10/23/2011 11:04:24 PM Check update: no new version
10/23/2011 11:56:02 PM 212.192.128.23:47991 Requested HEAD /
10/24/2011 4:05:42 AM 212.143.170.116:29787 Requested HEAD /
none of these IP addresses trace back to any legitimate service.
******
update: one of these traces back to a university in Russia.. the interesting thing is that Universities should not be port scanning private computers.
the login prompt I got looks like its from an old HFS template... that is the main reason I am posting here. If this was google, then a port scan block "should" kill the notifications except that it doesnt. The absolute frequency of the requests makes me suspicious.
this IP: 212.143.170.116 was traced back to that site.. it uses a login prompt that as I said appears to be from an old HFS template and the site is using a self signed certificates for HTTPS.
this is NOT legitimate behavior...
10/21/2011 10:48:04 PM 123.125.17.15:15408 Requested HEAD /
10/21/2011 11:03:09 PM Check update: no new version
10/22/2011 12:53:08 AM 66.151.235.55:36162 Requested HEAD /
10/22/2011 1:03:03 AM 50.16.36.129:47587 Requested HEAD /
10/22/2011 1:07:09 AM 91.194.137.16:28913 Requested HEAD /
10/22/2011 3:56:46 AM 123.100.2.157:40735 Requested HEAD /
10/22/2011 4:03:10 AM 125.88.125.166:64372 Requested HEAD /
10/22/2011 4:24:30 AM 61.130.247.168:5827 Requested HEAD /
10/22/2011 6:15:26 AM 212.143.170.116:33717 Requested HEAD /
10/22/2011 6:57:43 AM 200.183.87.169:41449 Requested HEAD /
10/22/2011 7:03:23 AM Check update: no new version
10/22/2011 2:27:35 PM 200.242.91.152:57665 Requested HEAD /
10/22/2011 2:34:24 PM 112.213.94.49:43739 Requested HEAD /
10/22/2011 3:03:34 PM Check update: no new version
10/22/2011 3:09:35 PM 67.23.17.252:50216 Requested HEAD /
10/22/2011 3:15:08 PM 82.117.42.166:46571 Requested HEAD /
10/22/2011 4:25:05 PM 121.28.161.165:25362 Requested HEAD /
10/22/2011 5:44:02 PM 211.147.212.2:41974 Requested HEAD /
10/22/2011 6:20:55 PM 202.111.137.4:47356 Requested HEAD /
10/22/2011 6:22:19 PM 83.170.89.56:18236 Requested HEAD /
10/22/2011 11:03:44 PM Check update: no new version
10/23/2011 1:05:51 AM 80.241.32.39:59454 Requested HEAD /
10/23/2011 2:05:20 AM 180.92.170.78:39551 Requested HEAD /
10/23/2011 2:36:26 AM 218.208.102.15:56161 Requested HEAD /
10/23/2011 5:07:17 AM 59.160.229.123:48763 Requested HEAD
10/23/2011 6:10:37 PM 124.160.91.15:23427 Requested HEAD /
10/23/2011 8:18:24 PM 50.17.33.19:18526 Requested HEAD /
10/23/2011 9:13:17 PM 38.101.132.104:32099 Requested HEAD /
10/23/2011 9:48:40 PM 206.16.163.38:37504 Requested HEAD /
10/23/2011 11:04:24 PM Check update: no new version
10/23/2011 11:56:02 PM 212.192.128.23:47991 Requested HEAD /
10/24/2011 4:05:42 AM 212.143.170.116:29787 Requested HEAD /
none of these IP addresses trace back to any legitimate service.
******
update: one of these traces back to a university in Russia.. the interesting thing is that Universities should not be port scanning private computers.
3
Beta / Re: Testing build #269
« on: November 01, 2010, 06:42:54 PM »
oh it was def working! because I was using it and it was faster than copying and pasting the URL. then a few versions back.. I started to get the barred circle icon when I tried to drag and drop to trillian. that's when I first reported that it wasn't working...
I am guessing the others are saying it couldn't be done because they never actually tried to do it
and the first time I found out it could be done was on accident... I was curious as to whether or not it could be done.. so I tried it and it most certainly worked.
I am guessing the others are saying it couldn't be done because they never actually tried to do it
and the first time I found out it could be done was on accident... I was curious as to whether or not it could be done.. so I tried it and it most certainly worked.
4
Beta / Re: Testing build #269
« on: November 01, 2010, 02:36:12 PM »
paperport and picasa allow me to drag and drop to trillian
picasa is free and easier to test
picasa is free and easier to test
5
Beta / Re: Testing build #269
« on: October 29, 2010, 04:38:11 PM »
OMG! sorry for the delay .. I missed this email!
