Solved

SVCHOST:1136 Connected to Akamai

Posted on 2003-10-26
Last Modified: 2013-12-14
I'm using an IP tool that shows me my PC's IP connections.

It has revealed the IP address 207.126.99.151:80 has established a TCP connection to SVCHOST.EXE:1136
and also
65.65.163.19:443 to SVCHOST.EXE:1136

I looked up both of these IP addresses and they are owned by Akamai. It appears that this company hosts services for hundreds of other companies including Microsoft and many other "big" names.

I'm somewhat suspicious, but have run the latest version of Ad-Aware and it did not flag this.

Any ideas as to what these connections might be doing?

Note: I'll need a concise and precise answer to award the full points. No guesses please.

Question by:dgwilson
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9624069
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9624072
You have nothing to worry about. But if you are still not convinced, check for spyware and adware using these

********************

Spyware/Adware removal tools:
------------------------------

SpyBot-S&D: http://www.webattack.com/download/dlspybot.shtml

Ad-aware: http://www.webattack.com/download/dladaware.shtml

Trojan Remover: http://www.simplysup.com/

HijackThis: http://www.webattack.com/download/dlhijackthis.shtml

KL-Detector: http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free: http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster: http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard: http://www.webattack.com/download/dlspywareguard.shtml

SpySites: http://www.webattack.com/download/dlspysites.shtml

Keylogger Hunter: http://www.webattack.com/download/dlklhunter.shtml

Spycop: http://www.spycop.com/

Goodbye Spy: http://www.topshareware.com/GoodBye-Spy-download-2012.htm

*****************************

You may also want to update your virus definitions and check for viruses

Update your windows

Also have a firewall

Sunray
0
 

Author Comment

by:dgwilson
ID: 9624080
ALL your suggestions are already implemented. See note at end of question.

DGW
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9624308
DGW,

I was giving you a suggestion of what svchost.exe means by those links.

Actually it looks like Akamai is connected to Windows Update.

If you have windows update enabled this will happen

http://www.smh.com.au/articles/2003/09/02/1062403496716.html

It is connecting to akamai servers

Sunray
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9624311
0

 

Author Comment

by:dgwilson
ID: 9624635
Thanks but I already know what svchost does and that Microsoft uses them, but as your EE link says "...Akamai is a well-known host for advertising services..." so I'm wondering if I can tell exactly WHO is using this connection on my PC.

I'm assuming your statement of "akamai is connected to windows update" is just a guess. Please refer to NOTE in original question.

None of the information you've provided gives me the method for discovering who owns this link.

dgw
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 400 total points
ID: 9624658
dgw,

I am sorry I am not able to help you exactly, but I do remember the last statement of your question that I should not give any guesses.

The link that I had given 2 links back states that Windows users wanting updates are connected to Akamai servers.


>> None of the information you've provided gives me the method for discovering who owns this link.

If you are the only person using the PC, disable Windows Update and all services. Then run that tool which you are using to
check if you still see svchost and that same IP address.

Sunray
0
 
LVL 5

Assisted Solution

by:mapledrums
mapledrums earned 80 total points
ID: 9636501
From what I gather from www.akamai.com, this company is in the ebusiness industry. First off, in this case, their customer could potentially be anyone. Second off, I know of web sites that spawn off pop-up ads using akamai's infrastructure.

I also found a link that states that Norton Live Update is using akamai's servers: http://www.itcompany.com/spystop.htm (search for akamai in the web page)

Peer-to-peer file sharing programs could be another potential source.

I believe that it might be impossible to trace all your connections to these "questionable" servers. Probably a better alternative would be to install a decent popup blocker/cookie cleaner like pop-up stopper (www.panicware.com), having a decent antivirus s/w with the latest virus signature updates, an adware cleaner. I believe the last two you've already installed.

Besides, from the connections that I see which you have, they're connected at ports 80 & 443, basically a web server & SSL connection. Something which I consider passive connections, as it has to be initiated from your client end to the server. As such, any suspicious activity which you detect could probably terminate such connections, if needed.

True, you or all your preventive software may not be able to capture all unauthorised/intrusive measures, but I believe in keeping yourself informed with the latest Internet "trends", and using a bit of common sense, the usual stuff: don't run suspicious attachments (even though it may seem to be from a trusted source), don't use pirated software, don't visit crack/hack, etc. web sites, make sure you have a decent firewall installed (hardware ones are the best), backup your critical data often, etc.

Finally, just keep an open mind about the Internet. The best or most secured place doesn't always mean it's the safest. No point worrying too much about things that are out of our control. If you're really curious about what transpires between your client & other servers or the Internet in general, install a protocol analyser and see/learn what is exchanged through your network. A lot of people I know have captured hidden/unknown (till it was captured) traffic through such tools. Ethereal (www.ethereal.com) is one such good tool to start from.

Have Fun & Good Luck.
0
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 20 total points
ID: 9661145
Did you even run "tasklist /svc" like the article suggested?  It's all well and good to say "I will only accept exact answers", but we need some additional info from you in order to provide one, since it is impossible to determine the problem without your participation.

*My* exact answer is:

If you wanted an OS that puts everything out in the open where you can see it, then you shouldn't be running XP.  Mickeysoft design philosophy is directly at odds with this idea, if you haven't noticed already.  Familiarize yourself with every process running on your XP box, and then you will be able to answer your own question.  If you are unwilling/unable to do that, then just accept the fact that XP itself (and other software you probably installed) rely on Akamai services to locate critical hosts (for updates, notifications, etc) and get over it already.

Do you even know what Akamai is?  It is simply an optimized redundant DNS/server farm solution for companies (like Microsoft, Symantec, etc) that have a lot of users.  Akamai is just a bunch of DNS servers that resolve your DNS request to a server that should be fast and/or close to you.  You connect to Akamai-hosted machines all the time, but you never see it or know it because it's not as regular and persistent as those update processes you are running that like to poll for updates and notifications constantly.

>None of the information you've provided gives me the method for discovering who owns this link

What are you talking about?  Once again, did you even bother to run "tasklist /svc"?

You are hopeless - "windows update" is only a guess until you disable it on your machine and then post back here saying it did or did not remove one of your outbound connections from svchost...

Read this:

http://www.experts-exchange.com/Miscellaneous/Lounge/Q_20768606.html

and humble yourself

Cheers,
-Jon



0
 

Author Comment

by:dgwilson
ID: 9662110
Jon,

>What are you talking about?  Once again, did you even bother to run "tasklist /svc"?

Yes, I did and it only confirmed what the IP tool I used had told me, that SOMETHING had

>You are hopeless - "windows update" is only a guess until you ... blah, blah, blah

Who put a bee in YOUR bonnet? You weigh in here a week later with all your righteous indignation and superiority.

Well, since you OBVIOUSLY know more than all the rest of us combined, you OBVIOUSLY deserve ALL the points. But I'm going to give sunray and mapledrum some of them. Sunray for sticking in there and mapledrum for being the most verbose.

Thanks for all your help folks even though I never got a specific answer!

dgw
0
 
LVL 5

Expert Comment

by:mapledrums
ID: 9662175
Thanks for the points.

If you're asking how to trace who owns an IP address, do a "nslookup <IP address>" to obtain the domain name which the IP belongs to. Then you need to do a whois on the domain name. You can do a whois from this web site: http://www.internic.net/whois.html.
0
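The correlation that the `tasklist /svc` suggestion in this thread points toward, as an added example that is not part of any post: it joins `netstat -ano` rows to `tasklist /svc /fo csv` rows by PID. Both sample outputs are constructed; the two remote endpoints come from the question, 1136 is assumed to be the process ID, and the local addresses and service lists are invented.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; 1136 is assumed to be a PID.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      207.126.99.151:80      ESTABLISHED     1136
  TCP    192.168.1.10:1046      65.65.163.19:443       ESTABLISHED     1136
  TCP    192.168.1.10:1050      192.168.1.1:80         ESTABLISHED     2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
"""

# Constructed sample of `tasklist /svc /fo csv` output; service lists are invented.
TASKLIST_SAMPLE = '''\
"Image Name","PID","Services"
"svchost.exe","1136","AudioSrv,BITS,Schedule,wuauserv"
"iexplore.exe","2044","N/A"
'''

def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc /fo csv`."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svc = row["Services"].strip()
        services = [] if svc in ("", "N/A") else [s.strip() for s in svc.split(",")]
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs

def parse_netstat(text):
    """Yield (remote endpoint, PID) for established TCP rows of `netstat -ano`."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED" and f[4].isdigit():
            yield f[2], int(f[4])

def attribute_connections(netstat_text, tasklist_text):
    """Join each connection to its owning process and hosted services by PID."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for remote, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<unknown>", []))
        out.append({"remote": remote, "pid": pid, "image": image, "candidates": services})
    return out

if __name__ == "__main__":
    for rec in attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(rec["remote"], rec["pid"], rec["image"], rec["candidates"] or "(no hosted services)")
```

Because one svchost.exe instance hosts several services, the join yields a list of candidate services rather than a single owner. Stopping one candidate at a time and capturing again, as the accepted answer suggests for Windows Update, is what narrows it to one.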
