Incidents
System Idle Process making TCP connections Jul 07 2006 08:21PM
John Davison (johndavison compasseng com) (1 replies)
Re: System Idle Process making TCP connections Jul 07 2006 11:47PM
lee e rian census gov (1 replies)
Does TCPView ever show the System Idle Process with any connections in the
LISTENING or ESTABLISHED state?

All of the System Idle Process connections listed are in the TIME_WAIT
state - which most probably means that some other process created the
connection and closed it. (I'd guess something trying to talk to
spoolsv.exe since it's listening on port 6160.)

> Has anyone seen anything like this before?

No, not that many connections in a timed wait state. But whenever a
connection is closed it moves to the TIME_WAIT state and TCPView says it's
owned by [System Process]:0 on my windoze machine.

HTH,
Lee

John Davison <johndavison (at) compasseng (dot) com [email concealed]> wrote on 07/07/2006 04:21:50 PM:

> I've never seen anything like this before. After experiencing some really
> strange behavior from various applications and a lot of looking around, I
> downloaded TCPView from System Internals and found that the System Idle
> Process (id 0) is making connections to itself, from source port 6160 to a
> series of local ports and keeps incrementing.
>
> Has anyone seen anything like this before?
>
> Here's a TCPView dump.
>
> lsass.exe:676 TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:44818 0.0.0.0:0 LISTENING
> spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
> svchost.exe:440 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
> svchost.exe:960 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:139 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
> RSLINX.EXE:516 TCP 10.1.1.150:1071 10.1.1.99:2222 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.134:45843 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT

<.. snip ..>
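
The check suggested in the reply above, as an added example that is not part of the original thread: it parses TCPView text rows, matches each PID 0 row against the process listening on its local port, and separately reports any PID 0 row that is not in TIME_WAIT. The sample rows are copied from the quoted dump; the function names and output labels are assumptions made for this illustration.

```python
import re
from collections import Counter

# Rows copied from the TCPView dump quoted in the thread (quote markers kept).
DUMP = """\
> spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
> System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT
"""

ROW = re.compile(r"^(?P<proc>.+):(?P<pid>\d+)\s+TCP\s+(?P<laddr>\S+):(?P<lport>\d+)"
                 r"\s+(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)$")

def parse(dump):
    """Parse TCPView text rows into dicts, tolerating '>' quote prefixes."""
    rows = []
    for line in dump.splitlines():
        m = ROW.match(line.lstrip("> ").rstrip())
        if m:
            row = m.groupdict()
            row.update(pid=int(row["pid"]), lport=int(row["lport"]), rport=int(row["rport"]))
            rows.append(row)
    return rows

def triage_pid0(rows):
    """Return (attribution counts, PID 0 rows that are not in TIME_WAIT)."""
    listeners = {r["lport"]: f'{r["proc"]}:{r["pid"]}' for r in rows if r["state"] == "LISTENING"}
    counts, not_time_wait = Counter(), []
    for r in (r for r in rows if r["pid"] == 0):
        if r["state"] != "TIME_WAIT":
            not_time_wait.append(r)       # the case the reply asks about
        elif r["lport"] in listeners:     # server side of a closed connection
            counts[f'closed connection to {listeners[r["lport"]]} on port {r["lport"]}'] += 1
        else:                             # client side of a closed outbound connection
            counts[f'closed outbound connection to {r["raddr"]}:{r["rport"]}'] += 1
    return counts, not_time_wait

if __name__ == "__main__":
    counts, not_time_wait = triage_pid0(parse(DUMP))
    for label, n in counts.items():
        print(f"{n:3d}  {label}")
    print("PID 0 rows not in TIME_WAIT:", not_time_wait or "none")
```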

Re: System Idle Process making TCP connections Jul 08 2006 01:58AM
John Davison (johndavison compasseng com)
Copyright 2010, SecurityFocus