Hi, my problem is on a Windows 2000 Server machine: the System process (PID 8) opens 400 to 500 listening TCP ports. They start at port 2000 or 3000 or 4000, I think that is pseudo-random, and it does that every 5 seconds. Please help.
No need to post it twice. You just might need patience. It might be helpful to know what is running on PID 8. Perhaps you could check Task Manager and/or use Process Explorer.
Have you done AntiVirus scans in safe-mode to verify that it's not a worm/trojan? Additionally, have you run (in the command window) netstat -ano to see if there is a remote connection somewhere?
Oh, so sorry for double posting, I think I posted in the wrong forum.
OK, PID 8 is the process "System".
I'm so tired of scanning my PC with Norton without finding anything.
I use TCPView to see which ports are open on my PC. Right after restarting the machine there is no problem, but wait 20-30 seconds and the problem begins: many, many ports open, close, open, close within about 10 seconds. Sometimes I find connections to remote port 445 from PID 8.
I can stop that with IPsec, but I know there is something wrong on my PC.
P.S. Sorry for my English, I hope you can understand.
Well, this page should give you a little more info on port 445. What is connecting to 445?
Thanks for that page. The problem is that the connection is from my server to another PC on port 445.
For example:
Process: System:8
Protocol: TCP
Local Address: 0.0.0.0:3220
Remote Address: x.x.x.x:445
Status: Established
Process: System:8
Protocol: TCP
Local Address: 0.0.0.0:2100
Remote Address: 0.0.0.0:0
Status: Listening
where port 2100 and 3220 can be any port from 1000 to 4000, and x.x.x.x is a real IP address outside my network.
Thanks
This is what I took from TCPView on my server:
System:8 TCP 0.0.0.0:2773 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2874 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2875 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2876 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2877 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2880 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2881 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2883 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2884 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2885 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2886 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2887 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2888 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2889 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2890 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2891 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2892 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2893 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2894 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2895 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2896 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2897 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2898 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2899 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2900 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2901 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2902 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2903 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2904 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2905 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2906 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2907 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2908 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2909 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2910 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2911 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2912 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2913 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2914 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2915 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2916 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2917 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2918 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2919 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2920 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2921 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2922 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2923 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2924 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2925 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2926 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2927 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2928 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2929 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2930 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2931 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2932 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2933 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2934 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2935 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2936 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2937 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2938 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2939 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2940 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2941 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2942 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2943 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2944 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2945 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2946 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2947 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2948 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2949 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2950 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2951 0.0.0.0:0 LISTENING
System:8 TCP 200.84.198.x:2773 83.46.100.76:445 ESTABLISHED
System:8 TCP 200.84.198.x:2881 82.71.6.93:445 ESTABLISHED
System:8 TCP 200.84.198.x:2882 218.160.98.6:445 ESTABLISHED
System:8 TCP 200.84.198.x:2883 216.19.214.79:445 ESTABLISHED
System:8 TCP 200.84.198.x:2884 84.130.171.45:445 ESTABLISHED
System:8 TCP 200.84.198.x:2886 220.138.46.53:445 ESTABLISHED
That really drives me crazy, please somebody help me.
Without knowing what's running on your system, I'd say it looks like a backdoor or worm (Nimda?) of some type. Don't rely on your AV software to necessarily find this. First thing I'd do is boot into safe mode and start checking what might be attempting to start. Second thing, start looking for what is causing the process. A program like Process Explorer can help with this.
You should have a firewall in front of this box and stop it from going out to port 445. When you did your last AV scan did you do the following: i) make sure it had the latest AV definitions? ii) do it in safe mode?
Hey, I found something: the problem I have only begins when a Terminal Server connection starts. I hope this helps to find what my big problem is, thanks.
Is that an outbound or inbound TS connection?
Also, I think Process Explorer is your best bet for solving this. You can dive down into the actions of the System process and find out what exactly it is doing. The information you've given us is too vague to put any real guesses together. With PE, you can come up with a list of what is attached to the System process, which should lead you to the answer.
Ummm, according to your post, your host is listening for connections on those ports in the 2,000 range. You have a small number of CIFS sessions connected from hosts on the internet.
This should be a no brainer:
1) Patch your system.
2) Check the signature date on your AV scanner. If you are out of date then you're not going to find anything.
3) Check all the usual places in the registry and folders on your system where processes get called to start.
4) If all else fails, throw a sniffer up and see what, if anything, it reveals.
They are inbound TS connections.
I have a list of all processes running on the server, one from when the server has just started and another from when a client connects to TS and the problem begins. I checked, and the only differences are the TS processes.
In a while I will send the process lists for you to review.
Thanks a lot.
If I read your list correctly there are no active TS connections..
IIRC active TS connections show up as:
a.b.c.d:3389 x.x.x.x:yyyyy ESTABLISHED
Where a.b.c.d is your IP address, x.x.x.x is the connecting client and yyyyy is a random port number..
It looks like you've got a couple of outbound CIFS (netbios) connections..
Even if it's a terminal server that still wouldn't explain the huge amount of ports listed as LISTENING. Maybe some user installed a P2P application?
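The two things the thread keeps circling back to, how to read the TCPView/netstat -ano output posted above and how an inbound Terminal Services session would look next to the outbound CIFS sessions, can be checked mechanically. The script below is an added example and not code from any of the posters: it parses TCPView's text listing, counts LISTENING sockets on ephemeral ports per owning process, pulls out ESTABLISHED sessions to remote CIFS ports (445/139) on public addresses, and separately lists inbound TS sessions (local port 3389 ESTABLISHED). The sample is a trimmed copy of the output posted in this thread plus one constructed inbound TS line on an RFC 5737 test address; the 50-socket alert threshold and the 1025 ephemeral floor are assumptions, and UDP rows in TCPView's `*:*` notation are simply skipped.

```python
"""Triage a TCPView / netstat -ano connection table for the pattern in this thread.

Added example, not code from the original posts. Flags one process holding many
LISTENING ephemeral ports plus outbound CIFS sessions to hosts on the internet,
and shows inbound Terminal Services sessions separately.
"""
import ipaddress
import re
from collections import Counter

# TCPView text export: "<image>:<pid> <proto> <local>:<port> <remote>:<port> [<state>]"
_ROW_RE = re.compile(
    r"^(?P<image>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s*(?P<state>\S*)$"
)
CIFS_PORTS = {445, 139}   # SMB over TCP and SMB over NetBIOS session service
RDP_PORT = 3389
EPHEMERAL_MIN = 1025      # assumption: Windows 2000 hands out dynamic ports from 1025 up

# Trimmed copy of the TCPView output posted in the thread. The final line is
# constructed (not from the thread) to show how an inbound TS session appears.
SAMPLE = """\
System:8 TCP 0.0.0.0:2773 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2874 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2875 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2876 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2877 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2880 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2881 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING
System:8 TCP 200.84.198.x:2773 83.46.100.76:445 ESTABLISHED
System:8 TCP 200.84.198.x:2881 82.71.6.93:445 ESTABLISHED
System:8 TCP 200.84.198.x:2882 218.160.98.6:445 ESTABLISHED
System:8 TCP 200.84.198.x:2883 216.19.214.79:445 ESTABLISHED
System:8 TCP 200.84.198.x:2884 84.130.171.45:445 ESTABLISHED
System:8 TCP 200.84.198.x:2886 220.138.46.53:445 ESTABLISHED
System:8 TCP 200.84.198.x:3389 192.0.2.10:1045 ESTABLISHED
"""


def parse_tcpview(text):
    """Return one dict per parsable row; header lines and UDP '*:*' rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("pid", "lport", "rport"):
            row[key] = int(row[key])
        row["state"] = row["state"].upper()
        rows.append(row)
    return rows


def is_public(addr):
    """True for a globally routable address; masked ones like '200.84.198.x' are treated as unknown."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def triage(rows, listen_threshold=50):
    """Summarise the table: listener counts per process, outbound CIFS, inbound TS, findings."""
    listening = Counter(
        (r["image"], r["pid"]) for r in rows
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lport"] >= EPHEMERAL_MIN
    )
    outbound_cifs = [
        r for r in rows
        if r["state"] == "ESTABLISHED" and r["rport"] in CIFS_PORTS and is_public(r["raddr"])
    ]
    inbound_ts = [r for r in rows if r["state"] == "ESTABLISHED" and r["lport"] == RDP_PORT]

    findings = []
    for (image, pid), n in sorted(listening.items()):
        if n >= listen_threshold:
            findings.append(f"{image}:{pid} holds {n} LISTENING sockets on ephemeral ports")
    if outbound_cifs:
        targets = sorted({r["raddr"] for r in outbound_cifs})
        findings.append(f"outbound CIFS sessions to {len(targets)} public hosts: {', '.join(targets)}")
    return {"listening_ephemeral": listening, "outbound_cifs": outbound_cifs,
            "inbound_ts": inbound_ts, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_tcpview(SAMPLE), listen_threshold=5)
    for f in result["findings"]:
        print("FINDING:", f)
    for r in result["inbound_ts"]:
        print(f"inbound TS session from {r['raddr']}:{r['rport']} (owned by {r['image']}:{r['pid']})")
```

Run it against a saved TCPView export (`tcpview_output.txt`) by replacing `SAMPLE` with the file contents. The outbound CIFS sessions are the ones to act on: the local side is an ephemeral port and the remote side is 445 on an internet host, which is the server connecting out, not hosts connecting in.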
My list is not complete, it is just an extract.
Let me try to explain:
1. I start the server; everything works well. I have left it up for about five days without problems.
2. From a client, I start a TS connection to the server.
3. After about 10 minutes, the server starts to open LISTENING ports and outbound connections to the NetBIOS port.
4. I close the TS connection, but the problem continues.
5. A temporary solution is to restart the server :(
I'm sure that no one installed a P2P application.
alright, clear on that ;)
Does this also happen when no TS users log in?
Does it happen with one user account in particular? With other user accounts?
Does this also happen when no TS users log in?
nope
Does it happen with one user account in particular? With other user accounts?
With all accounts, it is the same.
This is the process list when the server is fine and has just restarted:
ImageName PID Threads Priority CPU Owner
Idle 0 2 0 49 Error 0x6: Invalid handle.
System 8 42 8 0 Error 0x5: Access denied.
SMSS.EXE 156 6 11 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 216 13 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 20 13 0 NT AUTHORITY\SYSTEM
SERVICES.EXE 268 32 9 0 NT AUTHORITY\SYSTEM
LSASS.EXE 280 40 9 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 13 10 0 NT AUTHORITY\SYSTEM
svchost.exe 500 10 8 0 NT AUTHORITY\SYSTEM
spoolsv.exe 528 10 8 0 NT AUTHORITY\SYSTEM
msdtc.exe 720 26 8 0 NT AUTHORITY\SYSTEM
Apache.exe 840 3 8 0 NT AUTHORITY\SYSTEM
DefWatch.exe 872 3 8 0 NT AUTHORITY\SYSTEM
tcpsvcs.exe 888 17 8 0 NT AUTHORITY\SYSTEM
svchost.exe 920 30 8 0 NT AUTHORITY\SYSTEM
pds.exe 956 5 8 0 NT AUTHORITY\SYSTEM
LLSSRV.EXE 1000 9 9 0 NT AUTHORITY\SYSTEM
NSCM.exe 1076 20 8 0 PDVSA2000\NetShowServices
ntfrs.exe 1160 19 8 0 NT AUTHORITY\SYSTEM
omtsreco.exe 1204 4 8 0 NT AUTHORITY\SYSTEM
agntsrvc.exe 1332 3 8 0 NT AUTHORITY\SYSTEM
Apache.exe 1344 51 8 0 NT AUTHORITY\SYSTEM
Apache.exe 1556 4 8 0 NT AUTHORITY\SYSTEM
CMD.EXE 1564 1 8 0 NT AUTHORITY\SYSTEM
dbsnmp.exe 1572 17 8 0 NT AUTHORITY\SYSTEM
TNSLSNR.EXE 1608 4 8 0 NT AUTHORITY\SYSTEM
oracle.exe 1684 14 8 0 NT AUTHORITY\SYSTEM
regsvc.exe 1280 2 8 0 NT AUTHORITY\SYSTEM
RsFsa.exe 1716 11 8 0 NT AUTHORITY\SYSTEM
RsSub.exe 1756 4 8 0 NT AUTHORITY\SYSTEM
mstask.exe 1768 7 8 0 NT AUTHORITY\SYSTEM
Apache.exe 1836 56 8 0 NT AUTHORITY\SYSTEM
java.exe 2116 13 8 0 NT AUTHORITY\SYSTEM
java.exe 2124 11 8 0 NT AUTHORITY\SYSTEM
Rtvscan.exe 2132 38 8 0 NT AUTHORITY\SYSTEM
isqlplus 1276 25 8 0 NT AUTHORITY\SYSTEM
WinMgmt.exe 2384 6 8 0 NT AUTHORITY\SYSTEM
WINS.EXE 2444 18 8 0 NT AUTHORITY\SYSTEM
svchost.exe 2456 8 8 0 NT AUTHORITY\SYSTEM
DNS.EXE 2496 16 8 0 NT AUTHORITY\SYSTEM
inetinfo.exe 2528 36 8 0 NT AUTHORITY\SYSTEM
nspm.exe 2592 15 8 0 PDVSA2000\NetShowServices
nsum.exe 2676 29 8 0 PDVSA2000\NetShowServices
RsEng.exe 3108 10 8 0 NT AUTHORITY\SYSTEM
svchost.exe 3196 8 8 0 NT AUTHORITY\SYSTEM
svchost.exe 3312 12 8 0 NT AUTHORITY\SYSTEM
explorer.exe 3644 15 8 0 PDVSA2000\ranpaco
sistray.exe 3656 1 8 0 PDVSA2000\ranpaco
Keyhook.exe 3904 2 8 0 PDVSA2000\ranpaco
gcasServ.exe 4104 5 4 0 PDVSA2000\ranpaco
DUMeter.exe 4084 3 8 0 PDVSA2000\ranpaco
VPTray.exe 3972 3 8 0 PDVSA2000\ranpaco
internat.exe 4044 1 8 0 PDVSA2000\ranpaco
gcasDtServ.exe 3984 7 8 0 PDVSA2000\ranpaco
WZQKPICK.EXE 3908 1 8 0 PDVSA2000\ranpaco
CMD.EXE 4112 1 8 0 PDVSA2000\ranpaco
GIANTAntiSpywar 540 6 8 50 PDVSA2000\ranpaco
Process.exe 3692 1 13 0 PDVSA2000\ranpaco
And this is when an inbound TS connection starts and the virus is active:
ImageName PID Threads Priority CPU Owner
Idle 0 2 0 41 Error 0x6: Invalid handle.
System 8 42 8 0 Error 0x5: Access denied.
SMSS.EXE 156 6 11 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 216 12 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 17 13 0 NT AUTHORITY\SYSTEM
SERVICES.EXE 268 32 9 0 NT AUTHORITY\SYSTEM
LSASS.EXE 280 41 9 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 15 10 0 NT AUTHORITY\SYSTEM
svchost.exe 504 11 8 0 NT AUTHORITY\SYSTEM
spoolsv.exe 544 11 8 0 NT AUTHORITY\SYSTEM
msdtc.exe 712 26 8 0 NT AUTHORITY\SYSTEM
Apache.exe 836 3 8 0 NT AUTHORITY\SYSTEM
DefWatch.exe 868 3 8 0 NT AUTHORITY\SYSTEM
tcpsvcs.exe 884 17 8 0 NT AUTHORITY\SYSTEM
svchost.exe 908 30 8 0 NT AUTHORITY\SYSTEM
pds.exe 936 5 8 0 NT AUTHORITY\SYSTEM
LLSSRV.EXE 992 9 9 0 NT AUTHORITY\SYSTEM
NSCM.exe 1076 20 8 0 PDVSA2000\NetShowServices
ntfrs.exe 1168 19 8 0 NT AUTHORITY\SYSTEM
agntsrvc.exe 1328 3 8 0 NT AUTHORITY\SYSTEM
Apache.exe 1336 58 8 0 NT AUTHORITY\SYSTEM
CMD.EXE 1556 1 8 0 NT AUTHORITY\SYSTEM
dbsnmp.exe 1564 17 8 0 NT AUTHORITY\SYSTEM
TNSLSNR.EXE 1596 4 8 0 NT AUTHORITY\SYSTEM
oracle.exe 1672 14 8 0 NT AUTHORITY\SYSTEM
regsvc.exe 1700 2 8 0 NT AUTHORITY\SYSTEM
RsFsa.exe 1716 11 8 0 NT AUTHORITY\SYSTEM
RsSub.exe 1752 4 8 0 NT AUTHORITY\SYSTEM
mstask.exe 1824 6 8 0 NT AUTHORITY\SYSTEM
Rtvscan.exe 1904 38 8 0 NT AUTHORITY\SYSTEM
WinMgmt.exe 696 5 8 0 NT AUTHORITY\SYSTEM
WINS.EXE 2004 18 8 0 NT AUTHORITY\SYSTEM
svchost.exe 2012 7 8 0 NT AUTHORITY\SYSTEM
DNS.EXE 2036 16 8 0 NT AUTHORITY\SYSTEM
inetinfo.exe 2064 36 8 0 NT AUTHORITY\SYSTEM
nspm.exe 2140 15 8 0 PDVSA2000\NetShowServices
nsum.exe 2188 29 8 0 PDVSA2000\NetShowServices
RsEng.exe 2628 10 8 0 NT AUTHORITY\SYSTEM
svchost.exe 2740 12 8 0 NT AUTHORITY\SYSTEM
logon.scr 1796 1 4 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 3164 11 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 3168 11 13 0 NT AUTHORITY\SYSTEM
rdpclip.exe 3356 2 8 0 PDVSA2000\ranpaco
explorer.exe 3400 14 8 0 PDVSA2000\ranpaco
sistray.exe 3184 1 8 0 PDVSA2000\ranpaco
gcasServ.exe 3460 5 4 0 PDVSA2000\ranpaco
DUMeter.exe 3504 3 8 0 PDVSA2000\ranpaco
internat.exe 3520 1 8 0 PDVSA2000\ranpaco
gcasDtServ.exe 3508 4 8 0 PDVSA2000\ranpaco
WZQKPICK.EXE 3564 1 8 0 PDVSA2000\ranpaco
CMD.EXE 3612 1 8 0 PDVSA2000\ranpaco
Process.exe 3576 1 13 0 PDVSA2000\ranpaco
thanks a lot
Hmm.. sistray kinda looks funny... Everything else looks legit at first glance..
You're running apache, oracle and you're serving TS clients on the same machine?
Hmmm.. I do suggest splitting all these different services across multiple machines..
Hehehe, it is a development server; it is in my office for application testing. The only TS client is me from my home.
Is there no possibility of a virus/worm infecting a system file, let's say CSRSS.EXE???
All the recent malware just installs an extra program to mess up your system.. Haven't seen file-infectors for a while..
Have a look at that sistray.exe. That's definitely not a "regular" windows program. It looks a lot like systray.exe which IS a regular windows program. Because the names look similar I'll bet it's the one we're looking for ;)
Take a peek at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.. and see what gets started there. Do the same for HKEY_USERS\user's SID\Software\Microsoft\Windows\CurrentVersion\Run..
Or download and run HijackThis and post its log..
Sistray could be a tray program for a SiS chipset. If you don't have one, then this should be suspicious.
Process.exe is what I would look into. That looks very suspicious. Also, what is running in the cmd.exes that show as running?
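The comparison ranpaco did by eye between the "just restarted" and "after TS logon" process lists, and the point about sistray.exe looking like systray.exe, can both be done by script. The code below is an added example, not something any poster provided: it parses the two tables posted above (trimmed here, with the Spanish error strings already translated), reports which image names appeared, disappeared or changed instance count, and flags any image name exactly one edit away from a well-known Windows binary name. The list of known names is a hand-picked assumption for this example, not an authoritative inventory, and the diff works on names only because the posted tables carry no paths or hashes.

```python
"""Diff two tasklist-style process snapshots and flag look-alike image names.

Added example, not code from the thread. Input format is the table posted above:
ImageName PID Threads Priority CPU Owner (the owner column may contain spaces).
"""
import re
from collections import Counter

_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

# Assumption: a small hand-picked set of Windows 2000 binary names to compare against.
KNOWN_SYSTEM_IMAGES = {
    "systray.exe", "csrss.exe", "winlogon.exe", "smss.exe", "lsass.exe", "services.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "cmd.exe", "mstask.exe", "regsvc.exe",
    "rdpclip.exe", "termsrv.exe", "internat.exe", "logon.scr",
}

# Trimmed copies of the two tables posted in the thread (baseline, then after TS logon).
BEFORE = r"""
ImageName PID Threads Priority CPU Owner
System 8 42 8 0 Error 0x5: Access denied.
CSRSS.EXE 216 13 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 20 13 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 13 10 0 NT AUTHORITY\SYSTEM
Apache.exe 840 3 8 0 NT AUTHORITY\SYSTEM
Apache.exe 1344 51 8 0 NT AUTHORITY\SYSTEM
java.exe 2116 13 8 0 NT AUTHORITY\SYSTEM
explorer.exe 3644 15 8 0 PDVSA2000\ranpaco
sistray.exe 3656 1 8 0 PDVSA2000\ranpaco
Keyhook.exe 3904 2 8 0 PDVSA2000\ranpaco
VPTray.exe 3972 3 8 0 PDVSA2000\ranpaco
Process.exe 3692 1 13 0 PDVSA2000\ranpaco
"""
AFTER = r"""
ImageName PID Threads Priority CPU Owner
System 8 42 8 0 Error 0x5: Access denied.
CSRSS.EXE 216 12 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 212 17 13 0 NT AUTHORITY\SYSTEM
termsrv.exe 392 15 10 0 NT AUTHORITY\SYSTEM
Apache.exe 836 3 8 0 NT AUTHORITY\SYSTEM
logon.scr 1796 1 4 0 NT AUTHORITY\SYSTEM
CSRSS.EXE 3164 11 13 0 NT AUTHORITY\SYSTEM
WINLOGON.EXE 3168 11 13 0 NT AUTHORITY\SYSTEM
rdpclip.exe 3356 2 8 0 PDVSA2000\ranpaco
explorer.exe 3400 14 8 0 PDVSA2000\ranpaco
sistray.exe 3184 1 8 0 PDVSA2000\ranpaco
Process.exe 3576 1 13 0 PDVSA2000\ranpaco
"""


def parse_snapshot(text):
    """Return one dict per process row; the header line does not match the regex."""
    procs = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            name, pid, _threads, _prio, _cpu, owner = m.groups()
            procs.append({"image": name, "pid": int(pid), "owner": owner.strip()})
    return procs


def diff_snapshots(before, after):
    """Compare image names case-insensitively: new, gone, and changed instance counts."""
    b = Counter(p["image"].lower() for p in before)
    a = Counter(p["image"].lower() for p in after)
    return {
        "appeared": sorted(n for n in a if n not in b),
        "disappeared": sorted(n for n in b if n not in a),
        "count_changed": {n: (b[n], a[n]) for n in sorted(set(b) & set(a)) if b[n] != a[n]},
    }


def edit_distance(s, t):
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (cs != ct)))
        prev = cur
    return prev[-1]


def lookalikes(procs, known=KNOWN_SYSTEM_IMAGES):
    """Image names one edit away from a known binary name, e.g. sistray.exe vs systray.exe."""
    hits = []
    for name in sorted({p["image"].lower() for p in procs}):
        if name in known:
            continue
        hits.extend((name, k) for k in sorted(known) if edit_distance(name, k) == 1)
    return hits


if __name__ == "__main__":
    before, after = parse_snapshot(BEFORE), parse_snapshot(AFTER)
    print("diff:", diff_snapshots(before, after))
    print("look-alikes:", lookalikes(after))
```

On the trimmed tables the diff shows logon.scr and rdpclip.exe appearing and csrss.exe/winlogon.exe doubling, which is exactly what a new TS session adds, so the diff alone would not catch the culprit; the look-alike pass is what singles out sistray.exe, which is present in both snapshots.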
Good point Zenger.... I also noticed mstask.exe and a regsvc.exe running as SYSTEM.. Looks suspicious too..
ranpaco: You seem to have a whole lot of processes running.. Some of these are probably legit but there are definitely a few suspicious ones..
To make it a little easier for yourself (and us too ;) ) shut down Apache and Oracle.. Log in locally (not through TS).. Close as many programs as possible.. At least the ones you know.. Even better would be to boot into safe mode... Then run HijackThis... post its log here..
The reason you need to stop the processes you know is because it'll make the list shorter and therefore easier to search..
A HijackThis log will give us a lot of info about processes running... What's started where and what kind of hooks are used..