[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <OFE26B5BD7.339FFAE8-ON48257060.003C48C7@guoco.com>
Date: Wed Aug 17 12:01:45 2005
From: howard.lee at guoco.com (howard.lee@...co.com)
Subject: svchost.exe try to send http outside
The svchost.exe will stop to run when I stop the automatic update.
But I'm sure the IP tried to connect by the svchost is NOT MS related site.
218.213.255.29
80.15.249.167
Regards,
Howard
"Mike"
<mjcarter@...g.co To: <howard.lee@...co.com>,
.nz> <full-disclosure@...ts.grok.org.uk>
cc:
17/08/2005 18:46 Subject: RE: [Full-disclosure] svchost.exe try to send http
outside
Hi Howard,
Very hard to say without having a sample or knowing what service your
server
performs. svchost.exe is a valid Windows process and also commonly used
by/with many many malware.
Regards
Mike
www.infosec.co.nz
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
howard.lee@...co.com
Sent: Wednesday, August 17, 2005 10:12 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] svchost.exe try to send http outside
Dear all,
I discovered that an "svchost.exe" start when the server start.
This svchost.exe try to sync_sent to random http host when I view from
netstat, active port, and pviewer.
However, does anyone know which worms/torjon/normal process causes the
svchost do such job? and how to stop this?
Is this a normal prcoess?
My Server is a fully patched windows 2003 server. net.
The svchost.exe is microsoft verifid and located at c:\windows\system32
Regards,
Howard
This e-mail (and any attachment (s)) is confidential and for use only by
intended recipient (s). Access by others is unauthorised. Its content
should not be relied upon and no liability or responsibility is accepted by
us, without our subsequent written confirmation of its content. If you are
not an intended recipient, please notify us promptly and delete all copies
and note that any disclosure, copying, distribution or any action taken or
omitted to be taken in reliance on the information it contains is
prohibited and may be unlawful. Further information on Guoco Group is
available from http://www.guoco.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
This e-mail (and any attachment (s)) is confidential and for use only by
intended recipient (s). Access by others is unauthorised. Its content
should not be relied upon and no liability or responsibility is accepted by
us, without our subsequent written confirmation of its content. If you are
not an intended recipient, please notify us promptly and delete all copies
and note that any disclosure, copying, distribution or any action taken or
omitted to be taken in reliance on the information it contains is
prohibited and may be unlawful. Further information on Guoco Group is
available from http://www.guoco.com
Powered by blists - more mailing lists