ZoneAlarm messages

  #1  
Old 04-23-2009
TechSpot Member
 
Member since: Apr 2009, 31 posts
I see on my ZA log that there are a few connections, incoming and outgoing, from svchost.exe. Was wondering if I could get some help in figuring out if this is an issue or not. I know they are blocked so I am safe, but what are they trying to do?


program: svchost outgoing to IP 124.40.51.144:3478 blocked


program svchost incoming from IP 124.40.51.145:3478 blocked

program svchost incoming from IP 77.67.10.134:3478 blocked

program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 69.26.190.119:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 69.26.190.127:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 96.17.157.44:3478 blocked SourceDNS: cn1.redswoosh.akadns.net

program svchost incoming from IP 96.17.157.48:3478 blocked SourceDNS: a96-17-157-48.deploy.akamaitechnologies.com

program svchost incoming from IP 124.40.51.144:3478 blocked

program svchost incoming from IP 124.40.51.148:3478 blocked

TIA.

I have searched and searched and cannot find anything. Anyone have any ideas?

TIA

Last edited by kimsland; 04-25-2009 at 03:03 AM.. Reason: merged recent posts
  #2  
Old 04-25-2009
captaincranky's Avatar
TechSpot Evangelist
 
Member since: Oct 2006, 7,585 posts
Dunno what the rest of them are, but isn't >> akamaitechnologies << the VeriSign secure server (https) for banking and credit card approvals?
  #3  
Old 04-25-2009
TechSpot Member
 
Member since: Apr 2009, 31 posts
Why would it be asking for an incoming connection when I am not on my bank website? I don't get it... Anyways, it's blocked, so I guess that is good.

Last edited by kimsland; 04-25-2009 at 03:04 AM.. Reason: removed not required previous message quoted text
  #4  
Old 04-25-2009
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,052 posts
I would be concerned about what process you have in YOUR computer that is calling Japan and waiting for answers!
Quote:
124.40.51.144:3478 Outgoing and 124.40.51.145 Incoming.

IP is in Asia Pacific Network Information Centre
OrgID: APNIC
Specifically:
netname: ARCSTAR
descr: NTT COMMUNICATIONS CORPORATION
descr: 1-6 Uchisaiwai-cho 1-chome Chiyoda-ku,
descr: Tokyo 100-8019 Japan
country: JP
The standard STUN server listening UDP port is 3478. STUN is a standards-based set of methods and a network protocol used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications.
If you are doing the media thing (voice, video, messaging and interactive functions), I would be concerned about this IP. More here on STUN: http://en.wikipedia.org/wiki/STUN


Your firewall is blocking both incoming and outgoing, so you're safe.

77.67.10.134>> same port Incoming
IP is in OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
Specifically:
netname: AKAMAI-TINET
descr: Akamai Technologies
country: NL

IP: 96.17.157.44>> same port incoming.
OrgName: Akamai Technologies
OrgID: AKAMAI
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA

The others are normal internet traffic.
  #5  
Old 04-26-2009
TechSpot Member
 
Member since: Apr 2009, 31 posts
The process that it is trying to connect to is svchost. Dunno... not sure why it is doing it
  #6  
Old 04-26-2009
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,052 posts
svchost.exe is usually a legitimate process and can be found in various Services. But malware can present as this also. I recommend you run the system through the Steps HERE

Attach the logs and let us review them for malware.

Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.
  #7  
Old 04-26-2009
TechSpot Member
 
Member since: Apr 2009, 31 posts
Here are the logs you requested.



Quote:
Originally Posted by Bobbye View Post
Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.

How would I go about doing that exactly? Some are trying to make an outgoing connection, and then I am also getting something that is incoming wanting to access it.
Attached Files
File Type: txt mbam-log-2009-04-26 (10-07-32).txt (842 Bytes, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 04-26-2009 - 10-29-04.log (465 Bytes, 1 views)
File Type: log hijackthis.log (4.7 KB, 1 views)
  #8  
Old 04-26-2009
Bobbye's Avatar
Helper on the Fringe
 
Location: Florida
Member since: Mar 2007, 15,052 posts
No malware seen on these logs. The only 2 entries I see that MIGHT be calling Japan are:
PokerStarsUpdate.exe
Windows Messenger

There is also an online scanner running in the background:
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

To stop the scanner: Open IE > Tools > Manage add-ons > look for and highlight the F-Secure online scanner > Disable.

You can remove the cleaning tools:

Download OTCleanIt HERE & save it to your desktop.
Quote:
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files.
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Stay clean. Let the firewall do its job. Enjoy your computing!
  #9  
Old 04-26-2009
jobeard's Avatar
TechSpot Ambassador
 
Location: Southern Calif.
Member since: Apr 2005, 10,835 posts
if I may offer my $0.02 ---

https://www.speedguide.net/port.php?port=3478 shows port 3478 being used for
firewall traversal -- that ought to scare the A%$&^# out of everyone!

Code:
3478  	tcp,udp  	stun  	Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices.  	SG
3478 	tcp,udp 	stun 	Session Traversal Utilities for NAT (STUN) port [RFC5389] 	IANA
3478,3479,3074,3075 	udp 	applications 	Call of Duty - World at War 	Portforward
3478-3479,3658 	udp 	applications 	PlayStation Network 	Portforward
3478,3479,3658 	udp 	applications 	PS3 NAT Type 3 to 2
http://www.voip-info.org/wiki-STUN has some details.

If you have the CoD game, PS2/3 device, then this should be expected.

the comments re akamaitechnologies are correct and the Unix/Linux WHOIS sees
all of these IPs being associated with distributed akamaitechnologies servers --
even the ones in Japan.
Quote:
Stay clean. Let the firewall do its job. Enjoy your computing!
YEP! Things are good -- perhaps set NO LOGGING to avoid the need for further analysis
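
The port table in the post above lists 3478 as STUN [RFC5389]. As an added example (not part of that post or of this thread), the Python below checks whether a UDP payload captured on that port really carries an RFC 5389 STUN header and decodes the public address a Binding response reports back; the sample packets and the address 192.0.2.10:50000 are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # constant in every RFC 5389 header
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
XOR_MAPPED_ADDRESS = 0x0020


def parse_stun(datagram: bytes):
    """Describe an RFC 5389 STUN message; return None if it is not one."""
    if len(datagram) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", datagram[:8])
    # First two bits are zero, cookie is fixed, body length is 4-byte aligned.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length % 4:
        return None
    if len(datagram) != 20 + length:
        return None
    # Class bits C1/C0 are interleaved with the 12 method bits.
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    info = {"method": method, "class": CLASSES[cls], "mapped": None}
    pos = 20
    while pos + 4 <= len(datagram):
        a_type, a_len = struct.unpack("!HH", datagram[pos:pos + 4])
        value = datagram[pos + 4:pos + 4 + a_len]
        if len(value) != a_len:
            return None                      # truncated attribute
        if a_type == XOR_MAPPED_ADDRESS and a_len == 8 and value[1] == 0x01:
            # IPv4 only: port and address are XORed with the cookie.
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            info["mapped"] = (str(ipaddress.IPv4Address(addr)), port)
        pos += 4 + ((a_len + 3) & ~3)        # attributes are padded to 4 bytes
    return info


# Constructed samples (not captured traffic): a Binding request (method 1) and
# the success response a server would send to a client seen at 192.0.2.10:50000.
TXID = bytes(range(12))
REQUEST = struct.pack("!HHI", 0x0001, 0, MAGIC_COOKIE) + TXID
_attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                    50000 ^ (MAGIC_COOKIE >> 16),
                    int(ipaddress.IPv4Address("192.0.2.10")) ^ MAGIC_COOKIE)
RESPONSE = struct.pack("!HHI", 0x0101, len(_attr), MAGIC_COOKIE) + TXID + _attr

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("response", RESPONSE)):
        print(name, parse_stun(pkt))
```

Classic STUN (RFC 3489) messages carry no magic cookie, so this check returns None for them as well as for non-STUN traffic on the port.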
  #10  
Old 04-27-2009
TechSpot Member
 
Member since: Apr 2009, 31 posts
Thanks all!! Good to know!