This IP was trying to connect to svchost.exe
38.229.1.13
I have had attempted connections to svchost in the past, what should I do when this happens?
Use brain.exe
When you don't know the host/IP that tries to establish a connection to your PC, then don't allow it.
If it's something important that will sooner or later not work anymore since you blocked it, you will see.
Btw: http://cqcounter.com/whois/ use this and you will find out the host of the IP.
I was a little vague in my post, I was up for 24 hours when I posted that, so I was a little tired. I did look it up before posting. Team Cymru is the organization that IP is connected to. Team Cymru is a specialized Internet security research firm.
networksolutions.com is a part of that as well. I am unsure if this has ties to my Cable ISP trying to communicate with my computer. I have seen that URL before, so I am not sure what to do.
I have Brighthouse Networks, my cable ISP.
You can allow it.
That's for Windows time sync. It follows your region (those servers can be different).
It may try to connect to port:123. That’s for the Network Time Protocol.
What do we call it? NTP.
But you may have a question: 'why do they do it?'
Because that's one of the projects for internet time sync.
It's legitimate.
You can find some information from MS.
Or visit the following links and read.
http://ntpresearch.cymru.com/
http://www.team-cymru.org/
http://www.ntp.org/
Don’t worry about it. You are safe.
kyle@kyle-desktop:~$ whois 38.229.1.13
OrgName: PSINet, Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
ReferralServer: rwhois://rwhois.cogentco.com:4321/
NetRange: 38.0.0.0 - 38.255.255.255
CIDR: 38.0.0.0/8
NetName: PSINETA
NetHandle: NET-38-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: rwhois.cogentco.com 4321
RegDate: 1991-04-16
Updated: 2005-10-05
RTechHandle: PSI-NISC-ARIN
RTechName: IP Allocation
RTechPhone: +1-877-875-4311
RTechEmail: ipalloc@cogentco.com
OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com
OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311
OrgNOCEmail: noc@cogentco.com
OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311
OrgTechEmail: ipalloc@cogentco.com
Found a referral to rwhois.cogentco.com:4321.
%rwhois V-1.5:0010b0:00 rwhois.cogentco.com
38.229.1.13
network:ID:NET4-26E5000010
network:Network-Name:NET4-26E5000010
network:IP-Network:38.229.0.0/16
network:Postal-Code:60527
network:State:IL
network:City:Willowbrook
network:Street-Address:10S325 Argonne Ridge Road
10S325 Aragonne Ridge Road
network:Org-Name:Team Cymru
network:Tech-Contact:ZC108-ARIN
network:Updated:2007-09-18 19:45:35
network:Updated-by:John Knowles
%ok
Enjoy…
svchost must be blocked
AFAIK Windows time synchronization might require svchost.exe to carry an outbound connection to port 123 of the configured NTP server (e.g. time.windows.com). So in case of outbound svchost connections to port 123, if the destination IP is known to have an NTP server running, it is likely to be a legitimate request.
On the other hand, IMHO inbound connections to svchost from an Internet IP (like 38.229.1.13) should be blocked, even more so if the inbound connection targets ports 135, 137, 138, 139, 445 or some other ports opened by potentially vulnerable (and often exploited) Windows services.
Hi Triplex,
I’m Dave of Team Cymru. Thanks for noticing our probes =)
As user Creasy has pointed out, what you've seen is a visit by our NTP probe. We're constantly working to better understand the Internet as a whole. As a result, we sometimes do sweeping assessments of the public Internet. This scan isn't looking for anything other than listening, publicly accessible NTP servers.
While our scan isn’t malicious, we certainly encourage you to follow network security best practice and only allow traffic from known hosts on the Internet.
If you have any other questions, feel free to shoot me an IM, or mail us at team-cymru[at]cymru.com
Cheers,
-Dave
Safest bet is to set Svchost as outbound only.
I don't think so. Maybe only NTP and DNS (udp 53) for those who didn't disable the DNS service, but no more. You can download updates for Windows on their site.
What’s up Dave.
I guess y'all like me, because last night you "scanned" me 5 times in a duration of 10 minutes, scanning 4 different ports.