Port inspection steps - 7680 port analysis - Dosvc service

Introduction: Find the main process for the process started through the service, and there are a large number of intranet connections on port 7680. Baidu cannot find the port information. It needs to be proved that it is a system service, otherwise it is a worm.
1. Confirm the process PID corresponding to the port
netstat -ano

Port 7680 corresponds to pid: 6128

2. Find the process corresponding to pid
tasklist | find "6128"

The corresponding process is svchost.exe, a system service process, which is the general host process name of the service running from the dynamic link library (DLL). Many services are started by injecting into the program, so there will be manyprocess of this file.Indicates that the process is started from a service, and finds the corresponding service.

3. Find the service name corresponding to pid 6128 through tasklist /svc:

The service name is: DoSvc, enter "Services" to find the service, but you may not be able to find the service, because the above is "Service name", and the management tool"Services" shows "display name", as shown below

4. You can use the command to find the corresponding "display name"
wmic service where name = "dosvc" get displayname

Got "Display Name": Delivery Optimization

5. Microsoft's query to get Delivery Optimization is a mode of Windows 10 patch update called "delivery optimization". The intranet host can download the patch from the downloaded host, and it also occupies the network speed of your host.

Close this port: "Update"-"Advanced Options"-"Delivery Optimization"-"Turn off allow downloads from other computers"

Many backdoors also use "services" to load processes, making it impossible to directly view the main process name in the process