Firewall Blackjack request on port 1025

Discussion in 'other firewalls' started by Fraha, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi all!

    My firewall (Norman) keeps asking for internet access for port 1025 for svchost.exe.

    I can't determine which service this is. It tells me 'system', that's all.
    But it keeps wanting to connect to another IP address.

    TDS cannot find anything wrong; I can only see it's there in Port Explorer (great proggie!)

    What can I do?

    Frans
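    The question in this post, which service the svchost.exe that owns port 1025 is actually hosting, can be answered by joining the output of two stock Windows commands: `netstat -ano` (local port to PID) and `tasklist /svc` (PID to image name and hosted services; both ship with Windows XP Professional and later). The following is an added example and not code from the thread or from any tool mentioned in it. The netstat and tasklist output it parses is constructed in those commands' layout; the PIDs, addresses and the choice to let PID 1100 host winmgmt (the WMI service mentioned later in the thread) are assumptions made for the example, not findings.

```python
"""Join `netstat -ano` with `tasklist /svc` to see who owns a local port."""
import re

# Constructed `netstat -ano` sample (layout only; PIDs and addresses assumed).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1100
  TCP    192.168.1.10:1025      200.171.128.150:4522   ESTABLISHED     1100
  TCP    192.168.1.10:3421      207.46.244.186:80      ESTABLISHED     2048
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /svc` sample. Long service lists wrap onto indented
# continuation lines, which the parser stitches back onto the owning PID.
TASKLIST_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    896 RpcSs
svchost.exe                   1100 AudioSrv, BITS, Browser, EventSystem,
                                   helpsvc, lanmanserver, lanmanworkstation,
                                   Schedule, SENS, ShellHWDetection, winmgmt
iexplore.exe                  2048 N/A
"""


def parse_netstat(text):
    """Return one dict per socket row of `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, banner or column header
        if len(parts) == 5:            # TCP rows carry a State column
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:          # UDP rows do not
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        local_ip, local_port = local.rsplit(":", 1)
        sockets.append({"proto": proto, "local_ip": local_ip,
                        "local_port": int(local_port), "remote": remote,
                        "state": state, "pid": int(pid)})
    return sockets


def _split_services(field):
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: {"image": name, "services": [names]}} from `tasklist /svc`."""
    procs, current, in_table = {}, None, False
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")   # separator row ends the header
            continue
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            current["services"].extend(_split_services(line))  # wrapped row
            continue
        m = row.match(line)
        if m:
            current = {"image": m.group(1),
                       "services": _split_services(m.group(3))}
            procs[int(m.group(2))] = current
    return procs


def who_owns_port(port, netstat_text, tasklist_text, proto="TCP"):
    """For every socket on `port`, attach the owning image and service list."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for s in parse_netstat(netstat_text):
        if s["proto"] == proto and s["local_port"] == port:
            p = procs.get(s["pid"], {"image": "?", "services": []})
            hits.append({**s, "image": p["image"], "services": p["services"]})
    return hits


if __name__ == "__main__":
    for h in who_owns_port(1025, NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        svc = ", ".join(h["services"]) or "-"
        print(f"{h['proto']} :{h['local_port']} {h['state']:<12} "
              f"{h['remote']:<22} pid={h['pid']} {h['image']} [{svc}]")
```

    On a live machine, pipe the real command output into the two parsers instead of the constructed strings. A svchost.exe that hosts a dozen services (as the sample PID 1100 does) still only tells you the candidate set; the service that actually opened the socket has to be narrowed down by stopping services one at a time or with a tool that shows the owning DLL, which is what the later posts in this thread end up doing.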
     
  2. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Here's my HijackThis log. Can somebody check this for me? I think I saw a switchpoint entry at the end!

    Logfile of HijackThis v1.97.7
    Scan saved at 15:22:33, on 19-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    H:\ftp\security\regprot\regprot\regprot.exe
    C:\Weather Watcher\ww.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\ProcessGuard\dcsuserprot.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\ProcessGuard\procguard.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\United Devices\UD.EXE
    C:\Program Files\United Devices\ud_6800466.exe
    C:\Program Files\United Devices\ud_6800466_0.dir\ud_ligfit_Release.exe
    C:\Norman\Nvc\BIN\Zlh.exe
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nos.nl/nieuws/nieuws/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
    O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
    O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
    O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    O4 - Global Startup: ID-Blaster Plus.lnk = C:\Program Files\ID-Blaster Plus\idblasterplus.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NPF Messenger.lnk = ?
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ANWB (HKLM)
    O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: www.anwb.nl
    O15 - Trusted Zone: http://www.devolkskrant.nl
    O15 - Trusted Zone: http://groups.msn.com
    O15 - Trusted Zone: http://www.nosnieuws.nl
    O15 - Trusted Zone: nl.sitestat.com
    O15 - Trusted Zone: www.tspeedtest.nl
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
    O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - http://gemal.dk/browserspy/capicom.dll
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37645.3993171296
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fraha.instantlogic.com/XUpload.ocx
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F630A6F3-F89E-4374-99CC-28A8AA003208} - http://sls.switchpoint.com/Connect/switchpoint/5.1/Starter.cab

    Greetings and regards

    Frans
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Which IP number is it asking to connect to?

    Most outgoing svchost "system" connections are legitimate, but if we have the IP number we can check.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  5. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    The IP numbers are here and are from all over the globe. I've seen Brazil, Japan and others!

    151.200.246.190
    194.236.144.79
    195.186.215.213
    195.96.66.214
    200.149.245.176
    200.164.83.44
    200.171.128.150
    200.171.132.166
    207.46.244.186
    208.163.33.71
    213.98.154.16
    61.146.10.65
    61.95.246.214
    81.214.167.159
    82.185.121.194
    194.109.104.104

    Enjoy! ;-)

    Frans
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Providing it's outgoing I let it go, but I have all incoming blocked so I don't get bothered with alerts. I use Kerio as I find it more configurable for me.

    No doubt one of the firewall experts will be able to advise better
     
  7. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    OK, thanks for the reply,

    I'll wait for other reactions then.

    Regards

    Frans
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Frans

    Can you provide any more detail on the type of communication from your logs? (Protocol, direction, source port, destination port, destination IP - complete log entries would help, just xxx out your public IP)

    Regards,

    CrazyM
     
  9. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Thanks for all the responses. It seems solved for now. If this returns I'll be back!

    Frans
     
  10. asad

    asad Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Hi Guys,

    I am having the same problems. Svchost.exe accepts connections from different IPs. Every time I run TCPView, I see port 1025 is connected to some IP, either on my cable network or some from the internet... different countries.

    I tried all sorts of tricks, reading packets, watching the port etc... I don't know what's happening there... I can block the port but I am more curious to know what's happening on there.


    Looking forward to some help.

    [edit] -> it's a TCP connection and the connected IP is different every time

    Thanks,
    as
     
  11. The_ALL

    The_ALL Guest

  12. asad

    asad Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Hi,

    Well, I kept investigating the port 1025 connection. And I found a remote computer connects to my PC using WBEM, and it creates some files under C:\WINDOWS\System32\WBEM\Repository\FS

    So WIM or WBEM can be the source of a big exploit... as WIM gives the entire details of the workstation along with remote control...

    Investigating further on it......


    Regards,
     
  13. The_ALL

    The_ALL Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    1
    Location:
    Italy Venice
    I want to understand what you want to know about port 1025.

    As I posted, the link explains how a network behind a router, modem or proxy works.
    If NAT is active or you have a server browser, the ports from 1025 to 5000 must be open; if these ports are not open, external client computers are not able to access the Web sites or other applications you run.

    If you want more security, restrict incoming traffic on your firewall by Internet Protocol (IP) address instead of by port. For example, create a filter that only allows traffic from the proxy server through the perimeter network's internal firewall, on any port in the 1025 to 5000 range, so this filter allows incoming traffic on any port that has a source address that matches the proxy server's address, and blocks all other traffic.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you running a firewall?

    Could you provide full details of the connections: protocol, source and destination IP/ports. Just xxx out your public IP.

    Regards,

    CrazyM
     
  15. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Which OS and services are you running?

    WIM? Did you mean WMI - Windows Management Instrumentation
    WBEM - Web Based Enterprise Management

    Regards,

    CrazyM
     
  16. asad

    asad Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    I am running Windows XP Professional.

    Protocol: TCP
    Port: 1025

    IP: changes every time

    I have ZoneAlarm as a personal firewall but it doesn't detect it.


    SVCHOST.exe accepts connections on port 1025. I am not behind any firewall and I use DSL here. There could be many instances of svchost.exe because it is used by the OS for internet connections etc.



    >>WIM? Did you mean WMI - Windows Management Instrumentation
    >>WBEM - Web Based Enterprise Management

    Yes, this is what I saw in File Monitor. I downloaded a file system monitor from Sysinternals and ran it. I found the svchost.exe which has accepted the connection on 1025 is reading and writing files in C:\WINDOWS\System32\WBEM\Repository\FS

    One file which was written on every session grew to 5 MB+; the file is OBJECTS.DATA.

    Now I have disabled the WIM service from services.msc and I don't see any such connection on 1025.

    It seems to be resolved but I am still curious to know what was happening there... if I hadn't stopped it, what would have been possible... etc.

    But I guess it's a good starting point to further investigate this port 1025 thingy...

    Believe me, WIM and WBEM can be used to do anything on a remote system, as far as I know.

    cheers,
    A
     
  17. jimknock

    jimknock Guest

    I see about the same thing, and it started recently, within the last week or so.
    I see protocols 1025, 1026, and 1027; also associated are 3127 and 6129.
    I use Zone Alarm Pro on my own machine, so I just blocked the three lower ports.
    I harvested the following list from the Kiwi Syslog daemon that I have logging traffic through my Linksys gateway router.

    The 68.94.xxx.xxx are within Cox.net, my cable provider.

    Jim

    68.208.82.194 4522 <my internet ip> 1025
    205.30.41.202 24937 <my internet ip> 1027
    205.141.54.10 11404 <my internet ip> 1026
    68.146.66.254 4056 <my internet ip> 1025
    68.146.66.2 1741 <my internet ip> 1025
    68.20.18.127 3919 <my internet ip> 1025
    68.94.201.135 4759 <my internet ip> 3127
    68.94.201.135 4760 <my internet ip> 6129
    68.94.201.135 4759 <my internet ip> 3127
    68.94.201.135 4760 <my internet ip> 6129
    68.94.201.135 4641 <my internet ip> 1025
    68.88.184.171 3621 <my internet ip> 1025
    68.4.238.220 2525 <my internet ip> 1025
    68.17.31.34 4862 <my internet ip> 1025
    68.4.225.56 4028 <my internet ip> 1025
    68.92.89.53 1277 <my internet ip> 1025
    68.163.58.24 4227 <my internet ip> 1025
    68.125.34.31 3717 <my internet ip> 1025
    68.92.154.200 4280 <my internet ip> 1025
    68.21.1.24 4189 <my internet ip> 2745
    68.21.1.24 4191 <my internet ip> 1025
    68.21.1.24 4196 <my internet ip> 3127
    68.21.1.24 4197 <my internet ip> 6129
    68.21.1.24 4196 <my internet ip> 3127
    68.21.1.24 4191 <my internet ip> 1025
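    CrazyM asks twice in this thread for complete entries (protocol, direction, source and destination address and port) rather than a bare port number, and Jim's list shows why: laid out per source, the same few addresses touch 1025 together with 2745, 3127 and 6129, while most others hit a single port once. The script below is an added example, not code from the thread or from Kiwi Syslog; it parses a subset of the lines Jim posted (his public IP already masked as `<my internet ip>`), then groups them by destination port and by source so that a multi-port source and repeated attempts from the same source port stand out. The `PORT_NOTES` table is the editor's background annotation of what those ports were commonly associated with in 2004, not something the thread establishes, and it is not used in any verdict.

```python
"""Summarise "src sport dst dport" firewall/router log lines by port and source."""
import re
from collections import defaultdict

# Subset of the lines posted above, in the same layout (constructed input).
SAMPLE_LOG = """\
68.208.82.194 4522 <my internet ip> 1025
205.30.41.202 24937 <my internet ip> 1027
68.94.201.135 4759 <my internet ip> 3127
68.94.201.135 4760 <my internet ip> 6129
68.94.201.135 4759 <my internet ip> 3127
68.94.201.135 4641 <my internet ip> 1025
68.4.238.220 2525 <my internet ip> 1025
68.21.1.24 4189 <my internet ip> 2745
68.21.1.24 4191 <my internet ip> 1025
68.21.1.24 4196 <my internet ip> 3127
68.21.1.24 4197 <my internet ip> 6129
68.21.1.24 4196 <my internet ip> 3127
"""

# Editor's annotations (not from the thread): common 2004-era associations.
PORT_NOTES = {
    1025: "first dynamic RPC port on Windows 2000/XP",
    2745: "Bagle worm backdoor",
    3127: "MyDoom worm backdoor",
    6129: "DameWare Mini Remote Control",
}

# dst is lazy because the masked address "<my internet ip>" contains spaces.
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s+(\d+)\s*$")


def parse_entries(text):
    """Return (src, sport, dst, dport) tuples; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            entries.append((src, int(sport), dst, int(dport)))
    return entries


def summarize(entries):
    """Group by destination port and by source; flag multi-port sources."""
    by_port = defaultdict(set)   # dport -> {src}
    by_src = defaultdict(set)    # src -> {dport}
    retries = defaultdict(int)   # (src, sport, dport) seen again: a retry
    seen = set()
    for src, sport, _dst, dport in entries:
        by_port[dport].add(src)
        by_src[src].add(dport)
        key = (src, sport, dport)
        if key in seen:
            retries[key] += 1
        seen.add(key)
    return {
        "sources_per_port": {p: len(s) for p, s in by_port.items()},
        "sweepers": {s: sorted(p) for s, p in by_src.items() if len(p) > 1},
        "retries": dict(retries),
    }


def report(text):
    """Human-readable summary lines (what __main__ prints)."""
    summary = summarize(parse_entries(text))
    lines = []
    for port, n in sorted(summary["sources_per_port"].items()):
        lines.append(f"port {port:<5} distinct sources={n:<3} "
                     f"{PORT_NOTES.get(port, '')}")
    for src, ports in summary["sweepers"].items():
        lines.append(f"{src} hit several ports: {ports}")
    for (src, sport, dport), n in summary["retries"].items():
        lines.append(f"{src}:{sport} -> {dport} repeated {n} extra time(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Feed it a longer export and the per-source view is the useful one: a source that walks 1025, 2745, 3127 and 6129 in quick succession is behaving differently from the single 1025 hits, and that difference is what to put in front of whoever you ask for help, along with the direction and state of each connection.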
     
  18. asad

    asad Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    4
    Hi,

    As I mentioned in my last post, svchost.exe on port 1025 lets a remote computer access through WBEM or WIM.

    But I lately found it doesn't use WBEM or WIM all the time. This time it was using \WINDOWS\system32\modemui.dll

    I am really serious now and more curious to know what it does.

    As jim@knock.com just mentioned, it could be a trojan. So it makes our concerns more serious.

    Guys, let's find the exact reason with a solution.

    Regards,
    Abdul
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You mention "I have zone alarm as personal firewall but it doesnt detect", then say "I am not behind any firewall and i use dsl here".

    Are you currently running a firewall or not?
    Are you currently running any proxy or other web filtering utilities?

    You mention protocol TCP and port 1025, but in order to clarify what type of connections may be happening we need more details. Are these in fact remote systems connecting to your system, or connections initiated by your system? Protocol, direction, local address (xxx out your public IP), local port, remote address, remote port.

    Edit: svchost.exe may need some outbound access, but you should not be allowing unsolicited inbound connections.

    Regards,

    CrazyM
     
    Last edited: May 2, 2004