
Strange network activity from Svchost(NetworkService)


34 replies to this topic

#1 HairyApricot

  • Members
  • 197 posts

Posted 02 July 2016 - 01:01 PM

Hello

 

I am posting here to see if I can identify the source or reason for these connections. I have already made a post in the Virus and Malware forum here: http://www.bleepingcomputer.com/forums/t/617403/strange-connections-from-svchostnetworkservice/

 

They have declared me clean from any malware or infection. Further details can be found in that post, but to summarize:

 

When I first log in to my PC, I get connections via Svchost(NetworkService) to a few IP addresses including an addr.btopenworld, 104.16.93.188, 93.184.220.20, 93.184.220.29, comodoca.crl, apps.digsigtrust and one to securenet. The most data received seems to be from 93.184.220.20 or 93.184.220.29. A connection to a Google-registered IP also occurs. The connections also occurred when connecting to Steam and when Premiere Pro or other Adobe products were transmitting usage data. It also occasionally does it while I use Chrome. I used Process Explorer, and the service within Network Service that was making the connections was CryptSvc.

 

My work PC makes a connection like the ones described above when it boots up, though it's to Akamai. My brother's computer also had many of the same connections that mine did. So now I want to actually know: what is causing these checks? I am on Windows 7N; my connection is BT, using a TP-Link adapter and a router.

 

Any help you can give in this matter is appreciated, thank you :)

 

 




#2 Wand3r3r

  • Members
  • 2,027 posts

Posted 02 July 2016 - 01:17 PM

Sounds normal.  As services and programs load or are started by you they make connections.  There is nothing wrong with that.



#3 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 03 July 2016 - 06:30 AM

I get that the services themselves would, but why does NetworkService need to connect to these IPs, and why is CryptSvc the one making the connections?



#4 Trikein

  • Members
  • 1,321 posts
  • Gender:Male
  • Location:Rhode Island, US

Posted 03 July 2016 - 09:32 AM

What ports are being used to those IPs?



#5 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 03 July 2016 - 01:39 PM

Off the top of my head, 80, I think.



#6 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 04 July 2016 - 08:57 AM

Yes, they are definitely port 80, just checked.



#7 Wand3r3r

  • Members
  • 2,027 posts

Posted 04 July 2016 - 11:20 AM

You have a concern or is this just satisfying curiosity?

 

Pretty simple to google.

http://www.bleepingcomputer.com/startups/cryptsvc.dll-25643.html



#8 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 05 July 2016 - 07:52 AM

I am not sure. I mean, the malware forum declared my PC clean, and nothing strange has happened on it. I would just like to know why it makes connections to these IPs, usually while reading my CryptnetUrlCache. I think another one of the IP addresses was 192.35.177.64. I just want to finally know why it needs to do this, is all :)



#9 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 07 July 2016 - 05:00 AM

So what do you think?



#10 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 11 July 2016 - 02:28 PM

So I understand that this behavior is normal, but why these IPs specifically? What causes the checks, and why does it read the cache? Does the CDN of my IP have something to do with it? If this is not the correct forum to ask this on, please say so, so that I might take this query to the right place.



#11 technonymous

  • Members
  • 2,490 posts
  • Gender:Male

Posted 13 July 2016 - 08:54 AM

If you want to know what program, app or service is establishing a connection, you can run a command.

 

Go to Start, Run or Search, type cmd, right-click and Run as administrator. Type netstat -bano

 

Running that, you should see a list of established connections: the IP address, the service or .exe file that is connecting, and the PID number. Now, with the PID number, you can investigate further: hit Ctrl+Shift+Esc to open Task Manager. Under the Details tab, look up the running processes that match that PID. Right-click the process and you get more options, such as Open File Location and Properties, to check digital signatures and whether it is a legitimate app, etc.
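
The netstat -bano / Task Manager procedure above, as an added PowerShell example that is not part of the thread: it does the connection-to-PID lookup in one pass and goes one step further for svchost.exe by naming the service(s) hosted in that PID, which is exactly the gap the topic starter hit (netstat -b and Task Manager only say "svchost.exe"; Process Explorer was needed to get to CryptSvc). It also prints the account each process runs under, which is the check post #12 below describes. It relies only on netstat -ano and WMI, so it works on Windows 7 / PowerShell 2.0 as well as later Windows PowerShell versions; the sample netstat line in the comment is constructed.

```powershell
# Added example, not from the thread: netstat -ano -> owning process -> hosted
# service(s) -> hosting account, in one pass. Run from an elevated Windows
# PowerShell prompt (needs Get-WmiObject, so Windows PowerShell, not PowerShell 7).

# Running services indexed by hosting PID; one svchost.exe instance can carry several.
$svcByPid = @{}
foreach ($s in Get-WmiObject Win32_Service -Filter "State='Running'") {
    $svcByPid[[int]$s.ProcessId] += @($s.Name)
}

# Matches constructed lines like:
#   TCP    192.0.2.10:49321    93.184.220.29:80    ESTABLISHED    1234
# IPv6 remotes appear as [addr]:port and are captured the same way. LISTENING
# sockets are skipped; only outbound connections are of interest here.
$pattern = '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(ESTABLISHED|SYN_SENT|CLOSE_WAIT)\s+(\d+)\s*$'

$rows = foreach ($line in (netstat -ano)) {
    if ($line -notmatch $pattern) { continue }
    $remote, $port, $state, $procId = $Matches[1], $Matches[2], $Matches[3], [int]$Matches[4]
    if ($remote -match '^(127\.|\[::1\]$)') { continue }   # loopback chatter

    $proc  = Get-WmiObject Win32_Process -Filter "ProcessId=$procId"
    $owner = if ($proc) { $proc.GetOwner() } else { $null }

    New-Object PSObject -Property @{
        Remote   = "${remote}:${port}"
        State    = $state
        PID      = $procId
        Process  = if ($proc) { $proc.Name } else { '<exited>' }
        # Genuine service hosts run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE.
        # An "svchost.exe" owned by the logged-in user is the case to look at.
        Account  = if ($owner -and $owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        Services = ($svcByPid[$procId] -join ', ')
    }
}

$rows | Sort-Object Process, Remote |
    Format-Table Remote, State, PID, Process, Account, Services -AutoSize
```

For the traffic in this thread the interesting rows are the ones with Process = svchost.exe, Account = NT AUTHORITY\NETWORK SERVICE and CryptSvc somewhere in the Services column; the same PID will usually also list other services that share that host, so the Services column narrows the candidates rather than proving which one opened the socket. On a stock Windows 7 box without PowerShell, `tasklist /svc /fi "PID eq 1234"` gives the same service list for one PID.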



#12 technonymous

  • Members
  • 2,490 posts
  • Gender:Male

Posted 13 July 2016 - 08:56 AM

Oh, if you find a system service running under a user, then that might be a sign of something fishy going on, especially if you see svchost running under the Users tab in Task Manager.



#13 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 13 July 2016 - 12:50 PM

Hi technonymous. As I said in the post body, I know which svchost is making these connections and the service; it's CryptSvc. All run under SYSTEM. The malware team have assured me it's nothing dodgy, so now I just want to know why it's making these connections :)



#14 technonymous

  • Members
  • 2,490 posts
  • Gender:Male

Posted 13 July 2016 - 04:57 PM

Well, CryptSvc in particular is just an update service from Microsoft that does routine checks on many Trusted Root Certification Authority certificates in your cert manager. This is to ensure that those root certificates installed on your PC are up to date and valid/signed. Many certs may only be valid for a year. Some may have been revoked because the root keys have become compromised, and the update is connecting to upload a current one. It is an important and critical service. If a root cert is compromised, then your online session to banking, web services, data etc. over an encrypted Secure Socket Layer SSL/TLS 1.2 may not be safe.


Edited by technonymous, 13 July 2016 - 05:02 PM.
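
The certificate checks described in the post above can be made visible per URL instead of per IP. The following added PowerShell example (not from the thread) enables the CAPI2 diagnostic log, which is off by default, and lists every object CryptSvc or any other process fetched over the network: CRLs, OCSP responses, AIA certificates and the root-store (authroot / disallowedcert) CTL updates. That directly answers "why these IPs": the URLs name the CRL and update hosts that the CDN addresses in the first post serve. It runs on Windows 7 and later from an elevated Windows PowerShell prompt. The UserData element and attribute names used below (CryptRetrieveObjectByUrlWire, URL, Object.type, Result.value, EventAuxInfo.ProcessName) are taken from the CAPI2 event schema as this editor knows it and are an assumption; check them against one event's ToXml() output if a column comes back empty.

```powershell
# Added example, not from the thread: list network fetches recorded by the CAPI2
# operational log (event 53 = CryptRetrieveObjectByUrlWire, one record per URL).
$log = 'Microsoft-Windows-CAPI2/Operational'

# Off by default. Enabling it costs a little CPU per certificate validation and up
# to /ms bytes of disk; turn it back off with /e:false when finished.
wevtutil sl $log /e:true /rt:false /ms:16777216

# Reproduce the traffic now (log in again, open Chrome, start Steam), then query.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 53 } -ErrorAction SilentlyContinue

function Get-Text($node) {
    # Elements that carry attributes come back as XmlElement, plain ones as [string].
    if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node }
}

$fetches = foreach ($e in $events) {
    # Element names below are assumed from the CAPI2 schema; see lead-in.
    $ud = ([xml]$e.ToXml()).Event.UserData.CryptRetrieveObjectByUrlWire
    if (-not $ud) { continue }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Process = $ud.EventAuxInfo.ProcessName     # e.g. svchost.exe, chrome.exe
        Object  = $ud.Object.type                  # e.g. "Certificate Revocation List"
        Result  = [string]$ud.Result.value         # "0" = success, otherwise an error code
        URL     = Get-Text $ud.URL
    }
}

# One row per fetch, oldest first.
$fetches | Sort-Object Time | Format-Table Time, Process, Object, Result, URL -AutoSize

# The same data grouped by host: this is the list of names behind the CDN IPs.
$fetches | Where-Object { $_.URL } |
    Group-Object { ([uri]$_.URL).Host } | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Two things to expect in the output. First, the Process column for the fetch is the process whose chain validation triggered it (a browser, Steam, an Adobe updater), while the socket itself belongs to the CryptSvc host; that is why netstat attributes the traffic to svchost.exe/NetworkService even though the poster's own programs caused it. Second, the fetched objects land in the CryptnetUrlCache that post #8 mentions, and CryptSvc consults that cache before going to the network, which is why the cache read and the connection appear together; `certutil -urlcache` (a real, built-in command) lists the cached URLs for the account it is run as.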


#15 HairyApricot

  • Topic Starter
  • Members
  • 197 posts

Posted 14 July 2016 - 07:20 AM

How come the connections are as frequent as they are? Granted, the data received is usually only a few bytes, though sometimes it's a few kilobytes. And why does it need to read my CryptnetUrlCache?





