svchost.exe is creating a https connection to akamai 95.100.3.235

Discussion in 'privacy general' started by hundaa, Feb 13, 2011.

Thread Status:
Not open for further replies.
  1. hundaa Registered Member

    Hi

    Here's the deal: when I start the computer (WinXP x64), svchost.exe tries to create an HTTP connection to 95.100.3.235.

    After it creates the connection, it changes into HTTPS. It stays like that for minutes. I prevented it from connecting to that address through the firewall and I used Wireshark to packet sniff what it is trying to do, but it showed only a few lines and I couldn't make out what it was.

    TCPView shows the following:

    svchost.exe:1052 TCP localhost:1053 95.100.3.235:https ESTABLISHED

    After it created the HTTPS connection, it was garbage data (encrypted, of course) that I saw with Wireshark and couldn't make out what it was. There was not much data going, but some. It goes off in some minutes.

    TCPView and DiamondCS Port Explorer both say the file is svchost.exe, but when I try to hit "Properties", I get "Unable to query properties for svchost.exe:1052".

    When I look up what IP that is, it says:

    "Location: United Kingdom [City: ]
    inetnum: 95.100.0.0 - 95.100.15.255
    netname: AKAMAI-PA
    descr: Akamai Technologies
    role: Network Architecture Role Account
    address: Akamai Technologies
    address: 8 Cambridge Center
    address: Cambridge, MA 02142
    country: EU
    "

    and so on.

    What could this be? Could this be some e-mail spambot or a Microsoft/NSA call-home feature? For example, sending the current IP to the "hive server" along with some unique Windows installation signature/serial so they know my current IP?

    Svchost is "trusted" software in most firewalls by default, so people might have this program connecting to who knows where without their knowledge if they don't check their settings.

    I have done a "run: sfc /scannow" and restored all Windows files to their original versions, but this keeps happening.
    Last edited: Feb 13, 2011
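As an added triage example (not code from the thread or any poster), this Python script parses TCPView-style lines like the one quoted above, checks the remote address against the inetnum range from the quoted whois record, and cross-checks each svchost.exe PID against `tasklist /svc` output, since a genuine svchost.exe always hosts at least one service while a look-alike process does not. All sample data is constructed; PID 3344 and 203.0.113.7 are made up to show the case the check should flag.

```python
import ipaddress
import re
# Constructed TCPView-style lines; PID 3344 is a made-up case that the triage should flag
TCPVIEW_SAMPLE = """\
svchost.exe:1052 TCP localhost:1053 95.100.3.235:https ESTABLISHED
PDapp.exe:4968 TCP localhost:2609 a93-158-110-193.deploy.akamaitechnologies.com:http ESTABLISHED
svchost.exe:3344 TCP localhost:1099 203.0.113.7:8080 SYN_SENT
"""
# Constructed `tasklist /svc` output; a genuine svchost.exe always hosts at least one service
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1052 BITS, wuauserv
PDapp.exe                     4968 N/A
svchost.exe                   3344 N/A
"""
AKAMAI_INETNUM = "95.100.0.0 - 95.100.15.255"   # inetnum line from the quoted whois record

def parse_tcpview(text):
    """'proc:pid PROTO local:port remote:port STATE' lines -> list of dicts."""
    rows = []
    for line in text.splitlines():
        proc, _proto, _local, remote, state = line.split()
        image, pid = proc.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"image": image, "pid": int(pid), "remote": rhost, "port": rport, "state": state})
    return rows

def parse_tasklist_svc(text):
    """Map PID -> set of hosted service names (empty set when tasklist prints N/A)."""
    svc = {}
    for m in re.finditer(r"^(\S+)\s+(\d+)\s+(.+)$", text, re.M):
        names = m.group(3).strip()
        svc[int(m.group(2))] = set() if names == "N/A" else {s.strip() for s in names.split(",")}
    return svc

def triage(tcpview_text, tasklist_text, inetnum):
    """Tag each connection with netblock membership and the services its PID hosts."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    nets = list(ipaddress.summarize_address_range(lo, hi))
    svc_map = parse_tasklist_svc(tasklist_text)
    out = []
    for c in parse_tcpview(tcpview_text):
        try:
            in_block = any(ipaddress.ip_address(c["remote"]) in n for n in nets)
        except ValueError:            # remote shown as a hostname, not an IP literal
            in_block = None
        hosted = sorted(svc_map.get(c["pid"], ()))
        out.append({**c, "in_akamai_block": in_block, "services": hosted,
                    "svchost_without_services": c["image"].lower() == "svchost.exe" and not hosted})
    return out
```

A PID hosting BITS or wuauserv explains an Akamai-hosted HTTPS connection as Windows Update traffic; an svchost.exe PID that hosts nothing is the one worth inspecting further with Process Explorer.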
  2. Cudni Global Moderator

    It could be anything that is set up to regularly check and download from Akamai, including Adobe software, MS, etc. Anything but NSA.
  3. hundaa Registered Member

    I don't think it is like that.

    Adobe uses PDapp.exe to update. I used Wireshark and the HTTP part had nothing about Adobe in it. It had no recognizable text in it.

    Adobe software uses the following servers (and more) to connect to:



    And in the case of the updater, I just checked:

    PDapp.exe:4968 TCP localhost:2609 a93-158-110-193.deploy.akamaitechnologies.com:http ESTABLISHED

    It goes to Akamai through its own software, PDapp.exe, using HTTP. It doesn't do it secretly via Windows software using HTTPS.
  4. Heimdall Registered Member

    Microsoft uses Akamai for hosting, and Akamai uses a number of different IP blocks for their servers. I can easily get svchost to attempt a connection with one of the Akamai server blocks just by manually running Windows Update, as can be seen here:

  5. hundaa Registered Member

    Yeah, but what info is it sending in the HTTPS data from my computer? It would be nice to know. I have automatic Windows updates disabled.
  6. Heimdall Registered Member

    I would imagine the HTTPS connections are for certificate verification and authentication.
  7. hundaa Registered Member

    But as long as no one has proof of anything, it can be anything.
  8. Heimdall Registered Member

    Well, I guess they didn't land on the Moon either :cool:
  9. hundaa Registered Member

    Trojan botnet EXEs act similarly to how this svchost was acting. They try to connect to a server, even continuously; you can see how they act with TCPView. This was trying to make a connection but couldn't.

    If you disagree with me, please do so, but don't play the moon hoax or other conspiracy theory card. :cool: Thanks.
  10. Cudni Global Moderator

    But that is not the case on your machine, or you would have known. Instead you suspect what? For some reason, nothing good.
  11. Searching_ _ _ Registered Member

    If it's malicious wouldn't Process Explorer or Process Hacker be able to see if it is malicious?
  12. Syobon Registered Member

    I highly doubt it's malware since it's from Akamai and HTTPS... and even if you have WU disabled, Microsoft Windows will call home for all kinds of purposes that no one knows except Microsoft itself. Call it conspiracy, whatever; Microsoft is a large corporation with a strange EULA that allows them to do nasty things. :)
    There's a reason that svchost.exe is whitelisted in many firewalls.