ironclaw, posted February 8, 2007

Can anyone tell me which service/program is opening these ports?

Ports 49152, 49153, 49154, 49155, 49156, 49157.

The PID for each of these translates to a system process.

Thanks!

cluberti, posted February 8, 2007

Those are private, or ephemeral, ports in that range (49152 - 65535). They could be anything requiring an ephemeral port (applications, kernel drivers, etc). You say that netstat -o tells you that the PID is 4? That would mean something running in the SYSTEM process (representative of threads running in kernel directly) has opened those ports. Who is the foreign address - where do those connections go?

ironclaw, posted February 8, 2007 (edited)

None of the PIDs appear to be 4, and each PID is different. However, all six of them translate to either wininit.exe, svchost.exe, lsass.exe, or services.exe.

This is basically what it looks like:

    Local            Foreign
    0.0.0.0:49152    0.0.0.0:0
    0.0.0.0:49153    0.0.0.0:0
    0.0.0.0:49154    0.0.0.0:0
    0.0.0.0:49155    0.0.0.0:0
    0.0.0.0:49156    0.0.0.0:0
    0.0.0.0:49157    0.0.0.0:0
    [::]:49152       [::]:0
    [::]:49153       [::]:0
    [::]:49154       [::]:0
    [::]:49155       [::]:0
    [::]:49156       [::]:0
    [::]:49157       [::]:0

Edited February 8, 2007 by ironclaw

TheTOM_SK, posted February 8, 2007 (edited)

I do not know what those ports are related to, but I was able to close them (screen) by disabling services, policies, so I would not need a firewall. WWDC helped me to close ports: 49152, 49153, 49154 by disabling NetBIOS, strange but it works. As for one 135 (RPC service), it can not be closed, but it only listens locally (screen), so it does not matter. IE uses ports 49150 and above as loopback instead of 1024-5000.

Edited February 8, 2007 by TheTOM_SK

ironclaw, posted February 8, 2007

> I do not know what those ports are related to, but I was able to close them (screen) by disabling services, policies, so I would not need a firewall. WWDC helped me to close ports: 49152, 49153, 49154 by disabling NetBIOS, strange but it works. As for one 135 (RPC service), it can not be closed, but it only listens locally (screen), so it does not matter. IE uses ports 49150 and above as loopback instead of 1024-5000.

That IS strange, because I have NetBIOS totally disabled.

As for port 135, you can try this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

Look on the right-hand panel for a value named EnableDCOM. By default it should be set at Y, change this to N. This will disable DCOM.

Next, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc

Look on the right-hand panel for a value named DCOM Protocols. Do not modify the entire value, but instead only remove ncacn_ip_tcp from the DCOM Protocols value, and leave everything else untouched.

TheTOM_SK, posted February 8, 2007

Yeah I tried those 2, but it did not work. 135 is still open.

But since 135 is stealthed from outside, it does not matter.

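Added example, not part of any post in this thread: a PowerShell sketch that answers the opening question by listing every TCP listener in the 49152-65535 range with its owning PID, process name and, for shared hosts such as svchost.exe, the services running inside that process. It assumes a system with the Get-NetTCPConnection cmdlet (Windows 8 / Server 2012 or later); the variable names are illustrative.

```powershell
# Added example: map listening TCP ports in the dynamic range to the owning
# process and to the Windows services hosted in that process.
# Assumption: Get-NetTCPConnection is available (Windows 8 / Server 2012+).

$rangeStart = 49152   # start of the private/ephemeral range cited in the thread
$rangeEnd   = 65535

# Index service names by the PID of the process that hosts them.
# One svchost.exe PID can host several services, so each value is a list.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |          # 0 = service not running
    Group-Object -Property ProcessId |
    ForEach-Object { $servicesByPid[[int]$_.Name] = @($_.Group.Name) }

Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -ge $rangeStart -and $_.LocalPort -le $rangeEnd } |
    Sort-Object -Property LocalPort, LocalAddress |
    ForEach-Object {
        $owner = [int]$_.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue

        [pscustomobject]@{
            LocalAddress = $_.LocalAddress         # 0.0.0.0 / :: = all interfaces
            LocalPort    = $_.LocalPort
            PID          = $owner
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Services     = ($servicesByPid[$owner] -join ', ')
        }
    } |
    Format-Table -AutoSize
```

On systems without that cmdlet, the same mapping can be done by hand with `netstat -ano` for the PIDs and `tasklist /svc` for the services hosted by each PID.
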