Wilders Security Forums  

Go Back   Wilders Security Forums > Archived Forums > Closed Sub-Forums > Archive of DiamondCS Support Forums > Port Explorer
  #1  
Old August 2nd, 2003, 06:11 PM
Rainwalker
Very Frequent Poster

Join Date: May 2003
Posts: 1,672
Closing Port 1025

Greetings,
After a number of days drowning in hesitation, some would say ignorance, I have decided to ask. Whenever I run the Steve test for open ports I find that port 1025 is always open (XP Home). With Port Explorer I stop sending and receiving on the socket but it makes no difference. My FW does catch it, so I'm thinking no big deal, but why is it open? If I Kill Process then my internet connection is blocked... Hmmmm, maybe I'm on to something here... it works for Blaze... wonder if he got the bugs out!!??

Last edited by Jason_DiamondCS : July 19th, 2004 at 04:59 AM. Reason: Fixed Spelling
  #2  
Old August 2nd, 2003, 06:51 PM
Dan Perez
Global Moderator

Join Date: May 2003
Location: Sunny San Diego
Posts: 1,495
Re: Closing Port 1025

Hi Rainwalker!

It's hard to answer your question with so little info. Ports 1025 and above are called "ephemeral ports", which means that the OS will use these as needed for transactions requiring a network connection. Usually these are temporary and will increment for each transaction.

If you could post the name of the process that holds this port, whether it is always that process (across several reboots), what the destination address is and the destination port; we could better answer your question/concern.

Thanks,

Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
  #3  
Old August 3rd, 2003, 12:42 AM
LowWaterMark
Administrator

Join Date: Aug 2002
Location: CT, USA
Posts: 13,998
Re: Closing Port 1025

Also, in addition to what Dan asked, could you explain what you mean by these statements: "...I find that port 1025 is always open." and "My FW does catch it so I'm thinking no big deal but why is it open."

I'm asking because these seem to conflict if you mean that from an "external port scan" the port shows as open, but your firewall still catches it.

However, if you mean that locally on your system that port is listening, but from the view of an external scan, your firewall is blocking - then you are okay.
__________________
Gotta love a cozy little house with a view. Could use a fireplace though.
  #4  
Old August 3rd, 2003, 01:22 PM
Andreas1
Security Expert

Join Date: Jan 2003
Location: Mainz (Ger)
Posts: 367
Re: Closing Port 1025

...finally, is there any "pattern" in your internet usage concerning the scan?
E.g. do you browse to the online scan site first, right after establishing your connection to the internet? Always after a long time of surfing? Always after a long time of surfing and email queries? Sometimes early, sometimes late, without a pattern?

TIA,
Andreas
__________________
Acer Aspire 1520 and Arch Linux (and openbox, screen, mutt, mc, vim etc.)
GPG 0x869F8 http://www.commontology.de/andreas/
b8 7a 0 0 0 bb b8 90 4 8 cd 80 b9 b8 90 4 8 ba 41 0 0 0 bb 1 0 0 0 b8 4 0 0 0 cd 80
  #5  
Old August 3rd, 2003, 07:35 PM
Rainwalker
Very Frequent Poster

Join Date: May 2003
Posts: 1,672
Re: Closing Port 1025

Thanks for getting back
Dan: I am using a stand-alone home computer w/dial-up. After a few reboots the process remains svchost 712... Destination=0.0.0.0, listening, host.
LowWaterMark: When the GRC scan checks for open ports it always shows 1025 to be open, and while the test is going on my FW asks for permission to let the probe in. I refuse and presume it blocks it.
Andreas: No pattern.
Hope this helps, and again, when I use PE to end Receiving and Sending I expected GRC to not see the port. Other ports are as they should be.

TIA
  #6  
Old August 3rd, 2003, 08:16 PM
LowWaterMark
Administrator

Join Date: Aug 2002
Location: CT, USA
Posts: 13,998
Re: Closing Port 1025

Ah, okay, that makes sense. Generic Host Process for Win32 Services (aka. svchost.exe) will listen on one or more of the early ephemeral ports depending upon which of its various services you have enabled.

Now, as to a firewall alerting the user of a connection attempt to a port that svchost is listening on, well that all depends upon the specific firewall and the rules that are set in it.

My Windows XP system also has svchost.exe listening on TCP port 1025. However, I block svchost from having server rights, (that's just the terminology used in Zone Alarm that refers to allowing a program to receive unsolicited external connection attempts), so I don't get prompted when a connection is attempted on that port.

You can probably just change your firewall rules or settings to prevent it from alerting and asking you about that. I don't know of any circumstance that I'd ever recommend that you allow such a connection, so why let it ask? It's just a bother at that point. If you want to tell us what firewall you are using, I'm sure someone can recommend the proper rule or setting.

Edit: Oh, and regarding "killing the process" and having that break your Internet connection, on Windows XP most people find they must allow svchost.exe some access rights or they can't maintain a network connection. It varies some by specific services enabled in XP and by ISP connection methods, but, on XP killing svchost is very likely to terminate your network access. Svchost is a core part of Windows XP.
__________________
Gotta love a cozy little house with a view. Could use a fireplace though.
  #7  
Old August 3rd, 2003, 11:03 PM
Rainwalker
Very Frequent Poster

Join Date: May 2003
Posts: 1,672
Re: Closing Port 1025

Greetings LWM and thank you for your time. Helpful...
Yes, I have been wanting to close the port . Maybe someone will tell me how. I am running NIS 2003.

  #8  
Old August 4th, 2003, 05:03 AM
Andreas1
Security Expert

Join Date: Jan 2003
Location: Mainz (Ger)
Posts: 367
Re: Closing Port 1025

Quote:
Originally Posted by LowWaterMark
Ah, okay, that makes sense. Generic Host Process for Win32 Services (aka. svchost.exe) will listen on one or more of the early ephemeral ports depending upon which of its various services you have enabled.

There was a tool around that could tell you what the command line used to invoke this instance of svchost was - this should give clues as to what service this is related to. Only I don't remember the tool (was it something of the Faber Toys? or DCS's APM?). Don't know, someone else will have to fill this in - the procedure would be to note the PID of the svchost process that possesses port 1025 and then use the tool to get info about this PID. (Probably there are several processes of svchost, this one being used to run all sorts of services.)

HTHH,
Andreas

can't comment on NIS2003
__________________
Acer Aspire 1520 and Arch Linux (and openbox, screen, mutt, mc, vim etc.)
GPG 0x869F8 http://www.commontology.de/andreas/
b8 7a 0 0 0 bb b8 90 4 8 cd 80 b9 b8 90 4 8 ba 41 0 0 0 bb 1 0 0 0 b8 4 0 0 0 cd 80
  #9  
Old August 4th, 2003, 07:10 AM
Jooske
Incredibly Massive Poster

Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Closing Port 1025

The rc in PE at least can tell you what the process is and its full pathname, might give a clue?
__________________
Jooske
"o_o"
  #10  
Old August 4th, 2003, 11:38 AM
Rainwalker
Very Frequent Poster

Join Date: May 2003
Posts: 1,672
Re: Closing Port 1025

Jooske, Andreas, thanks for getting back.
PE/rc... (rc)...
As far as NIS, well, I will not be holding my breath while waiting for a response, as it seems that I very well may be the only one on this forum using it.

TIA
  #11  
Old August 4th, 2003, 11:44 AM
Jooske
Incredibly Massive Poster

Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Closing Port 1025

PE - Port Explorer
rc - right click (right mouse button click or mouse right button click)

In PE get to the process in question, right click on it, and in the menu there is the option to ask "What is ...(process name and PID)". If you click on that (left mouse click) you get info on that process with the full pathname where the thing is located on your system; so you will see a thing is e.g. a LiveUpdate or a music player, whatever. Would be so nice if MS had been a bit more user friendly and given that name instead of the general svchost.exe for each of them.
But so you can see it too in PE.
__________________
Jooske
"o_o"
  #12  
Old August 4th, 2003, 12:44 PM
Dan Perez
Global Moderator

Join Date: May 2003
Location: Sunny San Diego
Posts: 1,495
Re: Closing Port 1025

Hi All,

The tool that Andreas mentioned, which was able to give command-line arguments of running processes, is DCS's APM, but I just brought it open on my machine to outline the steps to take and, unfortunately, realized that you cannot distinguish (such as by PID) between the different instances of svchost running.

It is probably a pretty simple addition to make to the program (but then I am no programmer).

I'll post a feature request on the DCS forum and point to this thread.

Regards,

Dan

BTW Rainwalker, I used a number of firewalls in the past but NIS was not one of them
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
  #13  
Old August 4th, 2003, 02:01 PM
Andreas1
Security Expert

Join Date: Jan 2003
Location: Mainz (Ger)
Posts: 367
Re: Closing Port 1025

Hi,
I have replied over at DCS as well, but here is another question:
I am quite sure that it was possible to do that in either FaberToys or Sysinternals' Process Explorer as well - with PIDs. Could anyone running Windows and having these at hand check it out?
(Running in Linux now and not rebooting so soon...)

CU,
Andreas
__________________
Acer Aspire 1520 and Arch Linux (and openbox, screen, mutt, mc, vim etc.)
GPG 0x869F8 http://www.commontology.de/andreas/
b8 7a 0 0 0 bb b8 90 4 8 cd 80 b9 b8 90 4 8 ba 41 0 0 0 bb 1 0 0 0 b8 4 0 0 0 cd 80
  #14  
Old August 4th, 2003, 03:06 PM
Pilli
Incredibly Massive Poster

Join Date: Feb 2002
Location: Hampshire UK
Posts: 6,218
Re: Closing Port 1025

Hi Andreas, in PE if I have process PID 868 SVCHOST listening on 1025, right clicking & selecting "What svchost.exe is" gives me the path etc.

In faber toys - Dependencies (PID86 - shows me that 133 modules loaded by svchost. Selecting properties (PID86 shows me 4 imported modules and the associated 13 imported functions.

In PE the *System - PID 4 processes, which are local machine and my LAN, do not have the "What is (System)" function, i.e. it is greyed out as it is, as said, your own "System".
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
  #15  
Old August 4th, 2003, 06:12 PM
Dan Perez
Global Moderator

Join Date: May 2003
Location: Sunny San Diego
Posts: 1,495
Re: Closing Port 1025

Hi All,

Yes Andreas, the Sysinternals Process Explorer will show the command line args and you can discriminate between the various instances via the PID.

For anyone interested, here is the URL for it

http://www.sysinternals.com/ntw2k/fr.../procexp.shtml

Regards,

Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
  #16  
Old August 4th, 2003, 06:48 PM
Andreas1
Security Expert

Join Date: Jan 2003
Location: Mainz (Ger)
Posts: 367
Re: Closing Port 1025

Thanks a lot Dan,

to recap then:
If you're in doubt about a connection or open port,
1. Use DCS's Port Explorer to get the process that this is related to.
2. (Supposing the process is the catch-all svchost.exe:) Note the PID of the process.
3. Examine the instance of svchost.exe that has the correct PID in Sysinternals' Process Explorer to find out the command-line parameters that this instance was launched with.
4. Try to imagine what service could be related to those parameters - or search for the complete command line in Google.
5. Make up your mind whether you should disable the service.

If you decide it should be disabled (and do so via your OS configuration):
6. Since sometimes M$ updates and apps re-activate services, check from time to time to see if it is still disabled.
7. Consider adding a rule in your firewall to block traffic for the corresponding port (see DCS's PE).

...and with 7. we're back with the open question:
How to achieve this in NIS 2003?

I've no idea about this, however...
HTHH so far,
Andreas
__________________
Acer Aspire 1520 and Arch Linux (and openbox, screen, mutt, mc, vim etc.)
GPG 0x869F8 http://www.commontology.de/andreas/
b8 7a 0 0 0 bb b8 90 4 8 cd 80 b9 b8 90 4 8 ba 41 0 0 0 bb 1 0 0 0 b8 4 0 0 0 cd 80
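Steps 1 to 3 of the recap above (bound port to owning process, process PID to the services it hosts, and the svchost command line to its service group), worked as an added example. This is editor-added code, not code from this thread, from DiamondCS or from Sysinternals: it reads the text that the built-in Windows commands `netstat -ano` and `tasklist /svc` print, which is the same port-to-PID and PID-to-service data Port Explorer and Process Explorer show in their GUIs. Both command outputs embedded below are constructed for the example; the PIDs, addresses and service lists are illustrative (712 is borrowed from Rainwalker's report, the rest is made up). The parser also records whether a socket is bound to 0.0.0.0 or only to 127.0.0.1, which is the distinction LowWaterMark drew earlier in the thread: only the former can ever appear on an outside scan such as ShieldsUP, and then only if the firewall lets the probe through.

```python
"""Map a bound port to its owning process and to the Windows services hosted
in that process, from the text of `netstat -ano` and `tasklist /svc`.
Added example; the two command outputs below are constructed, not captured."""
import re
from typing import Dict, List, Optional

# Constructed `netstat -ano` output in the XP-era format. PIDs and addresses
# are illustrative; 712 mirrors the svchost PID reported in the thread.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       712
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1580
  TCP    192.168.1.5:1031       207.46.253.221:80      ESTABLISHED     712
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output; a long service list wraps onto indented
# continuation lines, exactly as the real command prints it.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    868 RpcSs
svchost.exe                    712 AudioSrv, Browser, CryptSvc, Dhcp, EventSystem, helpsvc,
                                   lanmanserver, Netman, Schedule, SENS, W32Time, winmgmt,
                                   wuauserv, WZCSVC
svchost.exe                   1580 Dnscache
"""

# netstat row: proto, local, foreign, optional TCP state (UDP has none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist row: image name (may contain spaces), PID, services column.
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
# The "-k <group>" switch Process Explorer shows in an svchost command line.
SVCHOST_GROUP = re.compile(r"-k\s+(\S+)", re.IGNORECASE)


def parse_netstat(text: str) -> List[dict]:
    """One dict per socket; the banner and header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def _split_services(column: str) -> List[str]:
    return [s.strip() for s in column.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """{pid: {"image": ..., "services": [...]}}, joining wrapped continuation rows."""
    procs: Dict[int, dict] = {}
    current = None
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):          # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        if line[0].isspace():                 # continuation of the previous row
            if current is not None:
                current["services"].extend(_split_services(line))
            continue
        m = TASKLIST_ROW.match(line)
        if m:
            image, pid, services = m.groups()
            current = {"image": image, "services": _split_services(services)}
            procs[int(pid)] = current
    return procs


def exposure(local_host: str) -> str:
    """Who can reach a socket bound to this address, before any firewall rule applies."""
    if local_host in ("0.0.0.0", "*", "::"):
        return "all interfaces"
    if local_host.startswith("127.") or local_host == "::1":
        return "loopback only"
    return "one interface"


def explain_port(port: int, netstat_text: str, tasklist_text: str) -> List[dict]:
    """Bound sockets on `port`, each with owning image, hosted services and exposure."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        bound = (c["proto"] == "TCP" and c["state"] == "LISTENING") or c["proto"] == "UDP"
        if c["local_port"] != port or not bound:
            continue                          # e.g. an outbound ESTABLISHED socket
        proc = procs.get(c["pid"], {"image": "<unknown>", "services": []})
        findings.append({"proto": c["proto"], "pid": c["pid"], "image": proc["image"],
                         "services": list(proc["services"]),
                         "exposure": exposure(c["local_host"])})
    return findings


def svchost_group(cmdline: str) -> Optional[str]:
    """Service group name from an svchost command line, or None if there is no -k switch."""
    m = SVCHOST_GROUP.search(cmdline)
    return m.group(1) if m else None
```

On a real machine, feed the parsers the output of the two commands instead of the constructed strings. On the sample data, `explain_port(1025, ...)` reports one TCP listener bound to all interfaces, owned by svchost PID 712, and lists the fourteen services that instance hosts; that hosted-service list is what tells you which service to consider disabling in step 5, and the `-k` group that `svchost_group` pulls from the Process Explorer command line (for example `netsvcs`) narrows the same question from the other side. The constructed 1027 socket is bound to 127.0.0.1 only, so it can never be seen by an outside scanner regardless of firewall rules, while the ESTABLISHED socket on 1031 is an outbound connection and is not reported at all.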
  #17  
Old August 4th, 2003, 07:04 PM
CrazyM
Firewall Moderator

Join Date: Feb 2002
Location: BC, Canada
Posts: 2,439
Re: Closing Port 1025

Hi Rainwalker

Quote:
Originally Posted by Rainwalker
As far as NIS, well I will not be holding my breath while waiting for a response as it seems that I very well may be the only one on this forum using it.

You are not alone, although I am not running it at this time.
If you are being prompted for unsolicited inbound connections, check under custom security settings and make sure "Alert when unused ports are accessed" is not selected.

http://www.gpick.com/agnisrules/page...tings_pg2.html

The above link refers to that setting in particular, you may find other useful information for NIS on the rest of the site.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
  #18  
Old August 4th, 2003, 10:46 PM
Rainwalker
Very Frequent Poster

Join Date: May 2003
Posts: 1,672
Re: Closing Port 1025

Thank you all... I hope this was in some way able to help others via the information you folks provided. I now have closed the bloody port. Too bad we are not all rich ($) as it would be very to someday have one of those 'Festival in the Desert' type deals with the people of this forum. http://www.afropop.org/multi/feature/ID/196 ... can you dig it?
  #19  
Old May 20th, 2004, 09:11 AM
swpnclr
 
Posts: n/a
Re: Closing Port 1025

With Sygate Personal Firewall 5.5:
Open the Advanced Options, click ADD, then go to PORTS AND PROTOCOLS and select TCP; two options now appear. In the LOCAL box type in 1025 and leave the Remote box clear; in the Traffic Direction box select Incoming. Click OK, then OK again...
Go to www.grc.com, do the Shields Up test on your computer, and then thank me... & you're welcome.
Carry on, soldiers.
Swp&Clr

Get Sygate Personal Firewall here: http://smb.sygate.com/free/default.php

P.S. If this has helped you, please reply and let me know, thanks...
Also please note that this port is prone to the Netsky worm, which is currently running itself all over the world. Don't believe me? See for yourself at the website of Trend Micro, http://housecall.trendmicro.com/, and check out their virus map of the world and which country is getting hit by what... due to the overwhelming number of people who have this port 1025 open they are susceptible to these worms and trojans.
I hope I have helped. Good luck~
  #20  
Old May 20th, 2004, 09:25 AM
gkweb
Expert Firewall Tester

Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,898
Re: Closing Port 1025

Hi,

On my comp the ports 135 and 1025 are opened by default, and by using WWDC
http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm

and by closing DCOM with the first choice on the popup, my port 1025 after a reboot is really closed.

However, as mentioned on the page, doing that will make the Scheduler service fail to start if you are on XP or higher.

On this page I even advise Port Explorer to people wanting a good port-to-process mapper.

regards,

gkweb.
__________________
Firewall tester : http://www.firewallleaktester.com/
Fan of OpenBSD 4.4 Secure Operating System
Fedora 10 64bits, MSI 975X Platinum PowerUp, Core2Duo E6700, 2Go RAM, NVIDIA Card, SATAII HDD
  #21  
Old July 7th, 2004, 01:10 PM
Kihei
 
Posts: n/a
Re: Closing Port 1025

Quote:
Originally Posted by gkweb
Hi,

On my comp the ports 135 and 1025 are opened by default, and by using WWDC
http://perso.wanadoo.fr/jugesoftware...r/eng/wwdc.htm

and by closing DCOM with the first choice on the popup, my port 1025 after a reboot is really closed.

However, as mentioned on the page, doing that will make the Scheduler service fail to start if you are on XP or higher.

On this page I even advise Port Explorer to people wanting a good port-to-process mapper.

regards,

gkweb.


thank you ,
Very Useful
  #22  
Old July 7th, 2004, 01:14 PM
Jooske
Incredibly Massive Poster

Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Closing Port 1025

Hello Kihei and welcome!
Did you find what you're looking for that fast? Great! That's what this forum is intended for, being educative and informative!
Does your Port Explorer show the wanted results now too?
__________________
Jooske
"o_o"
  #23  
Old July 27th, 2004, 03:22 AM
BlueStar50
Infrequent Poster

Join Date: Jul 2004
Posts: 15
Re: Closing Port 1025

Rainwalker, if you go to Steve Gibson's site at grc.com, also check out his freeware programs that plug up some things in XP: http://www.grc.com/freepopular.htm
  #24  
Old August 30th, 2004, 08:16 PM
Dazed_and_Confused
Very Frequent Poster

Join Date: Mar 2004
Location: USA
Posts: 1,827
Re: Closing Port 1025

Very interesting discussion.

By coincidence I also noticed just yesterday that ports 1025 and 135 are always open on my PC (TCP connection), opened by svchost.exe. So last night I used Port Explorer to do a little eavesdropping (using Socket Spy) on these two processes. I found them communicating with Microsoft (207.46.253.221 and 64.4.21.92).

It appears that at least one of these has to do with Automatic Microsoft Updates. Still not sure about the other yet. Really love Socket Spy.
__________________
Daisey

Sean Connery: "Scotch, straight up. Any Single Malt will do."
Tug McGraw: "Ninety percent I'll spend on good times, women and Irish Whiskey. The other ten percent I'll probably waste."
  #25  
Old August 30th, 2004, 11:59 PM
Tassie_Devils
Global Moderator

Join Date: May 2002
Location: State Queensland, Australia
Posts: 2,504
Re: Closing Port 1025

Daisey...

I recommend the little 50Kb app by gkweb; it really "closes" those ports tight.

I did a test using PE, and I had 6 instances of svchost running, one listening on 1025 ~ Local/Remote addys being my own system address.
[Of course I always do a Port Scan about once a fortnight to check, and always stealthed/closed at 4 sites I check with.]

Now, I had forgotten about gk's wwdc.exe [I had originally put it on my daughter's PC but forgot this one, DOH] so upon reading this thread got it and checked. I had 2 areas not **fully** closed. [Even though I had rules in Kerio on Ports 135-139 blocking, so safe on that score.]

So I executed them in WWDC.exe [had to do 2 reboots between the lot] and finally it read all secured. I then checked with the same apps I had open before, Firefox, security apps, and then checked with PE....

I now only have 3 instances of svchost.exe and not one of them on port 1025. Just like gk posted above.

The only other app on 1025 at the moment is my Kerio v4 Firewall, and that's only Local/Remote points of my own system address.

Try it.... You will probably have to do 2 reboots if a couple are not closed.

TAS
__________________
I'm feeling much better now since all the other people in my head and I, are working as a team!
 
