Windows Explorer.EXE listening ?

Discussion in 'other firewalls' started by FireDancer, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi,

    Decided to look at my logs real fast today (Kerio2.1.5) and WIN98SE and I found
    WindowsExplorer listening on port 1167. I made a rule real fast to block it inbound and outbound TCP/UDP until I could get conformation
    from someone here that this is acceptable or not. I have never seen
    Explorer listening anywhere..why now? Can someone please help me to understand?

    Best Regards,
    FireDancer
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey

    Whats the Exact Filename and Path?
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,
    The path name is

    C:\WINDOWS\EXPLORER.EXE

    FireDancer
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey FireDancer

    How many EXPLORER.EXE files on yo System? Scan your Host drive...
     
  5. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,

    There is one on my system. I dont see what you are getting at .. you want to let me in on your ideas?

    I have run NOD32 TDS3 and all available scans that I have and found no viruses or any other types of intrusions.

    I dont understand why Explorer is listening on 1167. It has not connected to anything and I show no logs of it connecting as I would be alerted to it and it would of been logged.

    I am trying to find out if I need to block Explorer permantly as I have never had to deal with it. Is it dangerous? Is there a certain reason for it needed to connect to a remote endpoint?

    I am not trying to be errogant but if you can not give me a few ideas as to what I asked I will wait till someone can. For now Windows Explorer.EXE is blocked both ways until I get a conformation of it's possible intent and wether it is safe or not.

    I will continue to do some more google searches to try and find out what it is up to and what it's porpuse is.


    Regards,
    FireDancer
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    FireDancer

    Without asking Questions it’ll not get a person anywhere’s, Explorer.exe is a browser of its own and it’s used for number of things. However most Deny it access to the Internet as it’s privacy issue for Windows XP users…
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Was thinking a moment of this possible infection like described here
    But doesn't see so with only one windows\explorer.exe there.
    Win98se has the habit to mix windows explorer and IE a lot, but this is needs deeper investigation.
    PE should tell you where it is connected to.
    Remote address also localhost port 1167 or different?
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    That’s one of the reasons why I asked that question to verify it’s not possible Infection, after-all he did say “I have never seen Explorer listening anywhere..why now?”. Anyways I’ll know better to ask this dude questions in the future…
     
  9. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Well, it _could_ also be a backdoor, which injected itself into explorer.exe... :rolleyes:

    Have you checked the modules of explorer.exe with e.g. APM?

    edit: just saw, that my (now deleted) question has already been aswered...
     
  10. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hello All,

    I have opened Port Explorer, and found that Windows Explorer. EXE is listening on local 1167, remote 127.0.0.1


    I have run NOD32v2 and find no viruses, TDS3 and find no Trojans. I have blocked the application from being able to connect out. It shows up in PE as lisening for UDP
    only.

    I would like to say that I am not as computer savy as most here and am still learning. I come to Wilders for that reason ... to seek help from more knowledgable people. I did not mean to upset anyone, but I did not see the reason for Phantoms singular posts/questions as I felt I was in a guessing game..

    Jooske,

    I took your link and did read it and this application does not seem to be acting like a trojan. All possible scans indicate that it is not.

    Anymore input or help/instructions would be greatly appreciated.
    NOTE: I am still in the learning process with PE and any help on useing it in this situation would be appreciated. The screen shot here is showing process
    71609 that I am concerned with but it seems to only be communicating with the local system.


    Regards,
    FireDancer
     

    Attached Files:

  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Fire Dancer,

    Those connections are Kerio's admin connections, it uses the localhost to communicate with itself between the GUI, and the resident program. When you use the firewall status you would see the program communicating with itself on ports like these. Also when explorer.exe starts listeing, like previously said, it can act just like IE.

    127.0.0.1 is your localhost, and its on your computer. If you type an address, or do some action explorer.exe can use the internet for some functions. A trojan doesn't have to be installed, you just have to use/enable some feature that makes it use the internet for something. I never use those features so I already have a blocking rule for explorer.exe, but it does do many things just like IE as IE was built into the operating system. IE, and explorer are basically the same program anymore.

    You have nothing to worry about since it says your clean, something you did started it, so a reboot should stop it from listening, if not then go over any options you have recently enabled.

    I'm surprised with all these people here, they are playing on your fears that its infected when they don't know of any functions of the program, or at least didn't mention them. Anyone every heard of offline files, and active destop? Explorer.exe does these things.
     

    Attached Files:

  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    BlitzenZeus

    Stop excusing and making assumptions bro, go through how I played it. Now you tell me how the heck I was trying to play on his fears? Don’t attempt to be picky how others helps others on here! There is great deal of what you say on here that I could easily find fault in...snipped - disagreements are fine, insults are not - paul
     
  13. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I'll make this statement, but I don't want to distract the point of the thread anymore past this comment. Any replies to this message shouldn't be via this thread.

