Full Disclosure mailing list archives
RE: svchost.exe try to send http outside
From: howard.lee () guoco com
Date: Thu, 18 Aug 2005 12:03:36 +0800
Thanks. I've checked all the IPs which the process generates. Part of them can be confirmed as Microsoft IPs. I'm now contacting Microsoft for the remaining IP list and asking them for the details about automatic update. I think it is a valid Windows update.

Microsoft
207.46.19.93
207.46.244.219
207.46.244.253
207.46.157.61

HKNET
218.213.254.30
218.213.255.30
218.213.255.29

Akamai
80.15.249.169
80.15.249.158
80.15.249.167

Quest communication
63.150.131.9
63.150.131.10
63.150.131.24
63.150.131.26

Regards,
Howard

"#YU KUAN#" <yukuan () pmail ntu .edu.sg>
18/08/2005 11:02
To: <howard.lee () guoco com>
cc:
Subject: RE: [Full-disclosure] svchost.exe try to send http outside

From the DLL list you provided, I think it's the Windows Automatic Update service. This is because there is the DLL - wuauserv.dll - which is used for Windows Update. You can see the same name (wuauserv) in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv. Another piece of evidence is that when you stop the Automatic Update service, the process stops. So I think it's a valid process, not a worm.

-----Original Message-----
From: howard.lee () guoco com [mailto:howard.lee () guoco com]
Sent: Thursday, 18 August 2005 9:24 AM
To: #YU KUAN#
Cc: full-disclosure-bounces () lists grok org uk
Subject: RE: [Full-disclosure] svchost.exe try to send http outside

Hi,

Yes, I've already used a tool to get all the related DLLs running. The svchost changes the IP in SYN_SENT every 5 seconds. It returned a list of DLLs, and according to the list, we tried stopping the services one by one. When we stopped Automatic Update, the "worm"-like svchost HTTP SYN_SENT stopped.
Below is the DLL list:

ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, NTMARTA.DLL, msvcrt.dll, ole32.dll, GDI32.dll, USER32.dll, SAMLIB.dll, WLDAP32.dll, IMM32.DLL, LPK.DLL, USP10.dll, xpsp2res.dll, wzcsvc.dll, rtutils.dll, WMI.dll, DHCPCSVC.DLL, DNSAPI.dll, WS2_32.dll, WS2HELP.dll, iphlpapi.dll, PSAPI.DLL, Secur32.dll, OLEAUT32.dll, CRYPT32.dll, MSASN1.dll, WTSAPI32.dll, WINSTA.dll, NETAPI32.dll, SHLWAPI.dll, ESENT.dll, ATL.DLL, rsaenh.dll, rastls.dll, CRYPTUI.dll, VERSION.dll, WINTRUST.dll, imagehlp.dll, MPRAPI.dll, ACTIVEDS.dll, adsldpc.dll, credui.dll, SHELL32.dll, SETUPAPI.dll, RASAPI32.dll, rasman.dll, TAPI32.dll, WINMM.dll, WinSCard.dll, COMCTL32.dll, Comctl32.dll, shsvcs.dll, CLBCatQ.DLL, COMRes.dll, raschap.dll, schedsvc.dll, NTDSAPI.dll, AUTHZ.dll, USERENV.dll, MSIDLE.DLL, audiosrv.dll, wkssvc.dll, wiarpc.dll, aelupsvc.dll, apphelp.dll, cryptsvc.dll, certcli.dll, sfc.dll, sfc_os.dll, VSSAPI.DLL, MPR.dll, dmserver.dll, es.dll, pchsvc.dll, srvsvc.dll, HNETCFG.DLL, sens.dll, seclogon.dll, SXS.DLL, comsvcs.dll, trkwks.dll, wmisvc.dll, wuauserv.dll, wuaueng.dll, ADVPACK.dll, Cabinet.dll, mspatcha.dll, SHFOLDER.dll, WINHTTP.dll, WINSPOOL.DRV, browser.dll, mswsock.dll, wshtcpip.dll, winrnr.dll, rasadhlp.dll, NETRAP.dll, wbemcore.dll, esscli.dll, msvcp60.dll, wbemcomn.dll, FastProx.dll, wmiutils.dll, repdrvfs.dll, wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll, netman.dll, netshell.dll, CLUSAPI.dll, WININET.dll, WZCSAPI.DLL, wbemsvc.dll, msi.dll, RASDLG.dll, ncprov.dll, wbemcons.dll

"#YU KUAN#" <yukuan () pmail ntu .edu.sg>
17/08/2005 20:20
To: <howard.lee () guoco com>
cc:
Subject: RE: [Full-disclosure] svchost.exe try to send http outside

You can use a tool called IceSword. It can be used to find which program (a DLL file) the svchost.exe is running.
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of howard.lee () guoco com
Sent: Wednesday, 17 August 2005 6:12 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] svchost.exe try to send http outside

Dear all,

I discovered that an "svchost.exe" starts when the server starts. This svchost.exe tries to SYN_SENT to random HTTP hosts when I view it from netstat, active ports, and pviewer. However, does anyone know which worm/trojan/normal process causes the svchost to do such a job? And how to stop this? Is this a normal process? My server is a fully patched Windows 2003 server. net. The svchost.exe is Microsoft verified and located at c:\windows\system32

Regards,
Howard

This e-mail (and any attachment(s)) is confidential and for use only by intended recipient(s). Access by others is unauthorised. Its content should not be relied upon and no liability or responsibility is accepted by us, without our subsequent written confirmation of its content. If you are not an intended recipient, please notify us promptly and delete all copies and note that any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on the information it contains is prohibited and may be unlawful. Further information on Guoco Group is available from http://www.guoco.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
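The triage Howard describes (netstat showing an svchost.exe in SYN_SENT, then working out which of the services hosted in that process owns the socket) can be scripted. The following is an added example, not code posted by anyone in the thread: it parses constructed sample output of `netstat -ano` and `tasklist /svc` (the PIDs, local addresses and service groupings in the samples are made up for the example) and reports, for every outbound TCP connection to a non-private address, which services share the owning process. The foreign addresses in the sample are two of the ones Howard listed.

```python
"""Tie outbound SYN_SENT sockets back to the services inside the owning
svchost.exe, from the text of `netstat -ano` and `tasklist /svc`.

Added example for the thread above, not code posted by any participant.
NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed for the example; on a real
box feed the actual command output to outbound_by_service()."""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:1087      207.46.19.93:80        SYN_SENT        1032
  TCP    192.168.1.10:1090      218.213.254.30:80      SYN_SENT        1032
  TCP    192.168.1.10:1095      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    664
"""

# Constructed sample of `tasklist /svc` output; note the wrapped service list.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 RpcSs
svchost.exe                   1032 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   wuauserv, WZCSVC
svchost.exe                   1180 Dnscache
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """Return [(proto, local, foreign, state, pid)]; UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}. tasklist wraps long service lists
    onto indented continuation lines, which belong to the preceding PID."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or set(line) <= {"=", " "}:
            continue                      # blank line or the ===== separator
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, field = m.group(1), int(m.group(2)), m.group(3)
            procs[pid] = (image, _split_services(field))
            last_pid = pid
        elif line[0].isspace() and last_pid is not None:
            procs[last_pid][1].extend(_split_services(line))
    return procs


def is_external(addr):
    """True when the host part of 'ip:port' is a routable, non-local address."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # '*' placeholders on UDP rows
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified)


def outbound_by_service(netstat_text, tasklist_text,
                        states=("SYN_SENT", "ESTABLISHED")):
    """Map each process with an outbound TCP socket to an external host onto
    the services it hosts: {pid: {"image", "services", "peers"}}."""
    procs = parse_tasklist_svc(tasklist_text)
    found = {}
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state not in states or not is_external(foreign):
            continue
        image, services = procs.get(pid, ("<unknown>", []))
        entry = found.setdefault(pid, {"image": image,
                                       "services": list(services), "peers": []})
        entry["peers"].append(foreign)
    return found


def report(found):
    """One line per process. A svchost hosting several services cannot be
    pinned to one service from netstat alone; that needs the stop-one-at-a-time
    test from the thread or a look at each service's ServiceDll."""
    lines = []
    for pid, e in sorted(found.items()):
        svc = ", ".join(e["services"]) or "(no services; not a service host)"
        lines.append(f"PID {pid} {e['image']} -> {', '.join(e['peers'])}; "
                     f"hosts {len(e['services'])} service(s): {svc}")
    return lines


if __name__ == "__main__":
    for line in report(outbound_by_service(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(line)
```

On a live Windows XP SP2 / Server 2003 box, capture the two inputs with `netstat -ano` and `tasklist /svc` and pass their text to `outbound_by_service()`. When the owning svchost.exe hosts several services, as in the sample, the socket cannot be attributed to one of them from netstat alone: either stop the candidate services one at a time and watch whether the SYN_SENT traffic stops (what Howard did), or compare the DLLs loaded in the process against each candidate's `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`. For the Automatic Updates service (`wuauserv`) on XP/2003 that value names wuauserv.dll, which is why its presence in the loaded-DLL list was the giveaway in the thread. Whatever the attribution says, the IP ownership check Howard did afterwards is still worth doing, since a hosted service DLL could be replaced.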
Current thread:
- svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Josh Zlatin-Amishav (Aug 17)
- Re: svchost.exe try to send http outside Dave Korn (Aug 17)
- RE: svchost.exe try to send http outside Mike (Aug 17)
- RE: svchost.exe try to send http outside Aditya Deshmukh (Aug 17)
- Re: svchost.exe try to send http outside Paul Schmehl (Aug 17)
- RE: svchost.exe try to send http outside CIRT.DK Mailinglists (Aug 17)
- <Possible follow-ups>
- RE: svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Mark (Aug 17)
- Re: svchost.exe try to send http outside Simon Richter (Aug 17)
- RE: svchost.exe try to send http outside howard . lee (Aug 17)
- Re: svchost.exe try to send http outside Josh Zlatin-Amishav (Aug 17)