Generic host program?

Discussion in 'other firewalls' started by SonyaM32, May 27, 2005.

Thread Status:
Not open for further replies.
  1. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    Only for the last few days, this has started popping up when I restart my computer, and sometimes while it's running. I want to know why it is all of a sudden coming up now? Can anyone tell me if I should allow it? And what is it?
    Thanks
     

  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Have you made any recent changes to your system (updates, applications)?

    You can block this from accessing the Internet and block Internet server. You can allow for the trusted zone or leave to prompt.

    Regards,

    CrazyM
     
  3. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    The only changes I can remember making within the last few months are installing PaintShop, PhotoShop, and Picasa. The first two were installed almost a month ago, and this generic host has only been popping up for the last few days.
    I don't remember any applications or updates, unless they are automatic.
    So it is not important that I allow it? If not I will block it.
    Thank you!
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Port 135 is Microsoft's DCE Locator service, a.k.a. end-point mapper. Can you access your firewall's "listening state"? In Kerio, it's showing svchost listening on port 135, a.k.a. epmap (endpoint mapper). It's also what RPC/DCOM listens on. It was also used for NETBIOS.

    That alert box doesn't give much information - what shows when you click Properties? Is there a remote IP address? Protocol? (TCP or UDP) What does your log show?

    What is suspicious is the "acting as server" notification. Trojans will install a backdoor server to try and connect out TCP. For instance, it was the port used by W32/Blaster.

    Without more info (and not knowing ZA) I would post to your ZA forum for more analysis. Or post to

    http://www.dslreports.com/forum/security,1

    Port 135 is certainly not a port to permit access in or out without knowing what's going on.

    regards,

    -rich
     
  5. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    Here is what shows when I click properties. If you want me to click one of the other tabs, let me know.
     

  6. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    here is the version tab
     

  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That's the properties of svchost.

    I guess your alert box doesn't provide additional information. Please post this question to the DSL Security forum - the link I put in my post. Some ZA users over there can direct you further.

    regards,

    -rich
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I just noticed the "more info" box - did you check that?

    regards,

    -rich
     
  9. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    Yes, I just tried it, and it will not do anything. In other words, I click it, and it just sits there, no info comes up.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, ZA is doing its job with the alert. I would deny it until you get more info.

    Does ZA have a forum? If not, post to the DSL forum.

    Hope you get it sorted out!

    Post back when you do - it's a curious situation...

    regards,

    -rich
     
  11. SonyaM32

    SonyaM32 Registered Member

    Joined:
    Dec 23, 2004
    Posts:
    718
    I will Rmus, Thank you!!
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It is quite normal on NT based systems to see svchost.exe listening on TCP port 135. The fact it is establishing a listening connection is why ZA indicated it is trying to "act as a server".

    DCE endpoint resolution (epmap) is something that should be blocked from/to the Internet. So block Internet and block Internet Server.

    As I noted above you can allow this for the trusted/local zone, leave it to prompt or block. If you choose to block it in the trusted/local zone just watch things for a while in the event something does not work as expected that may require it.

    Regards,

    CrazyM
     

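    The triage that CrazyM and Rmus walk through above (is the port 135 listener svchost hosting the RPC service, and is anything from outside the local zone connected to it?) can be done from the text output of `netstat -ano` and `tasklist /svc`. The script below is an added example written for this page; it is not code from the thread, from ZoneAlarm or from Kerio. It assumes the standard Windows column layout of those two commands, treats RFC 1918, loopback and link-local ranges as the "trusted zone" the way ZA's zones do, and the process names, PIDs and addresses in the embedded sample are constructed to exercise every verdict (including an unexpected second listener that a real host would not normally show).

```python
"""Triage a firewall alert on port 135 (epmap, the RPC endpoint mapper) from the text
output of `netstat -ano` and `tasklist /svc` on Windows, the way the thread advises."""
import ipaddress
import re
from collections import namedtuple

EPMAP_PORT = 135
# Trusted/local zone ranges; anything else counts as "Internet". Listed explicitly
# because ipaddress.is_private would also match documentation ranges like 203.0.113.0/24.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

Socket = namedtuple("Socket", "proto local_addr local_port remote_addr remote_port state pid")
Finding = namedtuple("Finding", "pid image services sock verdict")


def _split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse the connection table printed by `netstat -ano`."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP":
            proto, local, remote, state, pid = f
        else:                      # UDP rows have no State column
            proto, local, remote, pid = f
            state = "-"
        lh, lp = _split_endpoint(local)
        rh, rp = _split_endpoint(remote)
        sockets.append(Socket(proto, lh, lp, rh, rp, state, int(pid)))
    return sockets


def parse_tasklist(text):
    """Parse `tasklist /svc` into {pid: (image name, [hosted services])}."""
    row = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.+)$")
    procs = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:                  # header and separator rows carry no PID
            continue
        svcs = m.group("svcs").strip()
        procs[int(m.group("pid"))] = (
            m.group("image"), [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")])
    return procs


def is_local_zone(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:             # "*" or a hostname: not a known local address
        return False
    return any(ip in net for net in LOCAL_NETS)


def triage(netstat_text, tasklist_text, port=EPMAP_PORT):
    """Classify every socket on `port`: expected listener, trusted peer, Internet peer."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        if s.local_port != port:
            continue
        image, svcs = procs.get(s.pid, ("<unknown>", []))
        hosts_rpcss = image.lower() == "svchost.exe" and "RpcSs" in svcs
        if s.state == "ESTABLISHED":
            verdict = ("trusted-zone peer connected" if is_local_zone(s.remote_addr)
                       else "Internet peer connected: block 'Internet server' for this program")
        elif hosts_rpcss:
            verdict = "expected: RPC endpoint mapper (svchost.exe hosting RpcSs)"
        else:
            verdict = "suspicious: unexpected process bound to the epmap port"
        findings.append(Finding(s.pid, image, svcs, s, verdict))
    return findings


# Constructed sample output (not captured from a real host); it exercises every verdict.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.10:135       192.168.1.22:3471      ESTABLISHED     1012
  TCP    192.168.1.10:135       203.0.113.45:60022     ESTABLISHED     1012
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       2244
  UDP    0.0.0.0:135            *:*                                    1012
"""
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1012 RpcSs
svchost.exe                   1064 AudioSrv, Browser, Dhcp, EventSystem
weird.exe                     2244 N/A
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f.sock.proto} {f.sock.local_addr}:{f.sock.local_port} <- {f.sock.remote_addr} "
              f"[{f.sock.state}] pid {f.pid} {f.image} {f.services or '-'}: {f.verdict}")
```

    On a real machine, pipe the two commands' output into `triage()` instead of the samples. A listener on 0.0.0.0:135 owned by the svchost.exe that hosts RpcSs is the normal NT-family state CrazyM describes; the firewall rule ("block Internet / block Internet server", allow or prompt for the trusted zone) is what keeps that all-interfaces listener from being reachable from outside, which is exactly the verdict the script prints for a non-local peer.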
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, I see it on both my Win2k and WinXP systems.

    Thanks for clarifying the "act as server" message - it was confusing because that doesn't appear in my Kerio listening state window - it just indicates that svchost is listening on Port 135-epmap.

    Why would Sonya just now be seeing that alert?

    -rich
     
  14. StevieO

    StevieO Guest
