Comodo freeware reports TCP listening on two (seemingly random) ports

Is it normal for Firefox to listen on two random TCP ports every time?

Here's what happens ...

Bringing up Firefox 3.6.2 freeware (set by default to a blank page for this test) on WinXP SP3, Comodo Internet Security 3.14 firewall freeware reports Firefox begins "listening" on TCP ports 1570 and 1572.

Closing & opening Firefox again (on a blank page by default), now Firefox is listening on TCP ports 1577 and 1579.

Closing & reopening, Comodo reports Firefox begins listening on TCP ports 1599 and 1601. Repeating, it's listening on ports 1643 and 1645. Then 1647 and 1649. Then 1651 and 1653. Then 1680 & 1682. Then 1689 & 1691.

Debugging, I bring up IE 8.0 on a blank page, yet I don't see any ports opened for listening; so it's just Firefox related.

The Firefox Tools->Add-Ons are all set to disable for this test (Adblock Plus 1.1.3 freeware, Flash Video Resources Downloader 1.0.3 freeware, Flashblock 1.5.11.2 freeware, Java Console 6.0.18 freeware, Java Quick Starter 1.0 freeware, Microsoft .NET Framework Assistant 0.0.0 freeware).

Two questions: Does Firefox open two random ports for listening when you start it on a blank page?

If not, do you have any suggestions for debugging what these ports are doing?

Reply to
Kat Rabun

Rebooting, and opening Firefox to a blank page by default, it starts at 1025 and 1027. Restart Firefox and it goes to 1030 & 1032. Then 1036 & 1038. Then 1040 & 1042. Then 1044 & 1046. And so on.

Netstat reports which process is opening the suspect ports:

    C:\Documents and Settings\kathleen> netstat -o

    Active Connections

    Proto  Local Address  Foreign Address  State        PID
    TCP    Kat:1044       localhost:1045   ESTABLISHED  2972
    TCP    Kat:1045       localhost:1044   ESTABLISHED  2972
    TCP    Kat:1046       localhost:1047   ESTABLISHED  2972
    TCP    Kat:1047       localhost:1046   ESTABLISHED  2972

Process explorer freeware reports process 2972 is Firefox.exe.

Googling, I see Firefox sometimes does a loopback to 127.0.0.1

but I don't see any indication in the netstat that this problem is the same as that known Firefox bug.

Do you get two ports opened for listening when you open Firefox on WinXP?

Reply to
Kat Rabun

As a sanity check, Firefox Tools->Options->Advanced->Update is completely turned off (none of the three options are checked, Firefox, Add-Ons, & Search Engines).

Also "Live Bookmarks" & RSS feeds were long ago disabled using "about:config" and then right clicking reset on "browser.feeds.handler" which is set to "ask".

Also, for this test, the Firefox Anti-phishing and Anti-malware list updating was turned off. (Tools->Options->Security->Block reported web forgeries and Tools->Options->Security->Block reported attack sites).

And, for this test, Firefox link prefetching was also turned off in "about:config" by setting "network.prefetch-next" to "false".

Still, Firefox opens two ports each time it opens.

Does your Firefox open two ports for listening when it opens up?

Reply to
Kat Rabun

Searching for all the things that Firefox could be doing, for this test, I disabled "Extension blocklist updating" in "about:config" by setting "extensions.blocklist.enabled" to "false".

Also, for this test, I disabled "Live title updating" in "about:config" by setting "browser.microsummary.enabled" to "false".

As a sanity check, I have no downloads that could be restarting ... so, I wonder ... am I infected with malware?

Yet, Firefox still opens two outbound TCP port connections for listening.

Do you have any suggestions to help me debug why Firefox opens up two ports for listening every time it opens up?

Reply to
Kat Rabun

After disabling everything I could think of which might make Firefox open a port connection, I even started Firefox 3.6.2 in safe mode using:

Start->Run->firefox -safe-mode

With nothing checked in the resulting form, I then pressed "Continue in safe mode".

Comodo and netstat still reported Firefox (process ID 3120 in this case), opened up two ports for listening:

    C:\Documents and Settings\kathleen>netstat -o

    Active Connections

    Proto  Local Address  Foreign Address  State        PID
    TCP    Kat:1386       localhost:1387   ESTABLISHED  3120
    TCP    Kat:1387       localhost:1386   ESTABLISHED  3120
    TCP    Kat:1388       localhost:1389   ESTABLISHED  3120
    TCP    Kat:1389       localhost:1388   ESTABLISHED  3120

Likewise, Comodo reported Firefox opened TCP ports 1386 and 1388 for listening in this test.

Why is Firefox 3.6.2 always opening two ports for listening every time it opens up?

Reply to
Kat Rabun

You have not mentioned the remote address at the other end of those established connections.

Try using Process Hacker and opening the network tab to get better information on the processes. A Whois may give you a better idea, plus you can then close the process down at the same time. Make a note of the remote IP address for future reference/investigation.

A most useful little application available at Sourceforge and elsewhere.

I'm rather prejudiced against 'software firewalls' such as you are using, so my bet is on Comodo. Other prime candidates: Google, built into Firefox of course, and Microsoft. Thus all the usual suspects. You realise that Google behaves in some rather sneaky ways once you start tracking it.

Cheers,

Roy

Reply to
Slarty

What matters is which interface is used for the connections and listening. All connections above are local. Firefox uses local TCP for inter-module communication, as many other programs do. I also guess it is listening on the loopback localhost interface 127.0.0.1.

Reply to
Poutnik

Thanks! That was so easy.

Jesus am I a stupid wanker!!

Reply to
Kat Rabun

I use FF and have had to block its phoning home at regular intervals. I consider the version I am using to be spyware, but I believe I have blocked it.

Don't see any manual, is there one? Why is it any better than process manager?

Reply to
bitte

That was a forgery!

    X-Authenticated-User: $$n3417yjc_wi1utyikkrb5b1k
    NNTP-Posting-Host: $$5lonjgdxpj7l67.news.x-privat.org
    Date: Sun, 28 Mar 2010 15:23:51 -0400

Reply to
Kat Rabun

I installed Process Hacker 1.11 freeware from:

formatting link
It's scary that Process Hacker modifies the antivirus freeware (I sure hope it's not malware in disguise) before it can start working.

Once it starts, the Process Hacker "Processes" tab looks similar to that of Process Explorer v11.21 freeware; but there are two other tabs in Process Hacker (Services, & Network).

In the Network tab of Process Hacker, the only thing I have before I start Firefox (with anti-virus turned off) is:

    Process:    LocalAddress:        LocalPort:  RemoteAddress:  RemotePort:  Protocol:  State:
    System (4)  0.0.0.0              445         0.0.0.0         24708        TCP        Listening
    System (4)  Kat (192.168.1.200)  139         0.0.0.0         24708        TCP        Listening
    System (4)  Kat (192.168.1.200)  137         -               -            UDP        -
    System (4)  0.0.0.0              445         -               -            UDP        -
    System (4)  0.0.0.0              138         -               -            UDP        -

When I start Firefox to a blank page, 4 more entries arise:

    firefox.exe(3868)  Kat(127.0.0.1)  2522  Kat(127.0.0.1)  2521  TCP  Established
    firefox.exe(3868)  Kat(127.0.0.1)  2523  Kat(127.0.0.1)  2524  TCP  Established
    firefox.exe(3868)  Kat(127.0.0.1)  2521  Kat(127.0.0.1)  2522  TCP  Established
    firefox.exe(3868)  Kat(127.0.0.1)  2524  Kat(127.0.0.1)  2523  TCP  Established

At the same time, Comodo tells me only about ports 2523 & 2521:

    TCP Listening:2523
    TCP Listening:2521

Does this help to figure out what is going on with those two ports opened up by Firefox?

Reply to
Kat Rabun

Since this all focuses on Firefox, wouldn't asking in a newsgroup with a community focused on that product produce better responses? If your NNTP server doesn't carry the mozilla.* newsgroups, you can connect your NNTP client to news.mozilla.org. There are Firefox groups there. If the users there don't know, someone might know how to contact the Mozilla development group to inquire about these ghost connects.

Reply to
VanguardLH

Did I not explain it before?

FF created loopback TCP connection No. 1 from port 2522 to port 2521 of listening FF.
FF created loopback TCP connection No. 2 from port 2524 to port 2523 of listening FF.
FF is still loopback listening on ports 2521, 2523.

In other words, FF is connecting to itself.

Reply to
Poutnik
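
Added example (not part of any poster's message): one way to automate the check described in the post above, separating loopback connections whose two ends belong to the same PID from everything else. It assumes numeric output in the layout of Windows `netstat -ano`; the sample text is constructed, using the ports and PID 3868 from the thread plus three invented rows for contrast.

```python
import re

# Constructed sample in the layout of Windows `netstat -ano` (numeric addresses).
# Ports 2521-2524 and PID 3868 come from the thread; the last three rows are
# invented for contrast (a loopback peer owned by another PID, a remote host).
SAMPLE = """\
  Proto  Local Address        Foreign Address      State         PID
  TCP    127.0.0.1:2521       127.0.0.1:2522       ESTABLISHED   3868
  TCP    127.0.0.1:2522       127.0.0.1:2521       ESTABLISHED   3868
  TCP    127.0.0.1:2523       127.0.0.1:2524       ESTABLISHED   3868
  TCP    127.0.0.1:2524       127.0.0.1:2523       ESTABLISHED   3868
  TCP    127.0.0.1:2600       127.0.0.1:8118       ESTABLISHED   3868
  TCP    127.0.0.1:8118       127.0.0.1:2600       ESTABLISHED   1200
  TCP    192.168.1.200:2530   203.0.113.10:443     ESTABLISHED   3868
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def parse(text):
    """Return (local, lport, remote, rport, state, pid) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows


def classify(rows):
    """Split ESTABLISHED rows into same-PID loopback pairs and rows to review."""
    est = {(la, lp, ra, rp): pid
           for la, lp, ra, rp, state, pid in rows if state == "ESTABLISHED"}
    self_pairs, review = set(), []
    for (la, lp, ra, rp), pid in est.items():
        mirror_pid = est.get((ra, rp, la, lp))  # owner of the other end, if local
        if is_loopback(la) and is_loopback(ra) and mirror_pid == pid:
            self_pairs.add((pid, min(lp, rp), max(lp, rp)))
        else:
            review.append((pid, f"{la}:{lp}", f"{ra}:{rp}"))
    return sorted(self_pairs), review


if __name__ == "__main__":
    pairs, review = classify(parse(SAMPLE))
    print("process talking to itself:", pairs)
    print("worth a closer look:", review)
```

Rows in the second list are not necessarily a problem; they are simply the ones where the other end is a different process or a different machine.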

I agree with this interpretation.

This form of inter process communication will be portable across all platforms and would be a good design choice for Firefox.

I guess that in this case it's inter-thread communications. Thread being a 'lightweight process'.

Nothing spooky anyway.

Reply to
bod43

Sure it would but John Stubbings aka Kat Rabun needs his Usenet fix here. Luv and freindhshit, you know.

We support Bear Bottoms.

Reply to
za kAT

You're no help.

*SHADDUP*

Respectfully,

John Stubbings

Reply to
Kat Rabun

I can't see the need for one, so I've not looked. If you don't understand what you see, perhaps you'd better call in a friend or whatever who can help you understand.

I like the ability this little application gives you to trace both ends of the connection to the sources, in real time, and then terminate the connection if required. Try highlighting the suspect process and then right clicking to see what I mean. There's nothing wrong at all with Process Explorer which I have set up in place of Windows own Task Manager, take a look in the Process Explorer Help file. It's just a case of using the best tool for a particular job.

If you take a note of the remote IP and if you are using a router which enables you to set up rules based on IPs to prevent outgoing as well as incoming connection requests, you should be better able to see what is happening. Especially if something stops working! Blocking via a Router, if that is what you want, is far more reliable than using any software personal 'firewall' - that includes Comodo.

Cheers,

Roy

Reply to
Slarty

No, more likely just Comodo.

Cheers,

Roy

Reply to
Slarty
[Massive snippage]

I see nothing like this on any copy or version of Firefox that I've used on any of several PCs. As has been suggested, ask on a Mozilla forum.

I'd be more inclined to remove all traces of the current version of Firefox, perhaps using Revo Uninstaller to get rid of everything, and then starting with a fresh installation using a known clean installer from Mozilla. A bloody nuisance as you'll lose everything, but if you're that unhappy with the situation....

Cheers,

Roy

Reply to
Slarty

Granted that I don't know much about all this, but isn't it possible FF needs a couple of open ports for information about updates to extensions, browser, etc? Just a thought...

Ron Moore

Reply to
Ron
