I have 2 Windows XP computers on a small LAN sharing files in a Workgroup. They use IP addresses 192.168.1.50 and 192.168.1.99. Intermittently I lose connection between the two. Kaspersky Internet Security 2010 on 192.168.1.50 is logging a Network Attack from 192.168.1.99 and closing all incoming connections from that computer.
TCP from 192.168.1.99 to local port 445
While digging into why Kaspersky thinks .99 is attacking .50 I discovered via netstat that the svchost.exe process on .99 is also making TCP port 80 calls to 126.96.36.199. Arin points that IP address to ISC, but it's a large netblock so there's not much other info about the owner. When I pull up the IP address in a browser it looks like a default Apache webpage: "It Works!"
I've pulled .99 off of the Internet for now.
Is there a legitimate reason why svchost.exe would call 188.8.131.52 on port 80?
Seems that the calls out to 184.108.40.206 may be related to the buffer-overflow exploit attempt; am I reading too much into it?