Repeated inbound to access svchost.exe

Posted by MS on February 4, 2005, 1:26 pm
Hi,

Norton Internet Security (firewall) keeps displaying the following info.
dialog:

----------------------------------
Threat Level Low Risk
At [datetime stamp] the following communication was detected:

Application: c:\winnt\system32\svchost.exe
Protocol: TCP (inbound)
Remote Address: 82.35.78.249:1627
Local Address: STAN (XX.MY.IP.XX): epmap(135)
This file is not infected with a virus. Autoconfiguration
data exists for this application using this type of
communication. This application is in the windows folder
and is from a known company (Microsoft Corporation).
This application does not have a digital signature
or the digital signature is invalid.

The same info. but from a different IP address, among many others:
82.140.27.81:1835
82.35.75.99:3480
----------------------------------

The 'recommended' action is to allow the connection?!

I have no idea whether, or indeed why, I should allow these connections. I
just installed Norton Internet Security yesterday; before that I was using
a different firewall.

The same info dialog pops up regularly (with varying IP addresses) and I
am unsure what to do -- up to now I've been blocking them all.

Thanks,

MS


Posted by Jason Edwards on February 4, 2005, 1:43 pm
> Hi,
>
> Norton Internet Security (firewall) keeps displaying the following info.
> dialog:

That's because it wants to look useful so you'll buy the upgrades.

>
> ----------------------------------
> Threat Level Low Risk
> At [datetime stamp] the following communication was detected:
>
> Application: c:\winnt\system32\svchost.exe
> Protocol: TCP (inbound)
> Remote Address: 82.35.78.249:1627
> Local Address: STAN (XX.MY.IP.XX): epmap(135)

The headers of your post show your IP address as 82.35.73.70.
This is not an issue; it just means that replacing it with xx doesn't hide
it.

> This file is not infected with a virus.

Reassuring but potentially untrue if the virus was written yesterday.

> Autoconfiguration
> data exists for this application using this type of
> communication. This application is in the windows folder
> and is from a known company (Microsoft Corporation).
> This application does not have a digital signature
> or the digital signature is invalid.
>
> The same info. but from a different IP address, among many others:
> 82.140.27.81:1835
> 82.35.75.99:3480
> ----------------------------------
>
> The 'recommended' action is to allow the connection?!
>
> I have no idea whether, or indeed why, I should allow these connections. I
> just installed Norton Internet Security yesterday; before that I was using
> a different firewall.

I'd remove it if I were you and get yourself an external piece of hardware
to block this kind of thing.
For example
http://www.draytek.co.uk/products/vigor2100v.html
There are many others.
A virus scanner is also essential, such as
http://free.grisoft.com/freeweb.php/doc/2/

>
> The same info dialog pops up regularly (with varying IP addresses) and I
> am unsure what to do -- up to now I've been blocking them all.

See above.
Since you don't understand what your firewall is doing, it's likely that a
tool such as this
http://www.spychecker.com/program/hijackthis.html
together with an analysis done by this site
http://www.hijackthis.de/
will be far more beneficial than any software firewall.

Jason

>
> Thanks,
>
> MS



