-
June 7th, 2005, 07:22 PM
#1
Member
UDP on ports 1026,1027 svchost.exe only sometimes?
I was noticing my firewall on some UDP requests activates my "svchost.exe" program and then my firewall blocks it when it attempts to connect; "outgoing" is blocked as well as the incoming request. What I want to know is, why on some requests the "svchost.exe" activates and on others it does not. On all of these UDP ports I am not initiating any of the requests, it is the "nosey" China.net computers. Here is an example of what I am talking about:
Alert
Source IP Address 61.152.158.152 The IP address of the computer that sent the packet which caused the alert.
Source Port 49387 The port used by the source computer when sending the packet.
Destination IP xxx.xxx.xxx.xxx (me locally)
The IP address of the computer to which the packet was sent.
Destination Port 1026 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a
network cable.
Alert Date Jun-07-2005 11:00:59 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1
OK, that was copied, obviously, from the ZoneLabs alert "more info". Now the next set of data is stating the svchost.exe program has activated. This is what I don't understand, as far as I have tested all my ports are "stealth".....
Inside the firewall alert
Alert property Alert property value Technical explanation
Source IP Address 221.211.255.8 The IP address of the computer that sent the packet which caused the alert.
Source Port 32920 The port used by the source computer when sending the packet.
Destination IP xxx.xxx.xxx.xxx The IP address of the computer to which the packet was sent.
Destination Port 1027 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
(I think these are simply port scans from the nosey China servers and/or looking for their "bots", but how does it make my single computer on dialup through Earthlink activate svchost.exe on some port scans versus others?)
File Name svchost.exe <---see this is what I am talking about?
The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Alert Date Jun-07-2005 11:09:35 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine
To sum it all up, why does the svchost.exe launch on similar port scans "UDP 1027" and "UDP 1026" but NOT every one? Does this have something to do with STEALTH and NOT STEALTH ports?
-
June 7th, 2005, 07:57 PM
#2
svchost is a program that loads and executes DLLs.
The firewall blocks or allows based on the DLL being executed.
EDIT: From Microsoft:
INTRODUCTION
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.
Entire Article
-
June 7th, 2005, 09:20 PM
#3
Hi
svchost
Those incoming requests are daily background noise,
which you can ignore in principle. You mentioned something
about outgoing connection attempts by svchost.exe?
Can you specify/clarify? This might indicate some problems,
but it depends on the details. Please update.
If you want to know in general and more details about
svchost.exe, this already has been asked[1,2]. I hope,
it is not too technical. In short, and as d0ppy mentioned,
some other "programs" use svchost.exe in order to be able
to offer a service. So, it is not a priori clear, which "program"
actually wants to initialise a connection, is listening at a certain
port respectively. This has to be tracked down, as illustrated
in [2].
ports
Just as a short reminder. Scans often classify ports with the labels. For
here, I take these "definitions"[3], to illustrate it.
open: the associated service accepts incoming connections, which presents an opportunity for access. the associated service is listening.
closed: the service is available but doesn't accept incoming connections.
stealth: an invisible port that gives no indication that the service is loaded and running
Firewalls now can be configured such that ports, which are not
explicitly allowed, appear as "stealth". It does not represent,
whether there actually is no service listening on the port. This
answers your question, whether this is related to "stealth".
For some reason, your incoming UDP 1026 and 1027 get associated
with svchost.exe. It might be worth doing an
where I assume some Windows XP. This little tool tells you, which PID
(Process ID) is listening on which ports. These PIDs can be related
to programs with
You may find some connections between incoming requests and
their association with the PID of the listening ports.
Cheers.
[1] http://www.antionline.com/showthread...hlight=svchost
[2] http://www.antionline.com/showthread...hlight=svchost
[3] http://www.windowsitpro.com/WindowsS...554/20554.html
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
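The post above points at a tool that lists which PID is bound to which port and a second one that maps PIDs back to programs, without naming them. As an added example (not code from the thread or from any poster), the script below correlates the two: it assumes the XP-era `netstat -ano` and `tasklist /svc` column layouts, and the outputs it parses are constructed samples embedded inline, so it runs offline. For an svchost.exe PID it also reports the service group that instance hosts, which is the piece of information the original poster is missing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output. The column layout is an assumption
# about the Windows XP format; real output will differ in addresses and PIDs.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1026           *:*                                    1044
  UDP    0.0.0.0:1027           *:*                                    1044
  UDP    127.0.0.1:1900         *:*                                    1204
"""

# Constructed sample of `tasklist /svc` output (format likewise assumed).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1044 RpcSs
svchost.exe                   1204 SSDPSRV, upnphost
"""

# One socket row: proto, local address, local port, foreign address,
# an optional TCP state (UDP rows have none), and the owning PID.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

# One process row: image name, PID, comma-separated service list (or N/A).
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket row; header lines do not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            rows.append({"proto": m.group(1), "local": m.group(2),
                         "port": int(m.group(3)), "state": m.group(5) or "",
                         "pid": int(m.group(6))})
    return rows


def parse_tasklist(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, list of hosted services)."""
    procs: Dict[int, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
            procs[pid] = (image, services)
    return procs


def who_listens(netstat_text: str, tasklist_text: str,
                proto: str, port: int) -> List[Tuple[int, str, List[str]]]:
    """Correlate a local port with the PID bound to it and, via tasklist,
    with the image name and the service group that PID hosts."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == proto and row["port"] == port:
            image, services = procs.get(row["pid"], ("<unknown>", []))
            hits.append((row["pid"], image, services))
    return hits


if __name__ == "__main__":
    for port in (1026, 1027):
        for pid, image, services in who_listens(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "UDP", port):
            hosted = ", ".join(services) or "(none)"
            print(f"UDP {port}: PID {pid} {image} hosting {hosted}")
```

To use it against a real machine, capture both commands' output to text files and feed those strings to `who_listens` instead of the samples; note that `tasklist` is not shipped with every XP edition, so on XP Home a different process lister may be needed. A UDP port bound by an svchost.exe instance is "closed" from the outside only if the firewall says so; the socket itself is open, which is exactly why the firewall can attribute the inbound packet to svchost.exe.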
-
June 7th, 2005, 09:42 PM
#4
No offense here sec_ware:
[RANT]
I hate the word "stealth" with regard to ports.
It is a hype phrase that I believe was coined by Gibson, (www.grc.com), to imply that you have done something magical to your computer.
The facts are per RFCs:-
1. An open port _must_ respond to a SYN packet with a SYN/ACK packet.
2. A closed port must respond to a SYN packet with a RST, (Reset).
3. A Firewall does not respond to a SYN packet to a port it is _told_ is closed.
Thus:-
1. When you scan port 21, (FTP), on a server that provides FTP service then the server will respond to your scan with a SYN/ACK. Therefore your scanner knows that the port is open.
2. Doing the same scan against a server that does not provide FTP service will get you an RST. Therefore your scanner knows the port is closed.
3. When the port is firewalled, (the firewall is told that the port is to be protected), the scanner receives no response. Therefore the scanner knows the port/server is firewalled or "filtered".
Since you can no more exploit a closed port than you can a firewalled port, the implication that something wonderful has occurred by "stealthing" the port is pure marketing crap. If you can ascertain that there is actually a computer behind the firewall, (by finding an open or closed port or by having received genuine transmissions from its IP address), then you know damned well that port 21 is there. The fact that you cannot tell whether it is open or closed is irrelevant. It isn't "stealth" because you know damn well it is there......
The more accurate and un-hyped phrase is "filtered" or "firewalled"....
[/RANT]
Thank you for your time.... You will now be returned to your normal programming.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
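As an added illustration of the three cases listed in the post above (this is not code from the thread), the following Python decodes the flag byte of a raw TCP header and classifies what a single SYN probe's reply means for the port: SYN/ACK is open, RST is closed, and no reply at all is filtered, the state the post says "stealth" is marketing-speak for. The headers are constructed inline with `build_header`; nothing is sent on the wire.

```python
import struct
from typing import Optional

# TCP flag bits in the flags byte (offset 13 of the header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (seq/ack/checksum zero) for the demo."""
    data_offset = 5 << 4  # 5 x 32-bit words, no options
    return struct.pack("!HHLLBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flags, 8192, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13] & 0x3F


def classify_response(reply: Optional[bytes], probed_port: int) -> str:
    """Classify a port from the reply to one SYN probe, per the RFC behaviour
    summarised above: SYN/ACK -> open, RST -> closed, silence -> filtered."""
    if reply is None:
        return "filtered"          # firewall dropped the SYN; nothing came back
    src_port, _dst_port = struct.unpack("!HH", reply[:4])
    if src_port != probed_port:
        return "unrelated"         # reply did not originate from the probed port
    flags = tcp_flags(reply)
    if flags & SYN and flags & ACK:
        return "open"              # service accepted the handshake
    if flags & RST:
        return "closed"            # host is there, nothing listens on the port
    return "unexpected"


if __name__ == "__main__":
    probes = {
        "server with FTP":   build_header(21, 40000, SYN | ACK),
        "server without FTP": build_header(21, 40000, RST | ACK),
        "firewalled port":   None,
    }
    for label, reply in probes.items():
        print(f"{label}: {classify_response(reply, 21)}")
```

Whether the reply is an RST or nothing at all, the scanner learns the same thing about exploitability (nothing usable), but the RST case additionally confirms a live host; a firewall that drops rather than rejects only withholds that confirmation.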
-
June 7th, 2005, 10:59 PM
#5
Goddamn commercials.
But he's right.
-
June 8th, 2005, 12:45 AM
#6
Member
update my ports are closed but,...
I'm running ZoneAlarm Pro, on an OS XP-Home (not by choice). On some alerts I notice the User Datagram Protocol; the way I understand it, this protocol allows "launching" of programs/software/files between 2 computers....
Anyway, I am aware that, for example, "RealPlayer" may try to initiate a "call home" to transfer data for whatever reasons, although I think this type of svchost.exe is probably safe, and not after sensitive data, etc.,... This is not what's going on.
Here is a summary of what my firewall told me as basic as I can understand it:
ZoneAlarm blocked traffic to port 1026 on your machine from port 39093 on a remote computer whose IP address is 61.152.158.151. On this alert the svchost.exe did not launch... ok great! That's what I want to see, right? Oh, and there was no domain name or info, just the IP, traced back to the Beijing area. I'm thinking this is typical, I see this all the time,
What got my attention was sometimes the svchost.exe attempts to launch but ZA blocks it. I was wondering why or for what reasons this could happen. I'm pretty sure my machine is "clean", but who really knows, hah? My machine doesn't accept incoming connections; if it doesn't, then how would it know to launch svchost.exe? This is my real question. (Unless maybe svchost.exe is always listening...? I read the Microsoft article
stealth
ZoneAlarm blocked traffic to port 1027 on your machine from port 39093 on a remote computer whose IP address is 61.XXX.xxx.xxx (I have to get the exact IP, but it too traces back to the Beijing area as best I can tell). svchost.exe attempts to launch but ZA blocks it in this above example; I'm pretty sure it does it for BOTH 1026 and 1027.
Not sure maybe it is a setting on my Firewall doing it?
I have recently decided to let ZA make "smart decisions for me"; now that is going right back to manual, but I set it this way because sometimes there are sooo many programs/processes I don't know what is what!
"It does not represent, whether there actually is no service listening on the port": I guess this is my real question?
Everything seems to run fine, processor is NOT overloaded, no strange programs, etc.,....
I have tried different settings too,
Another interesting fact is when I use my Windows ME machine and ZA Free, it does not show any svchost.exe program launches unless I know what it is, like an update (port 135 DCOM) or something OBVIOUS,...
Maybe this is normal (hoping so) and it is common with XP Home. I tried the cmd for
a while later for example simple
-
June 8th, 2005, 07:44 AM
#7
Junior Member
-
June 8th, 2005, 09:10 AM
#8
-
June 8th, 2005, 02:38 PM
#9
Junior Member
Ic Ic.... Thanks for the info nihil.
I just did a quick Google search and learned that Windows Messenger Service typically runs on port 1026 and sometimes it binds to 1027.... Here is the article Spamming of the Windows Messenger Service
So could an inbound UDP packet to one of these ports cause svchost.exe to run because it is trying to load a DLL to handle the popup???? If so I guess that is what dogman is observing on his computer...
TTYL
WILL
P.S. Thanks for the welcome
-
June 8th, 2005, 05:18 PM
#10
Member
I have Messenger disabled, but it only occurs sometimes, not every time?
Maybe it's unique to XP Home, don't know. I will keep a close eye on it; as long as it isn't affecting anything, and until I get to the bottom of it, I guess it is harmless,... but it still bugs the crap out of me, arrrgggh,... Thanks for all your input, it has been helpful!