Destination Port: 56453 (always this port)
Over 170 000 connection attempts and counting; it’s practically one attempt per second. I guess it’s a botnet, as the IPs are spread all over the world. What are they trying to achieve with this? Brute force? But what? I don’t see much in the FTP log except maybe a couple of times a day, and they get blocked after 5 attempts anyway. Real VNC blocks after 3 attempts.
I got uTorrent (port 54000), FTP server (port 21) and Real VNC server (port 5900) running 24/7.
Wish I could help… however I’m getting an attempt per second… and I can’t figure it out… and from the look of all the replies here it doesn’t look like I’m going to find any direction any time soon. I think I’m going to go into the task manager and close processes 1 at a time to see if that might help. GOOD LUCK.
Looks like it has to do with uTorrent, this will cause “incoming” traffic and it will probably be or have been listening on this port that shows up in your logging.
Can you check your uTorrent network settings and see how it’s configured?
Maybe post a screenshot of it here…
You might be right that it’s an old uTorrent port, I don’t really remember what it was before. I changed the uTorrent port because for some reason it got in conflict with TOR (though I don’t run a relay anymore). But that was weeks ago. Between that I’ve had the server offline 3-4 days, though I guess it’s possible I got the old IP address from the DHCP server.
The uTorrent settings are standard, only thing that’s changed is the port.
I did a release and renew to get a new IP address and I thought that would get rid of it, but it’s still the same “hammering” on port 56453. Though I guess it could yet again be an IP address I’ve already used with port 56453.
You can create a block rule without logging on the global rules Network Security Policy so it won’t log the attempts anymore but still block it.
Source port = Any
Destination port = 56453
And move it all the way up to the top so it’s the very first rule on the Global Rules.
Ok, I might do that. Thanks.
But I was mostly curious why it happens. I knew already that clients will try to connect to old uTorrent ports, but I didn’t know that it would go on for weeks, even if you changed IP address.
Well, I have a system that’s always on, a uTorrent on a single port, and even if I don’t run uTorrent I get loads of hits on my port that’s not active. I guess depending on how much you share(d), the more you get hits to that/those port(s)…
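Added example, not part of any post in this thread: a small triage script that separates the two patterns discussed above, many different sources hitting one port with nothing listening (what stale uTorrent peers look like) versus one source retrying a port that has a live service. The log layout, the sample lines and the `min_sources` / `retries` thresholds are assumptions made for illustration; the listening ports are the ones named in the first post.

```python
from collections import defaultdict
# Constructed sample in a hypothetical "time action proto src:port -> dst:port"
# layout; adapt parse() to the columns your firewall actually exports.
SAMPLE_LOG = """\
12:00:01 BLOCK TCP 198.51.100.7:51514 -> 192.0.2.10:56453
12:00:02 BLOCK UDP 203.0.113.21:6881 -> 192.0.2.10:56453
12:00:03 BLOCK TCP 198.51.100.90:40222 -> 192.0.2.10:56453
12:00:04 BLOCK UDP 203.0.113.150:51413 -> 192.0.2.10:56453
12:01:10 BLOCK TCP 203.0.113.5:44100 -> 192.0.2.10:5900
12:01:11 BLOCK TCP 203.0.113.5:44101 -> 192.0.2.10:5900
12:01:12 BLOCK TCP 203.0.113.5:44102 -> 192.0.2.10:5900
12:02:00 BLOCK TCP 198.51.100.200:50000 -> 192.0.2.10:21
truncated line
"""

# Ports the original poster says are in use; everything else has no listener.
LISTENING = {21: "FTP", 5900: "VNC", 54000: "uTorrent"}

def parse(line):
    """Return (source_ip, destination_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        return parts[3].rsplit(":", 1)[0], int(parts[5].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None

def triage(log_text, listening=LISTENING, min_sources=3, retries=3):
    """Map each destination port to (hits, distinct sources, verdict)."""
    hits = defaultdict(lambda: defaultdict(int))  # port -> source -> count
    for line in log_text.splitlines():
        record = parse(line)
        if record:
            hits[record[1]][record[0]] += 1
    report = {}
    for port, sources in hits.items():
        if port not in listening and len(sources) >= min_sources:
            verdict = "stale-peer-like"    # many sources, nothing listening
        elif port in listening and max(sources.values()) >= retries:
            verdict = "repeated-attempts"  # one source retrying a live service
        else:
            verdict = "background"
        report[port] = (sum(sources.values()), len(sources), verdict)
    return report

if __name__ == "__main__":
    for port, row in sorted(triage(SAMPLE_LOG).items()):
        print(port, row)
```

The verdicts are heuristics for sorting a log, not proof of what the remote hosts are; ports flagged `repeated-attempts` are the ones worth checking against the FTP and VNC lockout logs.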