Svchost TCP out connections

When I boot up my computer, svchost connects TCP out to an IP with which it exchanges a small bit of data and then disconnects. It has always been from a private port and, since I started to notice this behavior and log it, it has always been to port 80.

Some of the IPs that it has connected to are:

128.242.168.241
128.242.186.247
204.245.162.51
64.208.126.27

Take a look through this thread, it may help.

NTT America and Global Crossing/Level 3 Communications . . . so very unlikely to be malware related, since both are content hosting providers.

This tool is the boss when it comes to svchost.exe and can give you a lot of insight behind the scenes.

http://svchostviewer.codeplex.com/

Personally, the only connections I allow svchost are to my DNS servers. I set Windows Update to manual only and allow all connections only during the update process. Then I go back and block everything but the DNS servers. It is probably the weakest, most exploited point in Windows.

I connect straight to the internet, so no problems. All I need is the DNS, but if you’re on a network or have shared resources this scheme wouldn’t work.

I looked through that and it wasn’t really explained how to log connections from svchost or block certain ones.

I am using Process Explorer, and during the last boot the instance of svchost had crypt service, DNS cache, lanman server, and a few others, but I may try this because it looks like it gives a bit more info or at least is easier to read.

Whilst svchost viewer is useful, it doesn’t really provide any additional information over that supplied by Process Explorer. If you want to understand the nature of the traffic being sent and received from your PC/network, you will need to use something like Wireshark.

If you read through the thread I linked to, you will find it’s the same svchost instance as the one you’ve identified, which almost guarantees the data is related to NlaSvc (thread: Re: Svchost.exe In WIN 7 Driving Me Nuts!).

Thank you for being so patient, I must have logged out when I read that thread because the pictures really do help with finding out what was going on.

I’ll try Wireshark soon and post whatever I get soon.

Sorry for the delay, but here is what Wireshark got from the IP 64.211.144.163:80:

GET /pki/crl/products/tspca.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 26 Sep 2011 17:44:25 GMT
If-None-Match: "e5f079ee737ccc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 26 Sep 2011 17:44:25 GMT
ETag: "e5f079ee737ccc1:0"
Cache-Control: max-age=900
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Sep 2011 17:28:57 GMT
If-None-Match: "1e58dd9cf176cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 19 Sep 2011 17:28:57 GMT
ETag: "1e58dd9cf176cc1:0"
Cache-Control: max-age=811
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

GET /pki/crl/products/CSPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 13 Jun 2011 17:39:55 GMT
If-None-Match: "6d7054e8f029cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 13 Jun 2011 17:39:55 GMT
ETag: "6d7054e8f029cc1:0"
Cache-Control: max-age=900
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

GET /pki/crl/products/CodeSigPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Sep 2011 17:24:23 GMT
If-None-Match: "9132a2f9f076cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 19 Sep 2011 17:24:23 GMT
ETag: "9132a2f9f076cc1:0"
Cache-Control: max-age=900
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

GET /pki/crl/products/CodeSignPCA2.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Jul 2011 18:06:17 GMT
If-None-Match: "acace637545cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 18 Jul 2011 18:06:17 GMT
ETag: "acace637545cc1:0"
Cache-Control: max-age=900
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 29 Aug 2011 18:08:32 GMT
If-None-Match: "cef09aa97666cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 29 Aug 2011 18:08:32 GMT
ETag: "cef09aa97666cc1:0"
Cache-Control: max-age=900
Date: Mon, 10 Oct 2011 23:02:50 GMT
Connection: keep-alive

I believe that this also happens with the 128.242.xxx.xxx IPs, because it looked similar when I was testing out Wireshark, but I could not find how to save it. However, if I did not give the relevant info, please tell me so I can try again.

You can use the File/Export command to save the data as a text file.

I just have to make sure to add the .txt when I export, because when I tried it, it just gave me the file I named with no file type; but that was with the previous post’s information I just copied and pasted in said quote.

But is there anything you can tell me with the previous post or do I need to give more information?

The entries you’ve posted above all appear to be standard certificate revocation checks, something Windows does quite often.
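The reply above sums up the captures as routine certificate revocation checks. The script below is an added example, not code from the thread, showing how to make that judgement mechanically over a Wireshark "Follow TCP Stream" export saved as text: it pairs each request with the response that follows it and flags any exchange that is not a CryptoAPI GET of a .crl file from a known CRL host answered with a CRL. The sample stream is constructed (the first exchange is modelled on the posted capture, the second is invented against the reserved host example.invalid), and the known-host set holds only crl.microsoft.com, the host seen in the thread.

```python
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE", "PATCH"}

# Only CRL host the thread's captures show; extend with your own environment's distribution points.
KNOWN_CRL_HOSTS = {"crl.microsoft.com"}

# Constructed sample: first exchange mirrors the posted capture, second is an invented non-CRL request.
SAMPLE_STREAM = """GET /pki/crl/products/tspca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 26 Sep 2011 17:44:25 GMT
If-None-Match: "e5f079ee737ccc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 26 Sep 2011 17:44:25 GMT
ETag: "e5f079ee737ccc1:0"
Connection: keep-alive

GET /updates/check HTTP/1.1
User-Agent: ExampleAgent/1.0
Host: example.invalid

HTTP/1.1 200 OK
Content-Type: text/plain
"""

def parse_stream(text):
    """Split a plain-text HTTP stream into (start_line, headers) pairs.
    Header names are lower-cased; message bodies and stray text are skipped."""
    messages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        first = lines[0].strip()
        if first.split(" ", 1)[0] not in HTTP_METHODS and not first.startswith("HTTP/"):
            continue  # body chunk or stray text, not a message head
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        messages.append((first, headers))
    return messages

def pair_exchanges(messages):
    """Pair each request with the response that follows it in the stream."""
    exchanges, pending = [], None
    for start_line, headers in messages:
        if start_line.startswith("HTTP/"):
            if pending is not None:
                exchanges.append((pending, (start_line, headers)))
                pending = None
        else:
            pending = (start_line, headers)
    return exchanges

def classify(request, response):
    """Return ('crl-check', []) when every trait of a CryptoAPI CRL fetch is
    present, otherwise ('review', reasons) so an analyst looks closer."""
    req_line, req_headers = request
    resp_line, resp_headers = response
    method, target = (req_line.split(" ") + ["", ""])[:2]
    host = req_headers.get("host", "").lower()
    agent = req_headers.get("user-agent", "")
    parts = resp_line.split(" ")
    status = parts[1] if len(parts) > 1 else ""
    ctype = resp_headers.get("content-type", "")
    reasons = []
    if method != "GET":
        reasons.append(f"method {method} is not GET")
    if not target.lower().endswith(".crl"):
        reasons.append(f"path {target} does not name a .crl file")
    if host not in KNOWN_CRL_HOSTS:
        reasons.append(f"host {host!r} is not a known CRL distribution point")
    if not agent.startswith("Microsoft-CryptoAPI/"):
        reasons.append(f"user-agent {agent!r} is not Windows CryptoAPI")
    if status not in {"200", "304"}:
        reasons.append(f"unexpected status {status!r}")
    if ctype and ctype != "application/pkix-crl":
        reasons.append(f"response content-type {ctype!r} is not a CRL")
    return ("crl-check" if not reasons else "review"), reasons

def triage(text):
    """Classify every request/response pair found in the text."""
    results = []
    for req, resp in pair_exchanges(parse_stream(text)):
        verdict, reasons = classify(req, resp)
        results.append({"request": req[0], "host": req[1].get("host", ""),
                        "status": resp[0], "verdict": verdict, "reasons": reasons})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_STREAM):
        print(f"{r['verdict']:9} {r['host']:18} {r['request']}")
        for reason in r["reasons"]:
            print("          -", reason)
```

Run it directly and it prints one line per exchange; the "review" entries are the ones worth a closer look, and the known-host set is what you extend as you learn which distribution points are legitimate in your own environment. The checks are deliberately conjunctive, so a request that merely copies the CryptoAPI User-Agent but fetches something other than a CRL from a known host still lands in "review".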

So that is the reason why svchost is connecting to those IPs, why would they not be Microsoft IPs then?

Even though I am fairly sure the 128.242.xxx.xxx IPs did this as well, I want to make sure that they are also doing this and not something else.

64.211.144.163 belongs to Level 3 Communications - formerly Global Crossing - who, amongst other things, are a CDN (Content Delivery Network). Microsoft, like most other suppliers of large amounts of content, use CDNs to distribute the load and also to provide localised resources. NTT, who own the 128 and 204 addresses you’ve listed, offer similar services.

So more than likely I have been freaking out over something that is a fairly normal occurrence?

Well, that makes me feel much better, though I still want to have one last look at a connection to the 128s, but this has been fairly helpful to say the least. I’ll post when I finally get that connection going, along with the data from Wireshark.

Alright, here is what Wireshark got from 128.242.186.241:

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Sep 2011 17:28:57 GMT
If-None-Match: "1e58dd9cf176cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 19 Sep 2011 17:28:57 GMT
ETag: "1e58dd9cf176cc1:0"
Cache-Control: max-age=900
Date: Thu, 13 Oct 2011 21:16:49 GMT
Connection: keep-alive

GET /pki/crl/products/CSPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 13 Jun 2011 17:39:55 GMT
If-None-Match: "6d7054e8f029cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 13 Jun 2011 17:39:55 GMT
ETag: "6d7054e8f029cc1:0"
Cache-Control: max-age=856
Date: Thu, 13 Oct 2011 21:16:54 GMT
Connection: keep-alive

GET /pki/crl/products/CodeSigPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Sep 2011 17:24:23 GMT
If-None-Match: "9132a2f9f076cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 19 Sep 2011 17:24:23 GMT
ETag: "9132a2f9f076cc1:0"
Cache-Control: max-age=900
Date: Thu, 13 Oct 2011 21:16:58 GMT
Connection: keep-alive

GET /pki/crl/products/CodeSignPCA2.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Jul 2011 18:06:17 GMT
If-None-Match: "acace637545cc1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 18 Jul 2011 18:06:17 GMT
ETag: "acace637545cc1:0"
Cache-Control: max-age=900
Date: Thu, 13 Oct 2011 21:17:03 GMT
Connection: keep-alive

It looks pretty similar to the previous Wireshark data, so I guess this pretty much wraps this up? If so, thanks for having patience with me and helping me figure this out; if not, let’s hope we are close to the end.

They’re very similar and really nothing to be alarmed about. In fact, it’s a necessary process to make sure the certificate root store is kept up to date.

Thanks a lot for taking the time to explain this and for pointing me to Wireshark, which helped a huge amount with finding the root of what was going on in svchost.

Again, thank you a lot.