I'm not familiar with PASV FTP, but I do know that using XP and a dial-up ISP,
port 1025 will show listening and is required to be able to connect to the
Internet.
dlc said:
Yes, that is the exact reason why I am researching and reading this board.
Which by the way is a wealth of knowledge. Yes, port Generic Host services
is listening on port 1025, 3031 and 3032. I have seen this in Zone Alarm for
a week now. I do not know what to do about it. I do not see any FTP but I do
see a lot of srvhost processes using random ports and also msmger. I
installed a program called active ports and it gives you realtime port
connections. It also allows you to terminate them. Which when I do, I just
see those processes come back under another port. I am perplexed!

1025. On this port svchost.exe is listening (TCP). These attackers manage
somehow to establish an incoming connection on this port using PASV FTP.
Luckily I deny inbound traffic for svchost.exe if it's using PASV FTP. In my
firewall log I can see these attackers have rather exotic IPs such as
220.168.167.245 (CHINANET HUNAN PROVINCE NETWORK) and 219.145.23.169
(CHINANET SHANXI PROVINCE NETWORK). I suggest if someone notices similar
inbound traffic on local port 1025 to report it here. It could be that
there's someone out there exploiting a system vulnerability.