Windows 2003 - svchost.exe trying to access the Internet

fishtail

the IP Addresses that it tries to connect are:

209.221.135.134
209.221.135.136
199.93.55.123

Does anybody know what these IP addresses are? I can't find any info
for these hosts.

Thanks...
 
Anteaus

"fishtail" wrote:

> 209.221.135.134


Semaphore Corporation SEMA-CIDR-1 (NET-209-221-128-0-1)
209.221.128.0 - 209.221.191.255
Akamai Technologies AKAMAI-SBLK1 (NET-209-221-135-128-1)
209.221.135.128 - 209.221.135.159

> 209.221.135.136


Semaphore Corporation SEMA-CIDR-1 (NET-209-221-128-0-1)
209.221.128.0 - 209.221.191.255
Akamai Technologies AKAMAI-SBLK1 (NET-209-221-135-128-1)
209.221.135.128 - 209.221.135.159

> 199.93.55.123


OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

Akamai are a website-mirroring company, hence it tells you nothing about who
the owner of the content is. Could even be Microsoft!

LVLT: http://en.wikipedia.org/wiki/Level_3_Communications
 
jwgoerlich@gmail.com

What child process in Svchost.exe is making this connection? If you
find that the process is Windows Updates, for example, then you will
have an answer.

J Wolfgang Goerlich

On Dec 20, 2:16 am, fishtail <copenh...@gmail.com> wrote:
> the IP Addresses that it tries to connect are:
>
> 209.221.135.134
> 209.221.135.136
> 199.93.55.123
>
> Does anybody know what these IP addresses are? I can't find any info
> for these hosts.
>
> Thanks...
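
One way to answer the question of which service inside svchost.exe owns a connection, as an added example that is not part of the original thread: save the output of `netstat -ano` and `tasklist /svc /fo csv` on the server and join them on PID. The sample outputs below are constructed (PIDs, ports and service grouping are assumptions and say nothing about the poster's server); only the watched IP addresses come from the thread.

```python
import csv
import io

# Constructed `netstat -ano` output; PIDs, ports and states are made up.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:1045          209.221.135.134:80     ESTABLISHED     1024
  TCP    10.0.0.5:1046          199.93.55.123:80       SYN_SENT        1024
  TCP    10.0.0.5:1050          10.0.0.9:8530          ESTABLISHED     1180
  UDP    0.0.0.0:1025           *:*                                    1180
"""
# Constructed `tasklist /svc /fo csv` output; the service grouping is made up.
TASKLIST = '''\
"Image Name","PID","Services"
"svchost.exe","1024","BITS,wuauserv,Schedule"
"svchost.exe","1180","Dnscache"
"lsass.exe","512","SamSs"
'''
WATCHED = {"209.221.135.134", "209.221.135.136", "199.93.55.123"}  # IPs from the thread

def remote_by_pid(netstat_text, watched):
    """PID -> sorted watched remote IPs that PID holds TCP connections to."""
    hits = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, blank lines, UDP rows (no State column)
        ip = f[2].rsplit(":", 1)[0]
        if ip in watched:
            hits.setdefault(int(f[4]), set()).add(ip)
    return {pid: sorted(ips) for pid, ips in hits.items()}

def services_by_pid(tasklist_csv):
    """PID -> (image name, services hosted in that process)."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): (r["Image Name"], r["Services"].split(",")) for r in rows}

def attribute(netstat_text, tasklist_csv, watched):
    """Join both outputs: PID -> (image, candidate services, watched IPs)."""
    svc = services_by_pid(tasklist_csv)
    return {pid: svc.get(pid, ("unknown", [])) + (ips,)
            for pid, ips in remote_by_pid(netstat_text, watched).items()}

if __name__ == "__main__":
    for pid, (image, services, ips) in attribute(NETSTAT, TASKLIST, WATCHED).items():
        print(pid, image, services, ips)
```

When several services share one svchost.exe PID, the join narrows the connection to that group of candidate services rather than naming a single one.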
 
Volodymyr Shcherbyna

This could be a fake svchost.exe process. This is a usual technique for
viruses and other stuff - to use names like rundll32.exe, winlogon.exe,
svchost.exe and similar.

However, you can use Process
Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to
look at the process path. You can also search for all svchost.exe on your
computer. The usual place for svchost.exe is C:\Windows\System32\svchost.exe; if
you have any copy of svchost.exe in another folder which is running, then
this should be strange.

--
Volodymyr
"fishtail" <copenhaus@gmail.com> wrote in message
news:58d57890-8240-4b24-b3f8-c3de77501cc9@s12g2000prg.googlegroups.com...
> the IP Addresses that it tries to connect are:
>
> 209.221.135.134
> 209.221.135.136
> 199.93.55.123
>
> Does anybody know what these IP addresses are? I can't find any info
> for these hosts.
>
> Thanks...
 
fishtail

On Dec 20, 5:46 am, "Volodymyr Shcherbyna"
<v_scherb...@online.mvps.org> wrote:
> This could be a fake svchost.exe process. This is a usual technique for
> viruses and other stuff - to use names like rundll32.exe, winlogon.exe,
> svchost.exe and similar.
>
> However, you can use Process
> Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to
> look at the process path. You can also search for all svchost.exe on your
> computer. The usual place for svchost.exe is C:\Windows\System32\svchost.exe; if
> you have any copy of svchost.exe in another folder which is running, then
> this should be strange.
>
> --
> Volodymyr
>
> "fishtail" <copenh...@gmail.com> wrote in message
> news:58d57890-8240-4b24-b3f8-c3de77501cc9@s12g2000prg.googlegroups.com...
>
> > the IP Addresses that it tries to connect are:
> >
> > 209.221.135.134
> > 209.221.135.136
> > 199.93.55.123
> >
> > Does anybody know what these IP addresses are? I can't find any info
> > for these hosts.
> >
> > Thanks...


Hi:

Thanks for the suggestions. One of them calls McAfee Product Manager
(which is fine), the others don't give me any clues...no child
processes...

I am also using WSUS, so it shouldn't be going to the Internet to
look for updates...(not that frequent anyway)

Any other thoughts?

Thanks...
 
Volodymyr Shcherbyna

Another hint - look at the list of DLLs mapped into the address space of the
suspicious svchost.exe. Among the standard DLLs (Windows ones like kernel32.dll,
advapi32.dll and others), do you see any suspicious DLL? The problem is that a
third-party DLL can be injected into the svchost.exe process and make any
network connections, hiding in the environment of the Windows svchost.exe process.

--
Volodymyr
NG tips:
http://msmvps.com/blogs/v_scherbina/pages/microsoft-newsgroups-tips.aspx

 