Open Source and information security mailing list archives
 
Message-ID: <OFE26B5BD7.339FFAE8-ON48257060.003C48C7@guoco.com>
Date: Wed Aug 17 12:01:45 2005
From: howard.lee at guoco.com (howard.lee@...co.com)
Subject: svchost.exe try to send http outside


The svchost.exe stops running when I stop the automatic update.

But I'm sure the IPs that the svchost tried to connect to are NOT MS-related sites.

218.213.255.29
80.15.249.167

Regards,
Howard




                                                                                                             
From:     "Mike" <mjcarter@...g.co.nz>
Date:     17/08/2005 18:46
To:       <howard.lee@...co.com>, <full-disclosure@...ts.grok.org.uk>
cc:
Subject:  RE: [Full-disclosure] svchost.exe try to send http outside
                                                                                                             




Hi Howard,

Very hard to say without having a sample or knowing what service your
server performs. svchost.exe is a valid Windows process and also commonly
used by/with many many malware.

Regards
Mike
www.infosec.co.nz

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
howard.lee@...co.com
Sent: Wednesday, August 17, 2005 10:12 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] svchost.exe try to send http outside

Dear all,

I discovered that an "svchost.exe" starts when the server starts.
This svchost.exe tries to SYN_SENT to random http hosts when I view it from
netstat, active port, and pviewer.

However, does anyone know which worm/trojan/normal process causes the
svchost to do such a job? And how to stop this?
Is this a normal process?

My server is a fully patched Windows 2003 server. net.
The svchost.exe is Microsoft verified and located at c:\windows\system32

Regards,
Howard


This e-mail (and any attachment (s)) is confidential and for use only by
intended recipient (s). Access by others is unauthorised. Its content
should not be relied upon and no liability or responsibility is accepted by
us, without our subsequent written confirmation of its content. If you are
not an intended recipient, please notify us promptly and delete all copies
and note that any disclosure, copying, distribution or any action taken or
omitted to be taken in reliance on the information it contains is
prohibited and may be unlawful. Further information on Guoco Group is
available from http://www.guoco.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/







