ZoneAlarm messages

Status
Not open for further replies.

DeathsDesign

Posts: 31   +0
I see on my ZA log that there are a few connections, incoming and outgoing, from svchost.exe. Was wondering if I could get some help in figuring out if this is an issue or not. I know they are blocked so I am safe, but what are they trying to do?


program: svchost outgoing to IP 124.40.51.144:3478 blocked


program svchost incoming from IP 124.40.51.145:3478 blocked

program svchost incoming from IP 77.67.10.134:3478 blocked

program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 69.26.190.119:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 69.26.190.127:3478 blocked SourceDNS: unknown.nscnap.net

program svchost incoming from IP 96.17.157.44:3478 blocked SourceDNS: cn1.redswoosh.akadns.net

program svchost incoming from IP 96.17.157.48:3478 blocked SourceDNS: a96-17-157-48.deploy.akamaitechnologies.com

program svchost incoming from IP 124.40.51.144:3478 blocked

program svchost incoming from IP 124.40.51.148:3478 blocked

TIA.

I have searched and searched and cannot find anything, anyone have any ideas?

TIA
 
Dunno what the rest of them are but isn't >> akamaitechnologies << The verisign secure server (https) for banking and credit card approvals?
 
Why would it be asking for an incoming connection when I am not on my bank website? I don't get it.... Anyways, it's blocked so I guess that is good.
 
I would be concerned about what process you have in YOUR computer that is calling Japan and waiting for answers!
124.40.51.144:3478 Outgoing and 124.40.51.145 Incoming.

IP is in Asia Pacific Network Information Centre
OrgID: APNIC
Specifically:
netname: ARCSTAR
descr: NTT COMMUNICATIONS CORPORATION
descr: 1-6 Uchisaiwai-cho 1-chome Chiyoda-ku,
descr: Tokyo 100-8019 Japan
country: JP
The standard STUN server listening UDP port is 3478. STUN is a standards-based set of methods and a network protocol used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications.
If you are doing the media thing (voice, video, messaging and interactive functions), I would be concerned about this IP. More here on STUN: http://en.wikipedia.org/wiki/STUN


Your firewall is blocking both incoming and outgoing, so you're safe.

77.67.10.134>> same port Incoming
IP is in OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
Specifically:
netname: AKAMAI-TINET
descr: Akamai Technologies
country: NL

IP :96.17.157.44>> same port incoming.
OrgName: Akamai Technologies
OrgID: AKAMAI
Address: 8 Cambridge Center
City: Cambridge
StateProv: MA

The others are normal internet traffic.
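A triage sketch for the log entries discussed above, added here as an example and not part of the original thread or of ZoneAlarm: it parses the lines in the format quoted in the first post and groups peers by network to show which blocked inbound packets come from a network the machine also tried to reach on port 3478. The /24 grouping, the `solicited` label and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample, in the format of the entries quoted in the first post.
SAMPLE_LOG = """\
program: svchost outgoing to IP 124.40.51.144:3478 blocked
program svchost incoming from IP 124.40.51.145:3478 blocked
program svchost incoming from IP 77.67.10.134:3478 blocked
program svchost incoming from IP 69.26.190.118:3478 blocked SourceDNS: unknown.nscnap.net
program svchost incoming from IP 96.17.157.44:3478 blocked SourceDNS: cn1.redswoosh.akadns.net
program svchost incoming from IP 124.40.51.148:3478 blocked
not a firewall entry
"""

LINE_RE = re.compile(
    r"program:?\s+(?P<prog>\S+)\s+(?P<dir>outgoing to|incoming from)\s+IP\s+"
    r"(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)"
    r"(?:\s+SourceDNS:\s+(?P<dns>\S+))?")
STUN_PORT = 3478  # registered STUN port, per the port table quoted in the thread


def parse(log_text):
    """Return one dict per recognisable entry; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # e.g. 999.1.1.1
            continue
        events.append({"program": m["prog"], "ip": ip, "port": int(m["port"]),
                       "outbound": m["dir"].startswith("outgoing"),
                       "action": m["action"], "dns": m["dns"]})
    return events


def triage(events, prefix=24):
    """Group peers by network; 'solicited' = same network seen in both directions."""
    nets = defaultdict(lambda: {"out": set(), "in": set(), "ports": set()})
    for e in events:
        net = ip_network(f"{e['ip']}/{prefix}", strict=False)
        nets[net]["out" if e["outbound"] else "in"].add(str(e["ip"]))
        nets[net]["ports"].add(e["port"])
    return {str(net): {**v, "stun": STUN_PORT in v["ports"],
                       "solicited": bool(v["out"]) and bool(v["in"])}
            for net, v in nets.items()}


if __name__ == "__main__":
    for net, info in triage(parse(SAMPLE_LOG)).items():
        print(net, info)
```

Networks marked `solicited` are the ones where the local process initiated contact, so the owning service behind svchost.exe is the thing to identify next; the remaining inbound entries have no matching outbound attempt in the log.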
 
svchost.exe is usually a legitimate process and can be found in various Services. But malware can present as this also. I recommend you run the system through the Steps HERE

Attach the logs and let us review them for malware.

Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.
 
Here are the logs you requested.



Although your firewall has blocked the out and in attempts, it would be wise to follow up with what is on your system, making the out attempt.


How would I go about doing that exactly? Some are trying to make an outgoing connection, and then I am also getting something that is incoming wanting to access it.
 
No malware seen on these logs. The only 2 entries I see that MIGHT be calling Japan are:
PokerStarsUpdate.exe
Windows Messenger

There is also an online scanner running in the background:
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

To stop the scanner: Open IE> Tools> Manage add-ons> look for and highlight the F-Secure online scanner> Disable.

You can remove the cleaning tools:

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files.
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
Stay clean. Let the firewall do its job. Enjoy your computing!
 
If I may offer my $0.02 ---

https://www.speedguide.net/port.php?port=3478 shows port 3478 being used for
firewall traversal -- that ought to scare the A%$&^# out of everyone!

Code:
3478  	tcp,udp  	stun  	Simple Traversal of UDP Through NAT (STUN) port. It operates on port 3478 tcp/udp. It is usually supported by newer VoIP devices.  	SG
3478 	tcp,udp 	stun 	Session Traversal Utilities for NAT (STUN) port [RFC5389] 	IANA
3478,3479,3074,3075 	udp 	applications 	Call of Duty - World at War 	Portforward
3478-3479,3658 	udp 	applications 	PlayStation Network 	Portforward
3478,3479,3658 	udp 	applications 	PS3 NAT Type 3 to 2

http://www.voip-info.org/wiki-STUN has some details.

If you have the CoD game, PS2/3 device, then this should be expected.

The comments re akamaitechnologies are correct and the Unix/Linux WHOIS sees
all of these IPs being associated with distributed akamaitechnologies servers --
even the ones in Japan.
Stay clean. Let the firewall do its job. Enjoy your computing!
YEP! Things are good -- perhaps set NO LOGGING to avoid the need for further analysis :)
 