Ben 2012-04-24 09:42:39
I am using “Active Ports” to monitor the access from/to my Win 2000 Pro.
I got the following report – It is kind of something abnormal to my
Process: TCP svchost.exe
PID : 472
Local IP: 220.127.116.11
Local Port: 2572
Remote IP : 67.114.XX.XX
Remote Port: 80
State : CLOSE_WAIT
Protocol : TCP
Path : C:\WINNT\System32\svchost.exe
+What is svchost.exe for?
+In this case, what is this process doing?
+What does the State CLOSE_WAIT mean? There must be some state it was passing
through before ending up with this state?
+Which request will cause svchost.exe to open port 2572? Or is it
normally open? How can the remote be able to gain this access?
It could be too much to answer, but I guess there is the main answer to
Please explain to me. It may clear my concern.
Very appreciated and thanks in advance,
David Robbins 2012-04-24 09:42:47
svchost is a generic process for services run from a DLL. To find out what
it was you might try to browse to the IP address that it was connected to
and see what it was. It could be something like the Windows Update site, an
antivirus auto-update download site, or even a spy site for some malware
installed on your system… There is no way to tell from what you supplied.
This connection was made FROM your machine TO port 80 on 67.114.xx.xx, which
would be a normal web server type of connection. The local port number in
this case doesn’t really mean anything; typically when making an outgoing
connection a program will request to open a connection from the TCP/IP stack
and just get assigned the next sequential free port, so you can’t really
close that port since it is a one-time use only in most cases.
CLOSE_WAIT means that the connection is done transferring data and is just
waiting for the TCP connection to finish closing.
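
The reply above says the report alone cannot show what this svchost.exe instance was doing. The following is an added example, not part of the original thread, that joins connection and service listings by PID to narrow that down. It assumes text laid out like the output of `netstat -ano` and `tasklist /svc` (available on Windows XP and later); the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample text (not from the thread), laid out like the output of
# `netstat -ano` and `tasklist /svc`; addresses are documentation ranges.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       816
  TCP    192.0.2.10:2572        198.51.100.7:80        CLOSE_WAIT      472
  TCP    192.0.2.10:2601        203.0.113.5:443        ESTABLISHED     1180
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    472 BITS, wuauserv,
                                   Schedule
svchost.exe                    816 RpcSs
iexplore.exe                  1180 N/A
"""

def parse_tasklist(text):
    """Return {pid: (image, [services])}; service lists may wrap onto extra lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:
            last, names = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif line[:1].isspace() and line.strip() and last is not None:
            names = line  # continuation of the previous row's service list
        else:
            continue      # header, separator or blank line
        procs[last][1].extend(s.strip() for s in names.split(",")
                              if s.strip() not in ("", "N/A"))
    return procs

def parse_netstat(text):
    """Yield (local, remote, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])

def svchost_connections(netstat_text, tasklist_text):
    """Non-listening TCP rows owned by svchost.exe, with that instance's services."""
    procs = parse_tasklist(tasklist_text)
    return [{"pid": pid, "local": loc, "remote": rem, "state": state,
             "services": procs[pid][1]}
            for loc, rem, state, pid in parse_netstat(netstat_text)
            if state != "LISTENING" and procs.get(pid, ("",))[0].lower() == "svchost.exe"]
```

Calling `svchost_connections(NETSTAT, TASKLIST)` returns one row per remote connection owned by a svchost.exe instance, so the short list of services under that PID is where to look next.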