Thread: Norton Firewall Alert Analysis

  1. #1

    Norton Firewall Alert Analysis

    I got back from class tonight, and got this message on the pic attached, and the other pic is the Norton trace of the IP.

    I use Norton Personal Firewall, along with Norton AV, Ad-Aware and Spybot; all are updated and run very frequently.

    Here is the log entry:

    Details: This one time, the user has chosen to "block" communications
    Inbound TCP connection
    Local address,service is (asdfasd-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
    Remote address,service is (xxx.xxxx.xxx.xxx,3442)
    Process name is "C:\WINDOWS\System32\svchost.exe"

    Basically, I am worried because I wasn't around when Norton asked permission to allow it access to the internet. It happened by itself, not from my normal use. Port 1025 on Google came up with internet Blackjack. I don't use any form of card game on this box. I have found threads on AO about closing it, but I am worried that something is wrong because it attempted to connect by itself.

    I am concerned because C:\WINDOWS\System32\svchost.exe doesn't look like blackjack. My specific questions are, what caused this, why was it random, is there someone on the other end at the University of Vermont screwing with me, and are they worth reporting?

    Thanks, y'all

    Soda

  2. #2
    dang... another one during my post-


    Same deal...

    This one time, the user has chosen to "block" communications
    Inbound TCP connection
    Local address,service is (blahblahblah-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
    Remote address,service is (xxx.xxx.xxx.xxx,3056)
    Process name is "C:\WINDOWS\System32\svchost.exe"

    Here's the tracking info.
    OrgName: Apogee Telecom Inc.
    OrgID: APOG
    City: Austin
    StateProv: TX

    So why all of a sudden is port 1025 throwing parties behind my back?

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Not for certain, but I thought that svchost is a sort of transport for DNS queries.

    I don't think it will hurt anything to let it through. It is part of the operating system.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Well, I'm getting mixed reports no matter where I go.

    The well known ports list says blackjack.

    Others say that ports 1025-1026 are needed to communicate with the domain controller which is using the DNS Client service. (RPC)

    Some say (blackhats) that 1025 is used by the AT service. (task scheduler)

    Killing any of those services doesn't close port 1025 for me.
    (in fact, they were not running on my machine and I still had 1025 listening on 0.0.0.0)
    I have NIS and I have that service blocked for that port. Hasn't caused me any harm as of yet. (crosses fingers)

    Run a sniffer and see what kind of data it's trying to send.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    having same problem?

  6. #6
    Hey Soda, never mind my personal message to you. I remember now: I had found that someone had reinstalled Norton Internet Security without removing it, because it kept on saying that "norton is waiting for a scan of download #862487632" (the download # isn't important), but Norton kept scanning the same file over and over from kazzalite. So then my friend didn't tell me that he reinstalled Norton. The reason he reinstalled it was because the computer was practically freezing while Norton was going through the scanning process. Needless to say, after he reinstalled it without removal it began the alert popup. I traced it back to lucomserver, which is Norton's update server. Anyway, I removed all and reinstalled and the problem is gone. Sorry for the confusion...

  7. #7
    Junior Member
    Join Date
    Mar 2004
    Posts
    6
    svchost.exe is a generic host process used by WinXP. It can be used to exchange data for any number of purposes. I was plugged into a customer's Verizon DSL last week for a few hours and I blocked at least 20+ attempts to access svchost.exe via port 1025. Probably a worm or someone scanning for access to a popular trojan.
    -Oly
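
The firewall entries quoted in posts #1 and #2 can be triaged in bulk rather than one popup at a time. The following is an added example, not code from any poster or from Norton: it parses entries in that layout and lists which local port and process are being hit and from how many distinct remote hosts. The host name, the addresses (documentation ranges) and the `min_sources` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the entries quoted in posts #1 and #2.
# Host name and addresses are made up for this example, not taken from the thread.
SAMPLE_LOG = r'''Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (examplehost(192.0.2.10),1025)
Remote address,service is (198.51.100.7,3442)
Process name is "C:\WINDOWS\System32\svchost.exe"

This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (examplehost(192.0.2.10),1025)
Remote address,service is (203.0.113.44,3056)
Process name is "C:\WINDOWS\System32\svchost.exe"
'''

ENTRY_RE = re.compile(
    r'chosen to "(?P<action>\w+)" communications\s*\n'
    r'\s*(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection\s*\n'
    r'\s*Local address,service is \((?P<lhost>[^()]*)\((?P<lip>[^()]*)\),(?P<lport>\d+)\)\s*\n'
    r'\s*Remote address,service is \((?P<rip>[^(),]+),(?P<rport>\d+)\)\s*\n'
    r'\s*Process name is "(?P<process>[^"]+)"')

def parse_entries(text):
    """Return one dict per firewall entry, with ports converted to int."""
    entries = [m.groupdict() for m in ENTRY_RE.finditer(text)]
    for e in entries:
        e["lport"], e["rport"] = int(e["lport"]), int(e["rport"])
    return entries

def summarize_inbound(entries):
    """Group inbound attempts by (local port, process); collect distinct remote IPs."""
    groups = defaultdict(set)
    for e in entries:
        if e["direction"] == "Inbound":
            groups[(e["lport"], e["process"].lower())].add(e["rip"])
    return {key: sorted(ips) for key, ips in groups.items()}

def unsolicited_targets(entries, min_sources=2):
    """Local ports hit by at least min_sources remote hosts (threshold is an assumption)."""
    return sorted(port for (port, _), ips in summarize_inbound(entries).items()
                  if len(ips) >= min_sources)

if __name__ == "__main__":
    for (port, proc), ips in summarize_inbound(parse_entries(SAMPLE_LOG)).items():
        print(f"port {port} ({proc}): {len(ips)} remote host(s): {', '.join(ips)}")
```

Several unrelated remote hosts reaching the same local port is the pattern post #7 describes; the summary shows which port is being probed, not which service behind svchost.exe owns it.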

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    svchost is exactly as its name implies. It hosts services that cannot host themselves, usually DLLs.

    Read this and you should be able to determine what it is opening 1025.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
