-
December 9th, 2008, 04:23 AM
#1
Ports 1029&1030 open
I've exhausted my knowledge trying to fix this one...
Here's the situation.
I went to GRC.com to do a port scan to make sure everything is ship shape with my firewall and security. GRC's scan reports that ports 1029&1030 are open.
Fine, then. I set up my firewall (ZoneAlarm Security Suite) to block incoming TCP and UDP requests to those ports. No luck. I forced ZoneAlarm to allow Windows Firewall (it's disabled by default) and activated it. No luck. I ran the ZoneAlarm AV and AS scans and also ran the Symantec online scans. Again, no luck (no infections or spyware found). I disabled DCOM and related activities through a macro program acquired from GRC. No luck.
Something is obviously holding those two ports open. What could it be? I've looked at the svchost.exe processes in the task manager. There are at least a half dozen of them, but I'm not sure what exactly they are doing. 2 of them are "Network Services", but I'm not sure what applications could be using them.
Using Vista Home Premium. What I wonder is...how can an OS override the rules in my firewall? (If that is what's happening)
Anyone with similar experiences/advice for me?
O
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
-
December 9th, 2008, 06:35 AM
#2
A computer connected directly to the net... that's never good... especially with things like MS08-067 floating around. Outside of this thread, I'd suggest you sink a few bucks into a router and put your computer behind that...
We can figure out what's causing it though.
If you run netstat -anb (you'll most likely need to run your command prompt as Administrator -- Right Click --> Run As Administrator) you should get output like this:
Code:
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
Eventlog
[svchost.exe]
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
nsi
[svchost.exe]
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
[services.exe]
TCP 127.0.0.1:895 0.0.0.0:0 LISTENING
[openvpnas.exe]
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
[mDNSResponder.exe]
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:27015 127.0.0.1:52807 ESTABLISHED
[AppleMobileDeviceService.exe]
TCP 127.0.0.1:52807 127.0.0.1:27015 ESTABLISHED
[iTunesHelper.exe]
TCP 192.168.1.196:139 0.0.0.0:0 LISTENING
Under the local address heading locate the port in question. In my case I'm going to work using port 49153.
Code:
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
Eventlog
[svchost.exe]
There are a couple of things here. The first line is your standard information. The second line is the process within svchost and the third line is the executable.
In this case we don't have a unique executable and as you mentioned there are many svchost.exe's running.
So now we can determine which process it is with the command tasklist /svc:
Code:
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 408 N/A
csrss.exe 472 N/A
csrss.exe 528 N/A
wininit.exe 536 N/A
services.exe 572 N/A
lsass.exe 584 SamSs
lsm.exe 592 N/A
svchost.exe 772 DcomLaunch, PlugPlay
winlogon.exe 804 N/A
svchost.exe 868 RpcSs
svchost.exe 932 Audiosrv, Dhcp, Eventlog
svchost.exe 992 AudioEndpointBuilder, hidserv, Netman,
UxSms, wudfsvc
svchost.exe 1008 Appinfo, BITS, gpsvc, LanmanServer, MMCSS,
ProfSvc, Schedule, Themes, Winmgmt, wuauser
audiodg.exe 1092 N/A
SLsvc.exe 1128 slsvc
svchost.exe 1340 EventSystem, LanmanWorkstation, nsi
I've truncated the list, but you can see from the bolded line above that Eventlog within SVC Host is PID 932... now we know the cause of the problem. This should provide more potential information regarding the source of your problem.
Normally I would say that your ports in the 10xx range are RPC Endpoints, however in Vista these Endpoints appear to exist in roughly the 491xx range.
Maybe after you come back to us with the details from this we'll be able to provide further information.
As a side note... I'd put little to no stock in anything from GRC.com and anything related to GRC... It's as bad as reading the Guides to (Mostly) Harmless Hacking.
-
December 10th, 2008, 03:20 AM
#3
Here's what I've got for you...
Nothing terribly suspicious to my amateur eye. Scheduler and PolicyAgent are functions within Vista that I've looked into. Can those processes be safely killed and prevented from launching at startup?
I don't know where the 'cannot obtain ownership information' is coming from. My OS is fully licensed and legal.
O
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>netstat -anb
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
[wininit.exe]
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
Eventlog
[svchost.exe]
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
[lsass.exe]
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
Schedule
[svchost.exe]
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
PolicyAgent
[svchost.exe]
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
[services.exe]
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
TCP xx.xx.xx.xx:139 0.0.0.0:0 LISTENING
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
TCP xx.xx.xx.xx:1085 74.125.95.83:443 CLOSE_WAIT
[firefox.exe]
TCP xx.xx.xx.xx:1247 74.125.95.83:443 CLOSE_WAIT
[firefox.exe]
TCP xx.xx.xx.xx:1280 74.125.95.17:443 CLOSE_WAIT
[firefox.exe]
TCP xx.xx.xx.xx:1344 74.125.95.17:443 CLOSE_WAIT
[firefox.exe]
TCP xx.xx.xx.xx:1352 74.125.95.83:443 CLOSE_WAIT
[firefox.exe]
TCP xx.xx.xx.80:1611 67.135.105.137:80 TIME_WAIT
TCP xx.xx.xx.80:1612 67.135.105.137:80 TIME_WAIT
TCP 127.0.0.1:1074 127.0.0.1:1075 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:1075 127.0.0.1:1074 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:1076 127.0.0.1:1077 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:1077 127.0.0.1:1076 ESTABLISHED
[firefox.exe]
TCP [::]:135 [::]:0 LISTENING
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
TCP [::]:1025 [::]:0 LISTENING
[wininit.exe]
TCP [::]:1026 [::]:0 LISTENING
Eventlog
[svchost.exe]
TCP [::]:1027 [::]:0 LISTENING
[lsass.exe]
TCP [::]:1028 [::]:0 LISTENING
Schedule
[svchost.exe]
TCP [::]:1029 [::]:0 LISTENING
PolicyAgent
[svchost.exe]
TCP [::]:1030 [::]:0 LISTENING
[services.exe]
TCP [::]:5357 [::]:0 LISTENING
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
UDP 0.0.0.0:123 *:*
W32Time
[svchost.exe]
UDP 0.0.0.0:500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:3702 *:*
FDResPub
[svchost.exe]
UDP 0.0.0.0:4500 *:*
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:*
Dnscache
[svchost.exe]
UDP 0.0.0.0:64033 *:*
FDResPub
[svchost.exe]
UDP *:*
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
UDP xx.xx.xx.xx:138 *:*
Can not obtain ownership information
x: Windows Sockets initialization failed: 5
UDP 127.0.0.1:61862 *:*
[sidebar.exe]
UDP [::]:123 *:*
W32Time
[svchost.exe]
UDP [::]:500 *:*
IKEEXT
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:3702 *:*
FDResPub
[svchost.exe]
UDP [::]:64034 *:*
FDResPub
[svchost.exe]
C:\Users\Administrator>tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 380 N/A
csrss.exe 452 N/A
wininit.exe 500 N/A
csrss.exe 512 N/A
services.exe 544 N/A
lsass.exe 556 SamSs
lsm.exe 564 N/A
winlogon.exe 652 N/A
svchost.exe 760 DcomLaunch, PlugPlay
nvvsvc.exe 808 nvsvc
svchost.exe 836 RpcSs
svchost.exe 876 WinDefend
svchost.exe 968 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe 1012 AudioEndpointBuilder, EMDMgmt, hidserv,
Netman, PcaSvc, SysMain,
TabletInputService, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum, wudfsvc
svchost.exe 1044 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
audiodg.exe 1144 N/A
SLsvc.exe 1176 slsvc
svchost.exe 1224 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, netprofm, nsi, SstpSvc,
W32Time, WebClient
rundll32.exe 1244 N/A
svchost.exe 1396 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
TermService
vsmon.exe 1460 vsmon
ScanningProcess.exe 1776 N/A
spoolsv.exe 1908 Spooler
ScanningProcess.exe 1948 N/A
svchost.exe 2032 BFE, DPS, MpsSvc
dwm.exe 1168 N/A
taskeng.exe 1356 N/A
explorer.exe 1592 N/A
taskeng.exe 1900 N/A
GoogleUpdate.exe 1268 N/A
MSASCui.exe 2092 N/A
itype.exe 2128 N/A
ipoint.exe 2164 N/A
rundll32.exe 2244 N/A
zlclient.exe 2320 N/A
dpupdchk.exe 2392 N/A
sidebar.exe 2428 N/A
RivaTuner.exe 2468 N/A
GoogleUpdaterService.exe 2584 gusvc
svchost.exe 2740 Net Driver HPZ12
svchost.exe 2804 Pml Driver HPZ12
svchost.exe 2828 PolicyAgent
svchost.exe 2856 stisvc
svchost.exe 2912 WerSvc
SearchIndexer.exe 2948 WSearch
WUDFHost.exe 3292 N/A
mobsync.exe 3480 N/A
wmpnscfg.exe 3704 N/A
unsecapp.exe 3916 N/A
WmiPrvSE.exe 4000 N/A
mantispm.exe 1372 N/A
firefox.exe 1300 N/A
cmd.exe 1264 N/A
tasklist.exe 2784 N/A
WmiPrvSE.exe 2696 N/A
C:\Users\Administrator>
Last edited by Ouroboros; December 10th, 2008 at 03:27 AM.
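To make the lookup HTRegz describes mechanical, here is an added example (not code from the thread or from any tool named in it) that parses the Vista-era `netstat -anb` and `tasklist /svc` text, pairs each listening socket with the service or executable line that follows it, and resolves the service name to a PID. The embedded samples are constructed, abridged copies of the output pasted in post #3; the parser assumes that layout (a bracketed executable after each socket, indented continuation rows in the Services column) and keeps netstat's "Can not obtain ownership information" lines as a note rather than guessing an owner.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the `netstat -anb` output pasted in post #3.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  PolicyAgent
 [svchost.exe]
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
 [services.exe]
  TCP    xx.xx.xx.xx:1085       74.125.95.83:443       CLOSE_WAIT
 [firefox.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
"""
# Constructed sample: abridged `tasklist /svc` from the same post (wrapped rows are indented).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   544 N/A
svchost.exe                    968 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1044 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc
svchost.exe                   2828 PolicyAgent
firefox.exe                   1300 N/A
"""

_SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
_TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str                   # empty for UDP
    service: str | None = None   # service hosted inside svchost, if netstat shows one
    image: str | None = None     # executable shown in [brackets]
    note: str | None = None      # e.g. "Can not obtain ownership information"

    @property
    def port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])   # works for 0.0.0.0:1029 and [::]:1029


@dataclass
class Task:
    image: str
    pid: int
    services: list[str] = field(default_factory=list)


def parse_netstat(text: str) -> list[Socket]:
    """Group each TCP/UDP line with the service/executable/error lines that follow it."""
    sockets: list[Socket] = []
    for line in text.splitlines():
        m = _SOCK_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            sockets.append(Socket(proto, local, foreign, state or ""))
            continue
        s = line.strip()
        if not s or not sockets:     # blank line, or header before the first socket
            continue
        cur = sockets[-1]
        if s.startswith("[") and s.endswith("]"):
            cur.image = s[1:-1]
        elif s.lower().startswith("can not obtain") or s.startswith("x:"):
            cur.note = s if cur.note is None else f"{cur.note}; {s}"
        else:
            cur.service = s
    return sockets


def _split_services(column: str) -> list[str]:
    return [x.strip() for x in column.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist(text: str) -> list[Task]:
    """Parse `tasklist /svc`, folding indented continuation rows into the previous PID."""
    tasks: list[Task] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue
        if line[0].isspace():        # wrapped Services column belongs to the last PID
            if tasks:
                tasks[-1].services += _split_services(line)
            continue
        m = _TASK_RE.match(line)
        if m:
            image, pid, services = m.groups()
            tasks.append(Task(image, int(pid), _split_services(services)))
    return tasks


def owners_of_port(port: int, sockets: list[Socket], tasks: list[Task]) -> list[dict]:
    """For each listening socket on `port`, resolve PIDs via service name or image name."""
    results = []
    for s in sockets:
        if s.port != port or (s.proto == "TCP" and s.state != "LISTENING"):
            continue
        if s.service:                # svchost case: the service name is the key
            pids = [t.pid for t in tasks
                    if s.service.lower() in (x.lower() for x in t.services)]
        elif s.image:                # non-shared executable: match the image name
            pids = [t.pid for t in tasks if t.image.lower() == s.image.lower()]
        else:                        # netstat named no owner; report the note instead
            pids = []
        results.append({"proto": s.proto, "local": s.local, "service": s.service,
                        "image": s.image, "pids": pids, "note": s.note})
    return results
```

Run against the abridged sample, `owners_of_port(1029, ...)` resolves to PolicyAgent inside svchost PID 2828 and `owners_of_port(1030, ...)` to services.exe PID 544, matching the listing above; port 445 comes back with no PID and the "Can not obtain ownership information" note, which is the honest answer when netstat itself could not name the owner.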
-
December 10th, 2008, 05:18 AM
#4
Update:
Unbelievable! I have, and have had, a WRT54G LinkSys router for a long time, but I could never get it to work under Vista. I uninstalled ZoneAlarm, shut down my computer, reset my modem and router (both LinkSys), hooked everything back up and restarted. Voila! Everything works perfectly. All functional capabilities of the router (wireless/wired/gateway/router, etc.) work just fine. Could it have been me just screwing around with the ZoneAlarm or LinkSys settings that messed things up, or did ZA make some modifications that would force their product to work with Vista and thusly compromise my security? I realize that's a loaded question, but getting rid of ZoneAlarm and resetting all of the hardware to its factory presets makes me wonder what's going on. My subscription to ZA is just about up anyway, so I think I'm going shopping for a new Firewall/AV/AS solution. Any recommendations?
For what it's worth, HT, after the drastic changes...GRC came up clean. I know you don't like Gibson, but it is a useful touchstone as far as the port scanning. I don't know of any other website that offers that in a user-friendly environment. If you have suggestions, please offer them.
O
-
December 10th, 2008, 10:12 PM
#5
For anti-spyware try Super AntiSpyware and Spybot Search & Destroy. Spybot has a useful (if somewhat annoying) registry protection feature. There are actually a ton of great anti-spyware applications out there.
Antivirus is a bit more tricky. There are several decent ones. I like Webroot's newer antivirus.
For a firewall, steer clear of Kaspersky and Symantec's products. They tend to do more harm than good. McAfee sucks too. Perhaps look into Comodo? I've heard good things about it.
For network testing, try scanning your own IP using nmap (various different types of scans including -sS) from somebody else's network.
-
December 11th, 2008, 12:57 PM
#6
Use a hardware firewall, like a router as HT suggests. As he says, it's not good to hook a PC directly to the web. Then enable Windows Firewall behind that.
AntiVir for AV. Spybot and MalwareBytes for spyware. HTH.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
December 11th, 2008, 07:46 PM
#7
Originally Posted by keezel
For network testing, try scanning your own IP using nmap (various different types of scans including -sS) from somebody else's network.
You can use this site for external nmap:
http://nmap-online.com/
Also, if you have an older or spare PC you can use:
Clarkconnect, IPCop, or Smoothwall as a gateway router. I use Clarkconnect and it works great.
Also check out Sysinternals' Process Explorer as an alternative to Task Manager. It will help show you what's running a lot better. I see that HTRegz has already pointed out tasklist /svc, which is very helpful.
-
December 12th, 2008, 05:19 AM
#8
lol I have Vista Home Premy and that same router combo, except I'm running Avast with Windows Firewall.
-
December 12th, 2008, 08:46 AM
#9
-
December 13th, 2008, 10:43 PM
#10
Tried out Norton Security Suite. Looked good, light-weight, user-friendly. Would have bought it, but then I remembered that my ISP (Charter Communications) offers a Security Suite that is included in the cost of my subscription. Talk about losing the forest for the trees.
It's essentially a branded version of F-Secure software. Has all the functions of an ISS that I expect and need, and it comes at no additional cost to me. Sweet. I don't know why or how I trapped myself into thinking that I had to shop around for security software, when a perfectly good solution was mine for the taking all along.
O