I am up to build 271 and the feature still doesn't work. so I am guessing that either the trillian current update broke it or one of the recent Microsoft "fixes" broke it. my money is on microsoft!
I am saying that because I can drag and drop from any other program and it works... so it's definitely an oddity.
I am up to build 271 and the feature still doesn't work. so I am guessing that either the trillian current update broke it or one of the recent Microsoft "fixes" broke it. my money is on microsoft!
I am saying that because I can drag and drop from any other program and it works... so it's definitely an oddity.
6
F.A.Q.s / Re: Portable sHFS : HFS via Stunnel with configuration GUI [english]
« on: October 29, 2010, 04:30:11 PM »
I did all that before you suggested it.. it still reacted the same way.. but it did not have an issue with build 267+
8
F.A.Q.s / Re: Virus Alert about HFS
« on: October 08, 2010, 09:21:38 AM »
umm why do I keep getting notified of the last message on this thread? I have gotten 4 of them so far?
9
F.A.Q.s / Re: Portable sHFS : HFS via Stunnel with configuration GUI [english]
« on: September 26, 2010, 11:23:38 PM »
yes same source as my original copy... but was the compression level the same? I am guessing it's because the file name might have been altered.. any single tiny change from the original signature would set off that kind of an alert.
the french version file set off no alerts at all. that is why I posted the results of the english version... because something was not right.
************************
on another note, I like your configurator. very useful!
however , I use custom port settings in my router. and the HFS and the stunnel have 2 separate ports. One is the incoming port for connections and the Second port is the 'private' port the program is set for.
I would like to make a suggestion for the port settings in your program;
have an option for [default] values: port 80 for HFS and 443/80 for sTunnel
then an option for custom router values: incoming port/private-forwarded port (the one the software actually listens on behind the firewall); example: HFS 80/?? or vice versa and sTunnel is ??/?? with the default port of 443 forwarding to the private ACCEPT port of sTunnel which then links to the private CONNECT port that the HFS is actually using.
if you have a dynamic dns service... you can change the default port for regular web but you cant change it for web SSL which is 443
there is also a more effective certificate generation string for openSSL... the one used for your configurator shows the SSL traffic in sTunnel. but the web broswer doesnt recognize the certificate/site as SSL enabled, even though the address is changed to https://??.??
the french version file set off no alerts at all. that is why I posted the results of the english version... because something was not right.
************************
on another note, I like your configurator. very useful!
however
, I use custom port settings in my router. and the HFS and the stunnel have 2 separate ports. One is the incoming port for connections and the Second port is the 'private' port the program is set for.I would like to make a suggestion for the port settings in your program;
have an option for [default] values: port 80 for HFS and 443/80 for sTunnel
then an option for custom router values: incoming port/private-forwarded port (the one the software actually listens on behind the firewall); example: HFS 80/?? or vice versa and sTunnel is ??/?? with the default port of 443 forwarding to the private ACCEPT port of sTunnel which then links to the private CONNECT port that the HFS is actually using.
if you have a dynamic dns service... you can change the default port for regular web but you cant change it for web SSL which is 443
there is also a more effective certificate generation string for openSSL... the one used for your configurator shows the SSL traffic in sTunnel. but the web broswer doesnt recognize the certificate/site as SSL enabled, even though the address is changed to https://??.??
10
F.A.Q.s / Re: Portable sHFS : HFS via Stunnel with configuration GUI [english]
« on: September 26, 2010, 10:31:29 PM »
I wasnt making an accusation, I was just alerting you of the "ODD" result.
this was the first time that Comodo ever gave that result on HFS.
this might mean there was a code string that resembled the trojan result I posted before.
this has been known to happen with other AV packages
this was the first time that Comodo ever gave that result on HFS.
this might mean there was a code string that resembled the trojan result I posted before.
this has been known to happen with other AV packages
11
F.A.Q.s / Re: Virus Alert about HFS
« on: September 23, 2010, 05:28:55 PM »
I do that regularly. Comodo is really good about recognizing version differences (attention: this file has changed... etc) and always asks you to re-validate if you do an update.
there are two signing programs that can be useful: XCA which is free and Simple Authority which has a limited free version and a full access version for about $50 the last I checked... the full version will let you do a trusted CA signing etc.
Adobe Acrobat pro also allows you to create a signature file for document signing and MS has a feature that lets you create those as well.
