Help!

What Is 239.255.255.250 Port 1900?

 
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Problem Solvers RSS
Next:  Slight Slowdown In Bringing Up Isp Login Screen  
Author Message
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Wed May 05, 2004 6:36 am    Post subject:

On my WindowsXP computer I get the above warning from Zone Alarm Pro that RunDLL.exe is trying to access the Internet at that address. I've not allowed access every time so I think that's the correct action.

I tried to track the IP at an online tracking service, but a "host not found" message is all I got. Trying to search for info at Google only confused me.

In plain English, what is it, what program is initiating it, and should I continue to block its access to the 'net?
Back to top
Ehwaz001



Joined: Jan 10, 2004
Posts: 1236



PostPosted: Wed May 05, 2004 11:21 am    Post subject:

You can start reading a bit on this website.

I've also found a linux user who had the same problem.

Here is the question: http://www.linuxsa.org.au/mailing-list/2002-11/1105.html
Here is a reply: http://www.linuxsa.org.au/mailing-list/2002-11/1108.html
Here is another comment: http://www.linuxsa.org.au/mailing-list/2002-11/1110.html

Last but not least, here is someone who may have found a solution:
http://www.linuxsa.org.au/mailing-list/2002-11/1134.html

I hope you understand a bit what they are talking about, because you just can't avoid getting technical terms tossed at your head...

Greetings,
Ehwaz001
B)
Back to top
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Wed May 05, 2004 5:15 pm    Post subject:

First, a correction: It's my Win98 computer not the XP.

Ehwaz001: Thanks for looking up the links. I saw the first one in my Google search, which is what had me scratching my head. Ditto for the rest of the results in my search.

But I think what they're writing about makes a little sense to me.

I have three computers on a wired home network, so my situation may stem from my router, as it seems that's what they're talking about.

Here's the full text of the ZoneAlarm message:

Do you want to allow Run a DLL as an App to access the internet?

Destination IP: 239.255.255.250: Port 1900
Application: RUNDLL32.exe
Version: 4.10.1998

Maybe I need to find out what is rundll32.exe and why it needs to access the internet. :unsure:
Back to top
usasma



Joined: May 06, 2003
Posts: 5006



PostPosted: Wed May 05, 2004 5:25 pm    Post subject:

RunDLL is a "generic" file that allows other programs to work through it. Since blocking it hasn't affected you - continue to block it!

Reading as many of the google results as you can before passing out Very Happy should give you an idea of what it's all about. Might also try googling some of the related terms that keep popping up in your reading!

Good Luck!
Back to top
Ehwaz001



Joined: Jan 10, 2004
Posts: 1236



PostPosted: Wed May 05, 2004 6:05 pm    Post subject:

usasma, if you search a little and apply some good keywords, you get a few results. Reading these is easy, on 1 condition: that you understand what each and everybody is saying in the search results.
Indeed, after reading 10 pages of uPnP, RST, DHCP, NAT, ACK, and other terms, you see the routers/firewalls flying in front of your eyes! Very Happy

athome,
usasma is right, rundll is a general "good for all" program to load and run dynamic link libraries. usasma also said:
Quote:
Since blocking it hasn't affected you - continue to block it

There you have it!

Just don't panic to much with Zone Alarm, it does tend to alert a bit much about each and every thing that could be very weird. It tends to panic a bit to much some times...
But when you want good security and therefore a decent firewall, well, that's the price you pay for security!

Greetings and good luck,
Ehwaz001
B)
Back to top
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Wed May 05, 2004 6:27 pm    Post subject:

Thanks to both of you, Ehwaz001 and usasma.

Yeah, my head's spinning with all those abbreviations and terms tossed about. My comprehension ceases to exist then. Very Happy

I think what's happened is I turned ZA Pro on to "high" in all categories recently. I'd never seen the message before I did that. As far as I know rundll32.exe may have been accessing the internet all this time without my knowledge.

Ultimately, I just want to know where that IP address goes to. Friend or foe? Since someone with Linux was in the same situation, I assume it doesn't lead to MS. I know it's not the router's manufacturer either.

*shrugs* It may remain a mystery to me.
Back to top
usasma



Joined: May 06, 2003
Posts: 5006



PostPosted: Wed May 05, 2004 6:45 pm    Post subject:

I guess I'm just a glutton for punishment! Razz (I'm also reading the WinXP Resource Kit cover to cover! :blink:

So, the question is: Who is 239.255.255.250? Am I correct? (BTW - if it is correct, I can't answer it!) Razz
Back to top
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Wed May 05, 2004 10:53 pm    Post subject:

Yep, the question is who is 239.255.255.250?

I've pretty much given up. Tried ip-trace.com, infosyssec.com and samspade.org to no avail. Nada.

Also wanted to see which program(s) uses rundll32.exe and it's only Windows. Maybe it's safe to allow it access to the Internet. I'll try Microsoft's web site to find info on why it's being activated to go online. I'm guessing wildly that the automatic Windows Update may have something to do with it.

That gives me a thought. (OK, where's the "idea" smilie?)
Back to top
surrealist



Joined: Feb 28, 2003
Posts: 1039



PostPosted: Thu May 06, 2004 3:15 am    Post subject:

Quote:
Yep, the question is who is 239.255.255.250?

