Closing Port 1025

Discussion in 'Port Explorer' started by Rainwalker, Aug 2, 2003.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Greetings,
After a number of days drowning in hesitation, some would say ignorance, I have decided to ask. Whenever I run the Steve Test for open ports I find that port 1025 is always open (XP Home). With Port Explorer I stop sending and receiving on the socket but it makes no difference. My FW does catch it so I'm thinking no big deal, but why is it open? If I Kill Process then my internet connection is blocked... Hmmmm, maybe I'm on to something here... it works for Blaze... wonder if he got the bugs out!!??
     
    Last edited by a moderator: Jul 19, 2004
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Rainwalker!

It's hard to answer your question with so little info. Ports 1025 and above are called "ephemeral ports", which means that the OS will use these as needed for transactions requiring a network connection. Usually, these are temporary and will increment for each transaction.

    If you could post the name of the process that holds this port, whether it is always that process (across several reboots), what the destination address is and the destination port; we could better answer your question/concern.

    Thanks,

    Dan
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Also, in addition to what Dan asked, could you explain what you mean by these statements: "...I find that port 1025 is always open." and "My FW does catch it so I'm thinking no big deal but why is it open."

    I'm asking because these seem to conflict if you mean that from an "external port scan" the port shows as open, but your firewall still catches it.

    However, if you mean that locally on your system that port is listening, but from the view of an external scan, your firewall is blocking - then you are okay.
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
...finally, is there any "pattern" in your internet usage concerning the scan?
E.g. do you browse to the online scan site first after establishing your connection to the internet? Always after a long time of surfing? Always after a long time of surfing and email queries? Sometimes early, sometimes late, without a pattern?

    TIA,
    Andreas
     
  5. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks for getting back
Dan: I am using a stand-alone home computer w/dial-up. After a few reboots the process remains svchost 712... Destination=0.0.0.0, listening, host
LowWaterMark: When the GRC scan checks for open ports it always shows 1025 to be open, and while the test is going on my FW asks for permission to let the probe in. I refuse and presume it blocks it.
Andreas: No pattern
Hope this helps, and again, when I use PE to end Receiving and Sending I expected GRC to not see the port. Other ports are as they should be.

    TIA
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Ah, okay, that makes sense. Generic Host Process for Win32 Services (aka. svchost.exe) will listen on one or more of the early ephemeral ports depending upon which of its various services you have enabled.

    Now, as to a firewall alerting the user of a connection attempt to a port that svchost is listening on, well that all depends upon the specific firewall and the rules that are set in it.

    My Windows XP system also has svchost.exe listening on TCP port 1025. However, I block svchost from having server rights, (that's just the terminology used in Zone Alarm that refers to allowing a program to receive unsolicited external connection attempts), so I don't get prompted when a connection is attempted on that port.

    You can probably just change your firewall rules or settings to prevent it from alerting and asking you about that. I don't know of any circumstance that I'd ever recommend that you allow such a connection, so why let it ask? It's just a bother at that point. If you want to tell us what firewall you are using, I'm sure someone can recommend the proper rule or setting.

    Edit: Oh, and regarding "killing the process" and having that break your Internet connection, on Windows XP most people find they must allow svchost.exe some access rights or they can't maintain a network connection. It varies some by specific services enabled in XP and by ISP connection methods, but, on XP killing svchost is very likely to terminate your network access. Svchost is a core part of Windows XP.
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Greetings LWM and thank you for your time. Helpful...
    Yes, I have been wanting to close the port o_O. Maybe someone will tell me how. I am running NIS 2003.
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
There was a tool around that could tell you what was the command line used to invoke this instance of svchost - this should give clues as to what service this is related to. Only I don't remember the tool (was it something of the Faber Toys? or DCS's APM?). Don't know, someone else will have to fill this in - the procedure would be to note the PID of the svchost process that possesses port 1025 and then use the tool to get info about this PID. (Probably there are several processes of svchost, this one being used to run all sorts of services.)

    HTHH,
    Andreas

    can't comment on NIS2003
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
The rc in PE at least can tell you what the process is and its full pathname, might give a clue?
     
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Jooske Andreas thanks for getting back
    PE/rc.....(rc)... :oops: o_O
As far as NIS, well I will not be holding my breath while waiting for a response as it seems that I very well may be the only one on this forum using it. :D

    TIA
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    PE - Port Explorer
    rc - right click (right mouse button click or mouse right button click)

In PE get to the process in question, right click on it, and in the menu there is the option to ask "what is ....(process name and PID)"; if you click on that (left mouse click) you get info on that process with the full pathname where the thing is located on your system; so you will see a thing is e.g. a LiveUpdate or a music player, whatever. Would be so nice if MS had been a bit more user friendly and given that name instead of the general svchost.exe for each of them.
    But so you can see it too in PE.
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi All,

The tool that Andreas mentioned, that was able to give command-line arguments of running processes, is DCS's APM, but I just brought it open on my machine to outline steps to take and, unfortunately, realized that you cannot distinguish (such as by PID) between the different instances of svchost running.

    It is probably a pretty simple addition to make to the program (but then I am no programmer :D )

    I'll post a feature request on the DCS forum and point to this thread.

    Regards,

    Dan

    BTW Rainwalker, I used a number of firewalls in the past but NIS was not one of them :doubt: ;) :D
     
  13. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi,
I have replied over at DCS as well, but here is another question:
I am quite sure that it was possible to do that in either FaberToys or Sysinternals' Process Explorer as well - with PIDs. Could anyone running Windows and having these at hand check it out?
    (Running in linux now and not rebooting so soon... :D)

    CU,
    Andreas
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Andreas, in PE if I have process PID 868 SVCHOST listening on 1025, right clicking & selecting "What svchost.exe is" gives me the path etc.

In Faber Toys - Dependencies (PID 868) - shows me that 133 modules are loaded by svchost. Selecting Properties (PID 868) shows me 4 imported modules and the associated 13 imported functions.

In PE the *System - PID 4 processes, which are the local machine and my LAN, do not have the "What is (System)" function, i.e. it is greyed out as it is, as said, your own "System".
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  16. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Thanks a lot Dan,

to recap then:
If you're in doubt about a connection or open port,
1. Use DCS's PortExplorer to get the process that this is related to.
2. (Supposing the process is the catch-all svchost.exe:) Note the PID of the process.
3. Examine the instance of svchost.exe that has the correct PID in Sysinternals' ProcessExplorer to find out the command line parameters that this instance was launched with.
4. Try to imagine what service could be related to those parameters - or search for the complete command line in Google.
5. Make up your mind if you should disable the service.

If you decide it should be disabled (and do so via your OS configuration):
6. Since sometimes M$ updates and apps re-activate services, check from time to time to see if it still is disabled.
7. Consider adding a rule in your firewall to block traffic for the corresponding port (see DCS's PE).

    ...and with 7. we're back with the open question:
    How to achieve this in NIS 2003?

    I've no idea about this, however...
    HTHH so far,
    Andreas
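Steps 1 to 3 of the recap (port, then PID, then what that svchost instance actually runs) can be done without Port Explorer or Process Explorer by reading two stock Windows commands, `netstat -ano` and `tasklist /svc`. The script below is an added example written for this thread; it is not code from the forum, from Port Explorer or from DCS. The command output it parses is embedded as constructed sample text (the PIDs 712, 868 and 1120 and the service names are made up to mirror the numbers quoted in the thread), so it runs offline; for a live check, pass in the real output of those two commands instead.

```python
"""Map a listening port to its owning process and, for svchost.exe, to the
Windows services hosted in that instance (steps 1-3 of the recap above).

Added example, not from the thread or from Port Explorer. It parses the text
output of two stock Windows commands, `netstat -ano` and `tasklist /svc`, which
are embedded below as CONSTRUCTED samples (PIDs and services are made up) so
the script runs offline; for a live check pass in the real command output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output: Proto, Local, Foreign, State (TCP only), PID.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       712
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.5:1031       207.46.253.221:80      ESTABLISHED     712
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` output. Long service lists wrap onto continuation
# lines that start with whitespace (see PID 712).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    868 RpcSs
svchost.exe                    712 Schedule, wuauserv,
                                   BITS
svchost.exe                   1120 Dnscache
"""

@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str  # empty for UDP, which has no State column
    pid: int

    @property
    def network_reachable(self) -> bool:
        """Bound to a non-loopback address, so an outside scan can reach it
        unless the firewall drops unsolicited inbound traffic to the port."""
        return self.local_ip not in ("127.0.0.1", "::1")

def parse_netstat(text: str) -> List[Socket]:
    """Every TCP/UDP endpoint in `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, _remote, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":
            proto, local, _remote, pid = fields
            state = ""
        else:
            continue  # header and blank lines
        ip, _, port = local.rpartition(":")  # rpartition also copes with [::]:135
        sockets.append(Socket(proto, ip.strip("[]"), int(port), state, int(pid)))
    return sockets

def _services(cell: str) -> List[str]:
    return [s.strip() for s in cell.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """{pid: (image_name, [services])} from `tasklist /svc` output."""
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last_pid is not None:
            procs[last_pid][1].extend(_services(line))  # wrapped service list
            continue
        m = row.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1), _services(m.group(3)))
    return procs

def explain_port(port, netstat_text, tasklist_text, listening_only=True):
    """port -> PID -> image name and the services that PID hosts."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if s.local_port != port or (listening_only and s.state not in ("", "LISTENING")):
            continue
        image, services = procs.get(s.pid, ("<not in tasklist>", []))
        hits.append({"proto": s.proto, "pid": s.pid, "image": image,
                     "services": services, "network_reachable": s.network_reachable})
    return hits

if __name__ == "__main__":
    for port in (135, 1025, 1026):
        print(port, explain_port(port, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

Two points the thread circles around are visible in the result. First, `tasklist /svc` resolves the "which svchost is it" problem Dan hit with APM: it lists the services running inside each PID, so the 1025 listener comes back as the instance hosting (in the constructed sample) Schedule, wuauserv and BITS, which is the same service group a `-k netsvcs` command line would point at in Process Explorer. Second, the `network_reachable` flag separates LowWaterMark's two cases: a socket on 0.0.0.0 is what an outside scan can reach unless the firewall blocks it, while one on 127.0.0.1 is loopback only. One caveat for Rainwalker's setup: `tasklist.exe` ships with XP Professional and later, not with XP Home, so on Home the PID still has to be resolved with Port Explorer or Process Explorer as described above.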
     
  17. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Rainwalker

    You are not alone, although I am not running it at this time.
    If you are being prompted for unsolicited inbound connections, check under custom security settings and make sure "Alert when unused ports are accessed" is not selected.

    http://www.gpick.com/agnisrules/pages/settings/settings_pg2.html

    The above link refers to that setting in particular, you may find other useful information for NIS on the rest of the site.

    Regards,

    CrazyM
     
  18. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
Thank you all.... I hope this was in some way able to help others via the information you folks provided. I now have closed the bloody port :D. Too bad we are not all rich ($) as it would be very :cool: to someday have one of those 'Festival in the Desert' type deals with the people of this forum. http://www.afropop.org/multi/feature/ID/196 ..... can you dig it ' ;) :D
     
  19. swpnclr

    swpnclr Guest

    With Sygate Personal Firewall 5.5,
Open the Advanced Options, click ADD, then go to PORTS AND PROTOCOLS, select TCP; two options now appear. In the LOCAL box type in 1025 and leave the Remote box clear; in the Traffic Direction box select Incoming. Click OK, then OK again...
go to www.grc.com, do the Shields Up test on your computer, and then thank me... & you're welcome.
    carry on soldiers
    Swp&Clr

    get sygate personal firewall here, http://smb.sygate.com/free/default.php

    P.S. if this has helped you, please reply and let me know, thanks...
also please note: this port is prone to the Netsky worm, that is currently running itself all over the world. Don't believe me? See for yourself at the website of Trend Micro, http://housecall.trendmicro.com/ and check out their virus map of the world and which country is getting hit by what... due to the overwhelming amount of people who have this port 1025 open they are susceptible to these worms and trojans.
    i hope i have helped. good luck~
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    on my comp the ports 135 and 1025 are opened by default, and by using WWDC
    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

    and by closing DCOM with the first choice on the popup, my port 1025 after a reboot is really closed.

However, as mentioned on the page, doing that will make the Scheduler service fail to start if you are on XP or higher.

On this page I even advise Port Explorer to people wanting a good port-to-process mapper ;)

    regards,

    gkweb.
     
  21. Kihei

    Kihei Guest


    thank you ,
    :) Very Useful
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Kihei and welcome!
    Did you find what you're looking for that fast? great! that's what this forum is intended for, being educative and informative!
    Does your Port Explorer show the wanted results now too?
     
  23. BlueStar50

    BlueStar50 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Very interesting discussion. :)

    By coincidence I also noticed just yesterday that ports 1025 and 135 are always open on my PC (TCP connection), opened by svchost.exe. So last night I used Port Explorer to do a little eavesdropping (using Socket Spy) on these two processes. I found them communicating with Microsoft (207.46.253.221 and 64.4.21.92).

    It appears that at least one of these has to do with Automatic Microsoft Updates. Still not sure about the other yet. Really love Socket Spy. :D
     
  25. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Daisey...

    I recommend the little 50Kb app by gkweb, it really "closes" those ports tight.

I did a test using PE, and I had 6 instances of svchost running, one listening on 1025 ~ Local/Remote addresses being my own system address.
    [Of course I always do a Port Scan about once a fortnight to check, and always stealthed/closed at 4 sites I check with].

    Now, I had forgotten about gk's wwdc.exe [I had originally put it on my daughter's PC but forget this one, DOH] so upon reading this thread got it and checked. I had 2 areas, not **fully** closed. [even though I had rules in Kerio on Ports 135-139 blocking, so safe on that score]

    So I executed them in WWDC.exe [had to do 2 reboots between the lot] and finally it read all secured. I then checked with the same apps I had open before, Firefox, security apps, and then checked with PE....

I now only have 3 instances of svchost.exe and not one of them on port 1025. :) Just like gk posted above. ;)

    The only other app on 1025 at the moment is my Kerio v4 Firewall, and that's only Local/Remote points of my own system address.

Try it.... :D You will probably have to do 2 reboots if a couple are not closed.

    TAS
     

Attached Files: 070.GIF (23.9 KB)