Can someone explain to me why my Windows XP box has port 1025 open?
NMAP on my Mandrake box tells me that it is:
1025 listen
What does this actually do?
Could you be more specific with the system? Could be that you're using a File-Sharing program. Also, port 1025 is the first dynamically assigned port. Therefore, virtually any program that requests a port can be assigned one at this address. I use Morpheus, and whenever I download things off of multiple users...port 1025 opens up.
Furthermore, port 1025 is the network blackjack.
And if you want to know something real scary - port 1025 is the 'home' you could say for a few backdoors. These backdoors are listed here.
1. Fraggle Rock
2. md5 Backdoor
3. NetSpy
4. Remote Storm
That's about it...so double check your AV scans.
Yet then again you could be running some telnet. Such as fishroom for instance.
telnet fishroom.monrou.com 1025
So you see...it could be numerous things...just make sure you scan your PC again to make sure no Trojans are installed...check if you're using programs that access the internet...and find out what port(s) they run on.
I will run a virus scan over night, but I don't think it'll be a virus and I'm not running any telnet servers... I'll run NMAP again now to check that it's still open...
I've blocked internet access to 1025/tcp and 1025/udp thru ZoneAlarm Pro anyway, so if it is a trojan it ain't gonna get very far!
netstat -a on the XP box revealed that:
local remote status
------ ---------- --------
neo:1025 neo:0 LISTENING
There's also loads more listed as listening and I don't know why... ZAPro is on High security for the internet zone anyway so it should stealth them all... but I still like to know what's going on on my computers.
Hmmm, well maybe it's a file-sharing agent (if you have one that is). Because whenever I run Morpheus up and start downloading things from multiple users...port 1025 opens up. For me, right now at least, about 10-15 11523's are flooding my netstat with Time-Wait on them. (Dunno why I added that last part...just felt like sharing it to somebody :rolleyes: ).
But yes, I have the bought version of Zone Alarm Pro (not the trial)...and I'm on high sec. now...don't worry about it.
Don't Kazaa and Morpheus use that port....????
I think that may be the root of your problem
It might be worth noting that the reason a lot of trojans use 1025 is because it's the first port that ANY user can bind to. Binding to the restricted ports (1-1024) in *nix/*BSD requires special privileges -- it may even be root access, not 100% sure on that. At any rate, I think that NT/2K/XP require administrator or system level access to do the same.
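Added example, not part of the original thread: `netstat -a` shows that something is listening on 1025 but not which program, whereas `netstat -ano` adds the owning PID, which can then be matched against the task list. The Python sketch below parses that output and returns the network-reachable listeners above port 1024 with their PIDs. The sample text, PIDs and function names are constructed for illustration.

```python
# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       964
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1520
  TCP    192.168.0.5:1031       10.0.0.9:80            ESTABLISHED     1712
  UDP    0.0.0.0:1026           *:*                                    1044
"""

def parse_listeners(text):
    """Return one dict per open listener (TCP LISTENING or any bound UDP socket)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        proto, local, pid = fields[0], fields[1], fields[-1]
        if proto == "TCP" and (len(fields) != 5 or fields[3] != "LISTENING"):
            continue  # established / time-wait connections are not listeners
        if proto == "UDP" and len(fields) != 4:
            continue  # UDP rows have no State column
        addr, _, port = local.rpartition(":")
        port = int(port)
        listeners.append({
            "proto": proto,
            "addr": addr,
            "port": port,
            "pid": int(pid),
            # Reachable from other hosts unless bound to loopback only.
            "exposed": addr not in ("127.0.0.1", "[::1]"),
            # Ports above 1024 need no special privileges to bind on *nix.
            "unprivileged_range": port > 1024,
        })
    return listeners

def to_investigate(text):
    """Listeners worth a closer look: network-reachable and in the unprivileged range."""
    return [(l["proto"], l["port"], l["pid"]) for l in parse_listeners(text)
            if l["exposed"] and l["unprivileged_range"]]

if __name__ == "__main__":
    for proto, port, pid in to_investigate(SAMPLE):
        print(f"{proto} port {port} is held by PID {pid}; look the PID up in the task list")
```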