Re: Port 1025 - opened by "System"

From: Minder (---_at_---.---)
Date: 09/08/03


Date: Mon, 08 Sep 2003 14:34:44 -0400

On Mon, 8 Sep 2003 17:01:36 +0100, "Mimic" <null@void.net> wrote:

>"Minder" <---@---.---> wrote in message
>news:ug2plv8sjlvs8u8dna8291ua3nn7roipar@4ax.com...
>> Just installed Win2k SP4 and closed all ports but one.
>>
>> ----------------------------------
>> c:\>netstat -an
>> Proto Local Address Foreign Address State
>> TCP 0.0.0.0:1025 0.0.0.0:0 Listening
>>
>> c:\>fport
>> Pid Process Port Proto Path
>> 8 System --> 1025 TCP
>>
>> Process Explorer: shows "System Pid 8" as the parent of many child
>> processes such as SMSS, Winlogon and LSASS, so I'll assume it can't
>> be disabled.
>>
>> WinTask Pro: Describes "System" as the Microsoft Windows System
>> Process, and shows no path to an executable.
>> ---------------------------------
>>
>> Does anyone know what 'System' does, why it's listening on TCP 1025
>> and most importantly, how to make it stop ?
>>
>> Minder
>
>sounds like svchosts.exe to me.

I have two svchost processes with PIDs 356 and 358.
My concern is with PID 8 "System", listening on 1025.

>If you're on an NT-based platform (XP for example) try this
>
>C:\windows> netstat -ano
>(to get the pid of the process, or I see you use fport)
>
>C:\windows> tasklist /svc -fi "pid eq XXX"
>(where XXX is the pid)
>
>Port 1025 shouldn't be running on your internet IP, it should just run on
>0.0.0.0 for system use.

I don't think Port 1025 is running on my Internet IP, it's on 0.0.0.0.

I'm not sure I follow... I thought when netstat reports "Local Address
0.0.0.0:1025" as "Listening" to "Foreign Address 0.0.0.0:0" it means
the local computer is ready to accept connection attempts to port 1025
on any adapter (ppp,ethernet,modem,etc.) from ANY remote host.

e.g.
c:\>netstat -an
Proto Local Address Foreign Address State
TCP 0.0.0.0:1025 0.0.0.0:0 Listening

Are you saying 0.0.0.0 is reserved for system use and no remote host
can connect to it?

>I remember we had a big discussion about this when tracker claimed it was
>redbroker trojan or some windows game.

Minder
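
Added example, not part of the original post: a Python script that reads `netstat -an` output and labels each listening socket by its bind address, which is the distinction the thread is arguing about (0.0.0.0 versus a specific or loopback address). Only the 0.0.0.0:1025 line comes from the thread; the other sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the style of Windows `netstat -an`; only the
# 0.0.0.0:1025 line is taken from the thread, the rest are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def scope_of(host):
    """Classify a bind address by which local addresses accept traffic."""
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.is_unspecified:      # 0.0.0.0 or :: -> wildcard bind, every adapter
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1 -> local machine only
        return "loopback-only"
    return "single-interface"  # only via the adapter that owns this address

def listeners(netstat_text):
    """Return (proto, address, port, scope) for each listening/bound socket."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = fields[0].upper()
        state = fields[3].upper() if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = fields[1].rpartition(":")
        try:
            found.append((proto, host, int(port), scope_of(host)))
        except ValueError:
            continue  # unparseable address column; skip rather than guess
    return found

if __name__ == "__main__":
    for proto, host, port, scope in listeners(SAMPLE):
        print(f"{proto:3} {host}:{port:<5} {scope}")
```

A wildcard bind only says the socket accepts connections on every local address; whether a remote host can actually reach it still depends on any filtering in front of the machine.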


