Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Svchost: Internet request from loopback???

  1. #1
    drsnafu Guest

    Default Svchost: Internet request from loopback???

    The strangest thing happened to me when I started up my laptop today. After zonealarm loaded, it gave me an alert that svchost.exe was asking permission to access the internet.

    Description Generic Host Process for Win32 Services requested permission to access the internet.
    Rating High
    Date / Time 2008/08/29 04:47:10-5:00 GMT
    Type Repeat Server Program
    Program C:\WINDOWS\system32\svchost.exe
    Source IP 0.0.0.0:135
    Destination IP
    Direction Incoming (listen)
    Action Taken Blocked (once)
    Count 1
    Source DNS
    Destination DNS

    (I checked the file, it's the proper one in the system32 dir. Also used Process explorer to make sure nothing out of place was running. Plus this was after I'd done a complete scan with KAV, Spybot S&D and Ad-Aware the previous session, lol) Now, I had the permissions for svchost.exe in zonealarm set up for internet and trusted access, and trusted server. Internet server was set to ?, either from default or because I wanted to keep an eye on it. Up until now, nothing had popped up like this. I found from research that 0.0.0.0 was an internal address, much like the loopback. Then why did svchost want to connect to the net to talk to it? Strange... When my mom turned her computer on another strange thing happened. I got a request from her!

    Description Generic Host Process for Win32 Services requested permission to access the internet.
    Rating High
    Date / Time 2008/08/29 09:14:14-5:00 GMT
    Type Repeat Server Program
    Program C:\WINDOWS\system32\svchost.exe
    Source IP 158.14.183.193:1046
    Destination IP
    Direction Incoming (accept)
    Action Taken Blocked
    Count 1
    Source DNS
    Destination DNS

    (Yes, this is an internal router based network. I just had the weird idea of making the internal IPs... different. It's her computer's IP.) She received an identical alert to the one got when starting up my computer. Internet request from svchost. As a test, I restarted my laptop and sure enough, I received the same request from 0.0.0.0:135, and she got one from me at 158.14.183.192:1033 (My IP address, but with a different port.) They both only started doing this today. I've looked and can't find anything to link them. No suspicious services running, no other strange happenings. Is it some service that decided to start pinging everyone on the network? I'm not quite sure what to make of it.

    I was hoping for some insight from people like Oldsod, from my research he's the most competent I've seen when it comes to internet in/outs. Tho any help at all would be appreciated.

    +Windows XP Home SP2
    +Kaspersky antivirus 7.0
    +ZA Pro 7.0.483.000
    +Spybot S&D
    +Lavasoft Ad-aware

    Operating System:Windows XP Home Edition
    Software Version:7.0
    Product Name:ZoneAlarm Pro

  2. #2
    minorman Guest

    Default Re: Svchost: Internet request from loopback???

    I am also getting the message for svchost.exe listening on IP 0.0.0.0:135 after I start Windows XP.
    I
    would also like to know WHY!
    It has only been happening recently.

  3. #3
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Svchost: Internet request from loopback???


    <blockquote><hr>minorman wrote:
    I am also getting the message for svchost.exe listening on IP 0.0.0.0:135 after I start Windows XP.
    I
    would also like to know WHY!
    It has only been happening recently.

    <hr></blockquote>


    Seems normal and safe - not unusual for the windows services to be listening on the zero octet (or also known as the non routeable) address.

    The 0.0.0.0 address goes no further than the windows itself and the local area network.

    Oldsod.
    Best regards.
    oldsod

  4. #4
    drsnafu Guest

    Default Re: Svchost: Internet request from loopback???

    Ah, so my worries were unfounded. Still, it's a great relief to hear it from you. =) It's odd that I've left that unblocked since... July was it? And it decides to get chatty now. Heh, oh well. I guess I'll just leave the internet zone server setting on 'block' as per your recommendation.

