System (PID=8) listening on port 1025-1035
guysmilie
December 8th, 2004, 01:09 AM
I run Windows 2000 Professional. I have disabled most unnecessary services and managed to stop all ports from listening EXCEPT one. So I downloaded Port Explorer to see if I could track down the final listening port.
Port Explorer lists it as System, PID = 8. The protocol is TCP and both the local and remote IPs are 0.0.0.0. The local port seems to vary between 1025 and 1035 and the remote port is listed as port 0.
I do not believe that this open port is caused by DCOM as I ran the decombobulator from grc.com and port 135 is totally closed now.
As well, I do not have Universal Plug and Play running.
Anyone who can help me figure this out would be my hero!
Thank you in advance to anyone with suggestions!
Pilli
December 8th, 2004, 07:07 AM
Hi guysmilie, this is part of the system and the port is an internal (system) reserved address.
Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications.
You can use this tool: http://www.firewallleaktester.com/wwdc.htm from GKweb to close the DCOM service and some other insecure services. :)
HTH Pilli
guy smilie
December 9th, 2004, 05:27 AM
Thank you for your reply. Can you tell me more about this "reserved" port 0? When searching on Google there were some security/hacking forums that mentioned use of port 0 as a possible way to circumvent firewalls. Does activity on port 0 represent a security threat, and is it suspicious that there is a process which seems to be using port 0?
Pilli
December 9th, 2004, 01:55 PM
Quote: "and is it suspicious that there is a process which seems to be using port 0?"
Not suspicious as I have a similar line, no concern as it is not an external remote port.
Whether there is a method for circumventing firewalls I would not know, but I believe Port Explorer will then show an external remote connection.
Nowadays there are many ways of closing your AV, firewall etc. That is why DCS have developed ProcessGuard to protect such processes.
HTH Pilli
Kaupp
January 26th, 2005, 02:39 AM
On my W2K system I had the same port (System PID 8, port 1025) listening as guysmilie.
I was able to close it by disabling all my unused network adapters in Device Manager.
Unfortunately I can't recall which one exactly it was:
Direct Parallel
WAN Miniport (IP)
WAN Miniport (L2TP)
The best thing to do is disable them one by one, checking netstat each time.
Good luck
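Kaupp's disable-one-adapter-at-a-time approach comes down to comparing netstat output before and after each change. As an added example (written for this thread, not code from any poster or from Port Explorer), the Python below parses the Windows `netstat -an` layout from two constructed snapshots, lists the listeners that vanished between them, and separately picks out wildcard-bound TCP listeners in the 1025-1035 range the thread discusses.

```python
"""Diff two `netstat -an` snapshots (before/after disabling an adapter) to see
which listening sockets disappeared. Snapshots below are constructed samples
in the Windows netstat layout, not output captured from any poster's machine."""
import re
from typing import List, Set, Tuple

Socket = Tuple[str, str, int]  # (proto, local_ip, local_port)

# Proto, local ip:port, foreign ip:port, optional state (UDP lines have none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> Set[Socket]:
    """Return TCP sockets in LISTENING state plus every bound UDP socket."""
    listeners: Set[Socket] = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and "Active Connections" lines
        proto, lip, lport, _fip, _fport, state = m.groups()
        if lport == "*":
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED/TIME_WAIT sockets are not listeners
        listeners.add((proto, lip, int(lport)))
    return listeners


def closed_by_change(before: str, after: str) -> List[Socket]:
    """Listeners present in the first snapshot but gone in the second."""
    return sorted(parse_listeners(before) - parse_listeners(after))


def ephemeral_system_listeners(netstat_output: str) -> List[Socket]:
    """Wildcard-bound TCP listeners in the 1025-1035 range from the thread."""
    return sorted(s for s in parse_listeners(netstat_output)
                  if s[0] == "TCP" and s[1] == "0.0.0.0" and 1025 <= s[2] <= 1035)


BEFORE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1029       192.168.0.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# Same machine after one adapter was disabled: the 1025 listener is gone.
AFTER = BEFORE.replace("  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING\n", "")

if __name__ == "__main__":
    print("closed:", closed_by_change(BEFORE, AFTER))  # [('TCP', '0.0.0.0', 1025)]
```

Save each run of `netstat -an` to a file and feed the two texts to `closed_by_change`; note that the ESTABLISHED socket on port 1029 is deliberately ignored even though it sits in the same port range.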
Ean
February 4th, 2005, 01:40 PM
Nice to hear from some fellow Win2K users! I have the same thing as guysmilie, but no devices like Kaupp to disable.
And so far my system has passed every test I've found for it, so maybe these open NETSTAT ports are not a problem.
But I'd dearly like to hear from other Win2K users, especially if you also use ZoneAlarm, and have installed and run many of the DCS utilities!
I'd like to buy the whole package, but I would have to be SURE they would work first, and with each other, etc.
GIGO
February 22nd, 2005, 02:47 PM
I just spent the last 4 days monitoring the exact same activity on what I thought was an "infected" computer. At first I thought it was simply a next-generation rootkit with very clever process hiding abilities, but as I sat back and observed (real-time registry, network, & file activity) and cross-referenced what I was seeing I started to become very concerned with what I was seeing. I could be way off, but here are my thoughts. Someone implemented the capabilities of a next-gen rootkit (completely undetectable by current conventions, including IDS, antivirus, and any other protection tools) with functionality that appears to be some form of a NULL Session exploit....which also appears to make use of crafted LDAP packets...and also exploits the SMB service...ok not so bad...right? Well here's the kick in the a**, from what I observed the suspicious activity also appears to have the capabilities of a worm which spread very quickly to all computers on the LAN. Specifically, the worm-like activity appears to be similar if not exact to that of a previous worm called something like BHO1 worm. These are just my thoughts, as I am just an enthusiast...not an expert...but I think that we are on the verge of a very VERY nasty worm.
PS-I found many new posts on the internet that support my thoughts...and I have over 8 pages of notes from my observations...if you would like to chat more about this...feel free to email me: gigo at retardedlogic dot org
GIGO
February 22nd, 2005, 03:37 PM
Sorry, I forgot to mention that the entire process seems to exploit DCOM as well, and here is a link (a few days old) that seems to relate to the activity I saw.
http://text.dslreports.com/forum/remark,12620784~mode=text~days=10