TechSpot

ZoneAlarm messages

Discussion in 'Software Apps' started by DeathsDesign, Apr 23, 2009.

Thread Status:
Not open for further replies.
  1. DeathsDesign Newcomer, in training

    I see on my ZA log that there are a few connections, incoming and outgoing, from svchost.exe. Was wondering if I could get some help in figuring out if this is an issue or not. I know they are blocked so I am safe, but what are they trying to do?


    program: svchost outgoing to IP 124.40.51.144:3478 blocked


    program svchost incoming from IP 124.40.51.145:3478 blocked

    program svchost incoming from IP 77.67.10.134:3478 blocked

    program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 69.26.190.119:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 69.26.190.127:3478 blocked SourceDNS: unknown.nscnap.net

    program svchost incoming from IP 96.17.157.44:3478 blocked SourceDNS: cn1.redswoosh.akadns.net

    program svchost incoming from IP 96.17.157.48:3478 blocked SourceDNS: a96-17-157-48.deploy.akamaitechnologies.com

    program svchost incoming from IP 124.40.51.144:3478 blocked

    program svchost incoming from IP 124.40.51.148:3478 blocked

    TIA.

    I have searched and searched and cannot find anything. Anyone have any ideas?

    TIA
  2. captaincranky TechSpot Addict

    Dunno what the rest of them are but isn't >> akamaitechnologies << The verisign secure server (https) for banking and credit card approvals?
  3. DeathsDesign Newcomer, in training

    Why would it be asking for an incoming connection when I am not on my bank website? I don't get it.... Anyways, it's blocked so I guess that is good.
  4. Bobbye Helper on the Fringe

    I would be concerned about what process you have in YOUR computer that is calling Japan and waiting for answers!
    IF you are doing the media thing (voice, video, messaging and interactive functions), I would be concerned about this IP. More here on STUN: http://en.wikipedia.org/wiki/STUN


    Your firewall is blocking both incoming and outgoing, so you're safe.

    77.67.10.134>> same port Incoming
    IP is in OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: P.O. Box 10096
    City: Amsterdam
    Specifically:
    netname: AKAMAI-TINET
    descr: Akamai Technologies
    country: NL

    IP :96.17.157.44>> same port incoming.
    OrgName: Akamai Technologies
    OrgID: AKAMAI
    Address: 8 Cambridge Center
    City: Cambridge
    StateProv: MA

    The others are normal internet traffic.
  5. DeathsDesign Newcomer, in training

    The process that it is trying to connect to is svchost. Dunno... not sure why it is doing it
  6. Bobbye Helper on the Fringe

    svchost.exe is usually a legitimate process and can be found in various Services. But malware can present as this also. I recommend you run the system through the Steps HERE

    Attach the logs and let us review them for malware.

    Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.
  7. DeathsDesign Newcomer, in training

    Here are the logs you requested.




    How would I go about doing that exactly? Some are trying to make an outgoing connection, and then I am also getting something that is incoming wanting to access it.
  8. Bobbye Helper on the Fringe

    No malware seen on these logs. The only 2 entries I see that MIGHT be calling Japan are:
    PokerStarsUpdate.exe
    Windows Messenger

    There is also an online scanner running in the background:
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

    To stop the scanner: Open IE > Tools > Manage add-ons > look for and highlight the F-Secure online scanner > Disable.

    You can remove the cleaning tools:

    Download OTCleanIt HERE & save it to your desktop.
    Stay clean. Let the firewall do its job. Enjoy your computing!
  9. jobeard TechSpot Ambassador

    if I may offer my $0.02 ---

    https://www.speedguide.net/port.php?port=3478 shows port 3478 being used for
    firewall traversal -- that ought to scare the A%$&^# out of everyone!

    Code:
    3478  	tcp,udp  	stun  	Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices.  	SG
    3478 	tcp,udp 	stun 	Session Traversal Utilities for NAT (STUN) port [RFC5389] 	IANA
    3478,3479,3074,3075 	udp 	applications 	Call of Duty - World at War 	Portforward
    3478-3479,3658 	udp 	applications 	PlayStation Network 	Portforward
    3478,3479,3658 	udp 	applications 	PS3 NAT Type 3 to 2
    http://www.voip-info.org/wiki-STUN has some details.

    If you have the CoD game, PS2/3 device, then this should be expected.

    the comments re akamaitechnologies are correct and the Unix/Linux WHOIS sees
    all of these IPs being associated with distributed akamaitechnologies servers --
    even the ones in Japan.
    YEP! Things are good -- perhaps set NO LOGGING to avoid the need for further analysis :)
  10. DeathsDesign Newcomer, in training

    Thanks all!! Good to know!
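
As an added example (not part of any post in this thread), here is a short Python triage of the log lines from the first post: it picks out the outbound attempt that Bobbye suggests following up and sorts the inbound sources by whether they match that destination. The function names and the /24 grouping are assumptions made for illustration.

```python
import re

# Log lines copied from the first post in the thread, in the wording as posted.
LOG = """\
program: svchost outgoing to IP 124.40.51.144:3478 blocked
program svchost incoming from IP 124.40.51.145:3478 blocked
program svchost incoming from IP 77.67.10.134:3478 blocked
program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net
program svchost incoming from IP 124.40.51.144:3478 blocked
"""

# Port name from the port listing quoted in the thread (IANA entry for 3478).
KNOWN_PORTS = {3478: "stun"}

LINE_RE = re.compile(
    r"^program:?\s+(?P<prog>\S+)\s+(?P<dir>incoming from|outgoing to)\s+IP\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\w+)"
    r"(?:\s+SourceDNS:\s+(?P<dns>\S+))?\s*$"
)

def parse(log):
    """Turn each recognised log line into a dict; skip anything else."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["port"] = int(e["port"])
            e["dir"] = "out" if e["dir"] == "outgoing to" else "in"
            events.append(e)
    return events

def triage(events):
    """Relate inbound sources to the hosts the local program tried to reach."""
    out_ips = {e["ip"] for e in events if e["dir"] == "out"}
    out_nets = {ip.rsplit(".", 1)[0] for ip in out_ips}  # /24 prefix, a heuristic
    report = {"outbound": sorted(out_ips), "same_host": [], "same_24": [], "other": []}
    for e in (e for e in events if e["dir"] == "in"):
        if e["ip"] in out_ips:
            key = "same_host"
        elif e["ip"].rsplit(".", 1)[0] in out_nets:
            key = "same_24"
        else:
            key = "other"
        report[key].append(e["ip"])
    report["services"] = sorted({KNOWN_PORTS.get(e["port"], "unknown") for e in events})
    return report

if __name__ == "__main__":
    print(triage(parse(LOG)))
```

The `outbound` entry is the destination to trace back to a specific service hosted by svchost; the `other` sources are the ones to look up with WHOIS, as done in the thread.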