
Thread: UDP on ports 1026,1027 svchost.exe only sometimes?

  1. #1
    Member
    Join Date
    May 2005
    Posts
    39

    UDP on ports 1026,1027 svchost.exe only sometimes?

    I was noticing my firewall on some UDP requests activates my "svchost.exe" program and then my firewall blocks it when it attempts to connect; "outgoing" is blocked as well as the incoming request. What I want to know is why on some requests the "svchost.exe" activates and on others it does not. On all of these UDP ports I am not initiating any of the requests, it is the "nosey" China.net computers. Here is an example of what I am talking about:

    Alert
    Source IP Address 61.152.158.152 The IP address of the computer that sent the packet which caused the alert.
    Source Port 49387 The port used by the source computer when sending the packet.
    Destination IP xxx.xxx.xxx.xxx (me locally) The IP address of the computer to which the packet was sent.

    Destination Port 1026 The port on the destination computer used to receive the packet.

    Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.

    Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
    Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a
    network cable.

    Alert Date Jun-07-2005 11:00:59 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.

    Alert Count 1




    OK, that was copied, obviously, from the ZoneLabs alert "more info". Now the next set of data is stating the svchost.exe program has activated... this is what I don't understand, as far as I have tested all my ports are "stealth".....


    Inside the firewall alert



    Alert property Alert property value Technical explanation
    Source IP Address 221.211.255.8 The IP address of the computer that sent the packet which caused the alert.
    Source Port 32920 The port used by the source computer when sending the packet.

    Destination IP xxx.xxx.xxx.xxx The IP address of the computer to which the packet was sent.
    Destination Port 1027 The port on the destination computer used to receive the packet.

    Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.

    Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
    Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.

    Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.

    (I think these are simply port scans from the nosey China servers and/or looking for their "bots", but how does it make my single computer on dialup through Earthlink activate svchost.exe on some port scans versus others?)




    File Name svchost.exe <--- see, this is what I am talking about.


    The executable file on your computer that launches and runs Generic Host Process for Win32 Services.

    Alert Date Jun-07-2005 11:09:35 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.

    Alert Count 1 Number of times this connection attempt repeated its attempt on your machine




    To sum it all up, why does the svchost.exe launch on similar port scans "UDP 1027" and "UDP 1026" but NOT every one? Does this have something to do with STEALTH and NOT STEALTH ports?

  2. #2
    svchost is a program that loads and executes DLLs.


    The firewall blocks or allows based on the DLL being executed.



    EDIT: From Microsoft:

    INTRODUCTION
    This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
    MORE INFORMATION
    The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

    Entire Article

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi


    svchost

    Those incoming requests are daily background noise,
    which you can ignore in principle. You mentioned something
    about outgoing connection attempts by svchost.exe?
    Can you specify/clarify? This might indicate some problems,
    but it depends on the details. Please update.


    If you want to know in general and more details about
    svchost.exe, this already has been asked[1,2]. I hope,
    it is not too technical. In short, and as d0ppy mentioned,
    some other "programs" use svchost.exe in order to be able
    to offer a service. So, it is not a priori clear, which "program"
    actually wants to initialise a connection, is listening at a certain
    port respectively. This has to be tracked down, as illustrated
    in [2].


    ports


    Just as a short reminder. Scans often classify ports with labels. Here
    I take these "definitions"[3] to illustrate it.
    open: the associated service accepts incoming connections, which presents an opportunity for access. the associated service is listening.
    closed: the service is available but doesn't accept incoming connections.
    stealth: an invisible port that gives no indication that the service is loaded and running
    Firewalls now can be configured such that ports, which are not
    explicitly allowed, appear as "stealth". It does not represent,
    whether there actually is no service listening on the port. This
    answers your question, whether this is related to "stealth".
    For some reason, your incoming UDP 1026 and 1027 get associated
    with svchost.exe. It might be worth doing a
    Code:
    > netstat -ano
    where I assume some Windows XP. This little tool tells you which PID
    (Process ID) is listening on which ports. These PIDs can be related
    to programs with
    Code:
    > tasklist /SVC
    You may find some connections between incoming requests and
    their association with the PID of the listening ports.

    Cheers.


    [1] http://www.antionline.com/showthread...hlight=svchost
    [2] http://www.antionline.com/showthread...hlight=svchost
    [3] http://www.windowsitpro.com/WindowsS...554/20554.html
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
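The reply above says to cross-reference `netstat -ano` with `tasklist /SVC` to find out which service group behind svchost.exe owns a listening port. The script below is an added example (not sec_ware's, not part of Windows) that does that join offline: the two text samples are constructed here to mirror the column layout of those commands on Windows XP, and the service names in the PID 1012 group are assumed for illustration. On a real box you would redirect the two commands to files and feed those in instead.

```python
"""Join `netstat -ano` and `tasklist /SVC` output to see which process and
service group owns each listening socket (added example; samples constructed)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output in the Windows XP layout (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1012
  UDP    0.0.0.0:1026           *:*                                    1012
  UDP    0.0.0.0:1027           *:*                                    1012
  UDP    127.0.0.1:123          *:*                                    1012
"""

# Constructed sample of `tasklist /SVC` output; the service grouping is assumed.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    896 RpcSs
svchost.exe                   1012 AudioSrv, Browser, Messenger, Schedule, W32Time
explorer.exe                  1420 N/A
"""

# netstat: proto, local addr:port, foreign addr, optional state (absent for UDP), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# tasklist: image name (may contain spaces), PID, comma-separated services or N/A
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.*?)\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, int]]:
    """Return (proto, local_addr, local_port, state, pid) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, addr, port, _foreign, state, pid = m.groups()
            rows.append((proto, addr, int(port), state or "", int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, [service names]) from the rows under the '====' separator."""
    procs: Dict[int, Tuple[str, List[str]]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        m = TASKLIST_RE.match(line) if in_table else None
        if m:
            image, pid, services = m.groups()
            names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
            procs[int(pid)] = (image, names)
    return procs


def listening_owners(netstat_text: str, tasklist_text: str) -> Dict[Tuple[str, int], Tuple[str, List[str]]]:
    """(proto, port) -> (image, services) for every listening socket, joined on PID."""
    procs = parse_tasklist(tasklist_text)
    owners = {}
    for proto, _addr, port, state, pid in parse_netstat(netstat_text):
        if proto == "UDP" or state == "LISTENING":   # UDP rows carry no state column
            owners[(proto, port)] = procs.get(pid, ("<unknown>", []))
    return owners


def describe(owners, proto: str, port: int) -> str:
    """One human-readable line for a given socket, e.g. for UDP/1026."""
    image, services = owners.get((proto, port), ("<none>", []))
    return f"{proto}/{port} -> {image} [{', '.join(services) or 'no service info'}]"


if __name__ == "__main__":
    owners = listening_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for key in sorted(owners):
        print(describe(owners, *key))
```

The point of the join is that `netstat` alone only ever says "svchost.exe"; only the `tasklist /SVC` service list tells you which of the hosted services in that PID's group actually has the socket, and on XP that still needs a further look at the service list (one group, several services) before blaming any one of them.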

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    No offense here sec_ware:

    [RANT]

    I hate the word "stealth" with regard to ports.

    It is a hype phrase that I believe was coined by Gibson, (www.grc.com), to imply that you have done something magical to your computer.

    The facts are per RFCs:-

    1. An open port _must_ respond to a SYN packet with a SYN/ACK packet.

    2. A closed port must respond to a SYN packet with a RST, (Reset).

    3. A Firewall does not respond to a SYN packet to a port it is _told_ is closed.

    Thus:-

    1. When you scan port 21, (FTP), on a server that provides FTP service then the server will respond to your scan with a SYN/ACK. Therefore your scanner knows that the port is open.

    2. Doing the same scan against a server that does not provide FTP service will get you an RST. Therefore your scanner knows the port is closed.

    3. When the port is firewalled, (the firewall is told that the port is to be protected), the scanner receives no response. Therefore the scanner knows the port/server is firewalled or "filtered".

    Since you can no more exploit a closed port than you can a firewalled port, the implication that something wonderful has occurred by "stealthing" the port is pure marketing crap. If you can ascertain that there is actually a computer behind the firewall, (by finding an open or closed port or by having received genuine transmissions from its IP address), then you know damned well that port 21 is there. The fact that you cannot tell whether it is open or closed is irrelevant. It isn't "stealth" because you know damn well it is there......

    The more accurate and un-hyped phrase is "filtered" or "firewalled"....

    [/RANT]

    Thank you for your time.... You will now be returned to your normal programming.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Goddamn commercials.

    But he's right.

  6. #6
    Member
    Join Date
    May 2005
    Posts
    39

    Update: my ports are closed but,...

    I'm running ZoneAlarm Pro on XP Home (not by choice). On some alerts I notice the User Datagram Protocol; the way I understand it, this protocol allows "launching" of programs/software/files between 2 computers....

    Anyway, I am aware that, for example, "RealPlayer" may try to initiate a "call home" to transfer data for whatever reasons, although I think this type of svchost.exe is probably safe and not after sensitive data, etc.... This is not what's going on.
    Here is a summary of what my firewall told me as basic as I can understand it:

    ZoneAlarm blocked traffic to port 1026 on your machine from port 39093 on a remote computer whose IP address is 61.152.158.151. On this alert the svchost.exe did not launch... ok great! That's what I want to see, right? Oh, and there was no domain name or info, just the IP, traced back to the Beijing area. I'm thinking this is typical, I see this all the time.

    What got my attention was that sometimes the svchost.exe attempts to launch but ZA blocks it. I was wondering why or for what reasons this could happen. I'm pretty sure my machine is "clean", but who really knows, hah? My machine doesn't accept incoming connections; if it doesn't, then how would it know to launch svchost.exe? This is my real question. (Unless maybe svchost.exe is always listening...? I read the Microsoft article.)
    stealth

    ZoneAlarm blocked traffic to port 1027 on your machine from port 39093 on a remote computer whose IP address is 61.XXX.xxx.xxx (I have to get the exact IP, but it too traces back to the Beijing area as best I can tell). svchost.exe attempts to launch but ZA blocks it in this above example; I'm pretty sure it does it for BOTH 1026 and 1027.

    Not sure, maybe it is a setting on my firewall doing it?
    I have recently decided to let ZA make "smart decisions for me". Now that is going right back to manual, but I set it this way because sometimes there are sooo many programs/processes I don't know what is what!


    "It does not represent, whether there actually is no service listening on the port": I guess this is my real question?


    Everything seems to run fine, the processor is NOT overloaded, no strange programs, etc....
    I have tried different settings too.

    Another interesting fact is that when I use my Windows ME machine and ZA Free, it does not show any svchost.exe program launches unless I know what it is, like an update (port 135 DCOM) or something obvious...

    Maybe this is normal (hoping so) and it is common with XP Home. I tried the cmd for


    a while later for example simple

  7. #7


    Greetings everyone

    Well... This is my first post on this site and I apologize for not formally introducing myself.

    Just a little background before I get to the point: I have been visiting this site just to browse some of the forums and read articles. I consider myself a computer security enthusiast. I have no type of certifications or degrees (Yet!!!!) but I do have a fair amount of experience with networking, troubleshooting hardware/software, some programming in C/VB and basic computer security.... Anyways, enough about me....

    What caught my attention about this thread was the fact that dogman had random UDP packets arriving on ports 1026/1027.... I have actually sniffed some of these packets (random UDP packets targeting ports 1026/1027) while doing some work on my *nix box but never thought anything of them.... When I saw this post I did a check of my firewall log and sure enough I have multiple occurrences of these packets originating from what seems to be a computer on the same network as dogman's remote computer (61.152.158.151); my log shows an IP of 61.152.158.123. As for the actual data portion of the packet, here is the hex:


    0000: 00 0D 61 AC 09 BA 00 0B : 23 C1 A0 36 08 00 45 00 | ..a.....#..6..E.
    0010: 01 53 00 00 40 00 2D 11 : 00 0D 3D 98 9E 7B 45 6E | .S..@.-...=..{En
    0020: 2B 0C 81 27 04 02 01 3F : 63 19 04 00 28 00 10 00 | +..'...?c...(...
    0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
    0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6 | ....{Z........O.
    0050: E6 FC 38 43 16 9E 01 89 : 45 6E 25 2A FD D7 99 61 | ..8C....En%*...a
    0060: 33 71 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00 | 3q..............
    0070: FF FF FF FF E7 00 00 00 : 00 00 10 00 00 00 00 00 | ................
    0080: 00 00 10 00 00 00 53 59 : 53 54 45 4D 00 00 00 00 | ......SYSTEM....
    0090: 00 00 00 00 00 00 10 00 : 00 00 00 00 00 00 10 00 | ................
    00A0: 00 00 41 4C 45 52 54 00 : 00 00 00 00 00 00 00 00 | ..ALERT.........
    00B0: 00 00 A3 00 00 00 00 00 : 00 00 A3 00 00 00 57 69 | ..............Wi
    00C0: 6E 64 6F 77 73 20 68 61 : 73 20 65 6E 63 6F 75 6E | ndows has encoun
    00D0: 74 65 72 65 64 20 61 6E : 20 49 6E 74 65 72 6E 61 | tered an Interna
    00E0: 6C 20 45 72 72 6F 72 0A : 59 6F 75 72 20 57 69 6E | l Error.Your Win
    00F0: 64 6F 77 73 20 72 65 67 : 69 73 74 72 79 20 69 73 | dows registry is
    0100: 20 63 6F 72 72 75 70 74 : 65 64 2E 0A 41 6E 20 49 | corrupted..An I
    0110: 6D 6D 65 64 69 61 74 65 : 20 73 79 73 74 65 6D 20 | mmediate system
    0120: 73 63 61 6E 20 69 73 20 : 72 65 63 6F 6D 6D 65 6E | scan is recommen
    0130: 64 65 64 2E 0A 0A 76 69 : 73 69 74 20 0A 0A 68 74 | ded...visit ..ht
    0140: 74 70 3A 2F 2F 65 2D 72 : 65 67 70 61 74 63 68 2E | tp://e-regpatch.
    0150: 63 6F 6D 0A 0A 74 6F 20 : 72 65 70 61 69 72 2E 0A | com..to repair..
    0160: 00 : | .

    Don't know if this helped at all, but I'm curious to see what the experts think....

    Sorry for the long "first post"

    I'll try to drop in more often.

    WILL

  8. #8
    Senior Member
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Someone is trying to send you a pop-up advert. Look here:

    http://www.repairregistrypro.com/?hop=softfix

    That is their site..............take a look at the EULA................you have to pay for a version that will "clean" your registry of the "errors" that I am sure it will "conveniently" find.........a typical internet scam

    "Governed by the laws of Ontario, Canada"............. don't you have any then?

    Cheers

    And welcome to AO

  9. #9
    I see, I see.... Thanks for the info nihil.

    I just did a quick Google search and learned that the Windows Messenger Service typically runs on port 1026 and sometimes it binds to 1027.... Here is the article: Spamming of the Windows Messenger Service

    So could an inbound UDP packet to one of these ports cause svchost.exe to run because it is trying to load a DLL to handle the popup???? If so, I guess that is what dogman is observing on his computer...

    TTYL

    WILL

    P.S. Thanks for the welcome
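WILL's hex dump from post #7 can be checked against his Messenger Service explanation above by decoding it. The script below is an added example, not code from any poster: it parses the dump back into bytes, walks Ethernet, IPv4 and UDP, and reads the DCE/RPC connectionless (UDP) header that Windows RPC uses, which is what makes svchost.exe (the host of the Messenger service, msgsvc) wake up for such a packet. The interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc is the documented Messenger RPC interface and is also present verbatim in the packet bytes; the decoder assumes little-endian NDR (drep 0x10, as in this capture) and that opnum 0 is NetrSendMessage(from, to, text), which is how the three strings are laid out. The `is_messenger_popup` rule at the end is the kind of check a firewall log reviewer would want.

```python
"""Decode the UDP/1026 datagram posted in this thread and show it is a
Messenger-service (msgsvc) NetrSendMessage request carrying a pop-up advert.
Added example; the hex dump is the poster's capture, the decoder is new."""
import re
import struct
import uuid

# Interface UUID of the Windows Messenger service RPC interface (msgsvc).
MSGSVC_IF_UUID = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"

# Hex dump exactly as posted in post #7 (captured by the poster, not constructed here).
POSTED_DUMP = """
0000: 00 0D 61 AC 09 BA 00 0B : 23 C1 A0 36 08 00 45 00 | ..a.....#..6..E.
0010: 01 53 00 00 40 00 2D 11 : 00 0D 3D 98 9E 7B 45 6E | .S..@.-...=..{En
0020: 2B 0C 81 27 04 02 01 3F : 63 19 04 00 28 00 10 00 | +..'...?c...(...
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 F8 91 7B 5A 00 FF : D0 11 A9 B2 00 C0 4F B6 | ....{Z........O.
0050: E6 FC 38 43 16 9E 01 89 : 45 6E 25 2A FD D7 99 61 | ..8C....En%*...a
0060: 33 71 00 00 00 00 01 00 : 00 00 00 00 00 00 00 00 | 3q..............
0070: FF FF FF FF E7 00 00 00 : 00 00 10 00 00 00 00 00 | ................
0080: 00 00 10 00 00 00 53 59 : 53 54 45 4D 00 00 00 00 | ......SYSTEM....
0090: 00 00 00 00 00 00 10 00 : 00 00 00 00 00 00 10 00 | ................
00A0: 00 00 41 4C 45 52 54 00 : 00 00 00 00 00 00 00 00 | ..ALERT.........
00B0: 00 00 A3 00 00 00 00 00 : 00 00 A3 00 00 00 57 69 | ..............Wi
00C0: 6E 64 6F 77 73 20 68 61 : 73 20 65 6E 63 6F 75 6E | ndows has encoun
00D0: 74 65 72 65 64 20 61 6E : 20 49 6E 74 65 72 6E 61 | tered an Interna
00E0: 6C 20 45 72 72 6F 72 0A : 59 6F 75 72 20 57 69 6E | l Error.Your Win
00F0: 64 6F 77 73 20 72 65 67 : 69 73 74 72 79 20 69 73 | dows registry is
0100: 20 63 6F 72 72 75 70 74 : 65 64 2E 0A 41 6E 20 49 | corrupted..An I
0110: 6D 6D 65 64 69 61 74 65 : 20 73 79 73 74 65 6D 20 | mmediate system
0120: 73 63 61 6E 20 69 73 20 : 72 65 63 6F 6D 6D 65 6E | scan is recommen
0130: 64 65 64 2E 0A 0A 76 69 : 73 69 74 20 0A 0A 68 74 | ded...visit ..ht
0140: 74 70 3A 2F 2F 65 2D 72 : 65 67 70 61 74 63 68 2E | tp://e-regpatch.
0150: 63 6F 6D 0A 0A 74 6F 20 : 72 65 70 61 69 72 2E 0A | com..to repair..
0160: 00 : | .
"""

# DCE/RPC connectionless header, 80 bytes, little-endian NDR (drep 0x10 in this capture).
CL_HDR = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")


def parse_hexdump(dump: str) -> bytes:
    """Turn 'OFFSET: xx xx ... : xx xx | ascii' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        body = line.split("|", 1)[0].split(":", 1)[1]   # drop offset and ASCII column
        raw.extend(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", body))
    return bytes(raw)


def ndr_string(stub: bytes, pos: int):
    """Read one NDR conformant-varying char array; return (text, next_pos)."""
    _max_count, offset, actual = struct.unpack_from("<III", stub, pos)
    start = pos + 12 + offset
    data = stub[start:start + actual]
    end = start + actual
    end += (-end) % 4                                   # NDR aligns the next element to 4 bytes
    return data.split(b"\0", 1)[0].decode("ascii", "replace"), end


def decode_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> UDP -> DCE/RPC CL header -> msgsvc NetrSendMessage arguments."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {"proto": ip[9],
            "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20]))}
    if info["proto"] != 17:                             # not UDP
        return info
    udp = ip[ihl:]
    src_port, dst_port, udp_len = struct.unpack("!HHH", udp[:6])
    info.update(src_port=src_port, dst_port=dst_port)
    rpc = udp[8:udp_len]
    if len(rpc) < CL_HDR.size or rpc[0] != 4:           # rpc_vers 4 = connectionless DCE/RPC
        return info
    (_vers, ptype, _f1, _f2, _drep, _shi, _obj, if_id, _act, _boot, if_vers,
     _seq, opnum, _ih, _ah, stub_len, _frag, _auth, _slo) = CL_HDR.unpack_from(rpc)
    info.update(rpc_ptype=ptype, if_uuid=str(uuid.UUID(bytes_le=if_id)), if_vers=if_vers, opnum=opnum)
    stub = rpc[CL_HDR.size:CL_HDR.size + stub_len]
    if info["if_uuid"] == MSGSVC_IF_UUID and ptype == 0 and opnum == 0:   # request, NetrSendMessage
        pos = 0
        info["from"], pos = ndr_string(stub, pos)
        info["to"], pos = ndr_string(stub, pos)
        info["text"], pos = ndr_string(stub, pos)
    return info


def is_messenger_popup(frame: bytes) -> bool:
    """Detection rule: inbound UDP to 1026/1027 carrying a msgsvc NetrSendMessage request."""
    d = decode_frame(frame)
    return d.get("dst_port") in (1026, 1027) and d.get("if_uuid") == MSGSVC_IF_UUID and d.get("opnum") == 0


if __name__ == "__main__":
    d = decode_frame(parse_hexdump(POSTED_DUMP))
    for k in ("src_ip", "dst_ip", "dst_port", "if_uuid", "from", "to", "text"):
        print(f"{k:>9}: {d[k]!r}")
```

Run on the posted bytes this yields source 61.152.158.123, destination port 1026, the msgsvc interface UUID, and the three strings "SYSTEM", "ALERT" and the "Windows has encountered an Internal Error ... visit http://e-regpatch.com" advert, which is exactly the Messenger-service spam described above; with the service disabled the datagram still reaches the RPC endpoint mapper in svchost.exe, which is why a firewall can attribute the blocked packet to that process even though nothing is displayed.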

  10. #10
    Member
    Join Date
    May 2005
    Posts
    39
    I have Messenger disabled, but it only occurs sometimes, not every time?
    Maybe it's unique to XP Home, don't know. I will keep a close eye on it; as long as it isn't affecting anything, and until I get to the bottom of it, I guess it is harmless... but it still bugs the crap out of me, arrrgggh... Thanks for all your input, it has been helpful!
