
heavy traffic on port 1025

 
 
Erwin Michiels
Guest
Posts: n/a
 
      31st Jul 2004
Many people seem to have noticed heavy traffic on port 1025. This traffic is caused by the task scheduler service hosted by svchost.exe. This service opens port 1025 by default. There are two ways to block this traffic:

1) disable task scheduler service and reboot; be aware it is possible that prefetch, system restore and bootvis won't work properly anymore;

2) deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535; you can use a firewall like Agnitum Outpost 1.0 (freeware) to configure your system this way ( http://www.agnitum.com/download/outpost1.html ).

To exploit task scheduler listening on port 1025, you can even download a tool from the net: remoxec from http://www.securityfriday.com/tools/Remoxec.html . This probably explains the number of scans of port 1025.
 
 
 
 
 
Star Fleet Admiral Q
Guest
Posts: n/a
 
      31st Jul 2004
Question - if task scheduler is using port 1025, then why are you
telling everyone to block all the other ports 1024 and 1026-65535?
They may have other important applications running on those ports and
what you've told them just broke them - and yes, most people on these
groups are not "tech savvy" so next there will be a post "My
such-n-such all of a sudden quit working" - be mindful of your audience
when suggesting.

--

Star Fleet Admiral Q @ your service
 
 
 
 
Doug Knox MS-MVP
Guest
Posts: n/a
 
      31st Jul 2004
I don't see why, if he's one of these experiencing this issue, he doesn't use

NETSTAT -A -B

To see what program is trying to access port 1025. It may be task scheduler, but I doubt it. Probably something that's running as a task.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

 
Erwin Michiels
Guest
Posts: n/a
 
      31st Jul 2004
Please read carefully: "deny inbound traffic for svchost.exe using TCP on the local ports 1024-65535", this means ONLY for svchost.exe using TCP on the local ports 1024-65535; maybe I didn't emphasize this enough. As said you can do this using a firewall like Agnitum Outpost 1.0 (freeware).

I suggested the whole range of ports above 1024, because svchost.exe USUALLY runs on 1025, but actually it uses the first free port above 1024 when booting. So that can be another port also.

Sir, @ your service, sir.

 
Erwin Michiels
Guest
Posts: n/a
 
      31st Jul 2004
I'm very positive it is task scheduler listening on TCP port 1025. I used Process Explorer (freeware: http://www.sysinternals.com ) to determine this:
1) search for the instance of svchost.exe listening on port 1025 (right-click the instance/properties/tab "TCP/IP");
2) if you found the instance, look on the tab "services" which services are running under this instance; disable the services one by one: if svchost.exe stops listening, you've got the right one; the only tricky part is that you have to reboot each time you disable a service, otherwise svchost.exe keeps listening.
Other sources also agree it's task scheduler listening on TCP port 1025, for instance http://snakefoot.fateback.com/tweak/...vice/stuv.html . If you google for "xp listening 1025" you'll find more sources confirming this.

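An added example, not part of any post in this thread: the port-to-service lookup the posters do with NETSTAT and Process Explorer, written for PowerShell on current Windows. The function name Get-ListenerOwner and its parameters are hypothetical, and Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so this does not run on the XP systems the thread is about.

```powershell
# Added example: map listening TCP ports to the owning process and,
# for shared svchost.exe instances, to the services hosted in that process.
# Get-ListenerOwner is a hypothetical helper name, not a built-in cmdlet.

function Get-ListenerOwner {
    param(
        [int]$MinPort = 1025,   # 1025 is the port discussed in the thread
        [int]$MaxPort = 1025
    )

    # Index running services by hosting PID once; one svchost.exe hosts several.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $procId = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
            $servicesByPid[$procId] += $_.Name
        }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -ge $MinPort -and $_.LocalPort -le $MaxPort } |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $procId = [int]$_.OwningProcess
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $procId
                Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Services     = ($servicesByPid[$procId] -join ', ')
            }
        }
}

# Which process and services own the listener on port 1025 right now?
Get-ListenerOwner | Format-Table -AutoSize

# Every listener that a "svchost.exe, TCP, local ports 1024-65535" inbound
# rule would cover, so the impact is known before the rule is applied.
Get-ListenerOwner -MinPort 1024 -MaxPort 65535 |
    Where-Object { $_.Process -eq 'svchost' } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts resolve to a name instead of '<exited>'.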
 
Star Fleet Admiral Q
Guest
Posts: n/a
 
      31st Jul 2004
Doug,
The point I was making, he said to blanket close all ports above
1024 - the respected audience if following these instructions,
especially on a networked PC (Home network reference say with a
standalone network printer and/or a few Linux machines), the user
may/may not relate closing the ports to say a database connection to
a MySQL database on another PC quit working, I believe 1040 is used
there, at least mine does, also, I have several other svchost services
running on other ports such as 1034, 1042, etc - which have nothing to
do with "Task Scheduler", which if disabled, completely prevents
connections to VNC hosts on my home network, and access to my
standalone network HP Printer on the router - and many of these
readers have hired people to come set up these home networks and now
they are going to have to pay to have someone fix it - all because
they blindly followed - close all ports above 1024 - true they
shouldn't blindly follow instructions they don't understand, but if
they did that, most of us would be out of a job :-)

--

Star Fleet Admiral Q @ your service
 
Doug Knox MS-MVP
Guest
Posts: n/a
 
      31st Jul 2004
<G> I see what you're saying, and I agree.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

 
 
 