fast, posted July 13, 2022:
Hi, I have a little problem: I want to block the loopback address 127.0.0.1 on the external interface. Normally it is not routed, but I think some attack is coming in on this loopback address. How can I block this address? Simple: you make an inbound rule blocking src 127.0.0.1. It works, but... you can't use other programs any more (for example Firefox etc.). How can I resolve this problem? Cheers, Hans
Marcos (Administrators), posted July 13, 2022:
Disabling this default rule should prevent any internal communication on localhost. However, it cannot help you unless an attacker has already gained access and is attacking locally running services.
fast (Author), posted July 13, 2022:
What can I do?
itman, posted July 13, 2022:
Verify that an attacker has not set up a localhost proxy server on your device. Open the hosts file in C:\Windows\System32\drivers\etc and see if entries have been added to the file. Also check the other files in the same directory and see if they have entries added.
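The checks suggested in the post above, as an added PowerShell example (not part of the thread and not ESET tooling): it lists active hosts entries, the modification times of the other files in that directory, the proxy settings, and the processes listening on loopback. Everything is read-only; the helper name Get-HostsEntry is an assumption made for this example.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'

# 1. Active (non-comment) hosts entries; a stock Windows hosts file has none.
function Get-HostsEntry {                      # hypothetical helper name
    param([string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -replace '#.*$', '').Trim()    # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }         # address without a name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; HostName = $name }
        }
    }
}
Get-HostsEntry -Path (Join-Path $etc 'hosts') | Format-Table -AutoSize

# 2. The other files in the same directory, most recently modified first.
Get-ChildItem -LiteralPath $etc -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. Proxy configuration: per-user (WinINET) settings and the WinHTTP proxy.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
netsh winhttp show proxy

# 4. Listeners reachable on loopback (bound to it or to all interfaces),
#    which is where a local proxy would have to sit.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '127.0.0.1', '::1', '0.0.0.0', '::' } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local     = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            ProcessId = $_.OwningProcess
            Process   = $p.ProcessName
            Path      = $p.Path
        }
    } | Sort-Object Local | Format-Table -AutoSize
```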
fast (Author), posted July 13, 2022:
Local proxy is disabled; no proxy is active. You mean the localhost file; localhost has changed, I have modified this file and deleted all IP addresses. I will check this. Thank you.
fast (Author), posted July 13, 2022:
I restarted the computer; the same problem still exists. I checked my hard disk with ESET SysRescue Live, but nothing was found. Eset Antivirus (full scan): nothing found. Malwarebytes: nothing found. I think the attack came from outside. I block temporarily with inbound src 127.0.0.0/8 subnet, but if you restart you can't use other programs, because they use loopback. But why can I not use the loopback interface in Eset? Block outside traffic on this interface?
itman, posted July 13, 2022:
Eset uses a hidden proxy via localhost to monitor network traffic; see below screenshot. Therefore, any firewall rules in regards to localhost monitoring need to be placed after the default firewall rule for ekrn.exe. My advice here is to leave Eset default monitoring of localhost traffic alone.