explorer.exe



Betazep
05-27-2002, 04:15 PM
Can somebody find or does somebody know why explorer.exe would hold a port open? I have checked extensively for trojans with updated virus software, trojan removers and more.

This is the info...

Checked C:\WINDOWS\EXPLORER.EXE (PID=4294588673)
Found UDP port 1058 bound at 127.0.0.1 by C:\WINDOWS\EXPLORER.EXE (PID=4294588673) [UDP client]

I think it is possible that this is normal as 127.0.0.1 is the loopback. I would be terribly concerned if it said 0.0.0.0 and if I didn't have a firewall.

So does anyone know if this is a normal activity for explorer.exe?

Thanks,

Betazep

jinx
05-27-2002, 04:20 PM
If you are running Millennium or a later version of windoze, don't fret. I remember reading about this and it being so interwoven with IE that it is always running odd ports, and with yours using a UDP protocol, it really wouldn't concern me.

Betazep
05-27-2002, 04:32 PM
Yeah... I assumed as such. Only the UDP port is shown in that particular software. netstat -a reveals a listening TCP port on that port.

And it is win98. I will do some more research and let you guys know what I can find out. I have a freshly installed win98 partition on my computer. I will go into that one and see if the instance exists...

Oh... and I extracted a new explorer.exe file from the cabs on the win98 disk and overwrote the old one. The open port went away until reboot. Then I checked my entire registry for all run commands on startup or otherwise. Nothing seemed out of the ordinary. I am probably over-killing this, but my security is looking pretty tight (other than this possible issue). ;)

novacain
05-27-2002, 10:38 PM
Have you checked your ports on GRC.com to see their state?
Bit of a sniff, scan and probe?
(Is free and has some good info even if he does go on a bit about the raw sockets in XP)

Betazep
05-27-2002, 10:46 PM
Yeah... I use Steve Gibson's site regularly. Doesn't look for that port.

My other installation of windows 98 does not have explorer.exe holding a port open. I am going to slowly add programs (like norton antivirus with pop & smtp protection) to see if one of the programs is utilizing explorer.exe to keep a listening port to the loopback.

This is really ........ing me off. I wish somebody just had the answer... somewhere. I have emailed countless friends and professionals, and they don't know... short of a trojan... how this can happen. Like I said though, my antivirus files are solid and I deleted the orig explorer.exe from the hard disk and wrote in a new copy.

This is going to take some serious work to figure out. Now I am angry, but I am still intrigued. I could just reinstall... but that would be to admit failure. (Besides that... it doesn't seem to be doing anything bad...) ;):D

novacain
05-28-2002, 02:37 AM
Some RATs (trojans) impersonate a registered program to get by your firewall.

Try renaming windows/explorer.exe and see if there is still one holding open the port.

Betazep
05-28-2002, 12:32 PM
Well... I sent an email to grc.com and got the "we don't have the time to help you, but there are some sites that may..." answer.

I spoke with a friend of mine, and he stated that since the port is bound to 127.0.0.1, that it is only available to my computer. (I thought this was a possibility...)

He asked me if I have file and printer sharing enabled and a myriad of other questions. I do not have fps enabled so there has to be something else that is utilizing the port.

I have a sneaking suspicion that it is my norton antivirus that is holding the port open, but why it would use explorer.exe to do it is beyond my understanding at this time.

Betazep
05-28-2002, 01:26 PM
You might have seen something like this when running inzider:

Checked C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID=1244)
- Found UDP port 1056 bound at 127.0.0.1 [UDP client]

This line refers to a UDP socket allocated by IE. It is bound at the loopback address 127.0.0.1 and at a dynamically allocated port in the range 1024-5000. As the note at the end of the line says, this is a UDP client, and so one naturally asks "where is the server?". I have received a few mails from people who were worried that this might be a way for Microsoft to collect information from their computers while they browse the web with IE. But in fact the server is not located at Microsoft, but in your own computer - in IE itself. IE simply sends UDP packets from this port, through the loopback address, and back to the same port. The packets never go out on the Internet, and the port is not visible from the outside since it is only bound at the loopback address. IE sends one byte large packets to itself this way more or less constantly while you browse, and the purpose is most likely some kind of diagnostics.

But the thing is that it isn't iexplore.exe that is in the loopback. It is explorer.exe and my firewall is showing that explorer.exe is accessing the web when I browse. If I do not allow explorer.exe to pass the firewall, then I am unable to browse.
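The inzider text quoted above describes a "UDP client" whose server is the same socket: bound only to 127.0.0.1, it sends a one-byte datagram to its own address and reads it back. The snippet below reproduces that mechanism so the netstat line makes sense; it is an added example, not code from the thread or from inzider, and the port it uses is chosen by the OS at run time rather than taken from the posts.

```python
import socket


def loopback_self_send(payload: bytes = b"\x00") -> dict:
    """Bind a UDP socket to the loopback address on a dynamic port, send
    `payload` to that same address and port, and return what came back.

    This mirrors the behaviour the inzider author describes for IE: the
    socket is both client and server, the datagram never leaves the host,
    and because the bind address is 127.0.0.1 nothing on the network can
    reach the port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Port 0 asks the OS for a dynamic port, the same kind of port
        # (1024 upward) that the inzider line reported.
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(2.0)
        host, port = sock.getsockname()

        # The "server" is this very socket: send to our own bound address.
        sock.sendto(payload, (host, port))
        data, peer = sock.recvfrom(1024)

        return {
            "bound_to": (host, port),   # what netstat would list as the local address
            "peer": peer,               # who the datagram came from: ourselves
            "data": data,
        }
    finally:
        sock.close()


if __name__ == "__main__":
    result = loopback_self_send()
    print("bound to %s:%d, got %r from %s:%d" % (
        result["bound_to"] + (result["data"],) + result["peer"]))
```

While the script is blocked in `recvfrom`, a second terminal running `netstat -an` shows a UDP entry local to `127.0.0.1:<port>`, which is exactly the shape of the line Betazep saw; the entry disappears when the socket closes.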

novacain
05-28-2002, 09:52 PM
Weird.

Will check my WIN98 machine at home for similar. Use a wingate here.

You could get a packetsniffer and find where explorer.exe is sending.

Is there a way to trace the app by its PID?
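On Windows 98 `netstat -a` shows ports but not owning processes, which is why tools like inzider were needed in this thread. From Windows XP onward `netstat -ano` prints a PID column, and `tasklist /FI "PID eq <pid>"` maps that PID to an image name. The script below is an added example, not part of the thread: it parses constructed `netstat -ano` output, groups listening sockets by PID, and flags only the ones bound to something other than loopback, the distinction Betazep drew between 127.0.0.1 and 0.0.0.0. The sample text, PIDs and ports are invented for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -ano` on Windows XP and later.
# Nothing here comes from the thread; the PIDs and ports are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:1058         0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:3412       203.0.113.9:80         ESTABLISHED     1432
  UDP    127.0.0.1:1058         *:*                                    1432
  UDP    0.0.0.0:445            *:*                                    4
"""

# TCP rows carry a state column; UDP rows do not, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> list:
    """Turn netstat -ano text into a list of socket records."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or a line we do not understand
        addr, port = m.group("local").rsplit(":", 1)
        rows.append({
            "proto": m.group("proto"),
            "addr": addr,
            "port": int(port),
            "state": m.group("state"),
            "pid": int(m.group("pid")),
        })
    return rows


def exposure(addr: str) -> str:
    """Say what a bound address means for reachability from the network."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback only"
    return "one interface"


def listening_sockets(rows: list) -> list:
    # A UDP socket has no state; its bound port is reachable as long as it exists.
    return [r for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def triage(text: str) -> dict:
    """Group listening sockets by PID and list the ports reachable off-host."""
    by_pid = defaultdict(list)
    for r in listening_sockets(parse_netstat(text)):
        by_pid[r["pid"]].append(r)
    report = {}
    for pid, socks in by_pid.items():
        exposed = [s for s in socks if exposure(s["addr"]) != "loopback only"]
        report[pid] = {
            "sockets": socks,
            "exposed_ports": sorted({(s["proto"], s["port"]) for s in exposed}),
        }
    return report


if __name__ == "__main__":
    for pid, info in sorted(triage(SAMPLE_NETSTAT).items()):
        ports = ", ".join("%s/%d" % p for p in info["exposed_ports"]) or "none"
        print("PID %5d: %d listening socket(s), network-reachable: %s" % (
            pid, len(info["sockets"]), ports))
```

In the sample, PID 1432 owns a TCP and a UDP socket on port 1058 but both are loopback-bound, so it reports no exposed ports, which matches the reasoning in the thread that such a port is only available to the local machine. The next step on a real system is `tasklist /FI "PID eq 1432"` to see which image owns that PID.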

Betazep
05-29-2002, 01:55 AM
I am still working it. This situation isn't on my other win98 OS, as I stated. I am going to upgrade to IE 5.5 and install some programs to see if I can duplicate it....

Betazep
05-29-2002, 02:08 AM
http://www.cs.berkeley.edu/~nweaver/0wn2.html

check it.... the sobs

novacain
05-29-2002, 03:23 AM
So it is KaZaA checking for updates and pretending to be explorer.exe to bypass your firewall?

How did you track it down?

It was hidden in the KaZaA contract you signed to install. Not that hiding a security hole in the 'we are liable for nothing' warranties and terms of use is not just willfully wrong but hopefully voids their disclaimers.

Try using Netscape (etc.) and blocking the explorer.exe. Can you still browse?

Betazep
05-29-2002, 03:36 AM
I figured it out finally. Seems too obvious now. I did have some BDE trojans from kazaa, but that didn't fit the description of the problem as the kazaa trojans are only for their updates with appropriate (possibly exploitable) signatures.

iexplore.exe wasn't accessing the internet. explorer.exe was.... hmmm... I repaired the IE installation and it must have overwritten the appropriate files to make it work correctly. Now IE accesses the internet and there are no explorer.exe bound ports.

HOOOORRRAAAAAAY! God that sucked.

If you would like to see if you have BDE or other trojans, the only trojan removal kit I found that finds these types of trojans can be downloaded here...

http://www.moosoft.com/index.php

Now to keep everything updated so my IIS server doesn't get exploited. Ahhhh... it never ends.

Thanks for all of your help, everybody, and for following me along my journey for the mysterious (still unknown as to why, but solved) listening-port-extravaganza. :D