Re: svchost.exe

From: The Other Guy (nospam@this.addy)
Date: 10/05/02


On Fri, 04 Oct 2002 22:05:05 GMT, while waiting for Some Guy to show
up and say something, The Other Guy responded to a post from "Maxx
Taxx" <matsqq@hotmail.com> who wrote in comp.security.firewalls:

-->
-->My firewall was so quiet and nice until I made some pathetic idiot
-->angry.
-->
-->Maybe he was a hacker and managed to do something to my computer
-->because now I get outbound tcp and UDP connection attempts every 10
-->minutes from svchost.exe.
-->
-->Maybe you think I'm dreaming but my log was completely clean until
-->that moment and now I get those connection attempts every 10 minutes.
-->
-->Any advice on what to do ?
-->
-->Sometimes the address is different but mostly
-->
-->1,[04/Oct/2002 03:26:40] Rule '195.54.111.69': Blocked: Out TCP,
-->localhost:3317->195.54.111.69:80, Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
-->1,[04/Oct/2002 03:26:40] Rule '195.54.111.69': Blocked: Out TCP,
-->localhost:3318->195.54.111.69:80, Owner:

<snip other examples>

Svchost.exe means that you have services running from dynamic-link
libraries (DLLs). The Svchost.exe file is located in the
%SystemRoot%\System32 folder, as shown in your Owner identification.
At startup, Svchost.exe checks the services portion of the registry to
construct a list of services that it needs to load. There can be
multiple instances of Svchost.exe running at the same time.

Each Svchost.exe session can contain a grouping of services, so that
separate services can be run depending on how and where Svchost.exe is
started.

If you go to Start --> Run and type command, you can find out what the
svchost.exe files correspond to. Follow one of the methods below,
depending on your O/S.

(Windows XP) Once you have the command line up, type Tasklist /SVC.
(Windows 2K) Use Tlist.exe from the Windows 2000 CD-ROM; the syntax is
tlist -s at the command prompt.

For a list of associated files and such, see:
http://www.igknighttec.com/Windows/WindowsXP/svchost_exe.php

See also the Microsoft site for the registry key groups:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q250320 (W2K)
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314056 (XP)

See also
http://lists.insecure.org/firewall-wizards/2001/Sep/0029.html

Svchost.exe is tied in with RPC somehow and win2k needs it.
When the RPC service is disabled, so are some functions in win2k.

If you do a netstat -an in the DOS command prompt and check what
ports are open, you should expect to see port 135. Port 135 is
assigned to DCE[1] (aka RPC - Remote Procedure Call) endpoint
resolution, but when RPC is disabled, svchost.exe is no longer in
the process list, port 135 is closed, and it no longer shows up in
netstat.

I know people have found a lot of computers infected with a
trojaned copy of svchost.exe. The trojaned copy is bigger (about
550KB) than the original (about 8KB) and is located in C:\winnt\
instead of c:\winnt\system32\. The trojan was listening on port
878/tcp and was used to exchange illegal software, movies and music.

<much of the above was taken from my reply to an earlier post/thread
on the same subject, so I just copied/pasted>

Therefore, it is difficult to determine what may be causing the
problem because svchost.exe is normal.

1) Do a netstat -an and check what active connections you have open.

2) Check which services are using svchost by one of the methods
shown, based on what O/S you have.

3) Run up-to-date antivirus software to check for any trojans on
your system. The Bugbear worm is pretty popular right now and may be
making RPCs. Have you opened any strange attachments in the last few
days?

4) Check for the possible trojaned copy by looking for the fake one as
described above.

5) Don't disable the real version of svchost, i.e., don't use regedit
to set it to anything but Automatic because other functions may stop
working.

Anyway, I hope that's enough to provide you with some further
analysis.

Regards,
T.O.G.

[1]
From
http://www.finallysoftware.com/finally/products.htm?referrer=GoogleDCE

The Distributed Computing Environment (DCE) is an industry-standard,
vendor-neutral set of distributed computing technologies. DCE is
deployed in critical business environments by a large number of
enterprises worldwide. It is a mature product and is the only
middleware system with a comprehensive security model.

DCE - provides a complete Distributed Computing Environment
infrastructure. It provides security services to protect and control
access to data, name services that make it easy to find distributed
resources, and a highly scalable model for organising widely scattered
users, services, and data. DCE runs on all major computing platforms
and is designed to support distributed applications in heterogeneous
hardware and software environments. DCE is a key technology in three
of today's most important areas of computing: security, the World Wide
Web, and distributed objects.

-- 
./
Not this guy or that guy, The Other Guy.

"I love Mankind, it's people I can't stand." - Linus from Charlie Brown

"To know me is to love me!" - (also) Linus from Charlie Brown
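To put the triage steps above into practice on the firewall log itself, here is an added example (not the poster's code) that parses the log lines in the format quoted in the thread, counts blocked outbound attempts per owner and destination, checks the attempt interval, and flags any svchost.exe whose path is not %SystemRoot%\System32 (the sign of the trojaned copy described). The log field layout is an assumption inferred from the two quoted lines, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath
# Field layout inferred from the two lines quoted in the post (assumption: other versions may differ).
LOG_RE = re.compile(
    r"^\d+,\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']*)': (?P<action>\w+): "
    r"(?P<dir>In|Out) (?P<proto>TCP|UDP), (?P<src>\S+?):(?P<sport>\d+)->(?P<dst>\S+?):(?P<dport>\d+), "
    r"Owner: (?P<owner>.+?)\s*$"
)

# Constructed sample log modelled on the post's entries; not real captured data.
SAMPLE_LOG = """\
1,[04/Oct/2002 03:26:40] Rule '195.54.111.69': Blocked: Out TCP, localhost:3317->195.54.111.69:80, Owner: C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
1,[04/Oct/2002 03:26:40] Rule '195.54.111.69': Blocked: Out TCP, localhost:3318->195.54.111.69:80, Owner: C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
1,[04/Oct/2002 03:36:40] Rule '195.54.111.69': Blocked: Out TCP, localhost:3340->195.54.111.69:80, Owner: C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE
1,[04/Oct/2002 03:46:40] Rule '195.54.111.69': Blocked: Out UDP, localhost:1042->195.54.111.69:53, Owner: C:\\WINNT\\SVCHOST.EXE
"""

def parse_log(text):
    """Parse matching lines into dicts with a datetime 'ts' and int 'dport'; skip the rest."""
    records = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records

def suspicious_svchost(owner, system_root="C:\\WINDOWS"):
    """True if the owner is an svchost.exe outside %SystemRoot%\\System32 (step 4 in the post)."""
    p = PureWindowsPath(owner)
    if p.name.lower() != "svchost.exe":
        return False
    expected = PureWindowsPath(system_root, "System32")
    return str(p.parent).lower() != str(expected).lower()

def summarize_blocked_out(records):
    """Count blocked outbound attempts per (owner, proto, destination, port)."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "Blocked" and r["dir"] == "Out":
            counts[(r["owner"].lower(), r["proto"], r["dst"], r["dport"])] += 1
    return dict(counts)

def attempt_intervals(records, owner):
    """Seconds between successive attempts by one owner, to confirm an 'every N minutes' pattern."""
    times = sorted(r["ts"] for r in records if r["owner"].lower() == owner.lower())
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

A regular interval from the real System32 svchost.exe points at a scheduled service (one to identify with Tasklist /SVC or tlist -s), while any owner flagged by suspicious_svchost deserves the size and location check from the post.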