I've pretty much given up. Tried ip-trace.com, infosyssec.com and samspade.org to no avail. Nada.

Also wanted to see which program(s) uses rundll32.exe and it's only Windows. Maybe it's safe to allow it access to the Internet. I'll try Microsoft's web site to find info on why it's being activated to go online. I'm guessing wildly that the automatic Windows Update may have something to do with it.

That gives me a thought. (OK, where's the "idea" smilie?)

Although it's a valid IP address, it's not a valid Internet address in the traditional sense. According to the RFCs, valid Internet IPs range up to 223.255.255.255. Higher addresses are used for multicasting, or, in this case, Universal Plug and Play (UPnP). UPnP is a network protocol that allows devices to detect and automatically configure each other, similiarly to the way hardware Plug and Play works in a PC, or more to the point, the way a DHCP server automatically assigns IP addressing information. The idea is that UPnP will simplify network configuration.

While UPnP is theoretically not a bad thing, Microsoft implementation is somewhat dubious. Currently, I would recommend disabling UPnP, or at the least blocking it with your firewall.
Back to top
usasma



Joined: May 06, 2003
Posts: 5006



PostPosted: Thu May 06, 2004 12:22 pm    Post subject:

Now my head is spinning! :blink:
Laughing Laughing Laughing Laughing Laughing
Back to top
surrealist



Joined: Feb 28, 2003
Posts: 1039



PostPosted: Fri May 07, 2004 5:16 am    Post subject:

The reason you can't ping or trace route to 239.255.255.250 is that it's not a host, per se. Internet routers will ignore that IP because it is not a valid IP for an Internet host. With several exceptions, the 'legal' Internet address space ranges from 0.0.0.0 to 223.255.255.255.

However, if a router has UPnP enabled, and received UPnP packet on port 1900, it would respond. The IP address 239.255.255.250 is just a standard place to send UPnP traffic. All UPnP compliant devices are configured to listen on that IP and port and will respond.

Rundll32.exe is an application that allows DLLs to be run as if they were applications themselves. Zone Alarm sees rundll32.exe trying to access what it considers to be the Internet (that is, any network not local) and pops up a warning. Chances are, rundll32.exe is merely broadcasting (on behalf of whatever DLLs make up UPnP) to any listening device that another device with UPnP enabled is on the line.

The outbound stuff isn't really too much to worry about, but since Zone Alarm is catching it, it might as well be blocked. It's the inbound stuff that needs to be blocked by the firewall, and most likely is.
Back to top
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Fri May 07, 2004 4:46 pm    Post subject:

Quote:
The reason you can't ping or trace route to 239.255.255.250 is that it's not a host, per se. 

However, if a router has UPnP enabled, and received UPnP packet on port 1900, it would respond.  The IP address 239.255.255.250 is just a standard place to send UPnP traffic.  All UPnP compliant devices are configured to listen on that IP and port and will respond. 

Rundll32.exe is an application that allows DLLs to be run as if they were applications themselves.  Zone Alarm sees rundll32.exe trying to access what it considers to be the Internet (that is, any network not local) and pops up a warning.  Chances are, rundll32.exe is merely broadcasting (on behalf of whatever DLLs make up UPnP) to any listening device that another device with UPnP enabled is on the line.

The outbound stuff isn't really too much to worry about, but since Zone Alarm is catching it, it might as well be blocked.  It's the inbound stuff that needs to be blocked by the firewall, and most likely is.

Okay, I understand what you're saying. Surprise! Smile

It is my router's fault for getting me all worried. It wasn't the address the router's configured to on my computers, so I couldn't see why or what it was doing.

I won't worry any further and continue to have ZA block access out.

Thanks to both the hardware and software firewalls, I've been spared the agony of the latest worm.

Thanks to you, surrealist, for explaining all. B)
Back to top
kitsuneymg



Joined: Jul 06, 2005
Posts: 1



PostPosted: Wed Jul 06, 2005 10:57 pm    Post subject:

http://support.microsoft.com/default.aspx?...kb;en-us;317843
http://www.microsoft.com/technet/prodtechn...t/wftshoot.mspx
http://www.microsoft.com/technet/itsolutio...et/upnpsup.mspx

^^^^^^^^
It pays to know who makes your os......
Back to top
athome



Joined: Sep 26, 2003
Posts: 23



PostPosted: Thu Jul 07, 2005 11:16 pm    Post subject:

Quote:
http://support.microsoft.com/default.aspx?...kb;en-us;317843
http://www.microsoft.com/technet/prodtechn...t/wftshoot.mspx
http://www.microsoft.com/technet/itsolutio...et/upnpsup.mspx

^^^^^^^^
It pays to know who makes your os......
[right][snapback]275357[/snapback][/right]



Thanks for the links, kitsuneymg Smile

I don't use the Win98 computer much any more, but I think I fixed the problem -- this thread is so old I forgot what I did and was surprised to see the e-mail notice about it again.

~Janet
Back to top
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Problem Solvers All times are: Eastern Time (US & Canada)
Page 1 of 1

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum