
Thread: OldSod, I ran a "netstat" on my machine si...

  1. #1
    svasko Guest

    OldSod, I ran a "netstat" on my machine si...

    OldSod,

    I ran a "netstat" on my machine since you reminded me of that command to see the active connections on my own machine. Can you tell me anything about these open connections just by their ports? They are very high ports and it's my thoughts that if there are open ports in that high range this is not good.
    Can you please give me some suggestions on this?

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>netstat

    Active Connections

      Proto  Local Address          Foreign Address               State
      TCP    stephen:1203           localhost:3992                TIME_WAIT
      TCP    stephen:3680           localhost:3996                TIME_WAIT
      TCP    stephen:3985           localhost:3987                TIME_WAIT
      TCP    stephen:3988           localhost:3990                TIME_WAIT
      TCP    stephen:3991           localhost:3993                TIME_WAIT
      TCP    stephen:3994           localhost:3995                TIME_WAIT
      TCP    stephen:3999           localhost:4002                TIME_WAIT
      TCP    stephen:10021          localhost:4009                TIME_WAIT
      TCP    stephen:10021          localhost:4010                TIME_WAIT
      TCP    stephen:4008           mail.b.hostedemail.com:pop3   TIME_WAIT

    Thank you very much,
    Stephen

    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    svasko Guest

    Re: How to determine what program requests svchost service

    Hello psyncho!

    I know what you are attempting to find out in this thread and it is why I popped in to ask a question myself.
    According to ARIN the 198.162 is for "special purposes". It also states it resolves to the servers "BLACKHOLE-1.IANA.ORG", which is of course IANA.
    As I stated, my own personal IP is 192.168.0.1/2.
    The .1 is the gateway for my router with HughesNet and the .2 is my own IP.
    I've been having issues with several of the svchosts as well asking for connections, etc.
    The router supplied by HughesNet does not have a firewall but I do use ZoneAlarm.
    It also does not go into a WAN (wide area network).
    I am connected to a satellite via their modem/router. They use multicast to broadcast out to the internet.
    From what I understand the ports 135-139 are common for attacks and are thus blocked via my ZoneAlarm, as well as port 445.
    I was under the impression that high port numbers 4000-5000 should not be used and are mainly used by outside attackers trying to gain entrance to your machine. But this is beside the point.

    SVCHOSTs show up in my ZoneAlarm under Programs, of course. It does not show what programs are being used by the svchosts, as you stated. I didn't see OldSod's reply to you on how to find out what programs are gaining access via those until after I posted in this thread, so excuse my intrusion.

    I used to have a lot more knowledge of these things but I haven't been in the business for quite some time now; otherwise I wouldn't have "bothered" this thread and would have researched it further on my own as I used to do.
    Thanks for your reply.

  3. #3
    Join Date: Dec 2005, Posts: 9,056

    Re: OldSod, I ran a "netstat" on my machine si...


    <blockquote><hr>svasko wrote:
    OldSod,

    I ran a "netstat" on my machine since you reminded me of that command to see the active connections on my own machine. Can you tell me anything about these open connections just by their ports? They are very high ports and it's my thoughts that if there are open ports in that high range this is not good.
    Can you please give me some suggestions on this?

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>netstat

    Active Connections

      Proto  Local Address          Foreign Address               State
      TCP    stephen:1203           localhost:3992                TIME_WAIT
      TCP    stephen:3680           localhost:3996                TIME_WAIT
      TCP    stephen:3985           localhost:3987                TIME_WAIT
      TCP    stephen:3988           localhost:3990                TIME_WAIT
      TCP    stephen:3991           localhost:3993                TIME_WAIT
      TCP    stephen:3994           localhost:3995                TIME_WAIT
      TCP    stephen:3999           localhost:4002                TIME_WAIT
      TCP    stephen:10021          localhost:4009                TIME_WAIT
      TCP    stephen:10021          localhost:4010                TIME_WAIT
      TCP    stephen:4008           mail.b.hostedemail.com:pop3   TIME_WAIT

    Thank you very much,
    Stephen

    Operating System: Windows XP Pro
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

    <hr></blockquote>


    These addresses are all localhost and are not internet connections. Your pop3 connection is self-evident.
    "TIME_WAIT" means the connections were once established and are not presently active, just basically waiting.
    Nor are the ports to be considered "unusually high".
    All of the remote ports are still under 5000.
    You should not be concerned about normal and usual connections - and these connections listed are very normal and usual.

    Oldsod.
    Best regards.
    oldsod

  4. #4
    Join Date: Dec 2005, Posts: 9,056

    Re: How to determine what program requests svchost service

    <blockquote><hr>svasko wrote:
    Hello psyncho!

    I know what you are attempting to find out in this thread and it is why I popped in to ask a question myself.
    According to ARIN the 198.162 is for "special purposes". It also states it resolves to the servers "BLACKHOLE-1.IANA.ORG", which is of course IANA.
    As I stated, my own personal IP is 192.168.0.1/2.
    The .1 is the gateway for my router with HughesNet and the .2 is my own IP.
    I've been having issues with several of the svchosts as well asking for connections, etc.
    The router supplied by HughesNet does not have a firewall but I do use ZoneAlarm.
    It also does not go into a WAN (wide area network).
    I am connected to a satellite via their modem/router. They use multicast to broadcast out to the internet.
    From what I understand the ports 135-139 are common for attacks and are thus blocked via my ZoneAlarm, as well as port 445.
    I was under the impression that high port numbers 4000-5000 should not be used and are mainly used by outside attackers trying to gain entrance to your machine. But this is beside the point.

    SVCHOSTs show up in my ZoneAlarm under Programs, of course. It does not show what programs are being used by the svchosts, as you stated. I didn't see OldSod's reply to you on how to find out what programs are gaining access via those until after I posted in this thread, so excuse my intrusion.

    I used to have a lot more knowledge of these things but I haven't been in the business for quite some time now; otherwise I wouldn't have "bothered" this thread and would have researched it further on my own as I used to do.
    Thanks for your reply.
    <hr></blockquote>
    ARIN is NOT a knowledge base!
    Do not refer to ARIN for details of the general internet and networking!
    IANA is the knowledge base!

    IANA will show that 192.168.0.0/16 is reserved for Private-Use Networks [RFC1918].
    And this range of 192.168.0.0-192.168.255.255 is NOT PUBLIC addressing, just private address use.
    Your addresses of 192.168.0.1 and 192.168.0.2 are not an issue for security by any means or in any shape or form.

    "I've been having issues with several of the svchosts as well asking for connections, etc."
    What connections? If this is the issue, then why did you not list these events? Connections to the DHCP and DNS by the svchost.exe are very normal, and its accepting incoming connections from these is also very normal (read further for a quick explanation).
    You should definitely make sure the DHCP and the DNS are listed as trusted in the zones of the ZA and that the svchost.exe not only has trusted and internet access but also the trusted server rights.

    "The router supplied by HughesNet does not have a firewall but I do use ZoneAlarm."
    Many people would consider a router's NAT to be a firewall. It may even have SPI enabled, if you had checked.

    "From what I understand the ports of 135-139 are common for attacks and are thus blocked via my ZoneAlarm as well as port 445."
    Are you concerned about open ports in your router or in your firewall? Most routers do not have these ports opened and some modems will. It all depends on the hardware, setups and situations.
    How did you determine these specific ports are at risk - did you port scan these ports and verify the IP getting tested?
    These specific ports are stealthed and closed to the Internet Zone by the ZA, as well as the other 1-65535 ports on your computer, so I really see no real reason to be concerned or alarmed.

    "They use Multicast to broadcast out to the internet."
    No they do not. They will only MAYBE broadcast and ping to your own provider's network and not to the internet. The multicast and broadcast, if it is actually happening at all, will still not be able to go further than your own provider's network. And your provider's network is not the actual internet, as it is "off" the internet and is itself seen as another private network. You may be pinging a site or DNS if the internet web site is unavailable, but this is in no manner a security risk.
    Multicast and broadcast are in fact only occurring on your LAN.
    The only situation where multicast and broadcast will be seen carried over the internet, if it can actually be called that, is if there is a VPN connection established, and in this case these would not be carried over the internet to random servers, but to the secondary local area network of the established connection.

    "I was under the impression that High port numbers 4000-5000 should not be used and are mainly used by outside attackers trying to gain entrance to your machine. But this is besides the point."
    You are messing things up and using invalid information.
    It is not usual to see these ports used as the source port for outgoing external connections. In fact do not be surprised to see 1024-5000 as the usual source ports for establishing outgoing internet (not your local internal localhost) connections for the usual http, https and pop3 connections. It is the remote ports, if seen as unusual, that should be of concern.
    Especially important are incoming internet connections to ports not normally used for the usual http, https and pop3 connections.
    Usually the correct DHCP connections use the computer's own port 68 (bootpc or dhcp client as defined by the ZA) and the DHCP server's (your own router in your situation) port 67 (bootps or dhcp as defined by the ZA) - and this is two-way traffic with open ports for each. By UDP only - TCP should not be involved.
    Usually the DNS connections are to the DNS server's remote port 53, by UDP, from ANY of your computer's source ports (1-65535). And again this is two-way traffic with open ports for both.

    The usual outgoing http and https traffic will use 1024-5000 as the source ports of your computer to the destination ports of the remote http (port 80 by TCP) and the remote https (port 443 by TCP).
    The returned incoming traffic sent by the remote server/web site will be seen as using the remote ports of 1024-5000 to the destination ports of port 80 (for http) and port 443 (for https) of your own computer.
    But do not be surprised if the remote ports used to send the return traffic to your http and https ports are not only from the usual 1020-5000 port range, but from the entire Registered Ports (1024-49151) range.

    "SVCHOSTS show up in my ZoneAlarm under Programs of course. It does not show what programs are being used by the svchosts as you stated. I didn't see OldSod's reply to you on how to find out what programs are gaining access via those until after I posted in this thread so excuse my intrusion."

    The function of the svchost.exe is determined strictly by the services and daemons which are involved or active on your own Windows operating system.

    "I used to have a lot more knowledge of these things but I haven't been in the business for quite some time now otherwise I wouldn't have "bothered" this thread and would have researched it further on my own as I used to do."
    The internet has not changed in years, basically since its inception. No major changes or events have happened in years, so your previous knowledge is still valid. But perhaps you forgot many things or have not fully thought it out properly and from your newer perspective.
    These will be valid until IPv6 is introduced - and even then much of the previous IPv4 procedures and methods will be carried over to the new IPv6, albeit with some new ideas and changes introduced by IPv6.

    Best regards.
    Oldsod.

    Message Edited by Oldsod on 10-30-2008 01:43 PM
    Best regards.
    oldsod
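    As an added example (not from the thread, from OldSod, or from ZoneAlarm), the Python below parses a Windows XP netstat listing like the one posted in #1 and applies the triage spelled out in replies #3 and #4: a loopback peer is not an internet connection, TIME_WAIT is a finished connection that is merely waiting, and a local port in the XP dynamic range talking to a usual remote service port (http, https, pop3, DNS) is ordinary client traffic; anything else is only marked for review, not declared hostile. The sample listing is constructed; its last two rows use RFC 5737 documentation addresses, and the 1025-5000 dynamic range is Windows XP's default.

```python
import ipaddress
# Constructed sample modelled on the listing posted in the thread; the last two
# rows are added (RFC 5737 documentation addresses) to exercise non-loopback cases.
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address    Foreign Address               State
  TCP    stephen:1203     localhost:3992                TIME_WAIT
  TCP    stephen:10021    localhost:4009                TIME_WAIT
  TCP    stephen:4008     mail.b.hostedemail.com:pop3   TIME_WAIT
  TCP    stephen:1045     203.0.113.10:http             ESTABLISHED
  TCP    stephen:135      198.51.100.7:2048             ESTABLISHED
"""

SERVICE_PORTS = {"http": 80, "https": 443, "pop3": 110, "domain": 53}  # names netstat prints
USUAL_REMOTE = set(SERVICE_PORTS.values())   # usual client destinations named in the thread
EPHEMERAL_XP = range(1025, 5001)             # Windows XP default dynamic source-port range

def _port(p):
    # netstat shows well-known ports by service name; map them back to numbers
    return int(p) if p.isdigit() else SERVICE_PORTS.get(p.lower(), -1)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                                   # banner, header or blank line
        lport = f[1].rsplit(":", 1)[1]
        rhost, rport = f[2].rsplit(":", 1)
        rows.append((f[0], _port(lport), rhost, _port(rport), f[3] if len(f) > 3 else ""))
    return rows

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                                 # a hostname, not a literal address
        return host.lower() == "localhost"

def classify(local_port, remote_host, remote_port):
    if is_loopback(remote_host):
        return "loopback"           # both ends on this machine: not an internet connection
    if local_port in EPHEMERAL_XP and remote_port in USUAL_REMOTE:
        return "client-to-service"  # our dynamic port to http/https/pop3/dns: expected
    return "review"                 # peer reached a fixed local port, or an unusual remote port

def triage(text):
    """Return (local_port, remote_host, state, label); TIME_WAIT rows are finished connections."""
    return [(lp, rh, st, classify(lp, rh, rp)) for _, lp, rh, rp, st in parse_netstat(text)]
```

    Run against the listing in #1, every row comes back "loopback" except the pop3 one, which is "client-to-service" in TIME_WAIT, matching OldSod's reading.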

  5. #5
    svasko Guest

    Re: How to determine what program requests svchost service

    Yes, I know ARIN is not a Knowledge Base and I don't use it as such. I use it only as a means to find out where (outside) connections that are asking for connections to my machine are coming from. I use only actual Knowledge Bases to find out other issues and I thought I made that clear, but apparently not.
    NAT is available on this router and I did check, thank you very much.
    I've never heard of NAT being used as a firewall of sorts.
    If I had known I would be attacked just for asking a simple question I wouldn't have bothered either of you high and mighty guys. I won't bother asking any further questions of you.
    I had held you in high regard since I watch your answers to people all the time, and if I had known you would just be a smart alec to people who just ask something I wouldn't have bothered.
    I thought you were better than that, OldSod.
    I'll sit out and not bother again. Funny that these boards are supposed to be used to get assistance and answers but not a bunch of guff just for asking something.
    Don't assume I know nothing.
    Later, Dragon

  6. #6
    Join Date: Dec 2005, Posts: 9,056

    Re: How to determine what program requests svchost service

    <blockquote><hr>svasko wrote:
    Yes, I know ARIN is not a Knowledge Base and I don't use it as such. I use it only as a means to find out where (outside) connections that are asking for connections to my machine are coming from. I use only actual Knowledge Bases to find out other issues and I thought I made that clear, but apparently not.
    NAT is available on this router and I did check, thank you very much.
    I've never heard of NAT being used as a firewall of sorts.
    If I had known I would be attacked just for asking a simple question I wouldn't have bothered either of you high and mighty guys. I won't bother asking any further questions of you.
    I had held you in high regard since I watch your answers to people all the time, and if I had known you would just be a smart alec to people who just ask something I wouldn't have bothered.
    I thought you were better than that, OldSod.
    I'll sit out and not bother again. Funny that these boards are supposed to be used to get assistance and answers but not a bunch of guff just for asking something.
    Don't assume I know nothing.
    Later, Dragon
    <hr></blockquote>
    Things do seem contradictory.
    Checking your previous posts shows this one

    http://forum.zonelabs.org/zonelabs/b...ssage.id=20028

    from a year ago...

    http://forum.zonelabs.org/zonelabs/b...d=18552#M18552

    It does seem to be the same recurring theme.
    What should one make of it?
    Plus constant hijacking of other users' threads and expecting to be treated as though you started your own thread?
    If you feel I mistreated you, understand I held back.
    You can always report abuse to the Moderator and make a complaint.
    You got answers, and very good ones at that - if you feel that is "guff" as you call it, then I cannot help any further.

    NAT alone will prevent almost every unwanted inbound connection. Usually routers are referred to as a hardware firewall. For a good reason.

    Oldsod.

    Message Edited by Oldsod on 10-31-2008 10:15 AM
    Best regards.
    oldsod
