Re: systemprocess locks port 21 by Karl
Karl
Thu May 18 12:34:31 CDT 2006
I don't know about future root kits, but for the past few years I believe it
has been true that scanning across a network share from a known clean
computer detects and defeats root kits. I would assume that remote network
scanning must not use local user-mode API calls to enumerate, and that's
what API-hooking Windows root kits monitor to evade detection.
I think scanning the local computer from kernel mode also often works, since
as far as I know most root kits hide in user mode only, though I don't see
why a root kit wouldn't be able to hide from kernel mode if it saw some
reason to do so. And using non-API enumeration methods like walking and
parsing the raw data on the disk should work, until there's a root kit that
learns how to predict and evade that behavior. RKDetect uses the first
method of detection, and the sysinternals root kit detection tool uses the
second method. If it was possible for root kits to hide themselves from
both user mode AND kernel mode, I would think they would be doing it by now.
"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:umoqMwjeGHA.3572@TK2MSFTNGP03.phx.gbl...
> Karl,
>
> Is not the last suggestion, scan via a mapped drive, an ineffective means,
> as this is still using the binaries on the source (suspect) machine to do
> the filesystem enumeration, but just getting rerouted by the redirector
> to the remote machine?
>
> Roger
>
> "Karl Levinson" <levinson_k@securityadmin.info> wrote in message
> news:%23jC6NOeeGHA.3588@TK2MSFTNGP02.phx.gbl...
>> Just in case it might be malware hidden by a Windows root kit, you might
>> want to download and run RKDETECT found via www.google.com, and/or the
>> rootkit tool from www.sysinternals.com, and/or the beta version of
>> blacklight from www.f-secure.com/blacklight. You might also be able to
>> scan the computer's hard drive outside of the current running version of
>> Windows across the network, via a drive mapped to the troubled computer's
>> hard drive.
>>
>>
>> "Kai" <khinkelmann@e-h.de> wrote in message
>> news:1147853370.587902.249600@j33g2000cwa.googlegroups.com...
>>> Hi, everyone,
>>>
>>> I have the following problem: After starting the remote desktop server on
>>> a win2000 system, port 21 is locked by process System:8 (found
>>> with tcpview).
>>>
>>> The IIS runs on that machine, but the FTP-component is not installed.
>>>
>>> There is no suspicious process (other than Windows) running, there is
>>> no traffic on port 21 and a telnet login on port 21 is not possible.
>>>
>>> Any idea?
>>>
>>> Thanks in progress.
>>>
>>
>>
>
>
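The cross-view check Karl describes above, as an added example that is not part of the thread: a directory listing taken through the local (possibly API-hooked) Windows view is compared with an independent listing taken from a known-clean machine over an administrative share. The host name, share prefix and file paths are constructed sample data, not anything from the original posts.

```python
"""Cross-view comparison of two listings of the same Windows volume.

Added example, not code from the thread. The local listing stands in for what
a user-mode API enumeration on the suspect machine returns; the remote listing
stands in for what a clean machine sees through \\host\C$. Entries present only
in the remote view are candidates for objects a rootkit is hiding.
"""
import ntpath


def normalize(path: str, share_prefix: str, drive: str) -> str:
    """Map a UNC path seen from the clean machine onto the local drive path,
    then lower-case it, since NTFS name lookups are case-insensitive."""
    p = path.strip()
    if p.lower().startswith(share_prefix.lower()):
        p = drive + p[len(share_prefix):]
    return ntpath.normpath(p).lower()


def cross_view_diff(local_listing, remote_listing, share_prefix, drive="C:"):
    """Return (hidden, extra): entries the independent view sees but the local
    API view does not (possibly hidden objects), and entries only the local
    view reports (e.g. files created between the two snapshots)."""
    local = {normalize(p, share_prefix, drive) for p in local_listing}
    remote = {normalize(p, share_prefix, drive) for p in remote_listing}
    return sorted(remote - local), sorted(local - remote)


# Constructed sample data: the local view is missing one driver file, and the
# remote view reports one name in different case (should not count as a diff).
LOCAL_VIEW = [
    r"C:\WINNT\system32\drivers\tcpip.sys",
    r"C:\WINNT\system32\drivers\afd.sys",
    r"C:\WINNT\system32\tcpview.exe",
]
REMOTE_VIEW = [
    r"\\win2k-host\C$\WINNT\system32\drivers\tcpip.sys",
    r"\\win2k-host\C$\WINNT\system32\drivers\afd.sys",
    r"\\win2k-host\C$\WINNT\system32\drivers\suspect.sys",
    r"\\win2k-host\C$\WINNT\system32\TCPVIEW.EXE",
]

if __name__ == "__main__":
    hidden, extra = cross_view_diff(LOCAL_VIEW, REMOTE_VIEW, r"\\win2k-host\C$")
    print("only in remote view (possibly hidden):", hidden)
    print("only in local view:", extra)
```

A difference in the "hidden" list is a lead to investigate from the clean machine, not proof of a rootkit on its own, since the two snapshots are never taken at exactly the same instant.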