process "system:8" opens 400 to 500 listening TCP ports

Thread: process "system:8" opens 400 to 500 listening TCP ports

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    9

    process "system:8" opens 400 to 500 listening TCP ports

    Hi, my problem is on a Windows 2000 Server machine: the System process, PID 8, opens 400 to 500 listening TCP ports. They start at port 2000 or 3000 or 4000, I think that is pseudo-random, and it does that every 5 sec. Please help.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    No need to post it twice. You just might need patience. It might be helpful to know what is running on PID 8. Perhaps you could check TaskManager and/or use Process Explorer.

    Have you done AntiVirus scans in safe-mode to verify that it's not a worm/trojan? Additionally, have you run (in the command window) netstat -ano to see if there is a remote connection somewhere?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    Oh, so sorry for double posting, I think I posted in the wrong discussion.
    OK, now: PID 8 is the process "System".
    I'm so tired of scanning my PC with Norton without finding anything.
    I use TCPView to see what ports are open on my PC. Just after restarting the machine there is no problem, but wait 20-30 sec and the problem begins: many, many ports open, close, open, close in about 10 sec. Sometimes I find a connection to remote port 445 from PID 8.
    I can stop that with IPsec, but I know that something in my PC is wrong.

    P.S. Sorry for my English, I hope you can understand.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Well, this page should give you a little more info on port 445. What is connecting to 445?

  5. #5
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    Thanks for that page. The problem is that the connection is from my server to another PC at port 445.
    For example:
    Process: System:8
    Protocol: TCP
    Local Address: 0.0.0.0:3220
    Remote Address: x.x.x.x:445
    Status: Established

    Process: System:8
    Protocol: TCP
    Local Address: 0.0.0.0:2100
    Remote Address: 0.0.0.0:0
    Status: Listening

    where ports 2100 and 3220 can be any port from 1000 to 4000 and x.x.x.x is a real IP address outside my network.

    Thanks

  6. #6
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    This is what I took from TCPView on my server:

    System:8 TCP 0.0.0.0:2773 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2874 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2875 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2876 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2877 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2880 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2881 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2883 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2884 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2885 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2886 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2887 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2888 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2889 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2890 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2891 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2892 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2893 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2894 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2895 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2896 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2897 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2898 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2899 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2900 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2901 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2902 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2903 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2904 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2905 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2906 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2907 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2908 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2909 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2910 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2911 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2912 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2913 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2914 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2915 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2916 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2917 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2918 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2919 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2920 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2921 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2922 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2923 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2924 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2925 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2926 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2927 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2928 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2929 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2930 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2931 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2932 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2933 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2934 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2935 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2936 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2937 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2938 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2939 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2940 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2941 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2942 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2943 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2944 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2945 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2946 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2947 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2948 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2949 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2950 0.0.0.0:0 LISTENING
    System:8 TCP 0.0.0.0:2951 0.0.0.0:0 LISTENING
    System:8 TCP 200.84.198.x:2773 83.46.100.76:445 ESTABLISHED
    System:8 TCP 200.84.198.x:2881 82.71.6.93:445 ESTABLISHED
    System:8 TCP 200.84.198.x:2882 218.160.98.6:445 ESTABLISHED
    System:8 TCP 200.84.198.x:2883 216.19.214.79:445 ESTABLISHED
    System:8 TCP 200.84.198.x:2884 84.130.171.45:445 ESTABLISHED
    System:8 TCP 200.84.198.x:2886 220.138.46.53:445 ESTABLISHED

    That really drives me crazy, please somebody help me.
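One way to triage a listing like the one above automatically, as an added example that is not from the thread: it parses TCPView-format lines, counts LISTENING sockets per process, and flags any process holding ESTABLISHED sessions to port 445 on several hosts outside an assumed internal address range. The sample lines, the internal ranges and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the TCPView text format pasted in the thread; the
# addresses are RFC 5737 documentation ranges, not the thread's real hosts.
SAMPLE_LISTING = """\
System:8 TCP 0.0.0.0:2773 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2874 0.0.0.0:0 LISTENING
System:8 TCP 10.1.2.3:2773 198.51.100.7:445 ESTABLISHED
System:8 TCP 10.1.2.3:2881 203.0.113.9:445 ESTABLISHED
System:8 TCP 10.1.2.3:2882 192.0.2.44:445 ESTABLISHED
System:8 TCP 10.1.2.3:139 10.1.2.50:1044 ESTABLISHED
svchost.exe:412 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
"""

# Assumed internal address space (RFC 1918 + loopback); set to the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_listing(text):
    """Return rows (proc, proto, lip, lport, rip, rport, state) from TCPView text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, blank or truncated line
        proc, proto, local, remote, state = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((proc, proto, lip, int(lport), rip, int(rport), state))
    return rows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def smb_fanout(rows, min_hosts=3):
    """Processes with ESTABLISHED sessions to port 445 on >= min_hosts external hosts."""
    listening = defaultdict(int)
    targets = defaultdict(set)
    for proc, proto, _lip, _lport, rip, rport, state in rows:
        if proto != "TCP":
            continue
        if state == "LISTENING":
            listening[proc] += 1
        elif state == "ESTABLISHED" and rport == 445 and is_external(rip):
            targets[proc].add(rip)
    return {p: (listening[p], sorted(h)) for p, h in targets.items()
            if len(h) >= min_hosts}
```

Run it against a saved `netstat -ano`-style or TCPView export; a single process showing both a large listening count and outbound 445 to many external hosts is the pattern the later replies describe.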

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Without knowing what's running on your system, I'd say it looks like a backdoor or worm (Nimda?) of some type. Don't rely on your AV software to necessarily find this. First thing I'd do is boot into safe mode and start checking what might be attempting to start. Second thing, start looking for what is causing the process. A program like Process Explorer can help with this.

    You should have a firewall in front of this box and stop it from going out to port 445. When you did your last AV scan, did you do the following: i) make sure it had the latest AV definitions? ii) do it in safe mode?

  8. #8
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    Hey, I found something: the problem I have only begins when a terminal server connection starts. I hope this helps to find what my big problem is. Thanks.

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Is that an outbound or inbound TS connection?

    Also, I think Process Explorer is your best bet for solving this. You can dive down into the actions of the System process and find out what exactly it is doing. The information you've given us is too vague to put any real guesses together. With PE, you can come up with a list of what is attached to the System process, which should lead you to the answer.

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Ummm, according to your post, your host is listening for connections on those ports in the 2,000 range. You have a small number of CIFS sessions connected from hosts on the internet.

    This should be a no brainer:

    1) Patch your system.
    2) Check the signature date on your AV scanner. If you are out of date then you're not going to find anything.
    3) Check all the usual places in the registry and folders on your system where processes get called to start.
    4) If all else fails, throw a sniffer up and see what, if anything, it reveals.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
