Odd Connection on firewall

Discussion in 'other firewalls' started by Pfipps, Jun 30, 2008.

Thread Status:
Not open for further replies.
  1. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    I use Comodo Firewall Pro and was looking at the active connections window when I saw svchost.exe making an odd connection to an IP address. After looking it up, it came from Parsonline in Iran. I'm in the dark on this one.
     
  2. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Have no idea if this will help but I came across this on the web and thought it might.

    Each instance of svchost.exe process seen in the Task Manager hosts a group of services. To see the list of services hosted by each instance of svchost.exe, you may use the Tasklist.exe console utility available in Windows XP Professional Edition.

    * Click Start, Run and type CMD.EXE
    * Type tasklist /svc >c:\taskList.txt

    The taskList.txt will contain the list of Processes, their Process IDs and the Services running under each Process.

    At least it will show you what is using svchost, and you could probably go from there.
     
  3. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    I agree with Fajo, you would need to narrow down your search. As an alternative, you can also use Sysinternals' Process Explorer to locate the exact svchost that is making the connection (double-click on svchost -> TCP/IP tab). You should look for any networking service that is being hosted by the isolated svchost. This will help locate the exact Windows "feature" that is making the connection.

    Cheers,
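
Added example, not part of any post in this thread: a Python sketch that joins the `tasklist /svc` listing from the steps above with a connection listing, so a remote IP can be traced to the owning process and the services it hosts. It assumes the connection list comes from `netstat -ano` (not mentioned in the thread); the sample outputs, the documentation-range IPs, `updater.exe` and the function names are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output; updater.exe is hypothetical.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    884 DcomLaunch, TermService
svchost.exe                   1012 AudioSrv, BITS, Dhcp, wuauserv,
                                   Schedule
updater.exe                   1460 N/A
"""
# Constructed sample of `netstat -ano` output; remote IPs are documentation ranges.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.25:443       ESTABLISHED     1012
  TCP    192.168.1.10:1046      198.51.100.7:80        ESTABLISHED     1460
  UDP    0.0.0.0:500            *:*                                    884
"""
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")  # image name, PID, services

def _split(svc_text):
    return [s.strip() for s in svc_text.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; wrapped service lists are merged."""
    procs, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _split(m.group(3)))
        elif last is not None and line[:1].isspace() and line.strip():
            procs[last][1].extend(_split(line))  # continuation of previous row
    return procs

def owners_of(remote_ip, netstat_text, procs):
    """Return [(image, pid, services)] for connections to remote_ip."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            if f[2].rsplit(":", 1)[0] == remote_ip:
                image, svcs = procs.get(int(f[-1]), ("<unknown>", []))
                hits.append((image, int(f[-1]), svcs))
    return hits

if __name__ == "__main__":
    print(owners_of("203.0.113.25", NETSTAT_ANO, parse_tasklist_svc(TASKLIST_SVC)))
```

An empty service list for the owning PID means the connection belongs to an ordinary program rather than to a service hosted in svchost.exe.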
     
  4. Pfipps

    Pfipps Registered Member

    Joined:
    May 15, 2007
    Posts:
    181
    ...I feel very dopey right now...
    When I entered the address into the RIPE whois search, I entered it as 91.99.***.***, which gives the parsonline.

    Since I couldn't cut and paste from the Comodo "active connections", I typed it in, but it should have been 91.(1)99.***.***

    I know this because I checked the "active connections" when I was updating and recognized my mistake.

    That "1" made the difference between parsonline and Comodo...
    But thank you for your help! So it was actually happening when I checked for updates for Comodo...and so it couldn't have been svchost.exe....
    :oops:
     
  5. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Don't feel bad, at least it was not anything bad :D That's always good news over it being something bad.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Please don't, no reason. It is always good to check and doublecheck your concerns.

    It is very easy to make a wrong trace or to draw the wrong conclusions from a correct one...

    Cheers,
     