1

I am working on an ASP.NET application and, as usually, tried to deploy it on IIS Express from Visual Studio. This time, IIS error occured. The error was caused by the application port being occupied by another application (which was pretty strange).

This made me check ports with netstat and what I found was that over 2500 established connections were related to 5KPlayer (which I installed long time ago), and another ~2700 to mDNSResponser. Some of the connections are on the screenshot below:

enter image description here

I immediately killed the 5KPlayer.exe process and connections were also killed. I am wondering if this is something which I should bother about? Could this be some kind of an attack attempt? Is there any way I can check what was happening during these connections?

PJDev
  • 165
  • 5
  • what is 'platform' in your environment? – schroeder Aug 20 '17 at 17:57
  • after a quick review of the 5kplayer site, it says it connects out to act as a remote media player – schroeder Aug 20 '17 at 18:01
  • Thanks for the answer. To be honest, I have no idea what 'platform' might be. It doesn't seem to be anything that I set manually. Hosts file doesn't have such entry and `ping` command states that the host doesn't exist. The strange thing is that it never happened before and that's why I am suspicious about it. – PJDev Aug 20 '17 at 18:10
  • 1
    It might be that computer. All in all, it's not looking suspicious. – schroeder Aug 20 '17 at 18:12

1 Answers1

2

Note that the local address for each connection is on '127.0.0.1', aka localhost. Because this is a virtual interface, sockets/connections on localhost can only talk to localhost itself. It looks like 5KPlayer is making a bunch of mDNS queries and leaking the sockets (e.g., not closing the connection when it's finished). This is almost certainly a bug in 5KPlayer, but not one that indicates an attack or is going to leave you open to security issues. It's essentially the networking equivalent of a memory leak -- irritating, but not threatening.

David
  • 15,814
  • 3
  • 48
  • 73
  • I'm glad to hear that this wasn't any security disclosure. Thank you for the explanation! – PJDev Aug 20 '17 at 18:25