Re: System Idle Process making TCP connections



Does TCPView ever show the System Idle Process with any connections in the
LISTENING or ESTABLISHED state?

All of the System Idle Process connections listed are in the TIME_WAIT
state - which most probably means that some other process created the
connection and closed it. (I'd guess something trying to talk to
spoolsv.exe since it's listening on port 6160.)

Has anyone seen anything like this before?

No, not that many connections in a timed wait state. But whenever a
connection is closed it moves to the TIME_WAIT state and TCPView says it's
owned by [System Process]:0 on my windoze machine.

HTH,
Lee



John Davison <johndavison@xxxxxxxxxxxxxx> wrote on 07/07/2006 04:21:50 PM:

I've never seen anything like this before. After experiencing some really
strange behavior from various applications and a lot of looking around, I
downloaded TCPView from Sysinternals and found that the System Idle
Process (id 0) is making connections to itself, from source port 6160 to a
series of local ports and keeps incrementing.

Has anyone seen anything like this before?

Here's a TCPView dump.

lsass.exe:676 TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING
RSLINX.EXE:516 TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
RSLINX.EXE:516 TCP 0.0.0.0:44818 0.0.0.0:0 LISTENING
spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
svchost.exe:440 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
svchost.exe:960 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 10.1.1.150:139 0.0.0.0:0 LISTENING
System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
[System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
RSLINX.EXE:516 TCP 10.1.1.150:1071 10.1.1.99:2222 ESTABLISHED
svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.134:45843 ESTABLISHED
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT

<.. snip ..>

