Suspect SVCHOST Activity on Port 80.

Discussion in 'other security issues & news' started by Brummig, Mar 18, 2005.

Thread Status:
Not open for further replies.
  1. Brummig

    Brummig Guest

    I made a post over at WindowsBBS for help with this problem, and I was recommended to post here too. The post and full details are at http://www.windowsbbs.com/showthread.php?p=228795#post228795.

    To summarise, when I try to open any file (even local files) on my XP machine, SVCHOST.EXE sometimes makes requests on Port 80 to the NT machine on my LAN. Both machines are equipped with Sygate, so the copy of Sygate on the NT machine rejects the unsolicited request. Meanwhile back on the XP machine, I have to twiddle my thumbs for ten seconds whilst the request times out. Alternatively, I can run netstat -oa to get the PID of the instance of SVCHOST.EXE causing the problem. Using Sysinternals' Process Explorer I can see this is loaded by SERVICES.EXE, so nothing suspect there. However, it would appear that it has loaded some dodgy-looking services - WebClient, UPnP discovery, and RemoteRegistry (which sounds from the description like something I need to remove completely from my system).

    Scans with AVG and AdAware have revealed nothing. Following the advice on another post on this forum, I've run AutoStart Viewer on the XP machine, but I don't know what's OK and what's suspect in the output. It's rather long, so I won't post it unless someone asks (you may know the answer without seeing it). Can anyone help me please?
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If the connection attempt is from one machine in your LAN to another, it is less likely to be malware related (aside from a worm trying to spread itself). This could be Windows networking related traffic (especially if your NT machine is a Master Browser - see Description of the Microsoft Computer Browser Service for more details on this, though most such traffic uses ports 137-139 rather than 80). The services you describe are actually part of Windows XP and while there are good security reasons for disabling unneeded ones (see BlackViper's site for suggestions), they are not malware in and of themselves.

    I would suggest that you do shut down unneeded services and see if this traffic continues. I suspect that the WebClient service is the culprit here.
     
  3. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Just disable the WebClient service, most people have no need for this service. It's for accessing files via Web Distributed Authoring and Versioning (WebDAV). WebDAV isn't currently used that much by most people, especially outside of a corporate environment utilizing something like Microsoft SharePoint. While you are at it, I would go ahead and disable Remote Registry and SSDP Discovery Service as you intuitively noted... they are largely unnecessary for 95+% of the population as well. I believe the following Microsoft Knowledge Base article covers your problem if you would like further detail:

    You experience a delay when you use your Windows XP computer to log on to a domain or to connect to a network resource
     
  4. Brummig

    Brummig Guest

    Ahhh ... that's interesting. I had noticed recently that sometimes one or both of these two machines gave a single beep each time I fired them up in the morning. A quick check of the event viewer revealed that they were slogging it out over who was the master browser. I decided at the time to leave them to it and put it out of my mind. The onset of beeping may have coincided with the onset of the SVCHOST problem, so given what you say, maybe there's a connection here. As you say though, port 80 is an odd port for it to use. I'll try what you suggest and turn off any of those services that aren't needed and see what happens.
     
  5. Brummig

    Brummig Guest

  6. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    Good to hear that you are getting this issue resolved. You will find that this forum is one of the best out there. As I said on WindowsBBS, Wilders people are pretty sharp. I used to post here a lot, but then got too busy at work.
     
  7. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Good to hear! :)
    No, it really shouldn't have anything to do with the Computer Browser service. The Browser service only makes use of the NetBIOS ports (137-139). Rather, you probably have mapped a network share on the NT server. If you have the WebClient service enabled, then apparently even when you are trying to simply use a UNC named share (i.e., \\servername\sharename), the network redirector still attempts to forward the request through WebClient as a WebDAV share request. Don't ask me why... I have no earthly idea! From the article I linked to earlier:
     
  8. Brummig

    Brummig Guest

    OK, and thanks for your help. I do have a mapped network share, but it's been that way for ages. I can't figure out what has suddenly given me a problem. Just before I killed WebClient I did check the "order of network providers", as described in that link you gave, and that was OK. I suspect this is one mystery I'll never get to the bottom of.

    BTW, I caught one of the machines beeping this morning. It was just AVG telling me it had updated OK (this appears to run as a service, and AVG7 beeps where AVG6 didn't, explaining the onset of beeping).
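As an added example (not code posted anywhere in this thread), the diagnosis from the first post, the fix from the third, and the network-provider-order check from the last reply, put together as one PowerShell script: find the svchost.exe instance that owns a TCP connection to the NT machine on port 80 (the netstat -oa step), list the services hosted by that PID (what Process Explorer showed), read the provider order from the registry, then stop and disable WebClient, Remote Registry and SSDP Discovery. It assumes a current Windows version with PowerShell 5.1 or later, run from an elevated prompt; the $NtHost address is a placeholder for the NT box, and the service short names WebClient, RemoteRegistry and SSDPSRV are the real ones.

```powershell
# Added example for this thread, not code from any of the posts.
# Assumptions: PowerShell 5.1+, elevated prompt; $NtHost is a placeholder
# for the NT machine's LAN address.
param(
    [string]$NtHost     = '192.168.1.20',   # placeholder: the NT box
    [int]   $RemotePort = 80
)

# Step 1: the "netstat -oa" step. "netstat -ano" prints every TCP connection
# with its owning PID; keep only rows whose foreign address is $NtHost:80.
# A connection stuck in SYN_SENT is exactly the ten-second wait described.
function Get-OwningPids {
    param([string]$RemoteHost, [int]$Port)
    $endpoint = [regex]::Escape("${RemoteHost}:${Port}")
    $pattern  = '^\s*TCP\s+\S+\s+' + $endpoint + '\s+(\S+)\s+(\d+)\s*$'
    netstat -ano |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{ State = $Matches[1]; ProcessId = [int]$Matches[2] }
            }
        } |
        Sort-Object ProcessId -Unique
}

# Step 2: what Process Explorer showed - the services living inside one
# svchost.exe. Win32_Service carries ProcessId, so no extra tool is needed
# ("tasklist /svc" gives the same view from cmd.exe).
function Get-HostedServices {
    param([int]$ProcessId)
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, StartMode
}

# Step 3: the "order of network providers" check. A UNC path is offered to
# the providers in this order; LanmanWorkstation (SMB) should precede
# webclient (WebDAV) so a share is not first tried over HTTP.
function Get-ProviderOrder {
    foreach ($key in 'Order', 'HwOrder') {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\$key"
        $order = (Get-ItemProperty -Path $path -Name ProviderOrder).ProviderOrder -split ','
        $lower = @($order | ForEach-Object { $_.Trim().ToLower() })
        $smb   = [array]::IndexOf($lower, 'lanmanworkstation')
        $dav   = [array]::IndexOf($lower, 'webclient')
        [pscustomobject]@{
            Key             = $key
            ProviderOrder   = $order -join ','
            SmbBeforeWebDav = ($dav -lt 0) -or ($smb -ge 0 -and $smb -lt $dav)
        }
    }
}

# Step 4: the fix from the third post. Stop and disable the WebDAV
# redirector, Remote Registry and SSDP (UPnP) Discovery; nothing else.
function Disable-UnneededServices {
    param([string[]]$Names = @('WebClient', 'RemoteRegistry', 'SSDPSRV'))
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$name' not present on this machine"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Write-Host ("{0,-15} {1}, startup Disabled" -f $name, (Get-Service -Name $name).Status)
    }
}

# Diagnose first, then remediate.
$owners = @(Get-OwningPids -RemoteHost $NtHost -Port $RemotePort)
if ($owners.Count -eq 0) { Write-Host "No TCP connections to ${NtHost}:${RemotePort} right now." }
foreach ($o in $owners) {
    $proc = Get-Process -Id $o.ProcessId -ErrorAction SilentlyContinue
    Write-Host ("PID {0} ({1}) state {2}" -f $o.ProcessId, $proc.ProcessName, $o.State)
    if ($proc.ProcessName -eq 'svchost') {
        Get-HostedServices -ProcessId $o.ProcessId | Format-Table -AutoSize
    }
}
Get-ProviderOrder | Format-Table -AutoSize
Disable-UnneededServices
```

Run the script while a file open is hanging so that the connection is still in the netstat table; once the owning PID turns out to be an svchost.exe hosting WebClient, the service list in step 2 is the evidence, and step 4 is the remedy the thread settled on. If the traffic persists after WebClient is disabled, the owning PID and hosted-service list from steps 1 and 2 will point at whatever else is responsible.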
     