    Phantom, the reply wasn't directed toward you personally, even though you took it personally. Calm down, hold off the caffeine, and don't take everything so seriously. :)

    Ever since IE which you could download for Win95, explorer.exe has become a internet tool, in which I'm surprised that some people might assume it a trojan before going to the features of the program which have been around for years. There were even times in older versions where explorer.exe would run all internet traffic even if you launched IE. However yes, there are explorer.exe trojans, and virii out there.

    After the scan was negative the focus changed to mainly trying to prove, or dis-prove it was part of the IE intregation. Which seems like the like the most possible case at this moment.

    Anyway, don't worry, be happy. Life is too short to take everything seriously :cool:
     
  14. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZues,

    Yes you were right.. I rebooted and Explorer.EXE is no longer listening.. thanks for the heads up. As far as making or changing settings ...yes lastnight I did make changes to OE allthough I am not sure that would be one in the same as IE. I am going to go through my system now and double check all settings I have made in the past 24 hours or so and see what if anything I did to cause this problem.

    I am going to continue with my Block rule for Explorer.EXE though for the reason that if it should try again I will be prepared and know what I am looking at next time.
    Again your expertise is always appreciated.

    Side Subject: Phantom I was not trying to make you feel like you could not help me. I felt that your questions though were a little incompleate and what your reasoning might be. You did not state what your reasoning was. The next few post I recieved was about possible trojans.

    In as much as I belive that BlitzenZues, was not doing that either, but you do have to admit your post did lean in that direction. I have always respected opinions here at wilders but.. I like to do a little resaerch on answers I do get when I am not familiar with the poster. (Second Opinion)

    You never know who might give you a answer that might be TOTAL disaster. And with me still being a novice at the computing world I feel that is the best policy for me right now. I hope you have not taken any offence here as I appreciate you replying and trying to help.

    I think BlitzenZues with his experiance with firewalls read what I wrote and analized the situation a little differantly and was able to help. maybe I wasnt clear enough in my original post and I will be more cautious of that in the future. My appoligies to all

    Thanks all for the responces and
    very best regards,

    FireDancer
     
  15. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Since you rebooted, and it didn't listen, test it by opening OE again since that was the only program you changed. If its not listening again, your fine, if it does listen again its calling on some feature, and you have it blocked anyway. Make the rule logging, but I don't believe you will see it make any outbound attempts to the internet unless something got enabled by mistake.

    IE is tied into OE with many of the features, just like Explorer, that is why so many of these exploits in windows are much more dangerious than other operating systems. If Microsoft didn't intregate the browser, and its functions into the OS it would be much more stable, along with far less exploits possible. :D
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Helping on the forums is like building a house out of bricks for an example; you go to fast you possibly end up making mistakes, and if you go to slow the workers gets frustrated. And how I seen it BlitzenZeus continued from what we currently had completed, and since there was enough Information possibly to jump onto a new theory…

    In any case I’m glad your problem was temporary resolved.
     
  17. DEAN

    DEAN Guest

    I found that sometimes the kerio admin program is viciously attempting connects to the NET just after I connected and sometimes it aint and I think it is how your ISPs DHCP Server configures you on Connect.
     
  18. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Dean, your comment had nothing to do with this thread, and you don't even understand what your talking about.

    If you have it enabled to check for updates it will check for updates on startup, and if its enabled it will lookup dns entries for your logs so you see the rDNS name with the ip address. Your operating system has their own programs to get the DHCP lease, you just have to permit it with Kerio, just like any rule based firewall.
     
  19. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Phantom,

    It was fixxed permantly, I now understand what the app does and why it was there I have now taken care of it for good :)

    FireDancer :)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't worry or feel bad to ask questions as we all learn from it and other visitors.
    Of course it's good always to be alert on a possibility of trojans or other infections, like Phantom said, as those are the most dangerous and urgent to take care of, when these are excluded one can look at other possibilities.
    One of the tests after scanning and nothing found could be looking at the file properties for a possible recent modification date.
    (In your PE - rightclick or doubleclick the process to see the info)
    The other steps you did too, looking at what you changed in your settings.
    True, OE, IE and explorer are very much integrated and an error in one of the three can rather often be solved by a repair install of IE via the add/remove (with all av/at down for that moment) and reboot.
    Active desktop i only allow when really needed and i disable it immediately after (security).

    There are some OE security settings specialists here in the forum, so fireup your questions and we dance through the options to fine settings; we all can learn from that!
    Best to do that in a new thread in another place in the forums, unless it is specific related to the firewall section, for which Phantom is one of the specialists here.
     
Loading...
Thread Status:
Not open for further replies.