Help: "bug.cgi" images don't show.

  • Thread starter Thread starter Jim Wood
  • Start date Start date
J

Jim Wood

All of a sudden, certain graphic images on websites refuse
to display. Right-clicking on these and questioning
Properties shows them to have a URL address such as:
http://127.0.0.1:2081/bug.cgi (this one from eBay). What
happened, what do I have to reinstall or confirm manually?
 
Jim Wood said:
All of a sudden, certain graphic images on websites refuse
to display. Right-clicking on these and questioning
Properties shows them to have a URL address such as:
http://127.0.0.1:2081/bug.cgi (this one from eBay). What
happened, what do I have to reinstall or confirm manually?
Click to expand...

I'm not sure why that port number is being selected but the
likely explanation for the IP address is that you have an override
to DNS lookup being done via an entry in your HOSTS file.

Usually that mapping (to the TCP/IP loopback address)
is put there to inhibit advertising. If you don't care about seeing
advertising and you don't have any other need for the entries
in your HOSTS file get rid of it (e.g. delete or rename it.)


HTH

Robert Aldwinckle
---
 
I have the same problem with the eBay sites also with the same properties. I
renamed the hosts file and this didn't help. Something else to try???
 
I have the same problem. IE has SP2 and the latest updates applied.
Renaming the hosts file didn't help.
 
....
I have the same problem with the eBay sites also with the same properties. I
renamed the hosts file and this didn't help. Something else to try???
Click to expand...

The only remaining possible explanations are:
1. You didn't find the right HOSTS file.
2. Your DNS is giving you that incorrect mapping.
3. You have malware which has infiltrated your TCP-IP stack
and it is intercepting and selectively modifying lookups.

All three possibilities are better discussed in a newsgroup
which specializes in networking for your OS (which neither
of you has bothered disclosing.)


Good luck

Robert
---
 
Robert, thanks for your reply. I'm using XP with SP2 and the latest updates
applied. There were only two hosts files on the system and I renamed them.
Neither contained anything unusual, just a 127.0.0.1 with a name of
localhost. Could you explain to me what you think is happening so I can
better describe the problem in another newsgroup?
 
Riverview said:
Robert, thanks for your reply. I'm using XP with SP2 and the latest updates
applied.
Click to expand...

Thanks. That's the same as I have so I may be able to help a bit more.

There were only two hosts files on the system and I renamed them.
Neither contained anything unusual, just a 127.0.0.1 with a name of
localhost. Could you explain to me what you think is happening so I can
better describe the problem in another newsgroup?
Click to expand...

Well, first of all I don't know if that 127.0.0.1:81 occurs in the HTML source.
Then I don't know if it it occurs in the source that the host server sent.
(The difference would be that something, somewhere would be
intercepting the source as sent and replacing a valid URL with this
unusable one.)

My first guess was that the source wasn't the problem but that an
override to the DNS lookup of the server name in a URL in the source
was. The common trick people use to block advertising images is to
notice that they all originate on one server and then substitute the
TCP-IP loopback address (127.0.0.1) for such server names via
entries in their HOST file. Some malware could also take advantage
of this by actually serving that address and then fetching their own
images. (That might even account for that port number which was
reported. You might get some clues about that possibility from netstat.

netstat -anop tcp

Do you actually have something listening on that port 81?
If so the o switch will show you the PID of the listening process.)

When users started discovering how the HOSTS file worked
the bad guys figured out a way to use a different HOSTS file
(the QHosts exploit). To check that the HOSTS file is where
you think it is try this command:

netsh diag show adapter /v | find /i "DataBasePath"

Now it appears the bad guys have figured out ways to insert filters
into the TCP-IP stack to do what they want. This seems to show up
most in NT5 systems.

Here is a excerpt about my current understanding about that:

<excerpt>

FYI for XPsp2 there is a new repair command for the latter possibility:

netsh winsock reset

Otherwise there is

netsh interface ip reset

You might try checking for abnormalities beforehand by

netsh winsock show catalog type=LSP

ipseccmd show filters

(ipseccmd is on the XP Pro Support Tools)


BTW you may get better suggestions in a newsgroup
which specializes in networking for your OS.


Good luck

Robert Aldwinckle
---
 
Thanks again Robert, if nothing else I'm learning alot with this problem.
Using System Restore checkpoints I was able to isolate the failure to the
latest upgrade to ZoneAlarm. They are now blocking web bugs. The red x's
are the web bugs. I thought that they were used only in HTML e-mail. It
appears that eBay and other sites are using them as tracking tools. I will
research this further.
 
Back
Top