Strange Entries in ICF Log.

Status
Not open for further replies.

talon121a

MIS
Aug 21, 2003
92
US
Anyone know how to stop these entries?

Using Windows 2003 Server Enterprise.
---

(note I just changed 68.4.111.111 for security)

2003-08-28 21:48:54 DROP TCP 127.0.0.1 68.4.111.111 38167 38879 40 R 1233664920 1233664920 0 - - -
2003-08-28 21:49:07 DROP TCP 127.0.0.1 68.4.111.111 38167 38879 40 R 1233664920 1233664920 0 - - -
2003-08-28 21:49:12 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:13 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:14 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:17 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:23 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:34 DROP TCP 127.0.0.1 68.4.111.111 38360 38879 40 R 2152980350 2152980350 0 - - -
2003-08-28 21:49:46 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:49:42 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:49:44 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:49:51 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:50:01 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:50:20 DROP TCP 127.0.0.1 68.4.111.111 38528 38879 40 R 3710561767 3710561767 0 - - -
2003-08-28 21:51:05 DROP TCP 127.0.0.1 192.168.0.15 39052 38879 40 AR 2960971616 870273480 0 - - -
2003-08-28 21:51:05 DROP TCP 127.0.0.1 192.168.0.15 39052 38879 102 AP 2960971554 870273480 16979 - - -
2003-08-28 21:51:42 DROP TCP 192.168.0.15 192.168.0.15 38706 38879 40 R 722818562 722818562 0 - - -
2003-08-28 21:51:48 DROP TCP 192.168.0.15 192.168.0.15 38706 38879 40 R 722818562 722818562 0 - - -
2003-08-28 21:51:44 DROP TCP 192.168.0.15 192.168.0.15 38706 38879 40 R 722818562 722818562 0 - - -
2003-08-28 21:51:56 DROP TCP 192.168.0.15 192.168.0.15 38706 38879 40 R 722818562 722818562 0 - - -


This is very strange, because I don't know anything that uses ports that high (on an internal NIC).

- Please help!
Jason


 
Non-Windows machines will frequently use ports that high, and many scanning tools allow you to set your source port. But I am curious how any IP address was connecting to your loopback.


pansophic
 
Yes, I think that this is very odd behavior. I haven't rebooted till now. I did stop it from occurring by stopping 'svchost.exe'; now I'm waiting for a reboot to see what PID it's associated with, then I'll look at the service it's referring to, then possibly find the problem there. I looked up many articles, found one on MS's site that mentioned to check the associated Winsock binding.

So I'm checking that, then my ICF logs hopefully get fixed. ;-)

I noticed that it's continuing after reboot. I found the service(s) group that's doing this:

Browser, CryptSvc, dmserver, EventSystem,
helpsvc, (HidServ), lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, W32Time, winmgmt,
wuauserv, WZCSVC

The question is just, out of that list, which service do I disable?

:) The (HidServ) I changed to manual and stopped it, but that wasn't it. NLA is associated with ICF. I'm sorta lost as to which one to shut down. Do you have ideas? Or know of those services?

 
It's a bit tedious, but NETSTAT -AON will show you a list of open ports on your machine, and having the O switch will show the associated PID (process ID). You can then match this up with what's running in Task Manager to get a handle on things.
 
Is not the log: date, time, action, protocol, source ip, dest ip, source port, dest port?

In this case he is logging his own activity (127.0.0.1), and some LAN traffic (likely himself again).

The high port numbers are very typical of a Google search.
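A small parser for the log layout named in this reply, added here as an example (it is not code from the thread or from Microsoft): it reads the columns in the order given above plus the trailing size/TCP columns visible in Jason's paste, collapses repeated DROP rows into counts, and pulls out rows whose source is 127.0.0.1 but whose destination is not loopback, the combination pansophic found curious. The four sample rows are copied from the thread; the `#Fields` header line is constructed from the documented column order.

```python
from collections import Counter, namedtuple

# Column order of the ICF (Windows Firewall) W3C log: the eight fields named in
# the reply above, followed by the size/TCP/ICMP columns present in the pasted rows.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info")

Entry = namedtuple("Entry", "date time action protocol src_ip dst_ip "
                            "src_port dst_port size tcpflags")

def parse_line(line):
    """Parse one log row; None for blanks, '#' header/comment lines or short rows."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 10:
        return None
    rec = dict(zip(FIELDS, parts))
    return Entry(rec["date"], rec["time"], rec["action"], rec["protocol"],
                 rec["src_ip"], rec["dst_ip"], int(rec["src_port"]),
                 int(rec["dst_port"]), int(rec["size"]), rec["tcpflags"])

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def summarize_drops(entries):
    """Collapse repeated DROP rows into counts per (src, dst, dst port, TCP flags)."""
    return Counter((e.src_ip, e.dst_ip, e.dst_port, e.tcpflags)
                   for e in entries if e.action == "DROP")

def loopback_to_remote(entries):
    """Rows with a 127.x source but a non-loopback destination: the odd case asked
    about in the thread, and the ones to line up against netstat -aon / tasklist /svc."""
    return [e for e in entries
            if e.src_ip.startswith("127.") and not e.dst_ip.startswith("127.")]

# Constructed sample: a header line plus four rows copied from the thread.
SAMPLE = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-28 21:48:54 DROP TCP 127.0.0.1 68.4.111.111 38167 38879 40 R 1233664920 1233664920 0 - - -
2003-08-28 21:49:07 DROP TCP 127.0.0.1 68.4.111.111 38167 38879 40 R 1233664920 1233664920 0 - - -
2003-08-28 21:51:05 DROP TCP 127.0.0.1 192.168.0.15 39052 38879 102 AP 2960971554 870273480 16979 - - -
2003-08-28 21:51:42 DROP TCP 192.168.0.15 192.168.0.15 38706 38879 40 R 722818562 722818562 0 - - -
"""
```

Run `summarize_drops(parse_log(SAMPLE))` against a real pfirewall.log to see which (source, destination, port) pairs repeat, then look up the matching local port with `netstat -aon` as suggested earlier in the thread.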
 
Well, I used the -AON to find it on SVCHOST.EXE, then used 'tasklist.exe /svc' to see which services were using the ports.

That's where I found that group of services ...

I just wish I knew which one of those binds to 127.0.0.1, etc.

Jason
 