Re: svchost.exe -k BITSgroup open port 1269. Is it normal?

From: Alan Illeman (illemann_at_surfbest.net)
Date: 03/25/04


Date: Wed, 24 Mar 2004 18:31:01 -0500


"Ben" <tainhan@hotmail.com> wrote in message
news:uXIdSIdEEHA.3040@TK2MSFTNGP12.phx.gbl...
> My PC is Win2000 Pro.
> I found my PC opened port 1269 to a remote address at port 80 with
> ESTABLISH status.
> Another process also opens port 1269 for LISTENING.
> "svchost.exe -k BITSgroup" opens port 1269. But I don't know which program
> loads that "svchost.exe -k BITSgroup".
> Is it a normal situation? How can I trace out which program loads that
> svchost.exe at port 1269?
>
> Also ports 1718, 1720, 1724 are opened via "svchost.exe -k wugroup". Are
> those ports opened normally?
>
> Do you have any idea?
>
> I scanned my PC for viruses. Everything seems OK.
>
> Do you know any open source or free firewall?
> Or any software to detect what program loads svchost.exe to open a certain
> port?
>
> You know, the situation is: If I doubt that port 1269 is a backdoor, I
> cannot just simply stop svchost.exe
>
> Thank you for any help

Ben, what did you spend on your computer? A licenced copy of Kerio
only costs $55US, lifetime licence, that is. Included for the first year is
a $22 subscription for free updates.

I've had 12 TCP attacks on c:\winnt\system32\svchost.exe in the last
hour - and Kerio denied all of them. (www.kerio.com)

Network Security->Applications->c:\winnt\system32\svchost.exe
    Trusted: IN:deny, OUT:deny
    Internet: IN:deny, OUT:deny

I'm not sure I really understand all this stuff in the log, but the
'Remote point' (source of the attacks?) were:


I've had 5 more while I was typing this :)


