-
March 10th, 2004, 04:17 AM
#1
Norton Firewall Alert Analysis
I got back from class tonight, and got this message on the pic attached, and the other pic is the norton trace of the IP.
I use Norton personal firewall, along with Norton AV and Ad aware, spybot, all are updated and ran very frequently.
Here is the log entry:
Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (asdfasd-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
Remote address,service is (xxx.xxxx.xxx.xxx,3442)
Process name is "C:\WINDOWS\System32\svchost.exe"
Basically, I am worried because I wasn't around when Norton asked permission to allow it access to the internet. It happened by itself, not from my normal use. Port 1025 on Google came up with internet Blackjack. I don't use any form of card game on this box. I have found threads on AO about closing it, but I am worried that something is wrong because it attempted to connect by itself.
I am concerned because C:\WINDOWS\System32\svchost.exe doesn't look like blackjack. My specific questions are, what caused this, why was it random, is there someone on the other end at the University of Vermont screwing with me, and are they worth reporting?
Thanks, y'all
Soda
-
March 10th, 2004, 04:38 AM
#2
dang... another one during my post-
Same deal...
This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (blahblahblah-3v39q1qzj(xxx.xxx.xxx.xxx),1025)
Remote address,service is (xxx.xxx.xxx.xxx,3056)
Process name is "C:\WINDOWS\System32\svchost.exe"
Here's the tracking info.
OrgName: Apogee Telecom Inc.
OrgID: APOG
City: Austin
StateProv: TX
So why all of a sudden is port 1025 throwing parties behind my back?
-
March 10th, 2004, 05:06 AM
#3
Not for certain, but I thought that svchost is a sort of transport for DNS queries.
I don't think it will hurt anything to let it through. It is part of the operating system.
-
March 10th, 2004, 05:12 AM
#4
Well, I'm getting mixed reports no matter where I go.
The well known ports list says blackjack.
Others say that ports 1025-1026 are needed to communicate with the domain controller which is using the DNS Client service. (RPC)
Some say (blackhats) that 1025 is used by the AT service. (task scheduler)
Killing any of those services doesn't close port 1025 for me.
(in fact, they were not running on my machine and I still had 1025 listening on 0.0.0.0)
I have NIS and I have that service blocked for that port. Hasn't caused me any harm as of yet. (crosses fingers)
Run a sniffer and see what kind of data it's trying to send.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
March 10th, 2004, 06:26 PM
#5
-
March 20th, 2004, 12:58 AM
#6
Hey soda, never mind my personal message to you. I remember now, I had found that someone had reinstalled Norton Internet Security without removing it, because it kept on saying that "norton is waiting for a scan of download #862487632" and the download # isn't important but Norton kept scanning the same file over and over from kazzalite. So then my friend didn't tell me that he reinstalled Norton. The reason he reinstalled it was because the computer was practically freezing while Norton was going through the scanning process. Needless to say, after he reinstalled it without removal it began the alert popup. I traced it back to lucomserver, which is Norton's update server. Anyway, I removed all and reinstalled and the problem is gone, sorry for the confusion...
-
April 3rd, 2004, 08:45 PM
#7
Junior Member
svchost.exe is a generic host process used by WinXP. It can be used to exchange data for any number of purposes. I was plugged into a customer's Verizon DSL last week for a few hours and I blocked at least 20+ attempts to access svchost.exe via port 1025. Probably a worm or someone scanning for access to a popular trojan.
-
April 3rd, 2004, 09:06 PM
#8
svchost is exactly as its name implies. It hosts services that cannot host themselves, usually DLLs.
Read this and you should be able to determine what it is opening 1025.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
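One way to answer the question the thread keeps circling (which service inside svchost.exe owns the listener on 1025), as an added example that is not part of any post above. It assumes a current Windows release with the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later) and an elevated prompt; the `$Port` parameter and the output column names are choices made for this example.

```powershell
# Added example: walk from a listening TCP port to the services hosted in the
# owning process, and to the DLL each svchost-hosted service actually runs.
param([int]$Port = 1025)

$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port."
    return
}

foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
    # Full image path: a genuine svchost.exe lives under %SystemRoot%\System32
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"

    # Every service whose code is running inside that process
    $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId")

    if ($services.Count -eq 0) {
        # Listener is a plain process, not a service host
        [pscustomobject]@{
            Port = $Port; PID = $procId; Image = $proc.ExecutablePath
            Service = $null; State = $null; ServiceDll = $null
        }
        continue
    }

    foreach ($svc in $services) {
        # svchost-hosted services register their DLL under Parameters\ServiceDll
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

        [pscustomobject]@{
            Port       = $Port
            PID        = $procId
            Image      = $proc.ExecutablePath
            Service    = $svc.Name
            State      = $svc.State
            ServiceDll = $dll
        }
    }
}
```

On a system of the thread's era, without PowerShell, the same walk is `netstat -ano` to get the PID for the port, then `tasklist /svc` to list the services in that PID.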