netstat -aon
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: netstat -aon

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    64

    netstat -aon

    Running netstat -aon
    Summary
    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 696
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 476

    I have lsass.exe starting at 1025 all the time does that seem normal... I do know what lsass is...
    Another thing i look at the task manager i cant see any of the users that started the processes except for the system idle process.

    And usually if you look at the users tab in the task manager you should seee the user you are logged in as there. i dont see any entries...

    Im not sure if all these are realated since lsass deals with verifying the user logon on the PC

    Thanks in advance

    By the way "Security task manager" seems like a nice tool

  2. #2
    isass - isass.exe - Process Information

    Process File: isass or isass.exe
    Process Name: Optix.Pro virus

    Description:
    isass.exe is registered as the Optix.Pro virus which carries in it's payload, the ability to disable firewalls and local security protections, and a backdoor capability.
    For More Detailed Process Information Get WinTasks 5 Pro
    Author: n/a
    Part Of: Optix.Pro virus

    System Process: No
    Background Process: No
    Uses Network: No
    Hardware Related: No
    Common Errors: N/A

    Security Risk (0-5): 4
    Virus: No ( Remove )
    Spyware: No ( Remove )
    Trojan: Yes ( Remove )

    Remove/Block Process: Use WinTasks

    it's a virus, update your AV, boot into safe mode and do a deep system scan...

    http://www.liutilities.com/products/...library/isass/

    edit: my bad, Issas and lssas look kinda the same
    StreetsCrack.com Join The Best Music Social Network Online. Music downloads, promotions, forums, profile, games etc...

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    64
    Thanks for the response Copyright but im the Process im talking about is LSASS.exe " Local Security Authentication Server"

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I thought that port 135 was indicative of the messenger process (not MSN but Messenger service)? And I believe Scheduler does things on 1025? But I could be mistaken... lack of sleep and all that..

    Both of those would be started by the System itself (hence the reason why you wouldn't see any users)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Port 135 is RPC
    Port 1025 is the Scheduler service
    LSASS is the local security authentication service

    All are normal W32 processes.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    64
    Sorry if im not explainning right, let me try and clarify,

    I know that 135 is RPC, however the process that is listenning on port 1025 is with PID 476 and when i check the task manager LSASS is with PID 476. Now when you usually open the task manager you see the user coloumb and the different processes that are running. The user coloumb which usually shows LOCAL SERVICE, NETWORK SERVICE, ADMININSTATOR, "What ever you are logged in as" , SYSTEM is empty the only one shown is the system idle with a user SYSTEM which is normal. And the user tab is empty as well.

    Sorry if this seems vague again.

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    The bloody Little L and the Capital I problem.

    Has any one bothered to do Google on these services?

    You would have found this first

    http://www.liutilities.com/products/...library/lsass/

    http://www.neuber.com/taskmanager/pr...lsass.exe.html

    The lsass.exe file is located in the c:\windows\System32 folder. In other cases, lsass.exe is a virus, spyware, trojan or worm!
    so where is the file executeing from?
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    Member
    Join Date
    Nov 2003
    Posts
    64
    Und3ertak3r i have already seen these too links if you notice my first post i pointed out the security task manager tool but what i was wondering about is the fact that LSASS.exe is listenning on port 1025, and if that is normal.

    Again if anyone can point out why they think i cant see anything in the user coloumb of the taskmanager thanks

  9. #9
    Junior Member
    Join Date
    Oct 2004
    Posts
    4
    Cheers

    There is nothing to worry with port 1025..if u are concerned with sasser ....it uses TCP port 445,9996,5554

    Iz that wat you meant ?

    -Siddhs

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Actually, I am a bit wondering why lsass is listening on
    port 135 (RpcSs) and 1025 (Scheduler). Shouldn't this be
    the svchost.exe[1]? Svchost.exe checks at startup services
    which it must load. Svchost is thus a generic host process name.
    The services running under svchost can be checked using

    Code:
    tasklist /svc
    Crosscheck the given PIDs there (and given services) with the PID/Port
    obtained by

    Code:
    rem get listening ports
    netstat -ano
    
    rem get listing service (based on your dump)
    tasklist | findstr 696
    tasklist | findstr 476
    Comparing with the output of "tasklist /SVC" you should see that PID 696
    corresponds to svchost.exe (RpcSs) and 476 to a couple of services, like
    Dhcp, ..., Schedule, ... running under svchost.exe.

    Lsass.exe should listen to Port 500 only, on a "virginal" system.

    Cheers

    [1] http://support.microsoft.com/kb/314056/EN-US/
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides