Am I chasing Shadows
Posted on 2011-02-23
I've got a problem with a process making regular https calls to a range of IP addresses that I don't recognise.
I am an IT guy but I do know my limitations and I seem to have reached them now so I'm asking for help - please.
Using TCPView I noticed a svchost.exe process with a continually open http connection to an IP address of 18.104.22.168
As I didn't recognise the destination, I closed the connection, it sprang back open again, this time to 22.214.171.124 - rinse and repeat as many times as you like and the connection rotates around 8 or 10 addresses in the 126.96.36.199xx range.
Being the paranoid type; I then blocked incoming and outgoing traffic on my firewall for the 77.67.10.00/24 subnet
Now; going over to Process Explorer revealed that the process with matching PID was attempting to establish a connection every few seconds - on a fresh IP in the above range each time.
The thread stack after a connection attempt looks like this:
That's me at the end of my know-how now.
The machine in question runs XP Pro and is a member of a Win SBS 2008 domain - The internet connection is via a Netgear firewall.
Does anyone recognise this IP range?
The usual searches just confirm that it's part of a block registered to Tiscali in The Netherlands.
Am I chasing shadows? If not and this is evidence of something nasty; where do I go next?
A Huge thank you in advance to anyone who takes the trouble to help with this.