In and Out

On startup of my computer I noticed that Returnil and svchost keep using my broadband connection.

  • Does the screen look OK to you? Anything suspicious that should be blocked? I got rusty over the last few months…
    Greatly appreciated.

I did a little check with Whois - IP Address - Domain Name Lookup.

Returnil connects to an IP address that belongs to an ISP from Kiev. Svchost.exe connects to Microsoft and Neustar/UltraDNS. Comodo DNS uses Neustar/UltraDNS.

Nice, mate, real nice and sorry for the wrong section.

So… any suggestions? Are the connections legitimate? Should I keep them or block them? I mean, Returnil needs to stay as it is, but the rest?

This thingie… svchost - I have updates turned OFF permanently, so why is it communicating with MS?

Awaiting your suggestions!

The connections to the DNS servers by svchost you want to keep otherwise you can’t surf the web properly.

It may be communicating to Microsoft for updates. Not sure what exactly gets communicated by Windows with Microsoft.

Is there a way to determine which connections should stay and which not?
svchost connects every time I start my laptop and keeps connecting in and out… would you say it’s suspicious?

Svchost also connects out whenever I start my computer and continues to connect with Microsoft throughout the day, and I see computer Certificate Validations whenever I run a certain registry cleaner, which I believe to be a result of these outbound svchost contacts.

~Maxx~

Just restarted my rig… got even more:

Is it abnormal? Is it wicked? Am I a paranoid android?

Are you running Vista or Seven? If so these are all normal.

The 156.154.70.22 entries are standard DNS queries.
The 224.0.0.252 entries are LLMNR, a kind of local DNS query (Link-Local Multicast Name Resolution - Wikipedia).
The 255.255.255.255 entry is DHCP.
The 239.255.255.250:3702 entries are WSD (WS-Discovery - Wikipedia).
The 239.255.255.250:1900 entries are UPnP.

All of these may be disabled via simple svchost rules.

If I remember correctly, the default svchost rule allows everything out by…

That’s pretty informative, thanks mate!
kudos!

‘‘All of these may be disabled via simple svchost rules.’’

Instruct me, PLEASE.

Leave the DNS and DHCP, otherwise you will have problems.

Add the following under svchost:

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address = 224.0.0.252
Source Port = ANY
Destination Port = 5355

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address = 239.255.255.250
Source Port = ANY
Destination Port = 3702

Block UDP OUT (don’t log)
Source Address = ANY
Destination Address = 239.255.255.250
Source Port = ANY
Destination Port = 1900

A few things to note:

The source address (169.254.75.171) in your screenshot is from the APIPA (Automatic Private IP Addressing) range. IP addresses from the range 169.254.0.1 through 169.254.255.254 are allocated dynamically in the absence of a DHCP server, so you might want to look into that. You’ll probably find an entry for this address space in your Network Zones.

You also have the address 192.168.1.7, which I assume was issued by your router; this will be your standard local address.

As for UPnP, if you don’t use this, you can disable the service.

Hope that helps.
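The two replies above (the list of what each svchost entry is, and the block rules plus the APIPA remark) amount to a triage procedure: look at the destination and port, decide whether the traffic is required (DNS, DHCP), optional background discovery (LLMNR, WSD, SSDP), or something that needs a closer look, and check the source address for signs of a missing DHCP lease. The script below is an added example that does that mechanically; it is not from this thread or from any firewall vendor. The connection records are constructed to mirror the entries described in the posts (the line format `PROTO src:port -> dst:port` is my own), the expected-resolver set is an assumption (Comodo Secure DNS addresses), and the generated rule text just follows the svchost-rule style used in the reply.

```python
"""Triage svchost connection entries: keep, optional (blockable), or review."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Background multicast/broadcast traffic that Vista/7 services emit.
# "optional": can be blocked with a per-svchost rule without breaking basic
# connectivity.  "keep": blocking it breaks address assignment.
KNOWN_DISCOVERY = {
    ("224.0.0.252", 5355):     ("LLMNR name resolution", "optional"),
    ("239.255.255.250", 3702): ("WS-Discovery (WSD)", "optional"),
    ("239.255.255.250", 1900): ("SSDP / UPnP discovery", "optional"),
    ("255.255.255.255", 67):   ("DHCP broadcast", "keep"),
}

# Resolvers the machine is configured to use (ASSUMED: Comodo Secure DNS).
EXPECTED_RESOLVERS = {"156.154.70.22", "156.154.71.22"}

APIPA = ipaddress.ip_network("169.254.0.0/16")
# Explicit RFC 1918 list: Python's is_private also matches documentation
# ranges, which we want classified as "Internet", not "LAN".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass
class Entry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Finding:
    label: str
    verdict: str           # "keep", "optional" or "review"
    notes: List[str]
    rule: Optional[str]    # block rule in the thread's svchost-rule style, if optional


def parse_entry(line: str) -> Entry:
    """Parse a constructed record such as 'UDP 192.168.1.7:55432 -> 224.0.0.252:5355'."""
    proto, src, _arrow, dst = line.split()
    sip, sp = src.rsplit(":", 1)
    dip, dp = dst.rsplit(":", 1)
    return Entry(proto.upper(), sip, int(sp), dip, int(dp))


def block_rule(e: Entry) -> str:
    return (f"Block {e.proto} OUT (don't log): Source Address = ANY, "
            f"Destination Address = {e.dst}, Source Port = ANY, Destination Port = {e.dport}")


def classify(e: Entry) -> Finding:
    notes: List[str] = []
    src_ip = ipaddress.ip_address(e.src)
    if src_ip in APIPA:
        notes.append("source is an APIPA address: no DHCP lease was obtained on this adapter")
    # Vista and later pick client ports from 49152-65535; XP used 1025-5000.
    if 1024 <= e.sport < 49152:
        notes.append("client port below the Vista/7 dynamic range (49152-65535)")

    key = (e.dst, e.dport)
    if key in KNOWN_DISCOVERY:
        label, verdict = KNOWN_DISCOVERY[key]
        return Finding(label, verdict, notes, block_rule(e) if verdict == "optional" else None)

    dst_ip = ipaddress.ip_address(e.dst)
    if e.dport == 53:
        if e.dst in EXPECTED_RESOLVERS:
            return Finding("DNS query to configured resolver", "keep", notes, None)
        notes.append("DNS to an unexpected resolver: check the adapter's DNS settings")
        return Finding(f"DNS query to {e.dst}", "review", notes, None)
    if dst_ip.is_multicast or dst_ip == BROADCAST:
        notes.append("unlisted multicast/broadcast destination")
        return Finding(f"discovery traffic to {e.dst}:{e.dport}", "review", notes, None)
    if any(dst_ip in n for n in RFC1918):
        return Finding(f"LAN traffic to {e.dst}:{e.dport}", "review", notes, None)
    notes.append("unicast to a public address: whois the owner and identify the service on that port")
    return Finding(f"Internet traffic to {e.dst}:{e.dport}", "review", notes, None)


def triage(lines: List[str]):
    return [(line, classify(parse_entry(line))) for line in lines]


# Constructed sample mirroring the screenshot entries discussed above
# (203.0.113.10 is a documentation address standing in for an unknown host).
SAMPLE = [
    "UDP 192.168.1.7:55001 -> 156.154.70.22:53",
    "UDP 192.168.1.7:55432 -> 224.0.0.252:5355",
    "UDP 0.0.0.0:68 -> 255.255.255.255:67",
    "UDP 169.254.75.171:55433 -> 239.255.255.250:3702",
    "UDP 192.168.1.7:55434 -> 239.255.255.250:1900",
    "TCP 192.168.1.7:49200 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for line, f in triage(SAMPLE):
        print(f"{line:48} {f.verdict:8} {f.label}")
        for n in f.notes:
            print(f"{'':48} note: {n}")
        if f.rule:
            print(f"{'':48} rule: {f.rule}")
```

Running it prints one line per entry with the verdict, followed by the APIPA note for the 169.254.x entry and a ready-to-type block rule for each of the three optional discovery protocols; the only entry that lands in "review" is the unicast TCP connection, which is exactly the kind the thread says needs a whois lookup.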

Yes, I’m on it, yet there is a slight obstacle on my way… is this the settings panel I’m supposed to use?

‘‘is this the settings panel I’m supposed to use?’’

For modifying svchost by applying the rules outlined above, it’s the right place. To disable UPnP you need to open services.msc and disable the service there.

As I mentioned in my earlier post, these connections are all standard issue on Vista and Seven and you can simply leave them alone. For most people, for whom controlling both inbound and outbound connections is unimportant, simply leave the default rules.

Personally, I like to have control, so I always delete all the default rules, as well as anything trusted, and do my own thing. I don’t, however, recommend this approach without understanding the consequences of these actions.

Got it!
Well put mate
thanks again for this valuable lesson!

Oh my god. System is listening on 5357 :'(. Services is listening too. It seems like a lot of back- and even front doors :slight_smile:

Scary_bear - your suggestions, please?

This is not an issue; ports 5357 and 3702 are used by WSDAPI (Web Services on Devices API) and WSD (Web Services Dynamic Discovery) respectively, on Vista and later MS operating systems.

As I mentioned in my earlier post, these ports can be closed via firewall rules, but for most users it’s unnecessary and in some cases may cause problems.

‘‘these ports can be closed via firewall rules’’
This is an important suggestion.

What about services listening on a random port?

Any given service listens on one or more specific ports; they are not random. The client, when attempting a connection to a given service, may use a randomised port for the connection.

For example, when a web browser attempts to connect to a web server via HTTP, the client uses a random port, typically between 1024 and 5000 (the ephemeral ports), and sends a request to port 80 on the web server, unless instructed otherwise.

To sum up, I’m good, aren’t I?

Indeed