Somebody Know This, Please Explain!

Ben

Hi,
I am using "Active Ports" to monitor the access from/to my Win 2000 Pro.
I got the following report - it is kind of something abnormal to my
computer:

Process: TCP svchost.exe
PID : 472
Local IP: 192.167.1.5
Local Port: 2572
Remote IP : 67.114.XX.XX
Remote Port: 80
State : CLOSE_WAIT
Protocol : TCP
Path : C:\WINNT\System32\svchost.exe

+What is svchost.exe for?
+In this case, what is this process doing?
+What does the State CLOSE_WAIT mean? There must be some state that was passed
through before ending up with this state?
+Which request will cause the svchost.exe to open the port 2572? Or is it
normally open? How can the remote be able to gain this access?

It could be too much to answer, but I guess there is a main answer to
these questions.
Please explain to me. It may clear my concern.

Very appreciated and thanks in advance,

Ben
David Robbins

svchost is a generic process for services run from a dll. to find out what
it was you might try to browse to the ip address that it was connected to
and see what it was. it could be something like the windows update site, an
antivirus auto update download site, or even a spy site for some malware
installed on your system... there is no way to tell from what you supplied.

this connection was made FROM your machine TO port 80 on 67.114.xx.xx which
would be a normal web server type of connection. the local port number in
this case doesn't really mean anything, typically when making an outgoing
connection a program will request to open a connection from the tcp/ip stack
and just get assigned the next sequential free port, so you can't really
close that port since it is a one time use only in most cases.

close_wait means that the connection is done transferring data and is just
waiting for the tcp connection to finish closing.
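To make the reply's reasoning checkable, here is a small triage helper, added as an example and not part of the thread: it parses an "Active Ports"-style record like the one in the question, decides the direction of the connection from the port numbers (local ephemeral port to a remote service port means the connection was opened from the local machine), explains the TCP state, and flags an svchost.exe that is not running from the System32 directory. The record format, the ephemeral-port threshold of 1024 and the sample record (with the masked IP from the post) are assumptions of this example.

```python
"""Triage helper for 'Active Ports'-style connection records (added example)."""
import re
from dataclasses import dataclass

# Constructed sample record, modelled on the one in the question (IP masked as in the post).
SAMPLE_RECORD = """\
Process: TCP svchost.exe
PID : 472
Local IP: 192.167.1.5
Local Port: 2572
Remote IP : 67.114.XX.XX
Remote Port: 80
State : CLOSE_WAIT
Protocol : TCP
Path : C:\\WINNT\\System32\\svchost.exe
"""

# What each TCP state says about who has closed so far (from the TCP state machine).
STATE_NOTES = {
    "ESTABLISHED": "data can flow in both directions",
    "CLOSE_WAIT": "remote side sent FIN; the local process has not yet closed its socket",
    "FIN_WAIT_1": "local side sent FIN, waiting for the remote ACK",
    "FIN_WAIT_2": "local FIN acknowledged, waiting for the remote FIN",
    "TIME_WAIT": "both sides closed; the stack holds the port briefly to drain stray segments",
    "LISTEN": "local socket is waiting for inbound connections",
}

# Assumption: ports at or above 1024 are treated as client-side (ephemeral) ports,
# which is where Windows 2000 allocates outgoing connections from.
EPHEMERAL_MIN = 1024


@dataclass
class ConnRecord:
    process: str
    pid: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    protocol: str
    path: str


# "Key : Value" where the key is letters/spaces only, so the first colon is the separator
# even when the value itself contains one (e.g. a Windows path).
_LINE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_record(text: str) -> ConnRecord:
    """Parse the key/value lines of one record; keys are normalised to lower case."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    # "Process: TCP svchost.exe" carries the protocol as a prefix; keep only the image name.
    process = fields["process"].split()[-1]
    return ConnRecord(
        process=process,
        pid=int(fields["pid"]),
        local_ip=fields["local ip"],
        local_port=int(fields["local port"]),
        remote_ip=fields["remote ip"],
        remote_port=int(fields["remote port"]),
        state=fields["state"].upper(),
        protocol=fields["protocol"].upper(),
        path=fields["path"],
    )


def direction(rec: ConnRecord) -> str:
    """Outbound if the remote end is a service port and the local end is ephemeral."""
    if rec.state == "LISTEN":
        return "listening"
    if rec.local_port >= EPHEMERAL_MIN and rec.remote_port < EPHEMERAL_MIN:
        return "outbound"
    if rec.remote_port >= EPHEMERAL_MIN and rec.local_port < EPHEMERAL_MIN:
        return "inbound"
    return "unknown"


def triage(rec: ConnRecord) -> list:
    """Return plain-language findings a defender would want for one connection record."""
    notes = [f"direction: {direction(rec)} ({rec.protocol} to remote port {rec.remote_port})"]
    notes.append(f"state {rec.state}: {STATE_NOTES.get(rec.state, 'not in table')}")
    if rec.process.lower() == "svchost.exe":
        # svchost.exe only hosts DLL-based services; the real owner is a service inside this PID.
        notes.append(f"svchost.exe hosts services; resolve PID {rec.pid} to the services it runs")
        # The genuine image lives in the system directory; any other location needs a look.
        if not re.search(r"\\system32\\svchost\.exe$", rec.path, re.IGNORECASE):
            notes.append(f"WARNING: svchost.exe running from unexpected path {rec.path}")
    if direction(rec) == "outbound" and rec.remote_port in (80, 443):
        notes.append(f"web connection to {rec.remote_ip}; identify that host before judging it")
    return notes


if __name__ == "__main__":
    for note in triage(parse_record(SAMPLE_RECORD)):
        print(note)
```

For the record in the question this reports an outbound web connection from an ephemeral local port, a CLOSE_WAIT state meaning the remote web server closed first and svchost has not yet closed its side, and no path warning because the image is in System32; the same function would raise the warning for a copy of svchost.exe sitting anywhere else.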