I liked Simple Authority because it offered the most features and it was very easy to use.
there are two signing programs that can be useful: XCA which is free and Simple Authority which has a limited free version and a full access version for about $50 the last I checked... the full version will let you do a trusted CA signing etc.
Adobe Acrobat pro also allows you to create a signature file for document signing and MS has a feature that lets you create those as well.
I liked Simple Authority because it offered the most features and it was very easy to use.
12
F.A.Q.s / Re: Portable sHFS : HFS via Stunnel with configuration GUI [english]
« on: September 23, 2010, 05:13:46 PM »
yes. comodo has an auto submit feature.
when I got my original 266 from rejetto, comodo "did not" give a virus alert.
the alert went off when I was extracting the files from your current SHFS package. the hfs266en.exe was the only file that gave an alert...
I have have submitted every beta build of hfs to comodo. the security package does that on prompt and you can always set it for auto submit. so I know comodo has the latest file versions.
comodo has a particular way of marking false alert files and virus files. it's not hard to determine which is which once you get used to it. it also has an option to notify them separately of false alerts and actual virus files.
when I got my original 266 from rejetto, comodo "did not" give a virus alert.
the alert went off when I was extracting the files from your current SHFS package. the hfs266en.exe was the only file that gave an alert...
I have have submitted every beta build of hfs to comodo. the security package does that on prompt and you can always set it for auto submit. so I know comodo has the latest file versions.
comodo has a particular way of marking false alert files and virus files. it's not hard to determine which is which once you get used to it. it also has an option to notify them separately of false alerts and actual virus files.
13
F.A.Q.s / Re: Portable sHFS : HFS via Stunnel with configuration GUI [english]
« on: September 22, 2010, 05:09:27 PM »
upon extraction: Comodo Internet Security fired off an alert stating the hfs266EN.exe file contains a trojan.
trojware.win32.trojan.agent.~kyc@124249897
the french version of the file didn't have any problems.
this "might" have to do with rejetto's previous posting about hfs being listed as a virus... and my software is just reacting to the file black list.
I manually replaced it with the 270 file and modified the version in the config files
AvvA, I am not not sure what is going on with "your" version of 266, but the one I had installed originally from rejetto didn't set off this alert.
I am making this post to let you know that it did happen.
rejetto: I have that file quarantined. I can zip it with the extension changed and send it to you, so that you can take a look yourself. Just let me know?
trojware.win32.trojan.agent.~kyc@124249897
the french version of the file didn't have any problems.
this "might" have to do with rejetto's previous posting about hfs being listed as a virus... and my software is just reacting to the file black list.
I manually replaced it with the 270 file and modified the version in the config files
AvvA, I am not not sure what is going on with "your" version of 266, but the one I had installed originally from rejetto didn't set off this alert.
I am making this post to let you know that it did happen.
rejetto: I have that file quarantined. I can zip it with the extension changed and send it to you, so that you can take a look yourself. Just let me know?
14
F.A.Q.s / Re: Virus Alert about HFS
« on: September 21, 2010, 08:37:05 PM »Good security programs should alert:
"User touching input devices keyboard and mouse in front of the screen detected. Danger that some clicks opens the door to viruses and other malware, may even erase important data on disks!
Please remove user for security reasons."
HAHAHAHAHAHAHA!
I am not panicking, but I am concerned about rejetto's previous posting about some fools who reported HFS as a trojan etc..
This happened to another clean program that I use regularly but despite the good record al it took was one bad report to have the download blocked.
15
F.A.Q.s / Virus Alert about HFS
« on: September 21, 2010, 04:18:51 PM »
WHOA!!! HI TSG
@Mars
I know the reasons why HFS "should" have that sort of access.. but the common user more than likely won't know why.
Comodo Internet Security actually scans for that kind of activity, but it doesn't explain the reason WHY ... it just gives an alert, says the activity isn't considered safe in general and then tells you that's it's OK to approve the program if it's something you use daily.
This can be confusing to an average user and they think it really is a virus or keylogger etc. There should be a simple disclaimer pointing out what type of firewall/system access HFS needs in order to function correctly.
@Mars
I know the reasons why HFS "should" have that sort of access.. but the common user more than likely won't know why.
Comodo Internet Security actually scans for that kind of activity, but it doesn't explain the reason WHY ... it just gives an alert, says the activity isn't considered safe in general and then tells you that's it's OK to approve the program if it's something you use daily.
This can be confusing to an average user and they think it really is a virus or keylogger etc. There should be a simple disclaimer pointing out what type of firewall/system access HFS needs in order to function correctly.