UDP on ports 1026,1027 svchost.exe only sometimes?

**dogman** · June 8th, 2005, 11:07 PM

Ok finally goto my machine here is a netstat while I was posting this no other windows open:

C:\>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP oem:1026 oem:0 LISTENING
UDP oem:isakmp *:*
UDP oem:1027 *:*
UDP oem:1030 *:*
UDP oem:1045 *:*
UDP oem:1150 *:*
UDP oem:1170 *:*
UDP oem:4500 *:*
UDP oem:ntp *:*
UDP oem:ntp *:*
UDP oem:1028 *:*
UDP oem:1301 *:*
UDP oem:1339 *:*

C:\>
C:\>
C:\>
C:\>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 164
UDP 0.0.0.0:500 *:* 628
UDP 0.0.0.0:1027 *:* 916
UDP 0.0.0.0:1030 *:* 980
UDP 0.0.0.0:1045 *:* 980
UDP 0.0.0.0:1150 *:* 980
UDP 0.0.0.0:1170 *:* 980
UDP 0.0.0.0:4500 *:* 628
UDP 67.3.229.235:123 *:* 916
UDP 127.0.0.1:123 *:* 916
UDP 127.0.0.1:1028 *:* 916
UDP 127.0.0.1:1301 *:* 2348
UDP 127.0.0.1:1339 *:* 2520

C:\>
C:\>
C:\>
C:\>
C:\>

also the MSDOS window was open

Process ID# 916? whats that?

I did find my messeger service disabled but I had a "HARDWARE"/ "profile1" enabled under the LOGON TAB in the Properties of the Messenger service,

I have since disabled this, I dont think this will effect operations on my own sigle computer? will it? , I will watch and see if the svchost.exe file trys to launch when the port is scanned with a UDP protocol and port 1024-1027???

Maybe this will stop it, by the way the svchost does not try to connect outgoing now, it only says tyhe program is activated like it is ready in case it gets a signal, ya know?

Anyone have any clue what I am babbling about?
will be monitoring this thread , oh ,,...and I did read the tutorial about a similar situation
http://www.antionline.com/showthread...hreadid=264811
"good read"

but not quit the same as what I am posting....Thank in advance for all the help/advice!

the

***MrLinus*** · June 9th, 2005, 07:11 PM

Process ID# 916? whats that?

A process that is running on your machine that is listed as #916. If you open taskmanager --> process (sort by PID) you should be able to find out what's running. Port 123 is used for Network Time Protocol. Have you set up your machine to contact a time server?

**dogman** · June 9th, 2005, 07:22 PM

No not as far as I am aware,... just running XP-Home and a editor for my webpages...

here is the latest updated "netstat"
as of the time on this post:

it has only occurred once today so far (the svchost.exe)from ip from the CHINA area again

C:\>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 4.240.138.155:2122 63.146.109.212:80 TIME_WAIT 0
TCP 4.240.138.155:2139 69.93.29.34:80 CLOSE_WAIT 632
TCP 4.240.138.155:2141 63.146.109.210:80 TIME_WAIT 0
TCP 4.240.138.155:2143 149.160.30.130:80 ESTABLISHED 632
TCP 4.240.138.155:2146 63.236.18.117:80 CLOSE_WAIT 632
TCP 4.240.138.155:2153 63.146.109.210:80 TIME_WAIT 0
TCP 4.240.138.155:2154 63.146.109.210:80 TIME_WAIT 0
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 2040
UDP 0.0.0.0:500 *:* 628
UDP 0.0.0.0:1027 *:* 912
UDP 0.0.0.0:1029 *:* 976
UDP 0.0.0.0:1111 *:* 976
UDP 0.0.0.0:1121 *:* 976
UDP 0.0.0.0:1314 *:* 976
UDP 0.0.0.0:1328 *:* 976
UDP 0.0.0.0:4500 *:* 628
UDP 4.240.138.155:123 *:* 912
UDP 127.0.0.1:123 *:* 912
UDP 127.0.0.1:1028 *:* 912
UDP 127.0.0.1:1734 *:* 3084
UDP 127.0.0.1:1759 *:* 632

C:\>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 4.240.138.155:2122 63.146.109.212:80 TIME_WAIT 0
TCP 4.240.138.155:2139 69.93.29.34:80 CLOSE_WAIT 632
TCP 4.240.138.155:2141 63.146.109.210:80 TIME_WAIT 0
TCP 4.240.138.155:2143 149.160.30.130:80 ESTABLISHED 632
TCP 4.240.138.155:2146 63.236.18.117:80 CLOSE_WAIT 632
TCP 4.240.138.155:2153 63.146.109.210:80 TIME_WAIT 0
TCP 4.240.138.155:2154 63.146.109.210:80 TIME_WAIT 0
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 2040
UDP 0.0.0.0:500 *:* 628
UDP 0.0.0.0:1027 *:* 912
UDP 0.0.0.0:1029 *:* 976
UDP 0.0.0.0:1111 *:* 976
UDP 0.0.0.0:1121 *:* 976
UDP 0.0.0.0:1314 *:* 976
UDP 0.0.0.0:1328 *:* 976
UDP 0.0.0.0:4500 *:* 628
UDP 4.240.138.155:123 *:* 912
UDP 127.0.0.1:123 *:* 912
UDP 127.0.0.1:1028 *:* 912
UDP 127.0.0.1:1734 *:* 3084
UDP 127.0.0.1:1759 *:* 632

C:\>

***MrLinus*** · June 9th, 2005, 07:26 PM

No not as far as I am aware,... just running XP-Home and a editor for my webpages...

Double click on the time at the bottom right. Select Internet Time. If the check box is checked, then you probably caught the system when it was doing the update. If not, then you need to figure out what is running at that PID. (note: PID are not static. They'll change for the most part to a different PID each time you startup the system and/or applications).

**dogman** · June 9th, 2005, 07:29 PM

Hey your right!, there is a check to syncronize with an time sever for exactly 11:05AM every day
gosh and the svchost.exe mmmh let me check the log... hang on...
I was think maybe the time update had something to do with the main challenge I started this thread with but I guess not...

Thread: UDP on ports 1026,1027 svchost.exe only sometimes?

Thread Tools

Display

Posting Permissions