Like everyday when i turn on my pc i check on COMODO for the active connections to see what’s goin’ on and what’s normal.
Then, i always see connections to IPs from my internet providor, some of them is just 66b. I don’t understand why this happens so i end the connections anyway.
But today without any program that can use the internet, i see an incoming connection from svchost.exe with this IP (220.127.116.11) that i’ve never seen before.
So i checked on ip-adress.com to see who’s that.
It said that was from a index of “/” and the IP was from belgium. ???
I entered the adress on my browser and i ended on a index page indeed. Full of files from apache or something like that. The first file was one from akamai and at the bottom of the page “Apache OS” was written.
So, what’s this?! I’m going crazy someday trying to understand svchost.exe connections and it actions.
On my Windows XP laptop this never happens. I’m using Windows 7 Ultimate x64 Service Pack 1.
Microsoft host the windows updates on akamai or something? Because after i checked, the windows alerted me about a update.
Somebody knows something about this?
Weird incoming svchost.exe connection from the ip 18.104.22.168
No one? ???
The 22.214.171.124 address belongs to Verizon Business and Apache is a server application. You’ll find information on Verizon Business services here Customer Support Belgium | Verizon
Check if you (or your employer?) didn’t subscribe to their cloud for example.
No, i didn’t subscribed anything with verizon.
It only appeared with a connection from svchost.exe with 66b. I ended the connection, 'cause i didn’t know what that was doing.
It sounds like you are directly connecting to the web with no router in between.
See if you have NETBIOS enabled. If so please disable it following http://www.petri.co.il/disable_netbios_in_w2k_xp_2003.htm .
Could you show screenshots of the logs and of your global rules?
Actualy i’m using a wifi router. This IP(126.96.36.199) only appeared once. My global rules you mean my firewall configs? I don’t have screenshots of the logs now, it happened once when i turned my PC on. When i turn my pc on it always appears an IP from my internet provider, sometimes a IP from Argentina. Here, it’s a screenshot of what usually happens when i turn my pc on. It’s totally weird. (my COMODO is in portuguese(brazil))
I use windows 7. This “NetBIOS disable tutorial” works on 7?
Do you think it’s NetBIOS that are causing the svchost.exe connections with my provider?
It’s always the IP 188.8.131.52, 184.108.40.206 or then 220.127.116.11. Sometimes it’s the ip 18.104.22.168 that is from my internet provider. I don’t know why this happens… :-[
[attachment deleted by admin]
Here’s two more screenshots for you to see what i see everyday when i turn my pc on. Please, tell me why this happens, i MUST know.
[attachment deleted by admin]
When looking at the logs I noticed that the traffic that you highlighted is actually outgoing traffic and not incoming traffic. Since you are behind a router you can forget my remark about NETBIOS.
One of the hightlighted processes I think may be Windows Live ID Service. By its self it is not strange it connects to the outside world. Other connections are by the servicehost process with one and the same Process ID (952).
Are you running a tool from your ISP that monitors your connection? That could be a source for the traffic by svchost.exe.
To really know what process is behind svchost.exe we need to use another tool to learn more about a specific service host process. There are two programs that can do this Svchostviewer and Svchost Process analyzer. You need the PID of the running svchost process that you want to learn about. I think the PID may be different for each Windows session.
“Are you running a tool from your ISP that monitors your connection? That could be a source for the traffic by svchost.exe.”
No, i’m not running any tool.
I just turned my pc on again now and the same ip appeared. It stays on the log for some time then disappears.
Various programs connects to this IP. I don’t know the cause. Even my firefox does. As you can see in this screenshot.
[attachment deleted by admin]
The traffic in FF connects on port 443 which is for a secure, https, connection.
I am not sure how to analyze this. I will ask the other mods to come and take a look.
One of those resolves as www-slb-11-01-ash2.facebook.com.
So for some reason FF is checking something that has to do with Facebook, do you have any plugin that might check facebook?
Also this one
An other is 22.214.171.124.user.ajato.com.br. according to the SSL certs loaded on that server it’s part of akamai
Same for this one
This one relates to google 126.96.36.199 probably used to update the FF attack sites and forgeries updates.
If you want to know what names are used to connect open a command-box after startup and type
This will show you all the DNS names your system has queried after startup and will also show you the IP’s it’s used.
If you really want to know what data is transferred here you need to install a packet sniffer like wireshark to make a capture.
I have written a how-to here
It can be used for this also, if your done please PM me so I can analyze the data.
Wow, that was a lot of useful information. Thank you, EricJH and Ronny. You guys are awesome. I always wondered if there is a way to see what is being transferred online. It was really helpful indeed! Don’t close this topic yet please. I’ll do my tests here, even if that info has been helpful already with my questions.
You guys from Comodo are great. I never knew a team of moderators who acted that way so professional and really help with the questions of the user.
I’m really glad that i changed my firewall to Comodo.
Your welcome, and just to be clear we (Moderators) are just ‘Volunteers’ not Comodo staff.
This is even cooler.
This IP (188.8.131.52) appeared and its the same page as the 184.108.40.206. (a incoming connection) Why is this happening? Microsoft have something to do with?
That’s blunt, they allow directory browsing on that ???
But in this case it explains what it is, since the Flame discovery Microsoft hardened several things in it’s OS which also contains a feature to check for revoked Certificates every day.
This server is full of .crl files which are ‘Certificate Revocation Lists’. Nothing to worry about.
And what about this IP? 220.127.116.11
It appeared a connection in the active connections log. It was the msnmsgr.exe with this connection. A incoming connection i think.
Rule of thumb:
ONLY use outgoing permissions.
USUALLY (99,9%) a program does not need to get unrequested traffic from the internet.
The firewall is there to safe you from worries and un-necessary decisions. Its not there to show you an ip and you have to look it up. If a connection can be made unrequested, its allready to late!
Use the stealth port wizard setting 3.
Or create a rule in global rules: Block IP (protocoll) ingoing any any.
If you need permissions for ingoing traffic from computers IN your own network, make very tight exception rules for these computers, and put them on top of the general block rule.
AVOID INgoing permissions. Comodo is a statefull firewall. That means:
“Allow x program OUTgoing only” will be enough to play games, get updates, do everything.
ONLY if you want to run a real server, or when you want to fully run a p2p network, you should make tight exceptions from the general rule:
You can tighten up the outgoing principle too.
I just want to give you the idea.
To add to clockwork you may also need to allow incoming traffic (server rights) when you have photos you share with a messenger program. In that case you need to allow incoming traffic on your messenger application.