Network Security Incidents

Re: System Idle Process making TCP connections

Subject: Re: System Idle Process making TCP connections
Date: Fri, 7 Jul 2006 19:47:19 -0400
Does TCPView ever show the System Idle Process with any connections in the
LISTENING or ESTABLISHED state?

All of the System Idle Process connections listed are in the TIME_WAIT
state - which most probably means that some other process created the
connection and closed it.  (I'd guess something trying to talk to
spoolsv.exe since it's listening on port 6160.)

Has anyone seen anything like this before?

No, not that many connections in a timed wait state.  But whenever a
connection is closed it moves to the TIME_WAIT state and TCPView says it's
owned by [System Process]:0 on my windoze machine.

HTH,
Lee



John Davison <johndavison@compasseng.com> wrote on 07/07/2006 04:21:50 PM:

I've never seen anything like this before.  After experiencing some really
strange behavior from various applications and a lot of looking around, I
downloaded TCPView from System Internals and found that the System Idle
Process (id 0) is making connections to itself, from source port 6160 to a
series of local ports and keeps incrementing.

Has anyone seen anything like this before?

Here's a TCPView dump.

lsass.exe:676          TCP   0.0.0.0:1043        0.0.0.0:0          LISTENING
RSLINX.EXE:516         TCP   0.0.0.0:2222        0.0.0.0:0          LISTENING
RSLINX.EXE:516         TCP   0.0.0.0:44818       0.0.0.0:0          LISTENING
spoolsv.exe:1272       TCP   0.0.0.0:6160        0.0.0.0:0          LISTENING
svchost.exe:440        TCP   0.0.0.0:3389        0.0.0.0:0          LISTENING
svchost.exe:960        TCP   0.0.0.0:135         0.0.0.0:0          LISTENING
System:4               TCP   0.0.0.0:445         0.0.0.0:0          LISTENING
System:4               TCP   10.1.1.150:139      0.0.0.0:0          LISTENING
System:4               TCP   10.1.1.150:4017     10.1.1.1:139       ESTABLISHED
[System Process]:0     TCP   10.1.1.150:3475     10.1.1.12:445      TIME_WAIT
RSLINX.EXE:516         TCP   10.1.1.150:1071     10.1.1.99:2222     ESTABLISHED
svchost.exe:440        TCP   10.1.1.150:3389     10.1.1.121:1989    ESTABLISHED
svchost.exe:440        TCP   10.1.1.150:3389     10.1.1.134:45843   ESTABLISHED
[System Process]:0     TCP   10.1.1.150:6160     10.1.1.150:3421    TIME_WAIT
[System Process]:0     TCP   10.1.1.150:6160     10.1.1.150:3422    TIME_WAIT
[System Process]:0     TCP   10.1.1.150:6160     10.1.1.150:3423    TIME_WAIT
[System Process]:0     TCP   10.1.1.150:6160     10.1.1.150:3424    TIME_WAIT

   <.. snip ..>
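The check the reply proposes (PID 0 is the normal owner of a TIME_WAIT socket because the real owner has already closed it, but a PID-0 socket in LISTENING or ESTABLISHED would be a genuine anomaly) can be scripted over a TCPView or `netstat -ano` dump. The following is an added example, not code from either poster: it parses the dump format shown in the thread, flags any PID-0 socket in a state that must have a live owner, and for the expected TIME_WAIT entries guesses the former owner by matching the local port against the listeners (which is how the reply arrives at spoolsv.exe on 6160). The sample lines are copied from the dump above; the one ESTABLISHED PID-0 line in `ANOMALY_DUMP` is constructed for illustration and does not come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the TCPView dump quoted in this thread.
SAMPLE_DUMP = """\
spoolsv.exe:1272   TCP   0.0.0.0:6160   0.0.0.0:0   LISTENING
svchost.exe:440   TCP   0.0.0.0:3389   0.0.0.0:0   LISTENING
System:4   TCP   0.0.0.0:445   0.0.0.0:0   LISTENING
System:4   TCP   10.1.1.150:4017   10.1.1.1:139   ESTABLISHED
[System Process]:0   TCP   10.1.1.150:3475   10.1.1.12:445   TIME_WAIT
[System Process]:0   TCP   10.1.1.150:6160   10.1.1.150:3421   TIME_WAIT
[System Process]:0   TCP   10.1.1.150:6160   10.1.1.150:3422   TIME_WAIT
   <.. snip ..>
"""

# Constructed anomaly (NOT from the thread): a PID-0 socket in a live state,
# which is the case the reply says would actually be worth chasing.
ANOMALY_DUMP = SAMPLE_DUMP + (
    "[System Process]:0   TCP   10.1.1.150:1055   10.1.1.77:80   ESTABLISHED\n"
)

# TCPView text format: "<process>:<pid>  <proto>  <local>:<port>  <remote>:<port>  <state>"
# (IPv4 only; bracketed IPv6 addresses would need a different pattern.)
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)

# States in which some process must still hold the socket handle: an owner of
# PID 0 here cannot be explained by "the process closed it and went away".
LIVE_STATES = {"LISTENING", "ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "CLOSE_WAIT"}

# After close() the stack keeps the control block through the teardown states
# with no owning process; TIME_WAIT is the one that lingers long enough to list.
ORPHAN_EXPECTED = {"TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}


def parse_dump(text):
    """Parse TCPView lines into dicts; skips blanks and non-matching lines like '<.. snip ..>'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for k in ("pid", "lport", "rport"):
            d[k] = int(d[k])
        rows.append(d)
    return rows


def triage(rows):
    """Apply the reply's check to every PID-0 socket in the dump."""
    # Local port -> listener that owns it; used to attribute server-side TIME_WAITs.
    listeners = {r["lport"]: f'{r["proc"]}:{r["pid"]}'
                 for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    report = {"suspicious": [], "by_former_owner": defaultdict(int), "unattributed": []}
    for r in rows:
        if r["pid"] != 0:
            continue
        if r["state"] in LIVE_STATES:
            report["suspicious"].append(r)
        elif r["state"] in ORPHAN_EXPECTED:
            # A closed socket whose local port is a listener was the accepted
            # (server) side of a connection to that listener, so that listener
            # is the most likely former owner.
            owner = listeners.get(r["lport"])
            if owner:
                report["by_former_owner"][owner] += 1
            else:
                # Client side: the former owner is gone; only the remote service is known.
                report["unattributed"].append(f'{r["raddr"]}:{r["rport"]}')
    return report


if __name__ == "__main__":
    for name, dump in (("thread dump", SAMPLE_DUMP), ("constructed anomaly", ANOMALY_DUMP)):
        rep = triage(parse_dump(dump))
        print(name, "former owners:", dict(rep["by_former_owner"]),
              "unattributed:", rep["unattributed"])
        for r in rep["suspicious"]:
            print("  SUSPICIOUS: PID 0 socket in", r["state"],
                  f'{r["laddr"]}:{r["lport"]} -> {r["raddr"]}:{r["rport"]}')
```

On the thread's own dump this reports no suspicious entries, two closed loopback connections attributable to spoolsv.exe:1272 (the accepted side of connections to port 6160), and one client-side TIME_WAIT to 10.1.1.12:445 whose former owner cannot be recovered from the snapshot at all; only the constructed ESTABLISHED line trips the check. `netstat -ano` on the same box shows PID 0 for TIME_WAIT sockets for the same reason, so the same rule applies to its output.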

