Svchost attack or paranoia

First of all I want to commend the ease of registration for this forum. Very professional! (:CLP)

I have a question concerning svchost.exe

Before anyone starts, I have already used the search engine to look for this topic here in the forums and also on Yahoo.
It appears that svchost is trying to receive a connection from the internet (is that inbound or outbound?), approximately 300 times in the last 24 hours. I ran an IP trace on the addresses and found most to be coming from coxcable and roadrunner, but a few were coming from somewhere in China(??). All of them were trying to access port 1026, which I recognize as having to do with the calendar.
I have realized that since I blocked these requests, I have not received any Windows Update notifications,
but like they say, I don’t want to have a nuke proof door, but leave it unlocked.
I have run all different kinds of antivirus/antispyware, etc. (AVG, AVGantispy, Spybot, AdAware, AdWatch, CCleaner).
Every one comes up clean and is up to date.
I have also tried a command prompt to look at all processes and PIDs, seems OK.
Each IP, when I run a traceroute, comes with a long list of what looks to be hops or bounces around the world.
California, Canada, China, Honolulu, etc…
Is it possible that someone is using these IPs as proxies to attack me? Or am I just being paranoid?
Any help would be much appreciated!



I’m NOT an expert, but I know that this can happen if you use some kind of P2P (torrent, eMule…). Some peers/trackers will try to connect to you after you close the program (they are checking whether you are available for downloading…), and this could last a long time (a week or even 2). And China has a lot of them…

To avoid this (or to be sure of it), simply bind one single port to your program for all in/out connections (Azureus can do this, others I don’t know). Then, looking at the blocked connections, you will be able to distinguish them by the port number… (another thing that you can “google-for-it” is to disable DHT, PEX, DDB… - if using torrents, ok?)

Good luck!


If it’s trying to receive a connection, that’s inbound. Svchost.exe does NOT need to make inbound connections, only outgoing (for DNS and DHCP). You should add a rule for svchost.exe in Firewall → Advanced → Network Security Policy that blocks all incoming IP traffic (with logging unchecked, so it won’t flood your event log for the firewall).
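
The port-based sorting suggested in the replies above can be scripted. This is an added example, not code posted by anyone in the thread: it splits blocked inbound attempts into leftover P2P peers and everything else, then counts attempts and distinct sources per port. The CSV layout, the sample records and the P2P port number are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of blocked-connection records. The CSV layout is an
# assumption for this example, not the export format of any particular firewall.
SAMPLE_LOG = """time,direction,proto,src_ip,dst_port,application
09:01:12,in,UDP,203.0.113.7,1026,svchost.exe
09:01:40,in,UDP,198.51.100.23,1026,svchost.exe
09:02:05,in,TCP,192.0.2.44,49160,System
09:03:17,in,UDP,203.0.113.7,1026,svchost.exe
09:04:51,in,TCP,192.0.2.91,49160,System
09:05:02,out,UDP,10.0.0.5,53,svchost.exe
09:06:30,in,UDP,198.51.100.80,1027,svchost.exe
"""

P2P_PORT = 49160  # hypothetical: the single port the P2P client was bound to


def triage(log_text, p2p_port):
    """Split blocked inbound attempts into leftover P2P peers (aimed at the
    bound P2P port) and everything else, grouped by protocol and port."""
    p2p_sources = set()
    other = defaultdict(Counter)  # (proto, dst_port) -> Counter of source IPs
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["direction"].strip().lower() != "in":
            continue  # outbound traffic (DNS, DHCP, updates) is not the question here
        port = int(row["dst_port"])
        if port == p2p_port:
            p2p_sources.add(row["src_ip"])
        else:
            other[(row["proto"].upper(), port)][row["src_ip"]] += 1
    return p2p_sources, other


def summarize(other):
    """Return (proto, port, attempts, distinct_sources) rows, busiest first."""
    rows = [(proto, port, sum(c.values()), len(c))
            for (proto, port), c in other.items()]
    return sorted(rows, key=lambda r: (-r[2], r[1]))


if __name__ == "__main__":
    peers, other = triage(SAMPLE_LOG, P2P_PORT)
    print(f"leftover P2P peers on port {P2P_PORT}: {sorted(peers)}")
    for proto, port, attempts, sources in summarize(other):
        print(f"{proto}/{port}: {attempts} blocked attempts from {sources} sources")
```

Many unrelated sources hitting the same one or two ports, none of them the P2P port, points to untargeted scanning rather than leftover peers.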