#1
Hi
Here's the deal: when I start the computer (WinXP x64), svchost.exe tries to create an HTTP connection to 95.100.3.235. After it creates the connection, it changes into HTTPS. It stays like that for minutes. I prevented it from connecting to that address through the firewall, and I used Wireshark to packet sniff what it is trying to do, but it showed only a few lines of which I couldn't make up what it was.

TCPView shows the following:

svchost.exe:1052 TCP localhost:1053 95.100.3.235:https ESTABLISHED

After it created the HTTPS connection, it was garbage data (encrypted, of course) that I saw with Wireshark and couldn't make up what it was. There was not much data going, but some. It goes off in some minutes. TCPView and DiamondCS Port Explorer all say the file is svchost.exe, but when I try to hit "properties", I get "Unable to query properties for svchost.exe:1052".

When I look up what IP that is, it says:

"Location: United Kingdom [City: ]
inetnum: 95.100.0.0 - 95.100.15.255
netname: AKAMAI-PA
descr: Akamai Technologies
role: Network Architecture Role Account
address: Akamai Technologies
address: 8 Cambridge Center
address: Cambridge, MA 02142
country: EU"

and so on.

What could this be? Could this be some e-mail spambot or a Microsoft/NSA call-home feature? For example, sending the current IP to the "hive server" along with some unique Windows installation signature/serial so they know my current IP? svchost is "trusted" software in most firewalls by default, so people might have this program connecting to who knows where without their knowledge if they don't check their settings. I have done a "run: sfc /scannow" and restored all Windows files to their original versions, but this keeps happening.

Last edited by hundaa : February 13th, 2011 at 05:40 PM.
#2
It could be anything that is set up to regularly check and download from Akamai, including Adobe software, MS, etc. Anything but the NSA.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#3
I don't think it is like that. Adobe uses pdapp.exe to update. I used Wireshark, and the HTTP part had nothing about Adobe in it. It had no recognizable text in it. Adobe software uses the following servers (and more) to connect with:

ereg.adobe.com
wip3.adobe.com
3dns-3.adobe.com
3dns-2.adobe.com
adobe-dns.adobe.com
adobe-dns-2.adobe.com
adobe-dns-3.adobe.com
ereg.wip3.adobe.com
wwis-dubc1-vip60.adobe.com

And in the case of the updater, I just checked:

PDapp.exe:4968 TCP localhost:2609 a93-158-110-193.deploy.akamaitechnologies.com:http ESTABLISHED

It goes to Akamai through its own software, pdapp.exe, using HTTP. It doesn't do it secretly with Windows software using HTTPS.
#4
Microsoft uses AKAMAI for hosting and AKAMAI use a number of different IP blocks for their servers. I can easily get svchost to attempt a connection with one of the AKAMAI server blocks, just by manually running Windows update. As can be seen here:
#5
Yeah, but what info is it sending in the HTTPS data from my computer? It would be nice to know. I have automatic Windows updates disabled.
#6
I would imagine the HTTPS connections are for certificate verification and authentication.
#7
But as long as no one has proof of anything, it can be anything.
#8
Well, I guess they didn't land on the Moon either.
#9
Trojan botnet exes act similarly to how this svchost was acting. They try to connect and connect to a server, even continuously; you can look at how they act with TCPView. This was trying to make a connection but couldn't. If you disagree with me, please do so, but don't revoke the moon hoax or other conspiracy theory card. Thanks.
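Added example, not code from any poster in this thread: a small Python triage script for TCPView-style rows like the ones quoted in posts #1 and #3, checking each remote endpoint against the Akamai netblock from the whois result in post #1 (95.100.0.0 - 95.100.15.255) and the akamaitechnologies.com reverse-DNS suffix from post #3, and counting repeated non-established attempts per process and host, the pattern post #9 describes. The function names and the two 198.51.100.7 rows are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Netblock from the whois result quoted in post #1 (inetnum / netname lines).
KNOWN_NETBLOCKS = {
    "AKAMAI-PA": (ipaddress.ip_address("95.100.0.0"), ipaddress.ip_address("95.100.15.255")),
}
# Reverse-DNS suffix of the Adobe updater's Akamai endpoint quoted in post #3.
KNOWN_HOST_SUFFIXES = {".deploy.akamaitechnologies.com": "AKAMAI"}
# Constructed sample in TCPView's one-line format: the first two rows are quoted in the
# thread, the last two are invented (TEST-NET-2 address) to show repeated failed attempts.
SAMPLE_TCPVIEW = """\
svchost.exe:1052 TCP localhost:1053 95.100.3.235:https ESTABLISHED
PDapp.exe:4968 TCP localhost:2609 a93-158-110-193.deploy.akamaitechnologies.com:http ESTABLISHED
svchost.exe:1052 TCP localhost:1061 198.51.100.7:https SYN_SENT
svchost.exe:1052 TCP localhost:1062 198.51.100.7:https SYN_SENT
"""

LINE_RE = re.compile(r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
                     r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$")

def owner_of(remote_host):
    """Name the netblock/CDN a remote host belongs to, or None if unknown."""
    for suffix, name in KNOWN_HOST_SUFFIXES.items():
        if remote_host.endswith(suffix):
            return name
    try:
        addr = ipaddress.ip_address(remote_host)
    except ValueError:
        return None  # a hostname we hold no data for
    for name, (lo, hi) in KNOWN_NETBLOCKS.items():
        if addr.version == lo.version and lo <= addr <= hi:
            return name
    return None

def parse_line(line):
    """Parse one TCPView row into a dict, or None if it is not a TCP/UDP row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m["remote"].rpartition(":")
    return {"proc": m["proc"], "pid": int(m["pid"]), "host": host, "port": port,
            "state": m["state"], "owner": owner_of(host)}

def triage(text):
    """Return parsed rows plus a count of non-ESTABLISHED attempts per (proc, host)."""
    rows = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    retries = Counter((r["proc"], r["host"]) for r in rows if r["state"] != "ESTABLISHED")
    return rows, retries
```

A row whose owner comes back as None, or a (process, host) pair with a high retry count, is the one worth pivoting on with the process's service identity and a packet capture; a row that lands in a published CDN netblock is consistent with the update-check explanation given in post #4.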
#10
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
#11
If it's malicious wouldn't Process Explorer or Process Hacker be able to see if it is malicious?
__________________
Americans are the enemy? Mil. can arrest you? What the heck is going on?
#12
I highly doubt it's malware since it's from Akamai and HTTPS... and even if you have WU disabled, Microsoft Windows will call home for all kinds of purposes that no one knows except Microsoft itself. Call it conspiracy, whatever; Microsoft is a large corporation with a strange EULA that allows them to do nasty things.
There's a reason that svchost.exe is whitelisted in many firewalls.
__________________
7x64 + NOD32 6