ncacn_http/1.0 running on port 1034

RichWhit

I have a Windows Server 2003 Active Directory Domain Controller that has port
1034 open. When you telnet to port 1034 ncacn_http/1.0 is displayed. I have
McAfee running on the server and have run other scans but virus is detected.
This is the only server in my organization that has this port open.

Does anyone know how to remove this open port?
 
Bill Sanderson

I think that you need better help than we can offer here.

Since this is a security issue, you could call Microsoft's PSS
1-866-pcsafety, but I suspect that work on servers is not covered by their
free offering.

I would recommend that you post in a server-oriented group, or a specialized
malware cleaning group or forum.

I'm not sure that this is malware-related, but there's a good chance of
that, I suspect, and a server is too valuable an asset to take chances with.
I don't see this port open on my servers.

Have you done any investigation with, say, netstat (netstat -bn) to see if
you can see what executable is opening the port?
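
ncacn_http is the protocol-sequence name Microsoft RPC uses for RPC over HTTP, so the banner means some RPC server on the box has registered an RPC-over-HTTP endpoint on 1034; the useful question is which process. The script below is an added example, not part of this thread or anyone's post: it joins the output of the two commands an admin would type at cmd on Server 2003, `netstat -ano -p tcp` (the -o column is the owning PID; -b, where available, prints the image name directly) and `tasklist /svc /fo csv`, so that a port resolves to an image and the services hosted inside it. The embedded sample output is constructed for the example and not captured from the poster's domain controller; its PIDs, addresses and process list are assumptions.

```python
"""Map a listening TCP port to its owning process and hosted services.

Joins the output of two commands run on the Windows host:
    netstat -ano -p tcp
    tasklist /svc /fo csv
The sample output below is CONSTRUCTED for this example (assumed PIDs,
addresses and processes), not captured from a real domain controller.
"""
import csv
import io
import re
import subprocess
from typing import Dict, List

# Constructed sample of `netstat -ano -p tcp` on a Windows 2003 box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       500
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       500
  TCP    0.0.0.0:2048           0.0.0.0:0              LISTENING       1337
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:389         192.0.2.55:1147        ESTABLISHED     500
"""

# Constructed sample of `tasklist /svc /fo csv` for the same box.
# PID 1337 is deliberately absent to show how an unmatched PID is reported.
SAMPLE_TASKLIST = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","848","RpcSs"
"lsass.exe","500","kdc,Netlogon,NTDS,PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","1020","Dnscache,LanmanWorkstation"
'''

# Only LISTENING TCP rows matter for "what is open"; ESTABLISHED rows are skipped.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat_listeners(text: str) -> Dict[int, List[dict]]:
    """Return {port: [{'addr': bind address, 'pid': owner}, ...]} for listening sockets."""
    listeners: Dict[int, List[dict]] = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        listeners.setdefault(port, []).append({"addr": addr, "pid": pid})
    return listeners


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Return {pid: {'image': exe name, 'services': [service names]}} from the CSV output."""
    procs: Dict[int, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = int(row["PID"])
        raw = row["Services"]
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        procs[pid] = {"image": row["Image Name"], "services": services}
    return procs


def who_owns_port(port: int, netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join both outputs: each listener on `port` with its image and hosted services.

    A PID that netstat reports but tasklist does not list comes back with
    image None; that mismatch is itself a finding worth chasing.
    """
    listeners = parse_netstat_listeners(netstat_text).get(port, [])
    procs = parse_tasklist_svc(tasklist_text)
    return [
        {"port": port, **entry, **procs.get(entry["pid"], {"image": None, "services": []})}
        for entry in listeners
    ]


def collect_live():
    """Run the two commands on a Windows host and return their raw text."""
    ns = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                        capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"],
                        capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    for owner in who_owns_port(1034, SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(owner)
```

On the server itself, feed the two strings from collect_live() to who_owns_port instead of the samples. Once the port resolves to an image, the next check is which RPC interface registered that ncacn_http endpoint; the RPC endpoint mapper on port 135 lists registered endpoints with their protocol sequence (PortQry can query it), which separates a legitimately hosted RPC-over-HTTP endpoint from a process that has no business listening at all.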
 
Anonymous Bob

RichWhit said:
I have a Windows Server 2003 Active Directory Domain Controller that has port
1034 open. When you telnet to port 1034 ncacn_http/1.0 is displayed. I have
McAfee running on the server and have run other scans but virus is detected.
This is the only server in my organization that has this port open.

Does anyone know how to remove this open port?

Is this any help?
http://archives.neohapsis.com/archives/incidents/2002-03/0037.html
 
Bill Sanderson

That and some similar threads were what leads me to think this needs more
professional help than we are likely to manage here, and quickly.

It isn't conclusive--this is a port running a protocol which enables
traversal of firewalls--which could be innocent, or not...

As far as I can tell this is not a standard feature of Server 2003, but
there's more under the sun than I know about in that regard--I only have
about half a dozen Server 2003's of various variants that I can look at, and
I haven't looked at all of them.

I'd run a variety of rootkit detection apps, I think. I just spent a couple
of days doing that on a workstation in one of my domains because the user
complained that it was unresponsive and I was seeing high CPU usage with no
obvious reason--other nearby workstations with slower CPUs and the same
software load were more responsive.

In the end, I found the problem was an HP printer driver process for a
Laserjet 1022.

Each of the rootkit tools I tried alarmed in various ways, but none of it
panned out--they all had innocent causes. This stuff is NOT ready for the
average user to work with--it is pretty easy to go off the deep end and
think something is wrong when it is not.

I'd recommend Castlecops, bleepingcomputer.com, wilderssecurity--someplace
with experienced folks that know what to look for on a hijackthis log, I
think.
 
