Full Disclosure mailing list archives

RE: svchost.exe try to send http outside


From: howard.lee () guoco com
Date: Thu, 18 Aug 2005 12:03:36 +0800


Thanks.
I've checked all the IPs which the process generates. Part of them can be
confirmed as Microsoft IPs.
I'm now contacting Microsoft for the remaining IP list and asking them for the
details about automatic update.
I think it is a valid Windows update.

Microsoft
207.46.19.93
207.46.244.219
207.46.244.253
207.46.157.61

HKNET
218.213.254.30
218.213.255.30
218.213.255.29

Akamai
80.15.249.169
80.15.249.158
80.15.249.167

Quest communication
63.150.131.9
63.150.131.10
63.150.131.24
63.150.131.26


Regards,
Howard


"#YU KUAN#" <yukuan () pmail ntu .edu.sg>
18/08/2005 11:02
To: <howard.lee () guoco com>
cc:
Subject: RE: [Full-disclosure] svchost.exe try to send http outside

From the dll list you provided, I think it's the Windows Automatic Update
service.
This is because there is the dll - wuauserv.dll - which is used for Windows
Update.
You can see the same name (wuauserv) in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Another piece of evidence is that when you stop the Automatic Update service, the
process stops.
So I think it's a valid process, not a worm.

-----Original Message-----
From: howard.lee () guoco com [mailto:howard.lee () guoco com]
Sent: Thursday, 18 August, 2005 AM 9:24
To: #YU KUAN#
Cc: full-disclosure-bounces () lists grok org uk
Subject: RE: [Full-disclosure] svchost.exe try to send http outside



Hi,

Yes, I've already used a tool to get all the related dlls running. The svchost
changes the IP in SYN_SENT every 5 sec.

It returned a list of dlls, and according to the list, we tried stopping the
services one by one.
When stopping Automatic Update, the "worm"-like svchost http SYN_SENT stops.
Below is the dll list:

ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, NTMARTA.DLL, msvcrt.dll,
ole32.dll, GDI32.dll, USER32.dll, SAMLIB.dll, WLDAP32.dll, IMM32.DLL,
LPK.DLL, USP10.dll, xpsp2res.dll, wzcsvc.dll, rtutils.dll, WMI.dll,
DHCPCSVC.DLL, DNSAPI.dll, WS2_32.dll, WS2HELP.dll, iphlpapi.dll, PSAPI.DLL,
Secur32.dll, OLEAUT32.dll, CRYPT32.dll, MSASN1.dll, WTSAPI32.dll, WINSTA.dll,
NETAPI32.dll, SHLWAPI.dll, ESENT.dll, ATL.DLL, rsaenh.dll, rastls.dll,
CRYPTUI.dll, VERSION.dll, WINTRUST.dll, imagehlp.dll, MPRAPI.dll, ACTIVEDS.dll,
adsldpc.dll, credui.dll, SHELL32.dll, SETUPAPI.dll, RASAPI32.dll, rasman.dll,
TAPI32.dll, WINMM.dll, WinSCard.dll, COMCTL32.dll, Comctl32.dll, shsvcs.dll,
CLBCatQ.DLL, COMRes.dll, raschap.dll, schedsvc.dll, NTDSAPI.dll, AUTHZ.dll,
USERENV.dll, MSIDLE.DLL, audiosrv.dll, wkssvc.dll, wiarpc.dll, aelupsvc.dll,
apphelp.dll, cryptsvc.dll, certcli.dll, sfc.dll, sfc_os.dll, VSSAPI.DLL,
MPR.dll, dmserver.dll, es.dll, pchsvc.dll, srvsvc.dll, HNETCFG.DLL, sens.dll,
seclogon.dll, SXS.DLL, comsvcs.dll, trkwks.dll, wmisvc.dll, wuauserv.dll,
wuaueng.dll, ADVPACK.dll, Cabinet.dll, mspatcha.dll, SHFOLDER.dll, WINHTTP.dll,
WINSPOOL.DRV, browser.dll, mswsock.dll, wshtcpip.dll, winrnr.dll, rasadhlp.dll,
NETRAP.dll, wbemcore.dll, esscli.dll, msvcp60.dll, wbemcomn.dll, FastProx.dll,
wmiutils.dll, repdrvfs.dll, wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll, netman.dll,
netshell.dll, CLUSAPI.dll, WININET.dll, WZCSAPI.DLL, wbemsvc.dll, msi.dll,
RASDLG.dll, ncprov.dll, wbemcons.dll



"#YU KUAN#" <yukuan () pmail ntu .edu.sg>
17/08/2005 20:20
To: <howard.lee () guoco com>
cc:
Subject: RE: [Full-disclosure] svchost.exe try to send http outside

You can use a tool called IceSword.
It can be used to find what program (a dll file) the svchost.exe is
running.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of
howard.lee () guoco com
Sent: Wednesday, 17 August, 2005 PM 6:12
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] svchost.exe try to send http outside


Dear all,

I discovered that an "svchost.exe" starts when the server starts.
This svchost.exe tries to SYN_SENT to random http hosts when I view it from
netstat, active ports, and pviewer.

However, does anyone know which worms/trojans/normal processes cause the
svchost to do such a job? And how to stop this?
Is this a normal process?

My server is a fully patched Windows 2003 server .net.
The svchost.exe is Microsoft verified and located at c:\windows\system32

Regards,
Howard


This e-mail (and any attachment (s)) is confidential and for use only by
intended recipient (s). Access by others is unauthorised. Its content
should not be relied upon and no liability or responsibility is accepted by
us, without our subsequent written confirmation of its content. If you are
not an intended recipient, please notify us promptly and delete all copies
and note that any disclosure, copying, distribution or any action taken or
omitted to be taken in reliance on the information it contains is
prohibited and may be unlawful. Further information on Guoco Group is
available from http://www.guoco.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

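The thread's manual procedure (netstat to spot SYN_SENT connections, then map the owning svchost.exe to the services it hosts) can be scripted. The following is an added example, not code from anyone in the thread: it parses the text output of `netstat -ano` and `tasklist /svc` (both present on Windows 2003) and groups outbound endpoints by PID, image and hosted service list. The sample outputs are constructed; the two remote IPs are taken from Howard's list above, the local address and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from the poster's server).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.10:1045      207.46.19.93:80        SYN_SENT        1020
  TCP    192.168.1.10:1046      63.150.131.9:80        SYN_SENT        1020
  TCP    192.168.1.10:1050      10.0.0.5:445           ESTABLISHED     4
"""
# Constructed sample of `tasklist /svc` output for the same host.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                            4 N/A
svchost.exe                     892 RpcSs
svchost.exe                    1020 AudioSrv, BITS, CryptSvc, Dhcp, wuauserv
lsass.exe                       620 PolicyAgent, ProtectedStorage, SamSs
"""
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASK_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")

def parse_netstat(text):
    """Yield (local, remote, state, pid) for each TCP row of `netstat -ano`."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def parse_tasklist(text):
    """Map PID -> (image name, hosted service names) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_LINE.match(line)
        if m:  # header and ===== separator rows have no numeric PID column and are skipped
            svcs = [] if m.group(3) == "N/A" else [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def outbound_by_process(netstat_text, tasklist_text, state="SYN_SENT"):
    """Group remote endpoints in `state` by owning PID with its image and hosted services;
    the service list is what tells wuauserv apart from an unknown service inside svchost."""
    procs = parse_tasklist(tasklist_text)
    out = defaultdict(lambda: {"image": "<unknown>", "services": [], "remotes": []})
    for _local, remote, st, pid in parse_netstat(netstat_text):
        if st == state:
            out[pid]["image"], out[pid]["services"] = procs.get(pid, ("<unknown>", []))
            out[pid]["remotes"].append(remote)
    return dict(out)
```

A svchost.exe PID whose hosted services are all known (as here, with wuauserv among them) is the case the thread concluded was benign; a PID that resolves to no service, or to one not installed by the system, is the one worth examining further.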