Thread: Port 554 is almost always open ...

  1. #1
    Junior Member
    Join Date
    Jun 2010
    Location
    Alaska
    Posts
    4

    Port 554 is almost always open ...

    I probably do not have an actual problem.
    But, I find this a bit disconcerting.
    I have noted the following over the last few months.

    Whenever I go to GRC and run Shields UP, I am completely stealth except that port 554 is almost always open.
    Before doing anything else, if I run Shields UP again, port 554 is always closed making me completely stealth. I had done nothing pro-active to do this.

    That coupled with the fact that I seem to have a constant background internet activity of about 1 to 1.5Kb/s makes me wonder what is going on.

    I've run a number of AV and root kit scans on and off line.
    Nothing found and fixed has had any effect on this.

    Any idea as to what is going on?

  2. #2
    WebProWorld MVP chandrika's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    742
    Quote Originally Posted by voyager View Post

    Any idea as to what is going on?
    Not really, but I do know that Port 554 is usually used for RTSP (real time streaming protocol).

    Apple quicktime and Windows Media both use that port for their services.

  3. #3
    Administrator weegillis's Avatar
    Join Date
    Oct 2003
    Posts
    5,823
    If you have a firewall you can set, try closing the port globally, and then set up TCP and UDP rules for Quicktime and Media Player that allow it. If you suspect some other program is using this port, again, your firewall may keep running logs or be monitoring ports. Can you see if the port is in use, and by what process?

  4. #4
    Senior Member deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,665
    Quote Originally Posted by voyager View Post
    Whenever I go to GRC and run Shields UP, I am completely stealth except that port 554 is almost always open.
    Before doing anything else, if I run Shields UP again, port 554 is always closed making me completely stealth.
    What do you do between visits to GRC?

  5. #5
    Senior Member NetProwler's Avatar
    Join Date
    Jan 2007
    Posts
    197
    Go to sysinternals.com and download TCPView - a utility to see the net connectivity activity. This utility displays a list of processes, protocol used, local address, remote address and state. You can see at a glance what process uses what port. This should give a clue to the process which keeps port 554 open.

    If you are really paranoid or have reason to believe that there is some malicious activity emanating from your computer, get Wireshark to analyze.
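
Added example, not part of the post above or of the thread: the same port-to-process lookup TCPView gives, done by parsing the output of the built-in Windows commands `netstat -ano` and `tasklist /fo csv /nh`. The sample output, PIDs and image names are constructed placeholders, and the function names are this example's own.

```python
import csv

# Constructed sample of Windows `netstat -ano` output (not from the thread).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       2316
  TCP    [::]:554               [::]:0                 LISTENING       2316
  TCP    192.168.1.20:49712     203.0.113.7:554        ESTABLISHED     4120
  UDP    0.0.0.0:5540           *:*                                    1500
  UDP    0.0.0.0:554            *:*                                    2316
"""

# Constructed sample of `tasklist /fo csv /nh` output; image names are placeholders.
TASKLIST = '''\
"svchost.exe","884","Services","0","9,412 K"
"mediasvc-example.exe","2316","Services","0","12,044 K"
"browser-example.exe","4120","Console","1","210,332 K"
'''


def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(tasklist_csv.splitlines())
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}


def local_port_owners(netstat_text, tasklist_csv, port):
    """Return (proto, local_addr, pid, image) for sockets bound to local `port`.

    Only TCP LISTENING and UDP rows count: an ESTABLISHED row whose *remote*
    port matches is an outbound connection, not an open port on this host.
    """
    names = pid_names(tasklist_csv)
    owners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            local, pid = f[1], f[4]
        elif len(f) == 4 and f[0] == "UDP":      # UDP rows have no State column
            local, pid = f[1], f[3]
        else:
            continue                             # header, blank, non-listening
        addr, _, lport = local.rpartition(":")   # rpartition copes with [::]:554
        if lport == str(port):                   # exact match, so 5540 != 554
            owners.append((f[0], addr, int(pid), names.get(int(pid), "unknown")))
    return owners
```

On a live machine, pass the captured text of the two commands instead of the samples; a PID missing from the task list is reported as `unknown`, which is itself worth a closer look.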

  6. #6
    Junior Member
    Join Date
    Jun 2010
    Location
    Alaska
    Posts
    4
    chandrika @ 07-01-2010 07:18 AM

    Apple quicktime and Windows Media both use that port for their services.
    I don't use quicktime and try to isolate WMP from the i-net.

    weegillis @ 07-01-2010 01:38 PM

    If you have a firewall you can set, try closing the port globally, and then set up TCP and UDP rules for Quicktime and Media Player that allow it. If you suspect some other program is using this port, again, your firewall may keep running logs or be monitoring ports. Can you see if the port is in use, and by what process?
    I've just gone back into Services and disabled everything to do with WMP.
    I have also just reinstalled my firewall, ZAP. Everything seems to be OK right now. Everything is stealth.

    I'm wondering if the open port might be adaptive behavior on the part of ZAP. The second probe finding the port closed might indicate that.


    deepsand @ 07-01-2010 07:06 PM

    What do you do between visits to GRC?
    Lot of surfing and a few downloads as well as running several apps. I have to admit that I do end up in some questionable areas on occasion. I have picked up a trojan or two, but they have been cleaned out, unless I might have picked up another along the way.

    I had not visited GRC in a very long time until a couple of weeks ago when I first noticed the open port. I've been checking and rechecking every few days since then.

    NetProwler @ 07-01-2010 11:46 PM

    Go to sysinternals.com and download TCPView - a utility to see the net connectivity activity. This utility displays a list of processes, protocol used, local address, remote address and state. You can see at a glance what process uses what port. This should give a clue to the process which keeps port 554 open.

    If you are really paranoid or have reason to believe that there is some malicious activity emanating from your computer, get Wireshark to analyze.
    Thx, I've d/l'd both of them and have taken a quick look. I do not see anything to be worried about. But then, I should learn a bit more about how to use them.

    I'm really not too worried about it. I'm just wanting to understand what's going on.
    I've had DSL i-net for years up until just recently. This never occurred with it. Now, I've got cable i-net. I have a feeling that it may be an artifact of the cable service. Because they meter my throughput, I've installed a bandwidth meter to keep track of my usage from my side. So far, my totals are higher than theirs. But by the time I get my bill their numbers can change.
    After the changes I've made today, I'm still getting a steady 0.75 to 2.5 Kb/s traffic being shown. Supposedly, all I'm monitoring is the Ethernet adapter.
    I'll continue to watch it until I figure out what it is.

  7. #7
    Senior Member deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,665
    Quote Originally Posted by voyager View Post
    I'm wondering if the open port might be adaptive behavior on the part of ZAP. The second probe finding the port closed might indicate that.
    Per GRC
    Strange Results?
    Personal firewalls are beginning to exhibit "adaptive behavior". The grid shown to the left starts off showing ports mostly closed with a few open (mostly blue with a few red cells). Then at some point it suddenly switches into "stealth mode". This can occur when a firewall "adapts" to the scanning IP and raises its defenses against just the attacker. This complicates the job of accurately checking a system's security.

    Two things you can do: If you are not certain whether your firewall is adaptive, you can re-run any test here to compare the results. Differing behavior often indicates that your firewall has "learned" that it is being probed from our IP and is treating it differently. For the most accurate scan results, disable any adaptive behavior during the testing.

  8. #8
    WebProWorld MVP chandrika's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    742
    Just in case it is relevant...Windows Media does not just refer to windows media player (WMP). Windows media covers a variety of services offered by windows, so isolating WMP will only have effect on WMP, not on all windows media services.

  9. #9
    Junior Member
    Join Date
    Jun 2010
    Location
    Alaska
    Posts
    4
    @deepsand
    Shoulda shut my mouth and opened my eyes. That does describe what has been happening at GRC.


    Quote Originally Posted by chandrika View Post
    Just in case it is relevant...Windows Media does not just refer to windows media player (WMP). Windows media covers a variety of services offered by windows, so isolating WMP will only have effect on WMP, not on all windows media services.
    I suspected that would be the case. But, I do not seem to use those services much. I see no loss in usage by shutting down all Windows Media Services I can find. And, I feel better about it.

    I've noticed that when I "Stop All Internet Traffic" with ZAP, the background traffic still continues. But, when I shut the cable modem off it stops completely. I'm beginning to think that the background traffic is not to the internet, but is nothing more than communication between the modem and the PC. That might explain why my totals for the amount of traffic are somewhat higher than the cable company's.
    The bandwidth meter monitors the Ethernet connection, even if it isn't actual i-net traffic.
    Does that sound reasonable?

  10. #10
    Senior Member deepsand's Avatar
    Join Date
    May 2004
    Location
    State College, PA
    Posts
    16,665
    Quote Originally Posted by voyager View Post
    I've noticed that when I "Stop All Internet Traffic" with ZAP, the background traffic still continues. But, when I shut the cable modem off it stops completely. I'm beginning to think that the background traffic is not to the internet, but is nothing more than communication between the modem and the PC. That might explain why my totals for the amount of traffic are somewhat higher than the cable company's.
    The bandwidth meter monitors the Ethernet connection, even if it isn't actual i-net traffic.
    Does that sound reasonable?
    Certainly does.

    There is constant keep-alive chatter between the NIC and the modem/router.
