Port Explorer show process name as just "SYSTEM"

Discussion in 'Port Explorer' started by Eric Rizzo, Oct 28, 2003.

Thread Status:
Not open for further replies.
  1. Eric Rizzo

    Eric Rizzo Guest

    Port Explorer is showing ports open to remote mail servers, which is obviously some kind of trojan sending out email. Problem is, it shows the process name as "SYSTEM" (yes, all capitals, no extension).
    How can I tell what is opening these ports?

    TIA,
    Eric
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Hi Eric,

    Are you sure that it is a Trojan? Have you scanned for it with either a good anti-virus or an Anti-Trojan product?

    In any case, what can you tell us about your setup? What version of Windows are you running? Can you post a screen image of what Port Explorer is showing? Are these connection(s) always there or only for a short time?

    On my Windows 9x system, there are valid port entries listed under SYSTEM (see image below, which also includes a closing connection to my own SMTP server, though this one is not under SYSTEM but under my email client, since it is known to PE).

    Any extra information you can provide might be helpful in figuring this out.
     

    Attached Files:

  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Definitely hit File > Save Table and email it to support@diamondcs.com.au :)
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Hi
    A friend of mine reported strange things in his PC, so we d/lled Port Explorer to see if anything is connected:
    There were 2 processes with the name SYSTEM; one had PID 0 and the second SYSTEM had PID 4....
    I scanned his system with everything I have: all scans have been clear... Next I'll try the AVP command-line scanner when I get away from work.
    His Sygate Pro does not see the port(s) that the SYSTEM process(es) is keeping open; the Connection Details tab in SPF only showed 3 open ports, while PE showed 6...

    Hmm, what do you think is going on here?
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Well, it could be a lot of things... What version of Windows is it? What ports are being shown on those processes? Can you paste some output from PE, netstat -an, etc?
     
  6. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    XP Home

    PE table:
    ---------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    ---------------------------------------------------------------------------------------------------------------------------------------------------
    | SYSTEM | --- | 4 | TCP | localhost | 1026 | localhost | 0 | LISTENING | --- | --- |
    | lsass.exe | 22:51 29/10/2003 | 600 | UDP | localhost | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 22:50 29/10/2003 | 760 | TCP | localhost | 135 | localhost | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 22:51 29/10/2003 | 784 | TCP | localhost | 1025 | localhost | 0 | LISTENING | 0/0 | 0/0 |
    | smc.exe | 22:51 29/10/2003 | 876 | UDP | localhost | 1027 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | mozilla.exe | 22:58 29/10/2003 | 1744 | TCP | localhost | 1029 | localhost | 1028 | ESTABLISHED | 0/0 | 746/938 |
    | mozilla.exe | 22:58 29/10/2003 | 1744 | TCP | localhost | 1028 | localhost | 1029 | ESTABLISHED | 938/938 | 0/0 |
    | mozilla.exe | --- | 1744 | TCP | localhost | 1028 | localhost | 0 | LISTENING | --- | --- |
    | mozilla.exe | --- | 1744 | TCP | localhost | 1029 | localhost | 0 | LISTENING | --- | --- |
    ---------------------------------------------------------------------------------------------------------------------------------------------------


    Only one SYSTEM process now... his Sygate firewall crashes constantly and has to be restarted.

    Sygate shows these:
     

    Attached Files:

    • spf.jpg
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Another table, this time it shows:
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    | SYSTEM | --- | 0 | TCP | ************** | 1155 | 217.160.106.55 | 80 | TIME_WAIT | --- | --- |
    | SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1026 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | lsass.exe | 22:51 29/10/2003 | 600 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 22:50 29/10/2003 | 760 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 22:51 29/10/2003 | 784 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | smc.exe | 23:30 29/10/2003 | 1380 | UDP | 0.0.0.0 | 1086 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | mozilla.exe | 22:58 29/10/2003 | 1744 | TCP | 127.0.0.1 | 1029 | 127.0.0.1 | 1028 | ESTABLISHED | 0/0 | 1882/2295 |
    | mozilla.exe | 22:58 29/10/2003 | 1744 | TCP | 127.0.0.1 | 1028 | 127.0.0.1 | 1029 | ESTABLISHED | 2295/2295 | 0/0 |
    | mozilla.exe | --- | 1744 | TCP | 127.0.0.1 | 1028 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | mozilla.exe | --- | 1744 | TCP | 0.0.0.0 | 1029 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    217.160.106.55
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    On XP, you can get the open port status and port to process mapping direct "from the horse's mouth" (Windows itself) by using "netstat -ano" in a CMD window. (The little "o" (oh) on the netstat command adds the PID column to the netstat output.) You should also do that and compare between the different outputs to help figure out what's what.

    Here's an image of the first PE output as I find it easier to read this way...
     

    Attached Files:

  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    From your second PE listing, the TIME_WAIT is simply waiting as a connection to the web server at 217.160.106.55 times out. I often see such things (on PID 0) if I close the program that had the connection. ("netstat -ano" will show exactly that.)

    I use IE6 on XP Home and if I just close it, any TIME_WAITs simply end up showing as if they are from SYSTEM (PID 0) until they expire. The key question is, do you know what that address, 217.160.106.55, is? If so, it is probably nothing. If not, you need to catch the connection there to see what's doing it and from what program.

    Anything in any of the firewall logs related to that IP address? (From any point in time, when the firewall has not crashed?)
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Oh, and on my XP Home system I also have SYSTEM, PID:4 listening on port 1026. It's a normal port usage based upon Windows XP functions and specific system (services) configuration. (The PIDs of the two other ports open in the NETSTAT image below are both SVCHOST.EXE processes).
     

    Attached Files:

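    As an added illustration of the cross-check LowWaterMark recommends above (example code written for this page, not from the thread, Port Explorer or DiamondCS), the Python below parses constructed "netstat -ano" output and a constructed Port Explorer "Save Table" export, applies the PID 0 / PID 4 reading given in these posts, and reports any socket the two tools disagree on. The netstat lines, table rows and the 192.168.0.2 address are constructed samples; the UDP handling covers the fact that netstat prints no State column for UDP sockets.

```python
# Constructed "netstat -ano" sample in the XP-era layout (not output from the thread's machine).
NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       4
  TCP    192.168.0.2:1155       217.160.106.55:80      TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    600
"""
# Constructed Port Explorer "Save Table" export in the pipe layout pasted in the thread (hypothetical rows).
PE_TABLE = """
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
| SYSTEM | --- | 0 | TCP | 192.168.0.2 | 1155 | 217.160.106.55 | 80 | TIME_WAIT | --- | --- |
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1026 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| svchost.exe | 22:50 29/10/2003 | 760 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
"""
def parse_netstat(text):
    """Map (proto, local port, state) -> PID. UDP rows have no State column, so the PID is always the last field."""
    sockets = {}
    for fields in (line.split() for line in text.splitlines()):
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skips the blank line and the "Proto ..." header
        state = fields[3] if fields[0] == "TCP" else "LISTENING"
        sockets[(fields[0], int(fields[1].rsplit(":", 1)[1]), state)] = int(fields[-1])
    return sockets

def parse_pe_table(text):
    """Map (proto, local port, status) -> (process name, PID); header and dashed rule lines are skipped."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")] for ln in text.splitlines()]
    return {(r[3], int(r[5]), r[8]): (r[0], int(r[2])) for r in rows if len(r) == 11 and r[0] != "NAME"}

def explain(name, pid, state):
    # Thread's rule of thumb: PID 0 + TIME_WAIT is a closed socket whose owner exited; PID 4 is the kernel System process.
    if pid == 0 and state == "TIME_WAIT":
        return "orphaned TIME_WAIT: owner exited, judge it by the remote address"
    if pid == 4:
        return "System process (PID 4): normal XP service listener"
    return "owned by " + name

def compare(netstat_text, pe_text):
    """Cross-check the two views; a socket only one tool reports, or a PID disagreement, merits a closer look."""
    ns, pe = parse_netstat(netstat_text), parse_pe_table(pe_text)
    report = {}
    for key in sorted(set(ns) | set(pe)):
        if key not in ns or key not in pe:
            report[key] = "seen only by " + ("netstat" if key in ns else "Port Explorer")
        elif ns[key] != pe[key][1]:
            report[key] = "PID mismatch: netstat %d vs PE %d" % (ns[key], pe[key][1])
        else:
            report[key] = explain(pe[key][0], ns[key], key[2])
    return report
```

    Feed it the real "netstat -ano" text and the PE export from the same moment; sockets that only one tool lists (here the UDP 500 row) are the ones worth a second look, while the SYSTEM rows fall under the PID 0 / PID 4 explanation.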
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Thanks for the help LWM :D
    The netstat commands revealed the same thing as PE.. the only worry is the Sygate crashes.. I have a hard time convincing him that Sygate is basically unkillable, and that all DLLs it reports loading are legit DLLs... paranoia to the max.. :eek: :eek:

    He had a trojan infection on his system a couple of weeks ago, just reformatted etc...

    And I have a hard time with this mobile connection of mine.. trying to submit new nasties and my connection keeps breaking all the time... grrr, have to send my mails all over again... grrr
     