-
June 8th, 2005, 09:11 PM
#1
Junior Member
Process "System:8" opens 400 to 500 listening TCP ports
Hi, my problem is on a Windows 2000 Server machine: the process System, PID 8, opens 400 to 500 listening TCP ports. They start at port 2000 or 3000 or 4000, I think that is pseudo-random, and it does that every 5 seconds. Please help.
-
June 8th, 2005, 09:16 PM
#2
No need to post it twice. You just might need patience. It might be helpful to know what is running on PID 8. Perhaps you could check Task Manager and/or use Process Explorer.
Have you done antivirus scans in safe mode to verify that it's not a worm/trojan? Additionally, have you run (in the command window) netstat -ano to see if there is a remote connection somewhere?
-
June 9th, 2005, 08:47 PM
#3
Junior Member
Oh, so sorry for double posting, I think I posted in the wrong discussion.
OK, now: PID 8 is the process "System".
I'm so tired of scanning my PC with Norton without finding anything.
I use TCPView to know what ports are open on my PC. When the machine has just restarted there is no problem, but wait 20-30 seconds and the problem begins: many, many ports open, close, open, close in about 10 seconds. Sometimes I find connections to remote port 445 from PID 8.
I can stop that with IPsec, but I know that there is something wrong on my PC.
P.S. Sorry for my English, I hope that you can understand.
-
June 9th, 2005, 08:50 PM
#4
Well, this page should give you a little more info on port 445. What is connecting to 445?
-
June 10th, 2005, 12:34 AM
#5
Junior Member
Thanks for that page. The problem is that the connection is from my server to another PC at port 445.
For example:
Process: System:8
Protocol: TCP
Local Address: 0.0.0.0:3220
Remote Address: x.x.x.x:445
Status: Established
Process: System:8
Protocol: TCP
Local Address: 0.0.0.0:2100
Remote Address: 0.0.0.0:0
Status: Listening
where ports 2100 and 3220 can be any port from 1000 to 4000, and x.x.x.x is a real IP address outside my network.
Thanks
-
June 14th, 2005, 05:57 AM
#6
Junior Member
This is what I get from TCPView on my server:
System:8 TCP 0.0.0.0:2773 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2874 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2875 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2876 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2877 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2880 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2881 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2883 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2884 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2885 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2886 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2887 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2888 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2889 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2890 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2891 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2892 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2893 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2894 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2895 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2896 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2897 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2898 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2899 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2900 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2901 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2902 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2903 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2904 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2905 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2906 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2907 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2908 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2909 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2910 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2911 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2912 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2913 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2914 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2915 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2916 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2917 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2918 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2919 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2920 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2921 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2922 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2923 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2924 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2925 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2926 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2927 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2928 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2929 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2930 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2931 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2932 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2933 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2934 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2935 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2936 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2937 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2938 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2939 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2940 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2941 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2942 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2943 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2944 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2945 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2946 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2947 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2948 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2949 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2950 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2951 0.0.0.0:0 LISTENING
System:8 TCP 200.84.198.x:2773 83.46.100.76:445 ESTABLISHED
System:8 TCP 200.84.198.x:2881 82.71.6.93:445 ESTABLISHED
System:8 TCP 200.84.198.x:2882 218.160.98.6:445 ESTABLISHED
System:8 TCP 200.84.198.x:2883 216.19.214.79:445 ESTABLISHED
System:8 TCP 200.84.198.x:2884 84.130.171.45:445 ESTABLISHED
System:8 TCP 200.84.198.x:2886 220.138.46.53:445 ESTABLISHED
That really drives me crazy, please somebody help me.
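The listing above shows two things at once for PID 8: a long run of LISTENING sockets on ephemeral ports, and ESTABLISHED connections whose local end is an ephemeral port and whose remote end is port 445 on an address outside the network, which is the shape of outbound SMB connections. The script below is an added example for this thread, not code posted by anyone in it: it parses socket listings in TCPView's copy/paste format (and, going slightly beyond the post, the `netstat -ano` format suggested in reply #2) and flags any PID that shows both symptoms. The sample input is constructed; the remote addresses are the ones in the post, while the local address 10.0.0.5, the svchost line, the internal file server 10.0.0.20 and the thresholds are assumptions made for the example.

```python
"""Flag worm-style SMB scanning in TCPView or ``netstat -ano`` output.

Added example for this thread; it is not code posted by anyone in it.
"""
import ipaddress
import re
from collections import defaultdict

# "proc:pid TCP laddr:lport raddr:rport STATE"  (TCPView, as in post #6)
TCPVIEW_RE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)$"
)
# "TCP laddr:lport raddr:rport STATE pid"  (netstat -ano; no process name)
NETSTAT_RE = re.compile(
    r"^TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+(?P<raddr>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)$"
)

# Constructed sample in TCPView format. Remote addresses are the ones shown in
# post #6; the local address 10.0.0.5, the svchost line and the connection to
# an internal file server 10.0.0.20 are invented for the example.
TCPVIEW_SAMPLE = """\
System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe:424 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2881 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2883 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2884 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:2886 0.0.0.0:0 LISTENING
System:8 TCP 10.0.0.5:2881 82.71.6.93:445 ESTABLISHED
System:8 TCP 10.0.0.5:2882 218.160.98.6:445 ESTABLISHED
System:8 TCP 10.0.0.5:2883 216.19.214.79:445 ESTABLISHED
System:8 TCP 10.0.0.5:3001 10.0.0.20:445 ESTABLISHED
"""

# A fragment of the same picture as ``netstat -ano`` prints it (constructed).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:2881    0.0.0.0:0         LISTENING    8
  TCP    10.0.0.5:2881   82.71.6.93:445    ESTABLISHED  8
  UDP    0.0.0.0:445     *:*                            8
"""


def parse_sockets(text):
    """Return one dict per TCP line; UDP, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = TCPVIEW_RE.match(line.strip()) or NETSTAT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec.setdefault("proc", None)          # netstat -ano gives no process name
        for key in ("pid", "lport", "rport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_external(ip):
    """True for a routable address: not RFC 1918, loopback, link-local or reserved."""
    return ipaddress.ip_address(ip).is_global


def analyze(records, ephemeral=(1025, 5000)):
    """Per PID: listening ports in the ephemeral range, and external hosts reached on :445.

    1025-5000 is the default dynamic port range on Windows 2000 (MaxUserPort).
    """
    listeners = defaultdict(set)
    targets = defaultdict(set)
    for r in records:
        if r["state"] == "LISTENING" and ephemeral[0] <= r["lport"] <= ephemeral[1]:
            listeners[r["pid"]].add(r["lport"])
        elif r["state"] == "ESTABLISHED" and r["rport"] == 445 and is_external(r["raddr"]):
            targets[r["pid"]].add(r["raddr"])
    return {"ephemeral_listeners": dict(listeners), "external_smb_targets": dict(targets)}


def flag_scanners(report, min_listeners=5, min_targets=3):
    """PIDs showing both symptoms. Thresholds are assumptions; raise them on a busy
    server. The box in post #6 showed 77 ephemeral listeners and 6 targets for PID 8."""
    hits = []
    for pid, hosts in report["external_smb_targets"].items():
        if len(hosts) >= min_targets and len(report["ephemeral_listeners"].get(pid, ())) >= min_listeners:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    report = analyze(parse_sockets(TCPVIEW_SAMPLE))
    for pid in flag_scanners(report):
        print(f"PID {pid}: {len(report['ephemeral_listeners'][pid])} ephemeral listeners, "
              f"outbound SMB to {sorted(report['external_smb_targets'][pid])}")
```

Paste the TCPView or `netstat -ano` output into `TCPVIEW_SAMPLE` (or read it from a file) and run the script; a hit means one PID is both holding a burst of ephemeral listeners and talking SMB to hosts on the internet, which is what you would expect from a host-scanning worm rather than from normal file sharing. Connections to port 445 on private addresses are deliberately ignored so that ordinary access to internal file servers does not trigger it.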
-
June 14th, 2005, 09:14 AM
#7
Without knowing what's running on your system, I'd say it looks like a backdoor or worm (Nimda?) of some type. Don't rely on your AV software to necessarily find this. The first thing I'd do is boot into safe mode and start checking what might be attempting to start. The second thing is to start looking for what is causing the process. A program like Process Explorer can help with this.
You should have a firewall in front of this box and stop it from going out to port 445. When you did your last AV scan, did you do the following: i) make sure it had the latest AV definitions? ii) do it in safe mode?
-
July 10th, 2005, 06:45 AM
#8
Junior Member
Hey, I found something: the problem that I have only begins when a Terminal Server connection starts. I hope that this helps to find what my big problem is. Thanks.
-
July 10th, 2005, 04:51 PM
#9
Is that an outbound or inbound TS connection?
Also, I think Process Explorer is your best bet for solving this. You can dive down into the actions of the System process and find out what exactly it is doing. The information you've given us is too vague to put any real guesses together. With PE, you can come up with a list of what is attached to the System process, which should lead you to the answer.
-
July 11th, 2005, 11:46 AM
#10
Ummm, according to your post, your host is listening for connections on those ports in the 2,000 range. You have a small number of CIFS sessions connected from hosts on the internet.
This should be a no brainer:
1) Patch your system.
2) Check the signature date on your AV scanner. If you are out of date then you're not going to find anything.
3) Check all the usual places in the registry and folders on your system where processes get called to start.
4) If all else fails, throw a sniffer up and see what, if anything, it reveals.