4

I have a case where one vulnerability was detected on the server (dusxxxiweb2), saying port 8081 is open. I got the port number through the `netstat -a -n -o | find "8081"` command, and found out that port 8081 is being used by the System process with PID 4.


I want to know which system process is using this service. IIS is not installed on this server, but I can access a login page (a .NET application) at the URL below. I don't know how that is possible without IIS: http://dusxxxiweb2:8081/login

I want to block this port to fix the vulnerability issue. What can I do in this scenario?

vmb
  • If IIS is not even installed, this issue then has nothing to do with IIS. The HTTP service (http.sys) is a Windows component, and any application can hook into it and perform HTTP communication (for .NET apps, self-hosting is enough). It is not trivial to debug which application it is, but things like reserved URLs might help: https://docs.jexusmanager.com/tutorials/https-binding.html#reserved-urls You can easily block such traffic by adding rules in Windows Firewall. – Lex Li Dec 11 '18 at 14:03
  • @Lex Li ... so you're saying all HTTP connections are using port 8081? How can I change the port to a different one for the HTTP service? Does it cause any impact to any system service? – vmb Dec 12 '18 at 04:42
  • Clearly I didn't say what you typed. It is just some application that hooks into that port and processes HTTP requests. You cannot change the port unless this application gives you a setting to change it. It of course has an impact (CPU usage, memory usage, for example) on Windows, and in turn on other system services, but I am not sure what you are asking for. It is too broad to discuss such things here, especially when it is not programming related, but more of a networking/configuration/security issue. Your actual goals (like security concerns) matter a lot here, as that determines what you might do next. – Lex Li Dec 12 '18 at 05:00

1 Answer

12

Run the command:

netsh http show servicestate view=requestq

This will give a snapshot of all the HTTP listeners. Find the "Registered URL" containing the port number you are looking for, and the PID of the controlling process will be a few lines above it, like my own rogue process here:

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Request queue 503 verbosity level: Basic
    Max requests: 1000
    Number of active processes attached: 1
--> Process IDs:
        14035
    URL groups:
    URL group ID: F80000014000004F
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Max bandwidth: inherited
            Max connections: inherited
            Timeouts:
                Timeout values inherited
            Number of registered URLs: 1
-->         Registered URLs:
              HTTP://+:8081/ROGUESERVICE/
        Server session ID: F70000011000012D
            Version: 2.0
            State: Active
            Properties:
                Max bandwidth: 4294967295
                Timeouts:
                    Entity body timeout (secs): 120
                    Drain entity body timeout (secs): 120
                    Request queue timeout (secs): 120
                    Idle connection timeout (secs): 120
                    Header wait timeout (secs): 120
                    Minimum send rate (bytes/sec): 150
L1ttl3J1m
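To turn that output into a direct answer (which PIDs own a URL on a given port) without reading it by eye, here is an added Python parser for the `netsh http show servicestate view=requestq` layout; it is not from the answer above, and the text it parses is a constructed sample that mirrors that layout with made-up PIDs and URLs. It goes slightly beyond the one case shown: it also handles registrations that omit the port (80/443 defaults) and bracketed IPv6 hosts.

```python
import re

# Constructed sample in the layout printed by
# "netsh http show servicestate view=requestq", trimmed to the lines that matter.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        14035
        Request queue name: Request queue is unnamed.
            Registered URLs:
              HTTP://+:8081/ROGUESERVICE/
Request queue name: Request queue is unnamed.
    Process IDs:
        4
        2200
            Registered URLs:
              HTTP://+:5985/WSMAN/
              HTTPS://[::1]:8081/ADMIN/
"""

# scheme, host (+, *, a name, or bracketed IPv6), optional port, then the path
URL_PORT = re.compile(r"^(https?)://(\[[^\]]*\]|[^/:]+)(?::(\d+))?/", re.IGNORECASE)

def url_port(url):
    """Port of an http.sys registration (80/443 when omitted); None if not a URL."""
    m = URL_PORT.match(url)
    if not m:
        return None
    return int(m.group(3)) if m.group(3) else (443 if m.group(1).lower() == "https" else 80)

def parse_servicestate(text):
    """Map every registered URL to the PIDs attached to its request queue."""
    urls, pids, mode = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):   # column 0: a new request queue
            pids, mode = set(), None                # (the indented copy belongs to a URL group)
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            pids.add(int(line))
        elif mode == "urls" and URL_PORT.match(line):
            urls[line] = set(pids)
        else:
            mode = None                             # any other line ends the block
    return urls

def listeners_on_port(text, port):
    return {u: p for u, p in parse_servicestate(text).items() if url_port(u) == port}
```

On the server itself, feed the command's real output in place of SAMPLE; the PIDs returned are the user-mode processes attached to the queue, which is why netstat only ever showed PID 4 (System) for the http.sys-owned port.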