Port 1025 Open, Why..?
After installing my Windows (XP / 2000), port 1025 is always open.
Why..? Can this port be used for remote connection, such as port 23 (telnet)? If yes, what client is used for it? Can I close this port manually? Thanks in advance.....
disable UPNP service
edit: my bad - had a brain fart, it's not UPNP
There are multiple things wrong with Microsoft's implementation of the UPNP protocol. For more information, see link.
Link: http://www.eeye.com/html/research/advisories/AD20011220.html Ciau... digitalk2003
I believe mIRC opens this port as well
Disable SSDP Discovery in Windows Messenger (1900)
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP]
Value Name: UPnPMode
Data Type: REG_DWORD (DWORD Value)
Value Data: (2 = disable UPnP broadcasts)
Those articles you gave him refer to UPNP on UDP 1900. He didn't specify TCP or UDP, but TCP 1025 is used by RPC.
http://seclists.org/lists/fulldisclosure/2003/Aug/0407.html
UPnP is port 5000, not 1025
1025 is used by svchost.exe (RPC)
A banner scan says port 1025 is blackjack (network blackjack), and I have been googling but never found an article explaining this port: how to close it, what it is used for, and what service is running on it.... uhhhhhh..
Stop the RPC (Remote Procedure Call) service and the port will be closed automatically. But RPC is also used by many other services. It's better to let it run if you are on a network. Also, this port is called the DCOM port.
Note: there are some programs that can schedule events or even execute on your PC through the administrator account using the RPC (DCOM) port. For example: W32.Gaobot.gen (on a LAN) puts an infected file somewhere on your hard drive ($ shares is one method) and then, using DCOM services, executes it and voila, you are infected and your PC acts as a zombie to infect others on the network. Check out the Windows Worms Doors Cleaner attached.
the port is open because of RPC service and if you try the tool vicky posted it will close that port for you.
net stop Remote procedure call and the port will close, but many other services need the RPC service
mfg
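The thread disagrees on whether the port in question is TCP or UDP and which process owns it; the sketch below is an added example, not something posted by any participant, that answers both from saved `netstat -ano` output. It assumes the column layout Windows XP prints (the `-o` PID column is not available on every Windows release), and the sample text and PIDs are constructed.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1004
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       1500
  TCP    192.168.1.5:1044       192.168.1.9:445        ESTABLISHED     4
  UDP    0.0.0.0:1900           *:*                                    1200
  UDP    127.0.0.1:1025         *:*                                    1320
"""

def parse_netstat(text):
    """Yield (proto, address, port, pid) for TCP listeners and bound UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if f[0] == "TCP":
            # TCP rows have a State column; keep only listening sockets.
            if len(f) != 5 or f[3] != "LISTENING":
                continue
        elif len(f) != 4:
            continue  # UDP rows have no State column
        # rpartition keeps IPv6 forms such as [::]:1025 intact.
        addr, _, port = f[1].rpartition(":")
        yield f[0], addr.strip("[]"), int(port), int(f[-1])

def listeners_on(text, port):
    """Return sockets bound to `port`, with whether each is reachable off-host."""
    loopback = ("127.0.0.1", "::1")
    return [
        {"proto": p, "addr": a, "pid": pid, "remote_reachable": a not in loopback}
        for p, a, prt, pid in parse_netstat(text) if prt == port
    ]

if __name__ == "__main__":
    for hit in listeners_on(SAMPLE, 1025):
        print(hit)
```

On systems that ship `tasklist`, `tasklist /svc` lists the services hosted inside each PID, which is how a PID reported here can be tied to a specific service running under svchost.exe.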