Port 1025 - opened by "System"

Discussion in 'Computer Security' started by Minder, Sep 8, 2003.

  1. Minder

    Minder Guest

    Just installed Win2k SP4 and closed all ports but one.

    ----------------------------------
    c:\>netstat -an
    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1025 0.0.0.0:0 Listening

    c:\>fport
    Pid Process Port Proto Path
    8 System --> 1025 TCP

    Process Explorer: shows "System Pid 8" as the parent of many child
    processes such as SMSS, Winlogon and LSASS, so I'll assume it can't
    be disabled.

    WinTask Pro: Describes "System" as the Microsoft Windows System
    Process, and shows no path to an executable.
    ---------------------------------

    Does anyone know what 'System' does, why it's listening on TCP 1025
    and most importantly, how to make it stop ?

    Minder
     
    Minder, Sep 8, 2003
    #1

  2. Minder

    Mimic Guest

    "Minder" <---@---.---> wrote in message
    news:...
    > Just installed Win2k SP4 and closed all ports but one.
    >
    > ----------------------------------
    > c:\>netstat -an
    > Proto Local Address Foreign Address State
    > TCP 0.0.0.0:1025 0.0.0.0:0 Listening
    >
    > c:\>fport
    > Pid Process Port Proto Path
    > 8 System --> 1025 TCP
    >
    > Process Explorer: shows "System Pid 8" as the parent of many child
    > processes such as SMSS, Winlogon and LSASS, so I'll assume it can't
    > be disabled.
    >
    > WinTask Pro: Describes "System" as the Microsoft Windows System
    > Process, and shows no path to an executable.
    > ---------------------------------
    >
    > Does anyone know what 'System' does, why it's listening on TCP 1025
    > and most importantly, how to make it stop ?
    >
    > Minder


    Sounds like svchosts.exe to me.
    If you're on an NT-based platform (XP for example), try this:

    C:\windows> netstat -ano
    (to get the PID of the process, or I see you use fport)

    C:\windows> tasklist /svc -fi "pid eq XXX"
    (where XXX is the PID)

    Port 1025 shouldn't be running on your internet IP, it should just run on
    0.0.0.0 for system use.
    I remember we had a big discussion about this when tracker claimed it was
    redbroker trojan or some windows game.
    --
    Mimic

    "Without Knowledge you have fear, With fear you create your own nightmares."
    "There are 10 types of people in this world. Those that understand Binary,
    and those that dont."
    "C makes it easy to shoot yourself in the foot. C++ makes it harder, but
    when you do, it blows away your whole leg"
     
    Mimic, Sep 8, 2003
    #2

  3. Minder

    Minder Guest

    On Mon, 8 Sep 2003 17:01:36 +0100, "Mimic" <> wrote:

    >"Minder" <---@---.---> wrote in message
    >news:...
    >> Just installed Win2k SP4 and closed all ports but one.
    >>
    >> ----------------------------------
    >> c:\>netstat -an
    >> Proto Local Address Foreign Address State
    >> TCP 0.0.0.0:1025 0.0.0.0:0 Listening
    >>
    >> c:\>fport
    >> Pid Process Port Proto Path
    >> 8 System --> 1025 TCP
    >>
    >> Process Explorer: shows "System Pid 8" as the parent of many child
    >> processes such as SMSS, Winlogon and LSASS, so I'll assume it can't
    >> be disabled.
    >>
    >> WinTask Pro: Describes "System" as the Microsoft Windows System
    >> Process, and shows no path to an executable.
    >> ---------------------------------
    >>
    >> Does anyone know what 'System' does, why it's listening on TCP 1025
    >> and most importantly, how to make it stop ?
    >>
    >> Minder

    >
    >sounds like svchosts.exe to me.


    I have two svchost processes with PIDs 356 and 358.
    My concern is with PID 8 "System", listening on 1025.

    >If you're on an NT-based platform (XP for example), try this:
    >
    >C:\windows> netstat -ano
    >(to get the PID of the process, or I see you use fport)
    >
    >C:\windows> tasklist /svc -fi "pid eq XXX"
    >(where XXX is the PID)
    >
    >Port 1025 shouldn't be running on your internet IP, it should just run on
    >0.0.0.0 for system use.


    I don't think Port 1025 is running on my Internet IP, it's on 0.0.0.0.

    I'm not sure I follow... I thought when netstat reports "Local Address
    0.0.0.0:1025" as "Listening" to "Foreign Address 0.0.0.0:0" it means
    the local computer is ready to accept connection attempts to port 1025
    on any adapter (ppp,ethernet,modem,etc.) from ANY remote host.

    e.g.
    c:\>netstat -an
    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1025 0.0.0.0:0 Listening

    Are you saying 0.0.0.0 is reserved for system use and no remote host
    can connect to it?

    >I remember we had a big discussion about this when tracker claimed it was
    >redbroker trojan or some windows game.


    Minder
     
    Minder, Sep 8, 2003
    #3
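
On the question raised in post #3 about what a local address of 0.0.0.0 means: a socket bound to 0.0.0.0 is a wildcard bind that accepts connections addressed to any of the machine's local addresses, and the foreign address 0.0.0.0:0 only means no peer is attached yet. The script below is an added example, not part of the original thread; it classifies `netstat -an` listeners by bind scope, and every sample line except the 0.0.0.0:1025 entry is constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output.
# Only the 0.0.0.0:1025 listener comes from the thread; the rest is made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      203.0.113.5:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def bind_scope(addr):
    """Say which destination addresses a listener bound to addr accepts."""
    if addr.is_unspecified:      # 0.0.0.0 or :: is a wildcard bind
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"      # bound to one configured address

def listeners(netstat_text):
    """Yield (proto, address, port, scope) for each listening socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue             # header or blank line
        proto, local = fields[0], fields[1]
        state = fields[3].upper() if len(fields) > 3 else ""
        # UDP rows have no state column; a bound UDP socket counts as listening.
        if proto == "TCP" and state != "LISTENING":
            continue             # established or closing connections
        addr, port = split_endpoint(local)
        yield proto, str(addr), port, bind_scope(addr)

if __name__ == "__main__":
    for proto, addr, port, scope in listeners(SAMPLE):
        print(f"{proto:4}{addr}:{port:<6}{scope}")
```

Listeners reported as all-interfaces or single-address are the ones to cover with a packet filter or to trace back to their owning service; loopback-only listeners are not reachable from other hosts.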