Thread: What are the services running?

  1. #1
    Senior Member Falcon21's Avatar
    Join Date
    Dec 2002
    Location
    Singapore
    Posts
    252

    What are the services running?

    I am running Windows Me and I perform a netstat command offline:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1035 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1025 *:*

    Anyone know what services are running?
    I found out that the service shown above listening on port 1035 listens on a random port after some time, e.g. 1038.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Falcon21, repeat after me -- Google is my best friend. Number 1 item on a google search: http://mail-index.netbsd.org/tech-us...6/11/0001.html
    Subject: sethostent(1): is it really that useful with a DNS?
    To: None <tech-userlevel@netbsd.org>
    From: Chuck Cranor <chuck@research.att.com>
    List: tech-userlevel
    Date: 06/11/2001 11:07:26

    here is something that is annoying: every time you run netstat
    it makes a TCP connection to your DNS resolver. this is due to
    the sethostent(1) call in main.c. this leads to the following
    annoying effect:


    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64089 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64088 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64089 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64087 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64088 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64089 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64086 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64087 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64088 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64089 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc> netstat -f inet
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 xxxcdc.research..64085 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64086 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64087 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64088 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64089 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64090 malmsey.research.domai TIME_WAIT
    tcp 0 0 xxxcdc.research..64091 chips.research.a.telne ESTABLISHED
    xxxcdc>
    what is this sethostent(1) really buying us? the man page says:

    The sethostent() function may be used to request the use of a connected
    TCP socket for queries. If the stayopen flag is non-zero, this sets the
    option to send all queries to the name server using TCP and to retain the
    connection after each call to gethostbyname(), gethostbyname2() or
    gethostbyaddr(). Otherwise, queries are performed using UDP datagrams.


    chuck
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    moxnix, only if it's helpful. I don't know if that really answers his question.

    Falcon21, Google should be an avenue to check before posting here. If you don't find it, state that as well as the question.

    1025, IIRC, is task scheduler.
    1035, while unassigned in IANA, seems to be identified with a couple of trojans (dolly/multidropper) but I wonder if it might be your AV software?

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Sockets bound to port numbers in the low 1024+ range generally indicate usage by client applications. Such applications don't actually care which port their sockets are on, and hence let the OS choose. It does so in a predictable fashion, and usually chooses ports between 1024 and 4000 or so, starting with low numbers.

    I'm sure there is a MS Windows equivalent of "fuser -n tcp 1035" which will tell you what application the socket belongs to.

    Some protocols (example FTP) rely on TCP listening sockets even for outgoing transfers. This does not mean these programs are trojans.

    I believe that MS IIS uses a low 1024+ TCP port number for its administration service (not always the same one), try stopping IIS and see if it disappears (Note: IIS can be running even if you have no Web, FTP or SMTP service going, look for the "IIS Admin" service)

    UDP sockets don't have different states (listening, etc), hence a client socket looks identical to a server socket in "netstat"

    Slarty

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    For Windows there's fport from www.systernals.com. It maps open ports back to the process that has them open.

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Ok help me here:

    127.0.0.1, isn't that the TCP "loopback" IP, or the localhost IP? So basically the system is listening to itself.
    And 0.0.0.0 is used for ????


    I don't have an understanding of the networking layers and services involved, but would the question being asked be more what services/programs are at play here? Certainly a tutorial on networking may be of more assistance. Just my extra 2c.

    cheers
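The points made in posts #4 and #6 (loopback vs. wildcard bind addresses, OS-chosen ephemeral ports, UDP sockets showing no state) and the port-to-process mapping that fport provides (post #5) can be put together in one small script. The following is an added example, not code from any poster on this thread: it parses the output format of `netstat -ano` and `tasklist /FO CSV /NH` (Windows XP and later; Windows Me's netstat has no PID column, which is why a tool like fport was needed), joins the two on PID, and tags each socket. All sample output below is constructed for the example, the process names in it are made up, and the 1025-5000 ephemeral range is the classic Windows default and an assumption here (newer Windows versions use 49152-65535).

```python
"""Classify netstat sockets and map them to owning processes.

Added example; all sample data is constructed and all process names are made up.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Assumption: classic Windows default dynamic (ephemeral) port range.
EPHEMERAL_PORTS = range(1025, 5001)

# Constructed `netstat -ano` output. UDP rows have no State column at all.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1040      10.0.0.5:21            ESTABLISHED     2048
  UDP    0.0.0.0:1025           *:*                                    900
  UDP    127.0.0.1:1900         *:*                                    1500
"""

# Constructed `tasklist /FO CSV /NH` output (no header row). PID 4 is
# deliberately absent to show how an unmatched PID is reported.
TASKLIST_SAMPLE = """\
"svchost.exe","900","Console","0","5,120 K"
"antivirus.exe","1234","Console","0","12,300 K"
"ftp.exe","2048","Console","0","3,200 K"
"helper.exe","1500","Console","0","2,000 K"
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: str  # empty for UDP: netstat reports no state for datagram sockets
    pid: int


def split_endpoint(endpoint: str) -> tuple[str, int]:
    # rpartition keeps bracketed IPv6 hosts such as "[::]:135" intact
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> list[Socket]:
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and column-header lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]  # UDP line: Proto Local Foreign PID
        host, port = split_endpoint(local)
        socks.append(Socket(proto, host, port, foreign, state, int(pid)))
    return socks


def parse_tasklist(text: str) -> dict[int, str]:
    # csv handles the quoted "5,120 K" memory column correctly
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2:
            procs[int(row[1])] = row[0]
    return procs


def classify(sock: Socket) -> set[str]:
    tags = set()
    h = sock.local_host
    if h.startswith("127.") or h == "[::1]":
        tags.add("loopback-only")      # reachable only from this host
    elif h in ("0.0.0.0", "[::]"):
        tags.add("all-interfaces")     # bound to every address, network-reachable
    else:
        tags.add("specific-interface")
    if sock.local_port in EPHEMERAL_PORTS:
        tags.add("ephemeral-port")     # OS-chosen port, typical of client sockets
    if sock.proto == "UDP":
        tags.add("udp-no-state")       # client and server UDP sockets look alike
    elif sock.state == "LISTENING":
        tags.add("listening")
    return tags


def report(netstat_text: str, tasklist_text: str) -> list[dict]:
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        rows.append({
            "proto": s.proto,
            "local": f"{s.local_host}:{s.local_port}",
            "state": s.state or "-",
            "pid": s.pid,
            "process": procs.get(s.pid, f"<pid {s.pid} not in tasklist>"),
            "tags": classify(s),
        })
    return rows


if __name__ == "__main__":
    for r in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r['proto']:4} {r['local']:22} {r['state']:11} "
              f"{r['pid']:>5} {r['process']:26} {sorted(r['tags'])}")
```

On a live machine the two inputs come from `netstat -ano` and `tasklist /FO CSV /NH` run at the same moment; the join is only as good as the snapshot, since a PID can be reused after a process exits, and a PID missing from tasklist (like PID 4 above) is worth looking at rather than ignoring.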

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    217
    Good points... it may be considered...
