SVCHOST, Windows Update, Anyone heard of "Savvis"?

Discussion in 'other security issues & news' started by zarathustra1900, Aug 17, 2005.

Thread Status:
Not open for further replies.
  1. zarathustra1900

    zarathustra1900 Registered Member

    Joined:
    Jul 28, 2005
    Posts:
    12
    Hello all:

    I have posted a related yet separate issue yesterday, here, below within this forum section.

    Upon reinstall of everything, first thing after Outpost Pro and NOD32 install I goto Windows Update. Download the upload program.

    I am reviewing packets and traffic with a fine tooth comb using Port Explorer from DiamondCS and am being signaled by ProcessGuard by what appears a genuine Windows Update.

    I have been selecting "Proceed". Until a few later...........


    I noticed originally checking "Who Is" for info on all the damn ports I am connecting to as I am concerned I may have , although I can;t believe it, some malware....


    A PACKET, several in fact, being received from a WHO IS search by Savvis telecommunications.

    Please tell me this is a Windows router or something, I think I will commit suicide otherwise.


    Anyone heard of it?

    Doing a google search revealed little.

    Please advise...I would be most appreciative!!!
    H
     
  2. zarathustra1900

    zarathustra1900 Registered Member

    Joined:
    Jul 28, 2005
    Posts:
    12
    One more note:

    I use Outpost Pro.

    Must have DNS access svchost I realize.

    But, reviewing logs I see several accepted connections from high remote ports 31xxx etc.

    I have sinced blocked everything over 2000 in and out and allow only specified dns connect with svchost.

    I block, while in learning mode, everything i can. I get many 1027 and 1026 port blips which research shows are remote Messenger spam or something.

    Related?
     
    Last edited: Aug 17, 2005
  3. zarathustra1900

    zarathustra1900 Registered Member

    Joined:
    Jul 28, 2005
    Posts:
    12
    So, I answered my own question and hopefully someone elses.

    It required quite a bit of searching (for somoen who is not "in the know")..

    ..and many other forum memebers I viewed did not seem to know and were scratching their heads?!

    But Savvis (although recently slapped in the face due to lean spam policies) is a router for Microsoft updates. H@ll if I knew......

    regards.
    Z
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you wish to tighten up your Outpost configuration, you may find the Outpost forum FAQ A Guide to Producing a Secure Configuration for Outpost useful - it is aimed at advanced users though.

    You can also get Windows security updates from the Microsoft Security Bulletins page without having to use Windows Update. If you do use Windows Update then I would suggest applying updates manually and rebuilding Outpost's Component Control database afterwards (Options/Applications/Components/Shared Components/Edit List/Rebuild Database) - that way you should avoid receiving Component Control Alerts due to the update.
     
  5. secgo

    secgo Guest

    I made the same experience, Desktop Firewall warned of outgoing packet to download.windowsupdate.m.nsatc.org, which points at addresses from SAVVIS Comm. who provide security services!? The packet's remote port was 80 and remote address 208.175.188.61, where some "Footprint" Webserver is running and returning a "404 Not Found" message - really strange!
    If this is Microsoft's work it's bad security policy to connect to unknown domains for updating Windows, I'm quite sure it has nothing to do with "sniffing IP-adresses" of Windows clients ;-)
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A domain lookup of nsatc.org returns:

    Domain ID: D77843138-LROR
    Domain Name:NSATC.ORG
    Created On:27-Sep-2001 00:25:53 UTC
    Last Updated On:29-Sep-2005 20:14:23 UTC
    Expiration Date:27-Sep-2007 00:25:53 UTC
    Sponsoring Registrar:Register.com Inc. (R71-LROR)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:C19320084-RCOM
    Registrant Name:Accounts Payable
    Registrant Organization: Digital Island, Inc
    Registrant Street1:45 Fremont St, Suite 1200
    Registrant Street2:
    Registrant Street3:
    Registrant City:San Francisco
    Registrant State/Province:CA
    Registrant Postal Code:94105
    Registrant Country:US
    Registrant Phone:+1.4157384100
    Registrant Phone Ext.:
    Registrant FAX:+1.4157384141
    Registrant FAX Ext.:
    Registrant ****************@digisle.net
    Admin ID:C45899094-RCOM
    Admin Name:nsatc host
    Admin Organization:SAVVIS Communications
    Admin Street1:225 W Hillcrest Dr, Ste 250
    Admin Street2:
    Admin Street3:
    Admin City:Thousand Oaks
    Admin State/Province:CA
    Admin Postal Code:91360
    Admin Country:US
    Admin Phone:+1.8053702100
    Admin Phone Ext.:
    Admin FAX:+1.8053702101
    Admin FAX Ext.:
    Admin ****************@savvis.net
    Tech ID:C45899093-RCOM
    Tech Name:nsatc host
    Tech Organization:SAVVIS Communications
    Tech Street1:225 W Hillcrest Dr, Ste 250
    Tech Street2:
    Tech Street3:
    Tech City:Thousand Oaks
    Tech State/Province:CA
    Tech Postal Code:91360
    Tech Country:US
    Tech Phone:+1.8053702100
    Tech Phone Ext.:
    Tech FAX:+1.8053702101
    Tech FAX Ext.:
    Tech ****************@savvis.net
    Name Server: A.NS.NSATC.ORG
    Name Server: B.NS.NSATC.ORG
    Name Server: C.NS.NSATC.ORG
    Name Server: D.NS.NSATC.ORG
    Name Server: G.NS.NSATC.ORG
    Name Server: F.NS.NSATC.ORG

    This would seem legitimate - but yes, with some spyware trying to connect to "authentic sounding" update domains, it is irresponsible of MS not to use the proper WindowsUpdate domain.
     
Loading...
Thread Status:
Not open for further replies.