Security Incidents mailing list archives
Re: System Idle Process making TCP connections
From: lee.e.rian () census gov
Date: Fri, 7 Jul 2006 19:47:19 -0400
Does TCPView ever show the System Idle Process with any connections in the LISTENING or ESTABLISHED state? All of the System Idle Process connections listed are in the TIME_WAIT state - which most probably means that some other process created the connection and closed it. (I'd guess something trying to talk to spoolsv.exe since it's listening on port 6160.)
> Has anyone seen anything like this before?

No, not that many connections in a timed wait state. But whenever a connection is closed it moves to the TIME_WAIT state and TCPView says it's owned by [System Process]:0 on my windoze machine.

HTH,
Lee

John Davison <johndavison () compasseng com> wrote on 07/07/2006 04:21:50 PM:
> I've never seen anything like this before. After experiencing some really strange behavior from various applications and a lot of looking around, I downloaded TCPView from System Internals and found that the System Idle Process (id 0) is making connections to itself, from source port 6160 to a series of local ports and keeps incrementing. Has anyone seen anything like this before?
>
> Here's a TCPView dump.
>
> lsass.exe:676 TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
> RSLINX.EXE:516 TCP 0.0.0.0:44818 0.0.0.0:0 LISTENING
> spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
> svchost.exe:440 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
> svchost.exe:960 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
> System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:139 0.0.0.0:0 LISTENING
> System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
> RSLINX.EXE:516 TCP 10.1.1.150:1071 10.1.1.99:2222 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
> svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.134:45843 ESTABLISHED
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
> [System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT
> <.. snip ..>
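The check Lee applies by eye (a TIME_WAIT socket that TCPView attributes to [System Process]:0 was created and closed by some other process, and the local port tells you which listener it most likely belonged to) can be automated over a TCPView text dump. The script below is an added example, not code from the thread or from Sysinternals; the sample dump it parses is constructed from the lines John posted, and the attribution rule (local port matches a LISTENING entry, so the socket was the server side of a connection into that process; otherwise it was an ephemeral client port whose owner cannot be recovered from the table) is the reasoning from the reply, written out as code. It also reports the case Lee asks about, PID 0 holding a LISTENING or ESTABLISHED socket, which the sample does not contain.

```python
"""Attribute TIME_WAIT sockets that TCPView lists under [System Process]:0.

Added example, not part of the original thread. Once the owning process has
closed a socket, TCPView shows the lingering TIME_WAIT entry under PID 0, so
the local port is the only clue to who used it.
"""
from collections import Counter

# Constructed sample: the TCPView lines quoted in the thread, one entry per line.
SAMPLE_DUMP = """\
lsass.exe:676 TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING
RSLINX.EXE:516 TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
RSLINX.EXE:516 TCP 0.0.0.0:44818 0.0.0.0:0 LISTENING
spoolsv.exe:1272 TCP 0.0.0.0:6160 0.0.0.0:0 LISTENING
svchost.exe:440 TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
svchost.exe:960 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 TCP 10.1.1.150:139 0.0.0.0:0 LISTENING
System:4 TCP 10.1.1.150:4017 10.1.1.1:139 ESTABLISHED
[System Process]:0 TCP 10.1.1.150:3475 10.1.1.12:445 TIME_WAIT
RSLINX.EXE:516 TCP 10.1.1.150:1071 10.1.1.99:2222 ESTABLISHED
svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.121:1989 ESTABLISHED
svchost.exe:440 TCP 10.1.1.150:3389 10.1.1.134:45843 ESTABLISHED
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3421 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3422 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3423 TIME_WAIT
[System Process]:0 TCP 10.1.1.150:6160 10.1.1.150:3424 TIME_WAIT
"""

PID0 = "[System Process]:0"


def _split_addr(addr):
    """'10.1.1.150:6160' -> ('10.1.1.150', 6160); rsplit keeps IPv6-style colons safe."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_dump(text):
    """Parse '<image>:<pid> <proto> <local> <remote> <state>' lines.

    The owner field may itself contain a space ('[System Process]:0'), so the
    four fixed fields are taken from the right and the rest is the owner.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or truncated line
        *owner_parts, proto, local, remote, state = parts
        rows.append({
            "owner": " ".join(owner_parts),
            "proto": proto,
            "local": _split_addr(local),
            "remote": _split_addr(remote),
            "state": state,
        })
    return rows


def listeners(rows):
    """Map each TCP port in LISTENING state to the process bound to it."""
    return {r["local"][1]: r["owner"]
            for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def attribute_time_wait(rows):
    """Guess the former owner of every PID-0 TIME_WAIT socket.

    Server side: the local port is one a live process is listening on, so the
    connection came *into* that process. Client side: an ephemeral local port
    with no listener, so the owner cannot be determined from the table alone.
    """
    lst = listeners(rows)
    out = []
    for r in rows:
        if r["owner"] != PID0 or r["state"] != "TIME_WAIT":
            continue
        lport = r["local"][1]
        if lport in lst:
            out.append({**r, "side": "server", "likely_owner": lst[lport]})
        else:
            out.append({**r, "side": "client", "likely_owner": None})
    return out


def summarize(attributed):
    """Count PID-0 TIME_WAIT sockets per likely owner (None = unattributable)."""
    return dict(Counter(a["likely_owner"] for a in attributed))


def pid0_active(rows):
    """The genuinely odd case: PID 0 holding a LISTENING or ESTABLISHED socket."""
    return [r for r in rows
            if r["owner"] == PID0 and r["state"] in ("LISTENING", "ESTABLISHED")]


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    for a in attribute_time_wait(rows):
        print("%s:%d -> %s:%d  %s side, likely owner: %s" % (
            *a["local"], *a["remote"], a["side"], a["likely_owner"]))
    print("summary:", summarize(attribute_time_wait(rows)))
    print("PID 0 with live sockets:", pid0_active(rows))
```

Run against the posted dump, the four 6160 entries attribute to spoolsv.exe:1272 (the only listener on that port), the single 10.1.1.150:3475 -> 10.1.1.12:445 entry is an unattributable client-side socket, and no PID-0 socket is LISTENING or ESTABLISHED. On a live host, feed it the output of TCPView's command-line counterpart (or `netstat -ano` with the owner column adjusted) and treat any non-empty `pid0_active()` result as the thing actually worth investigating.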
Current thread:
- System Idle Process making TCP connections John Davison (Jul 07)
- Re: System Idle Process making TCP connections lee . e . rian (Jul 07)
- Re: System Idle Process making TCP connections John Davison (Jul 07)
- Re: System Idle Process making TCP connections lee . e . rian (Jul 07)