I got an excess of port 135 traffic on my XP SP1 box with the latest update applied.
I have the latest avast! and Grisoft antivirus and the latest PestPatrol and Spybot Search & Destroy. No infection is detected.
I had to stop 135 TCP traffic using an advanced rule on my Sygate firewall. When the rule is disabled the box starts to connect to other IPs on the net.
I also tried to sniff the connections.
Port 135 is used by DCE endpoint resolution as well as msblast. www.sysinternals.com has a utility that can show you what file/application is using what. See if that can tell you what is using the port.
Both Tcpview and Fport report that port 135 epmap is used by:
C:\WINDOWS\system32\svchost.exe
command line: C:\WINDOWS\system32\svchost -k rpcss
version: 5.01.2600.0000
Nevertheless, as soon as I remove the port 135 block rule on my firewall,
I notice dozens of connections from my PC to the outside world.
Any suggestions? Can I monitor and report something else?
Thank you in advance.
This is just less than 20 sec after disabling the rule:
Connessioni attive
Proto Indirizzo locale Indirizzo esterno Stato
TCP 82.51.43.191:135 82.48.91.129:3419 ESTABLISHED
TCP 82.51.43.191:135 82.51.22.4:3031 ESTABLISHED
TCP 82.51.43.191:135 82.51.44.56:1743 ESTABLISHED
TCP 82.51.43.191:135 82.51.49.10:4351 ESTABLISHED
TCP 82.51.43.191:135 82.51.59.116:3929 ESTABLISHED
TCP 82.51.43.191:135 82.51.60.70:3225 ESTABLISHED
TCP 82.51.43.191:135 82.51.73.40:2744 ESTABLISHED
TCP 82.51.43.191:135 82.51.95.247:2783 ESTABLISHED
TCP 82.51.43.191:135 82.51.112.23:3877 ESTABLISHED
TCP 82.51.43.191:135 82.51.160.99:3074 ESTABLISHED
TCP 82.51.43.191:135 82.51.166.219:1647 ESTABLISHED
Logfile of HijackThis v1.97.7
Scan saved at 15.50.38, on 23/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Programmi\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Network Associates\PGP for Windows 2000\PGPtray.exe
C:\Programmi\InstallShield Software Corporation\802.11b Wireless Lan Utility\RtlWake.exe
C:\WINDOWS\COMMAND\putty.exe
C:\Programmi\RealVNC\vncviewer.exe
C:\Programmi\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Documents and Settings\xxx\Desktop\Fport-2.0\procexp.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\Tcpview.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Grisoft\AVG6\avgw.exe
C:\WINDOWS\COMMAND\putty.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\rasphone.exe
C:\Documents and Settings\xxx\Desktop\Fport-2.0\HijackThis.exe
It is near the area where I'm located.
And yes, I know I have PGPnet and VNC. I have used them both for a long time (5 years or so).
Neither avast, nor AVG, nor Trend Micro's online scanner HouseCall is able to detect an infection. I will use another scanner and read your report.
If someone else has any suggestion, you are welcome.
In that list of connections I see port numbers that are not in the IANA port list, which always makes me suspicious of them. See if you can find out what is using the unknown port numbers.
Removing the 135 rule on INCOMING and OUTBOUND traffic, my Sygate firewall found this:
File Version : 5.1.2600.0 (xpclient.010817-1148)
File Description : Generic Host Process for Win32 Services (svchost.exe)
File Path : C:\WINDOWS\SYSTEM32\svchost.exe
Process ID : 0x384 (Heximal) 900 (Decimal)
Connection origin : remote initiated
Protocol : TCP
Local Address : 82.49.62.250
Local Port : 135 (EPMAP - Location service - Dynamically assign ports for RPC)
Remote Name :
Remote Address : 82.49.206.227
Remote Port : 4280
Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: 68-7a-72-02-00-00
Source: f0-ed-20-00-03-00
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 123
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0xccd5 (Correct)
Source: 82.49.206.227
Destination: 82.49.62.250
Transmission Control Protocol (TCP)
Source port: 4285
Destination port: 135
Sequence number: 3953400007
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x37bb (Correct)
Data (0 Bytes)
Under “Indirizzo esterno” you see the connections, like 82.51.160.99:3074.
That means you are connected to 82.51.160.99 using port 3074; check what these connections are and what the ports are normally used for.
Here is what my personal port database has on them, perhaps it helps. Of course, it doesn’t mean that no other (harmful?) applications can use or are using those ports.
Result for port 3419 = Isogon SoftAudit
Result for port 3031 = Remote AppleEvents/PPC Toolbox : MyDoom.B@mm : MicroSpy
Result for port 1743 = Cinema Graphics License Manager
Result for port 4351 = PLCY Net Services
Result for port 3929 = AMS Port
Result for port 3225 = FCIP
Result for port 2744 = honyaku
Result for port 2783 = AISES
Result for port 3877 = XMPCR Interface Port
Result for port 3074 = Xbox game port
Result for port 1647 = tcp rsap
Some ideas:
Remove the firewall and reinstall. Close ALL ports and open manually only those that are really needed to make the system work. While doing this, create a list (application, tcp/udp, port number) so you can see for future reference what is using what and what is needed.
Close all those ports and see if there is an application that stops working correctly.
No antivirus (avast, Norton, AVG, online scanner) is able to find a virus.
As soon as I remove my firewall rule blocking incoming and outgoing traffic, I get a bunch of traffic such as:
netstat -n
Connessioni attive
Proto Indirizzo locale Indirizzo esterno Stato
TCP 82.49.63.42:445 4.4.211.199:2136 ESTABLISHED
TCP 82.49.63.42:445 62.39.240.5:3730 ESTABLISHED
TCP 82.49.63.42:445 68.163.200.94:3250 ESTABLISHED
TCP 82.49.63.42:445 68.190.253.120:3757 ESTABLISHED
TCP 82.49.63.42:445 145.254.127.2:4224 SYN_RECEIVED
TCP 82.49.63.42:445 200.150.245.74:2314 ESTABLISHED
TCP 82.49.63.42:445 208.133.141.179:4284 ESTABLISHED
TCP 82.49.63.42:445 213.254.72.164:1750 ESTABLISHED
TCP 127.0.0.1:4274 127.0.0.1:4275 ESTABLISHED
TCP 127.0.0.1:4275 127.0.0.1:4274 ESTABLISHED
Let’s see if I can explain the things I want (English ain’t my native language) :-\
We are talking here about data traffic. Data traffic can be incoming and outgoing. Most applications use them both, e.g. a browser. You want to open a webpage, so the browser sends data (outgoing); when the requested page (site) is found, it sends you the page (incoming). Nothing wrong with that, but the same goes for all applications. So in order to find out if something is normal or not you need to know (find out) what application is causing the traffic, where it goes to and where it comes from and (if possible) what traffic it is, e.g. what the data content is.
At this point, I think we better start from scratch since I got the impression you don’t know much about computers and how everything is working (no offense!)
visit one of my webpages (click on the link in my signature)
get/install the applications mentioned there
Update them
terminate the internet connection (unplug the cable)
run them (after doing so your system will be clean of viruses, spy-/adware and such)
Clean/remove all harmful things they find
Reboot
remove the firewall
reboot
install the firewall
plug back in to the internet
if the firewall asks if something is allowed, find out what exactly it is that is asking permission before saying yes/no
If you follow these steps, all traffic that still takes place should be ‘normal’ (not harmful). I know I am asking a lot, but I truly believe this is what you should do at this point.
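Added example, not code posted by anyone in this thread: a small Python script that parses `netstat -n` output in the layout shown above (Italian XP headers included), guesses from the port pair which side opened each connection, and flags a local service port that many distinct remote hosts are connected to at once. That is the pattern behind the port 135 and 445 listings earlier in the thread, and it is the check the replies ask for: what the connections are, which direction they go, and what the port at the service end is. The sample netstat text is constructed from the thread's format; the service-port names and the XP ephemeral client range 1025-5000 are standard values; the threshold of three peers is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the thread's `netstat -n` output
# (Italian Windows XP headers). Addresses are modelled on the thread's listing.
SAMPLE_NETSTAT = """\
Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno      Stato
  TCP    82.49.63.42:445        4.4.211.199:2136       ESTABLISHED
  TCP    82.49.63.42:445        62.39.240.5:3730       ESTABLISHED
  TCP    82.49.63.42:445        145.254.127.2:4224     SYN_RECEIVED
  TCP    82.49.63.42:445        213.254.72.164:1750    ESTABLISHED
  TCP    82.49.63.42:135        82.51.160.99:3074      ESTABLISHED
  TCP    82.49.63.42:3912       64.233.160.1:80        ESTABLISHED
  TCP    127.0.0.1:4274         127.0.0.1:4275         ESTABLISHED
"""

# Service ports that matter in this thread, with their IANA names.
SERVICE_PORTS = {
    80: "http",
    135: "epmap (RPC endpoint mapper)",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB over TCP)",
}

# Windows XP hands client sockets a port from 1025-5000, so a *remote* port in
# that range is an ephemeral client port, not a service with a meaningful name.
EPHEMERAL_RANGE = range(1025, 5001)

# TCP lines only; UDP lines show "*:*" as the remote end and are skipped.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return one dict per TCP line; headers and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({
            "proto": proto,
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport),
            "state": state or "",
        })
    return conns


def direction(conn):
    """Guess who opened the connection from the port pair.

    A service port on our side and an ephemeral port on the remote side means
    the remote host connected to us ("inbound"); the reverse is "outbound".
    """
    if conn["laddr"].startswith("127.") and conn["raddr"].startswith("127."):
        return "local"
    local_is_service = conn["lport"] in SERVICE_PORTS or conn["lport"] < 1024
    remote_is_service = conn["rport"] in SERVICE_PORTS or conn["rport"] < 1024
    if local_is_service and conn["rport"] in EPHEMERAL_RANGE:
        return "inbound"
    if remote_is_service and conn["lport"] in EPHEMERAL_RANGE:
        return "outbound"
    return "unknown"


def inbound_peers_by_port(conns):
    """Map each locally exposed service port to the set of remote hosts on it."""
    peers = defaultdict(set)
    for c in conns:
        if direction(c) == "inbound":
            peers[c["lport"]].add(c["raddr"])
    return dict(peers)


def flag_exposed_services(conns, threshold=3):
    """Service ports with at least `threshold` distinct remote peers.

    Many unrelated Internet hosts all connected to 135 or 445 on a home PC is
    the pattern in the thread: scanning traffic reaching an exposed service,
    not connections the PC itself asked for.
    """
    return {
        port: sorted(hosts)
        for port, hosts in inbound_peers_by_port(conns).items()
        if len(hosts) >= threshold
    }


def describe(conn):
    """One readable line per connection, naming only the service end."""
    d = direction(conn)
    if d == "inbound":
        svc = SERVICE_PORTS.get(conn["lport"], "port %d" % conn["lport"])
        return "%s -> us:%d (%s) %s" % (conn["raddr"], conn["lport"], svc, conn["state"])
    if d == "outbound":
        svc = SERVICE_PORTS.get(conn["rport"], "port %d" % conn["rport"])
        return "us -> %s:%d (%s) %s" % (conn["raddr"], conn["rport"], svc, conn["state"])
    return "%s:%d <-> %s:%d (%s)" % (conn["laddr"], conn["lport"],
                                     conn["raddr"], conn["rport"], d)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in conns:
        print(describe(c))
    for port, hosts in flag_exposed_services(conns).items():
        print("WARNING: %d distinct hosts connected to local port %d (%s)"
              % (len(hosts), port, SERVICE_PORTS.get(port, "?")))
```

Pipe real output in with `netstat -n | python netstat_check.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`. The script deliberately names only the service end: the remote port numbers in the thread's listings (3074, 4280 and so on) fall in the XP ephemeral range, so looking them up in a port list says nothing about the remote program. Once it reports the exposed local port, TCPView or Fport (already used in the thread) show which process owns it, which is the last piece the replies ask for.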