
Thread: Ports 1029&1030 open

  1. #1
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636

    Ports 1029&1030 open

    I've exhausted my knowledge trying to fix this one...

    Here's the situation.

    I went to GRC.com to do a port scan to make sure everything is ship shape with my firewall and security. GRC's scan reports that ports 1029&1030 are open.

    Fine, then. I set up my firewall (ZoneAlarm Security Suite) to block incoming TCP and UDP requests to those ports. No luck. I forced ZoneAlarm to allow Windows Firewall (it's disabled by default) and activated it. No luck. I ran the ZoneAlarm AV and AS scans and also ran the Symantec online scans. Again, no luck (no infections or spyware found). I disabled DCOM and related activities thru a macro program acquired from GRC. No luck.

    Something is obviously holding those two ports open. What could it be? I've looked at the svchost.exe processes in the task manager. There are at least a half dozen of them, but I'm not sure what exactly they are doing. 2 of them are "Network Services", but I'm not sure what applications could be using them.

    Using Vista Home Premium. What I wonder is...how can an OS override the rules in my firewall? (If that is what's happening)

    Anyone with similar experiences/advice for me?

    O
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    A computer connected directly to the net... that's never good.. especially with things like MS08-067 floating around. Outside of this thread, I'd suggest you sink a few bucks into a router and put your computer behind that...

    We can figure out what's causing it though.

    If you run netstat -anb (you'll most likely need to run your command prompt as Administrator -- Right Click --> Run As Administrator) you should get output like this:

    Code:
      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      RpcSs
     [svchost.exe]
      TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
     [wininit.exe]
      TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
      Eventlog
     [svchost.exe]
      TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
      nsi
     [svchost.exe]
      TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
      Schedule
     [svchost.exe]
      TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
     [lsass.exe]
      TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
     [services.exe]
      TCP    127.0.0.1:895          0.0.0.0:0              LISTENING
     [openvpnas.exe]
      TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
     [mDNSResponder.exe]
      TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
     [AppleMobileDeviceService.exe]
      TCP    127.0.0.1:27015        127.0.0.1:52807        ESTABLISHED
     [AppleMobileDeviceService.exe]
      TCP    127.0.0.1:52807        127.0.0.1:27015        ESTABLISHED
     [iTunesHelper.exe]
      TCP    192.168.1.196:139      0.0.0.0:0              LISTENING
    Under the local address heading locate the port in question. In my case I'm going to work using port 49153.

    Code:
      TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
      Eventlog
     [svchost.exe]
    There are a couple of things here. The first line is your standard information. The second line is the process within svchost and the third line is the executable.

    In this case we don't have a unique executable and as you mentioned there are many svchost.exe's running.

    So now we can determine which process it is with the command tasklist /svc:
    Code:
    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       408 N/A
    csrss.exe                      472 N/A
    csrss.exe                      528 N/A
    wininit.exe                    536 N/A
    services.exe                   572 N/A
    lsass.exe                      584 SamSs
    lsm.exe                        592 N/A
    svchost.exe                    772 DcomLaunch, PlugPlay
    winlogon.exe                   804 N/A
    svchost.exe                    868 RpcSs
    svchost.exe                    932 Audiosrv, Dhcp, Eventlog
    svchost.exe                    992 AudioEndpointBuilder, hidserv, Netman,
                                       UxSms, wudfsvc
    svchost.exe                   1008 Appinfo, BITS, gpsvc, LanmanServer, MMCSS,
                                       ProfSvc, Schedule, Themes, Winmgmt, wuauser
    audiodg.exe                   1092 N/A
    SLsvc.exe                     1128 slsvc
    svchost.exe                   1340 EventSystem, LanmanWorkstation, nsi
    I've truncated the list, but you can see from the bolded line above that Eventlog within SVC Host is PID 932... now we know the cause of the problem. This should provide more potential information regarding the source of your problem.

    Normally I would say that your ports in the 10xx range are RPC Endpoints, however in Vista these Endpoints appear to exist in roughly the 491xx range.

    Maybe after you come back to us with the details from this we'll be able to provide further information.

    As a side note... I'd put little to no stock in anything from GRC.com and anything related to GRC... It's as bad as reading the Guides to (Mostly) Harmless Hacking.
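    The two-step lookup described in this post (netstat -anb gives the service or executable under each socket, tasklist /svc gives the PID hosting that service) is easy to automate. The script below is an added example, not code from this thread or from any of its posters; it parses sample output constructed from the listings pasted here (trimmed), and joins the owner line netstat prints to the PID tasklist reports. The dataclass names, the key format "PROTO/address:port", and the handling of the "Can not obtain ownership information" case are my own assumptions.

```python
"""Join `netstat -anb` socket listings to `tasklist /svc` PIDs (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, trimmed from the listings pasted in this thread.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING

 Can not obtain ownership information

 x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  PolicyAgent
 [svchost.exe]
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
 [services.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
"""

TASKLIST_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
services.exe                   544 N/A
svchost.exe                    968 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1224 EventSystem, fdPHost, FDResPub,
                                   LanmanWorkstation, netprofm, nsi, SstpSvc,
                                   W32Time, WebClient
svchost.exe                   2828 PolicyAgent
"""


@dataclass
class Socket:
    proto: str
    local: str
    state: str
    executable: Optional[str] = None  # the "[name.exe]" line under the socket
    service: Optional[str] = None     # bare service line printed for svchost hosts
    owner_known: bool = True          # False after "Can not obtain ownership information"


@dataclass
class Process:
    image: str
    pid: int
    services: List[str] = field(default_factory=list)


@dataclass
class Resolution:
    socket: Socket
    pids: List[int]
    note: str


SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE_RE = re.compile(r"^\[(.+?)\]$")
PROCESS_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text: str) -> List[Socket]:
    """Group each socket line with the owner lines netstat -anb prints beneath it."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, local, _foreign, state = m.groups()
            sockets.append(Socket(proto, local, state or ""))
            continue
        stripped = line.strip()
        # Skip headers, blanks, and the Winsock error that follows an unknown owner.
        if not sockets or not stripped or stripped.startswith("x:"):
            continue
        cur = sockets[-1]
        e = EXE_RE.match(stripped)
        if e:
            cur.executable = e.group(1)
        elif stripped.startswith("Can not obtain ownership"):
            cur.owner_known = False
        else:
            cur.service = stripped
    return sockets


def _services(chunk: str) -> List[str]:
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist(text: str) -> List[Process]:
    """Parse tasklist /svc, folding wrapped service lists back into their process."""
    procs: List[Process] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():  # continuation of the previous process's service list
            if procs:
                procs[-1].services.extend(_services(line))
            continue
        m = PROCESS_RE.match(line)
        if m:
            image, pid, svcs = m.groups()
            procs.append(Process(image, int(pid), _services(svcs)))
    return procs


def resolve_listeners(netstat_text: str, tasklist_text: str) -> Dict[str, Resolution]:
    """Map every listening socket to the PID(s) tasklist /svc says own it."""
    by_service: Dict[str, List[int]] = {}
    by_image: Dict[str, List[int]] = {}
    for p in parse_tasklist(tasklist_text):
        by_image.setdefault(p.image.lower(), []).append(p.pid)
        for s in p.services:
            by_service.setdefault(s.lower(), []).append(p.pid)
    out: Dict[str, Resolution] = {}
    for sock in parse_netstat(netstat_text):
        if sock.proto == "TCP" and sock.state != "LISTENING":
            continue  # only listeners explain an "open port" in an external scan
        key = f"{sock.proto}/{sock.local}"
        if not sock.owner_known:
            out[key] = Resolution(sock, [], "owner not reported; look up the PID with netstat -ano")
        elif sock.service:
            out[key] = Resolution(sock, by_service.get(sock.service.lower(), []),
                                  f"service {sock.service} in {sock.executable or '?'}")
        elif sock.executable:
            pids = by_image.get(sock.executable.lower(), [])
            extra = " (several instances; confirm with netstat -ano)" if len(pids) > 1 else ""
            out[key] = Resolution(sock, pids, sock.executable + extra)
        else:
            out[key] = Resolution(sock, [], "no owner line printed")
    return out


if __name__ == "__main__":
    for key, r in resolve_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT).items():
        print(f"{key:<22} pid={r.pids or '-'}  {r.note}")
```

    On the sample above this reports 1029 as PolicyAgent in PID 2828 and 1026 as Eventlog in PID 968, while 445 is flagged as having no owner line, which is what netstat prints for sockets it cannot attribute even when run as Administrator; netstat -ano (a real netstat switch that prints the owning PID instead of the executable name) resolves those.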

  3. #3
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Here's what I've got for you...

    Nothing terribly suspicious to my amateur eye. Scheduler and PolicyAgent are functions within Vista that I've looked into. Can those processes be safely killed and prevented from launching at startup?

    I don't know where the 'cannot obtain ownership information' is coming from. My OS is fully licensed and legal.

    O


    Code:
    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\Administrator>netstat -anb

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    RpcSs
    [svchost.exe]
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    [wininit.exe]
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    Eventlog
    [svchost.exe]
    TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
    [lsass.exe]
    TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
    Schedule
    [svchost.exe]
    TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
    PolicyAgent
    [svchost.exe]
    TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
    [services.exe]
    TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    TCP xx.xx.xx.xx:139 0.0.0.0:0 LISTENING

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    TCP xx.xx.xx.xx:1085 74.125.95.83:443 CLOSE_WAIT
    [firefox.exe]
    TCP xx.xx.xx.xx:1247 74.125.95.83:443 CLOSE_WAIT
    [firefox.exe]
    TCP xx.xx.xx.xx:1280 74.125.95.17:443 CLOSE_WAIT
    [firefox.exe]
    TCP xx.xx.xx.xx:1344 74.125.95.17:443 CLOSE_WAIT
    [firefox.exe]
    TCP xx.xx.xx.xx:1352 74.125.95.83:443 CLOSE_WAIT
    [firefox.exe]
    TCP xx.xx.xx.80:1611 67.135.105.137:80 TIME_WAIT
    TCP xx.xx.xx.80:1612 67.135.105.137:80 TIME_WAIT
    TCP 127.0.0.1:1074 127.0.0.1:1075 ESTABLISHED
    [firefox.exe]
    TCP 127.0.0.1:1075 127.0.0.1:1074 ESTABLISHED
    [firefox.exe]
    TCP 127.0.0.1:1076 127.0.0.1:1077 ESTABLISHED
    [firefox.exe]
    TCP 127.0.0.1:1077 127.0.0.1:1076 ESTABLISHED
    [firefox.exe]
    TCP [::]:135 [::]:0 LISTENING
    RpcSs
    [svchost.exe]
    TCP [::]:445 [::]:0 LISTENING

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    TCP [::]:1025 [::]:0 LISTENING
    [wininit.exe]
    TCP [::]:1026 [::]:0 LISTENING
    Eventlog
    [svchost.exe]
    TCP [::]:1027 [::]:0 LISTENING
    [lsass.exe]
    TCP [::]:1028 [::]:0 LISTENING
    Schedule
    [svchost.exe]
    TCP [::]:1029 [::]:0 LISTENING
    PolicyAgent
    [svchost.exe]
    TCP [::]:1030 [::]:0 LISTENING
    [services.exe]
    TCP [::]:5357 [::]:0 LISTENING

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    UDP 0.0.0.0:123 *:*
    W32Time
    [svchost.exe]
    UDP 0.0.0.0:500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    FDResPub
    [svchost.exe]
    UDP 0.0.0.0:3702 *:*
    FDResPub
    [svchost.exe]
    UDP 0.0.0.0:4500 *:*
    IKEEXT
    [svchost.exe]
    UDP 0.0.0.0:5355 *:*
    Dnscache
    [svchost.exe]
    UDP 0.0.0.0:64033 *:*
    FDResPub
    [svchost.exe]
    UDP *:*

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    UDP xx.xx.xx.xx:138 *:*

    Can not obtain ownership information

    x: Windows Sockets initialization failed: 5
    UDP 127.0.0.1:61862 *:*
    [sidebar.exe]
    UDP [::]:123 *:*
    W32Time
    [svchost.exe]
    UDP [::]:500 *:*
    IKEEXT
    [svchost.exe]
    UDP [::]:3702 *:*
    FDResPub
    [svchost.exe]
    UDP [::]:3702 *:*
    FDResPub
    [svchost.exe]
    UDP [::]:64034 *:*
    FDResPub
    [svchost.exe]

    C:\Users\Administrator>tasklist /svc

    Image Name PID Services
    ========================= ======== ============================================
    System Idle Process 0 N/A
    System 4 N/A
    smss.exe 380 N/A
    csrss.exe 452 N/A
    wininit.exe 500 N/A
    csrss.exe 512 N/A
    services.exe 544 N/A
    lsass.exe 556 SamSs
    lsm.exe 564 N/A
    winlogon.exe 652 N/A
    svchost.exe 760 DcomLaunch, PlugPlay
    nvvsvc.exe 808 nvsvc
    svchost.exe 836 RpcSs
    svchost.exe 876 WinDefend
    svchost.exe 968 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
    svchost.exe 1012 AudioEndpointBuilder, EMDMgmt, hidserv,
    Netman, PcaSvc, SysMain,
    TabletInputService, TrkWks, UxSms,
    WdiSystemHost, WPDBusEnum, wudfsvc
    svchost.exe 1044 AeLookupSvc, BITS, Browser, gpsvc, IKEEXT,
    iphlpsvc, LanmanServer, MMCSS, ProfSvc,
    RasMan, Schedule, seclogon, SENS,
    ShellHWDetection, Themes, Winmgmt, wuauserv
    audiodg.exe 1144 N/A
    SLsvc.exe 1176 slsvc
    svchost.exe 1224 EventSystem, fdPHost, FDResPub,
    LanmanWorkstation, netprofm, nsi, SstpSvc,
    W32Time, WebClient
    rundll32.exe 1244 N/A
    svchost.exe 1396 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
    TermService
    vsmon.exe 1460 vsmon
    ScanningProcess.exe 1776 N/A
    spoolsv.exe 1908 Spooler
    ScanningProcess.exe 1948 N/A
    svchost.exe 2032 BFE, DPS, MpsSvc
    dwm.exe 1168 N/A
    taskeng.exe 1356 N/A
    explorer.exe 1592 N/A
    taskeng.exe 1900 N/A
    GoogleUpdate.exe 1268 N/A
    MSASCui.exe 2092 N/A
    itype.exe 2128 N/A
    ipoint.exe 2164 N/A
    rundll32.exe 2244 N/A
    zlclient.exe 2320 N/A
    dpupdchk.exe 2392 N/A
    sidebar.exe 2428 N/A
    RivaTuner.exe 2468 N/A
    GoogleUpdaterService.exe 2584 gusvc
    svchost.exe 2740 Net Driver HPZ12
    svchost.exe 2804 Pml Driver HPZ12
    svchost.exe 2828 PolicyAgent
    svchost.exe 2856 stisvc
    svchost.exe 2912 WerSvc
    SearchIndexer.exe 2948 WSearch
    WUDFHost.exe 3292 N/A
    mobsync.exe 3480 N/A
    wmpnscfg.exe 3704 N/A
    unsecapp.exe 3916 N/A
    WmiPrvSE.exe 4000 N/A
    mantispm.exe 1372 N/A
    firefox.exe 1300 N/A
    cmd.exe 1264 N/A
    tasklist.exe 2784 N/A
    WmiPrvSE.exe 2696 N/A

    C:\Users\Administrator>
    Last edited by Ouroboros; December 10th, 2008 at 03:27 AM.
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  4. #4
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Update:

    Unbelievable! I have, and have had, a WRT54G LinkSys router for a long time, but I could never get it to work under Vista. I uninstalled ZoneAlarm, shut down my computer, reset my modem and router (both LinkSys), hooked everything back up and restarted. Voila! Everything works perfectly. All functional capabilities of the router (wireless/wired/gateway/router, etc.) work just fine. Could it have been me just screwing around with the ZoneAlarm or LinkSys settings that messed things up, or did ZA make some modifications that would force their product to work with Vista and thusly compromise my security? I realize that's a loaded question, but getting rid of ZoneAlarm and resetting all of the hardware to its factory presets makes me wonder what's going on. My subscription to ZA is just about up anyway, so I think I'm going shopping for a new Firewall/AV/AS solution. Any recommendations?

    For what it's worth, HT, after the drastic changes...GRC came up clean. I know you don't like Gibson, but it is a useful touchstone as far as the port scanning. I don't know of any other website that offers that in a user-friendly environment. If you have suggestions, please offer them.

    O
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  5. #5
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    For anti-spyware try Super AntiSpyware and Spybot Search & Destroy. Spybot has a useful (if somewhat annoying) registry protection feature. There are actually a ton of great anti-spyware applications out there.

    Antivirus is a bit more tricky. There are several decent ones. I like Webroot's newer antivirus.

    For a firewall, steer clear of Kaspersky and Symantec's products. They tend to do more harm than good. McAfee sucks too. Perhaps look into Comodo? I've heard good things about it.

    For network testing, try scanning your own IP using nmap (various different types of scans including -sS) from somebody else's network.

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Use a hardware firewall, like a router as HT suggests. As he says,
    it's not good to hook a PC directly to the web. Then enable Windows
    firewall behind that.

    AntiVir for AV. Spybot and MalwareBytes for spyware. HTH.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Member Slartarama's Avatar
    Join Date
    May 2008
    Location
    Pacific Northwest
    Posts
    53
    Quote Originally Posted by keezel:

    For network testing, try scanning your own IP using nmap (various different types of scans including -sS) from somebody else's network.
    You can use this site for external nmap:

    http://nmap-online.com/

    Also, if you have an older or spare PC you can use:

    Clarkconnect, IPCop, or Smoothwall as a gateway router. I use Clarkconnect and it works great.

    Also check out Sysinternals' Process Explorer as an alternative to Task Manager. It will help show you what's running a lot better. I see that HTRegz has already pointed out tasklist /svc, which is very helpful.

  8. #8
    Senior Member
    Join Date
    Dec 2006
    Location
    Myrtle Beach, SC
    Posts
    238
    lol I have Vista Home Premium and that same router combo, except I'm running Avast with Windows Firewall.

  10. #10
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Tried out Norton Security Suite. Looked good, light-weight, user-friendly. Would have bought it, but then I remembered that my ISP (Charter Communications) offers a Security Suite that is included in the cost of my subscription. Talk about losing the forest for the trees.

    It's essentially a branded version of F-Secure software. Has all the functions of an ISS that I expect and need, and it comes at no additional cost to me. Sweet. I don't know why or how I trapped myself into thinking that I had to shop around for security software, when a perfectly good solution was mine for the taking all along.

    O
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor

