System (PID=8) listening on port 1025-1035

Discussion in 'Port Explorer' started by guysmilie, Dec 8, 2004.

Thread Status:
Not open for further replies.
  1. guysmilie

    guysmilie Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    8
    I run Windows 2000 Professional. I have disabled most unnecessary services and managed to stop all ports from listening EXCEPT one. So I downloaded Port Explorer to see if I could track down the final listening port.

    Port Explorer lists it as System, PID = 8. The protocol is TCP and both the local and remote IPs are 0.0.0.0. The local port seems to vary between 1025 and 1035 and the remote port is listed as port 0.

    I do not believe that this open port is caused by DCOM as I ran the decombobulator from grc.com and port 135 is totally closed now.

    As well, I do not have Universal Plug and Play running.

    Anyone who can help me figure this out would be my hero!
    Thank you in advance to anyone with suggestions!
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi guysmilie, this is part of the system and the port is an internal (system) reserved address.
    Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications.
    You can use this tool: http://www.firewallleaktester.com/wwdc.htm from GKweb to close the DCOM service and some other insecure services. :)

    HTH Pilli
     
  3. guy smilie

    guy smilie Guest

    Thank you for your reply. Can you tell me more about this "reserved" port 0? When searching on Google there were some security/hacking forums that mentioned use of port 0 as a possible way to circumvent firewalls. Does activity on port 0 represent a security threat, and is it suspicious that there is a process which seems to be using port 0?
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
     
    Last edited: Jan 26, 2005
  5. Kaupp

    Kaupp Guest

    On my W2K system I had the same port (System PID 8, port 1025) listening as guysmilie.
    I was able to close it by disabling all my unused network adapters in Device Manager.
    Unfortunately I can't recall which one exactly it was:

    Direct Parallel
    WAN Miniport (IP)
    WAN Miniport (L2TP)

    The best thing to do is disable them one by one, checking netstat each time.

    Good luck.
     
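    As an added example (not code from the thread, from Port Explorer, or from any poster), a small Python helper for the loop Kaupp describes: disable one adapter, re-run netstat, compare. It parses `netstat -an` style rows, picks out listeners bound to 0.0.0.0 in the 1025-1035 range the thread discusses, and diffs two snapshots; the netstat rows below are constructed samples, not real captures.

```python
import re
from typing import List, Set, Tuple

# One "netstat -an" row on Windows looks like (constructed illustration):
#   TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")
Listener = Tuple[str, str, int]  # (protocol, local address, local port)

def parse_listeners(netstat_output: str) -> Set[Listener]:
    """Sockets that accept input: TCP rows in LISTENING state and every
    UDP row (UDP rows carry no state column)."""
    listeners: Set[Listener] = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank and unrecognised lines
        proto, laddr, lport, _raddr, _rport, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        listeners.add((proto, laddr, int(lport)))
    return listeners

def wildcard_ephemeral(listeners: Set[Listener],
                       low: int = 1025, high: int = 1035) -> List[Listener]:
    """Listeners bound to all interfaces (0.0.0.0) in the port range the
    thread describes: the ones to re-check after each adapter change."""
    return sorted(l for l in listeners if l[1] == "0.0.0.0" and low <= l[2] <= high)

def diff_snapshots(before: Set[Listener], after: Set[Listener]):
    """(closed, opened) between two snapshots taken around one change."""
    return sorted(before - after), sorted(after - before)

# Constructed samples, not captures from the poster's machine. AFTER is the
# snapshot one would hope for once the right adapter has been disabled.
BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.168.1.1:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if ":1025 " not in l)

if __name__ == "__main__":
    print("suspect:", wildcard_ephemeral(parse_listeners(BEFORE)))
    print("closed/opened:", diff_snapshots(parse_listeners(BEFORE), parse_listeners(AFTER)))
```

    Feed it the real `netstat -an` text before and after each adapter change; an entry that moves to the "closed" list identifies the adapter that owned the listener.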
  6. Ean

    Ean Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    23
    Location:
    LA, CA
    Nice to hear from some fellow Win2K users! I have the same thing as guysmilie, but no devices like Kaupp to disable.

    And so far my system has passed every test I've found for it, so maybe these open NETSTAT ports are not a problem.

    But I'd dearly like to hear from other Win2K users, especially if you also use ZoneAlarm, and have installed and run many of the DCS utilities!

    I'd like to buy the whole package, but I would have to be SURE they would work first, and with each other, etc.
     
  7. GIGO

    GIGO Guest

    I just spent the last 4 days monitoring the exact same activity on what I thought was an "infected" computer. At first I thought it was simply a next-generation rootkit with very clever process hiding abilities, but as I sat back and observed (real-time registry, network, & file activity) and cross-referenced what I was seeing I started to become very concerned with what I was seeing. I could be way off, but here are my thoughts. Someone implemented the capabilities of a next-gen rootkit (completely undetectable by current conventions, including IDS, antivirus, and any other protection tools) with functionality that appears to be some form of a NULL Session exploit....which also appears to make use of crafted LDAP packets...and also exploits the SMB service...ok not so bad...right? Well here's the kick in the a**, from what I observed the suspicious activity also appears to have the capabilities of a worm which spread very quickly to all computers on the LAN. Specifically, the worm-like activity appears to be similar if not exact to that of a previous worm called something like BHO1 worm. These are just my thoughts, as I am just an enthusiast...not an expert...but I think that we are on the verge of a very VERY nasty worm.

    PS - I found many new posts on the internet that support my thoughts...and I have over 8 pages of notes from my observations...if you would like to chat more about this...feel free to email me: gigo at retardedlogic dot org
     