I’m new to the forum, nice to meet you all.
I have this issue and I hope this question was not already asked somewhere, but I don’t know where or how to look, so forgive me if I did a double post.
Anyway, sometimes Comodo asks me about some application requesting to connect to this IP: 220.127.116.11. The problem is that the applications requesting this IP are not online applications.
I’m 100% sure they don’t have socket capabilities, since many times I received a request from my own application (in C++ with no external libraries apart from the STD, both MinGW and Visual Studio ones).
I did a whois of this IP and it seems to be a server of OpenDNS: in fact I do use OpenDNS. The problem is, who does these requests?
I suspect two things: a Windows process that tries to create this request and then, if I allow it, routes more traffic through that process. Or a virus that uses the same behaviour.
I’m not saying Windows is a virus… but it acts like one.
I always block these requests, but why do they appear? How can I look up the original process that creates them?
■■■■: today I had to block cc1plus and it crashed for some reason; I had to start over a 2-hour compilation.
Various and random. Games, the audio service (not the Windows one, an additional service of my audio card), notepad… well, anything can generate that request.
I forgot to mention: the request is always on port 41.
As I’ve written, I’m a developer and sometimes those requests are fired from my own application (and ■■■■: I did not write any socket function in my programs recently).
A co-worker of mine suggested using ProcessXP and netstat -o to try to recover the PID of the application firing this request; I’ll try next time.
I’ll try Wireshark too; I want to know what is going on in my computer.
If you’re trying to tie a process to net activity, then I would recommend Microsoft’s Network Monitor over Wireshark, mainly since NM displays the activity by process, whereas Wireshark is packet oriented.
Yes, of course, Kail. I meant I’ll use Wireshark to try to understand what kind of traffic is going on.
Anyway, I had this request again and I tried to use ProcessXP and netstat, but the problem is, correct me if I’m wrong, that since Comodo blocks the request before it can complete, netstat has no knowledge of it and, in fact, netstat couldn’t list this request.
But tell me, is it possible it’s a driver or a system service that somehow hides this request at kernel level?
As far as I know many processes are children of svchost and many requests pass through it, don’t they?
I don’t like this behaviour. I don’t like Windows but I’m forced to use it right now.
Yes. This is especially true for outbound connections.
Possibly, but unlikely (it would be tricky & attract attention). A driver/service like this would more likely use an intermediate system process for that, and probably the correct/legitimate one (SVCHOST), so as not to attract attention.
Yes, SVCHOST is, in effect, the Services Internet provider and there are usually multiple SVCHOSTs being used by multiple Services at any given point.
Please confirm the actual connection that you are seeing. Your topic says DNS, but you mention port 41 later. Is it port 41 or 53 (DNS)… or both? TCP or UDP? What’s the outbound (destination) IP? Thanks.
I thought port 41 was for DNS.
Strange: when the popup appears Comodo says it’s port 41; I didn’t pay attention to whether it’s TCP or UDP (does the standard popup give that information? I never paid attention to this detail).
Since it’s random I don’t know how to reproduce it.
I was looking through Comodo’s logs (Firewall Events) and it just says it’s an IPv6 request and gives no port (while the other IPv4 log entries tell which port).
Looking in ProcessXP I saw two common processes which pop up with this request: audiodg.exe, which is a child of svchost.exe, child of services.exe, child of wininit.exe. So this should be a service and I think it’s the audio card control panel.
But also one request often came from VVVVVV.exe, which is a nice game, child of Steam.exe, child of explorer.exe.
Once I got this request from cc1plus.exe (the C++ compiler of GCC). So this request is not done by these executables but somewhere else, and it’s random (audiodg.exe and VVVVVV.exe are always open in my sessions and they are always opened before anything else, so I think they pop up often for these reasons).
By the way, thank you for helping me figure out where this request comes from.
IPv6? I guess that might be IPv6 Protocol 41 then, rather than Port 41.
Does your ISP/router/modem/whatever actually allow/use IPv6, do you know? If not, it might be either simple LAN traffic between Windows systems (or possibly a router/printer) or something called Teredo Tunneling (which basically enables IPv6 over IPv4) on Windows (usually enabled by default).
Do you have an IPv6 Destination IP logged in CIS? What OS do you have?
PS Since this is probably IPv6, I guess the posted IP (18.104.22.168) might be something else then?
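The distinction Kail draws here, IP protocol 41 (an IPv6 packet encapsulated inside IPv4, as 6to4/6in4 tunnelling does) versus a TCP/UDP port 41, can be seen directly in the packet headers. The following is an added example, not code from the thread; the packets, addresses and the `classify` helper are constructed placeholders, and parsing the IPv4 protocol byte is what tells the two cases apart.

```python
import struct
import ipaddress

# Build a minimal IPv4 header (no options, checksum left zero) in front of a payload.
def build_ipv4(src, dst, proto, payload):
    ver_ihl = (4 << 4) | 5                      # version 4, header length 5*4 = 20 bytes
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Build a minimal IPv6 header; next header 59 means "no next header".
def build_ipv6(src, dst, next_hdr=59):
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def classify(pkt):
    """Describe what the number 41 in a firewall alert would actually refer to."""
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length in bytes
    proto = pkt[9]                              # IPv4 protocol field
    info = {"outer_dst": str(ipaddress.IPv4Address(pkt[16:20])), "ip_protocol": proto}
    if proto == 41:                             # IPv6 encapsulated in IPv4: no ports at all
        inner = pkt[ihl:]
        info["kind"] = "ipv6-in-ipv4"
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    elif proto in (6, 17):                      # TCP or UDP: ports live in the transport header
        _, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["kind"] = "tcp" if proto == 6 else "udp"
        info["dst_port"] = dport
    else:
        info["kind"] = "other"
    return info

# Constructed samples using documentation-only addresses (RFC 5737 / RFC 3849).
SAMPLE_TUNNEL = build_ipv4("192.0.2.10", "198.51.100.1", 41,
                           build_ipv6("2001:db8::1", "2001:db8::2"))
SAMPLE_UDP = build_ipv4("192.0.2.10", "198.51.100.1", 17,
                        struct.pack("!HHHH", 1234, 41, 8, 0))  # UDP to destination port 41

if __name__ == "__main__":
    for name, pkt in (("tunnel", SAMPLE_TUNNEL), ("udp", SAMPLE_UDP)):
        print(name, classify(pkt))
```

A firewall log that shows "IPv6" with no port for the blocked entry is consistent with the first case, where the outer IPv4 packet carries protocol 41 and the only addresses are the outer IPv4 and inner IPv6 destinations.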
Sorry, I didn’t explain well.
When the request appears in the Remote address (of Comodo) I just have this string:
22.214.171.124 - 41
I couldn’t take a screenshot.
But in the log, that request appears as IPv6.
I attached a screenshot of my log events.
My router is not configured for IPv6. Here in Italy I don’t know a single provider that uses IPv6.
By the way, the DNS servers of my router are different from the ones on my machine. I always use OpenDNS.
My OS is Windows 7 Home Premium 64bit.
This happens both on my ethernet at home and the wireless network at work, so I don’t think it’s related to my network or any particular network.