Re: Unknown svchost.exe DNS port 53 network activity
- From: "Duane Arnold" <Yeah-Don't-bother-@that's-right.BET>
- Date: Thu, 21 Dec 2006 01:09:35 GMT
"Raffi" <thegrizzzly@xxxxxxxxx> wrote in message
news:1166648972.302288.17030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> This is regarding a Windows XP Professional PC. I noticed heavy
> activity on my router as well as my PC LAN connection icon in the tray.
> After some digging, it appears to be a svchost process that is listening on
> port 53 with a remote address of my ISP's DNS server. My router is not
> set to forward DNS traffic to a specific system, and I don't run any
> DNS servers.

No traffic can come to the machine, unless you have opened the inbound port
by using port forwarding on the router, which allows unsolicited inbound
traffic to reach a machine. The machine may or may not be listening on the
forwarded port. On the other hand, if a computer has made a solicitation for
inbound traffic by sending outbound traffic to a remote IP, then solicited
traffic is going to be let back through the router or a firewall, because
the machine behind them made the solicitation.

> I am worried about this process since there's a lot of data being
> transmitted/received and it's starting to introduce delays with my web
> connections, and seems to be affecting available bandwidth as well.

Svchost.exe, which should be running out of the Windows/System32 directory,
otherwise it's a Trojan, does nothing on its own. It does the bidding for
the O/S and its programs and other programs as well; it does the hosting.
Svchost allows the communication between machines in a LAN or WAN situation.
However, you should be aware of what Svchost is connecting to, as malware can
be hosted by Svchost.exe as well.
I suspect the machine was just communicating with the ISP DNS servers, as the
machine with its O/S has made the solicitation for traffic.

> The following have not identified any viruses or other malware:
> AntiVir antivirus
> Avast antivirus
> Spybot S&D
> Ad Aware
> AVG antispyware

Malware can circumvent and defeat every last bit of it.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

> I got the following information for the related process from Port
> Explorer
> Command line: c:\windows\system32\svchost.exe -k Network Service
> Killing this process returns everything to "normal" with port 53
> traffic stopped and all other applications working fine.

How can that be? If you cut off the traffic on port 53, then how is any
machine with an application running where a URL is involved, look up the WAN
IP that belongs to the URL, an application such as a browser accessing the
Web site that WAN IP points to? That's what the ISP's Domain Name Server is
for: to take a URL that has been given on its network and convert it to a
WAN IP so that an application can use the IP to go to a site.
It could be with a browser, that any Web page you're accessing has been
cached on the machine and is why you're thinking nothing is wrong.

> Any help explaining this activity and how to disable it would be
> greatly appreciated. Is this something normal with Windows I may have
> missed?

If you suspect something, then use the proper tools and look for yourself. A
tool like Process Explorer will let you look inside any running process and
see the exe, dll, etc., etc. or processes that are being hosted by a process
such as Svchost.exe. I suspect there is nothing wrong with communications
between a computer and the ISP's DNS server.
Long
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Short
http://tinyurl.com/klw1
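
Added example, not part of the original post: the two checks the reply describes (svchost.exe running from System32, and which services each instance hosts) done over the output of the built-in `tasklist` and `wmic` commands. The PIDs, host name and service lists below are constructed sample data, and the expected path assumes a default XP install.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
TASKLIST = '''"Image Name","PID","Services"
"svchost.exe","1052","AudioSrv,BITS,Browser,Schedule"
"svchost.exe","1120","Dnscache"
"svchost.exe","2208","N/A"
"explorer.exe","1640","N/A"
'''

# Constructed sample of:
#   wmic process where "name='svchost.exe'" get ExecutablePath,ProcessId /format:csv
WMIC = '''Node,ExecutablePath,ProcessId
XPBOX,C:\\WINDOWS\\system32\\svchost.exe,1052
XPBOX,C:\\WINDOWS\\system32\\svchost.exe,1120
XPBOX,C:\\WINDOWS\\svchost.exe,2208
'''

EXPECTED = r"c:\windows\system32\svchost.exe"  # assumption: default install path


def audit_svchost(tasklist_csv, wmic_csv, expected=EXPECTED):
    """One record per svchost.exe PID: hosted services, image path, path check."""
    paths = {int(r["ProcessId"]): r["ExecutablePath"]
             for r in csv.DictReader(io.StringIO(wmic_csv))}
    report = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        pid = int(row["PID"])
        # tasklist prints "N/A" when the process hosts no service.
        services = [s.strip() for s in row["Services"].split(",")
                    if s.strip() != "N/A"]
        path = paths.get(pid)  # None if the path query did not return this PID
        ok = path is not None and path.lower() == expected
        report.append({"pid": pid, "services": services,
                       "path": path, "path_ok": ok})
    return report


def suspicious(report):
    """PIDs that run from an unexpected path or host no service at all."""
    return [r["pid"] for r in report if not r["path_ok"] or not r["services"]]


if __name__ == "__main__":
    print("review:", suspicious(audit_svchost(TASKLIST, WMIC)))
```

In the sample, PID 1120 hosts only Dnscache, the DNS Client service, which is the instance expected to talk to the ISP's DNS server; PID 2208 is the one to look at in Process Explorer.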