    Thanks again, we all appreciate the hard work you do for the online security community. Stay well. (Has a doozy of a cold himself. xD)

    EDIT: So the requests coming from the other computer on my network are the same thing?

    Message Edited by DrSNAFU on 08-29-2008 03:13 PM

  5. #5
    minorman Guest

    Default Re: Svchost: Internet request from loopback???

    Thanx Oldsod.
    But, you say &quot;The 0.0.0.0 address goes no further than the
    ...
    the local area network&quot;.
    Since my home LAN's IP address space is 192.168.123.1xx , 0.0.0.0 is not included. I can agree that it
    appies to this Host computer -- but that's about it.
    It's also interesting that
    the alert
    SUDDENLY is happening now on this computer , on startup, (It also happened for the first time when my wife started up Win Xp on her computer today.) COULD
    this alert
    be due to a recent auto
    UPDATE to ZoneAlarm? NOTE:

    Port 135 is for

    DCE endpoint resolution (epmap) which I see is shown to be listening in the Current Ports applet. Furthermore, epmap has always been in the listening state way before this alert occurred. This re-inforces my hunch that the alert is due to
    my recent ZoneAlarm auto-update.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Svchost: Internet request from loopback???

    0.0.0.0 is used for the localhost (along with the usual loopback of 127.0.0.1) and for the initial pings and broadcasts (following the initial arp connections) when the computer has yet not received an IP from the dhcp server.

    Just remember when the computer as not yet received an assigned IP from the dhcp server, it must use some sort of IP to use for the pings and broadcasts and the initial "hello" connections to the dhcp it will always use the 0.0.0.0 IP. And it can not use the 127.0.0.1 address for these connections.

    It will continue to use the 0.0.0.0 when there are other further connections to be made to the local area network. Even if there are no need to or it is not required.
    But a listening state on the 0.0.0.0 is not an open port or a threat by any means.



    Try netstat -anob in the command and see what comes up for the 0.0.0.0:135.
    More than likely the svchost and some rpc service will show, along with others.

    However, many windows applications (and others) will listen and connect on the 0.0.0.0 and accept servers from the loopback address (127.0.0.1). And visa versa.

    ZA has always traditionally been a little "jumpy" or "jittery" about the 0.0.0.0 and has always declared any 0.0.0.0 connections as "internet".
    When in fact this is not tghe case.
    Usually or almost always the 0.0.0.0 is simply just used internally OR to connect windows to the dhcp and other lan devices.

    The only time windows will use 0.0.0.0 (or any application for that matter) to connect to the internet is IF there is a VPN involved and then the second lan suddenly becomes part of the computers owns lan (with all of the new dhcp, dns, file sharing, etc added in).

    Another consideration is that the 0.0.0.0 is used for the initial connections to the dhcp. So if the computer does not have a local area network gateway and instead uses the dhcp of the internet provider, then in some cases the user may consider the dhcp still internet and not trusted (which is actually incorrect but some people do see things this way).

    Oldsod.
    Best regards.
    oldsod

  7. #7
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Svchost: Internet request from loopback???

    Yes is okay.
    Perhaps the new install changed certain features of protection or the new install was clean and the settings of the ZA are fresh.
    Myself I let this go and be allowed, as windows does use this port on my own desktop (on the 0.0.0.0. address).

    Hmm more than likely the two computers saw each other and tried to connect to get friendly or get a little "feely".
    Really not unusual for lan computers and devices to do this, even if the owners frown upon this fraternizing.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    minorman Guest

    Default Re: Svchost: Internet request from loopback???

    Oldsod,
    Thanx for
    the comprehensive info on the use for 0:0:0:0.
    netstat -anob reveals the following connection for 0:0:0:0 that is in the LISTENING state:
    TCP 0:0:0:0:445 (Port 445 is microsoft-ds)
    There are other
    ports listed for 0:0:0:0
    , but they
    have no state. They are all UDP protocol. The &quot;Current Ports&quot; aplet also lists port 135 as LISTENING, whereas the netstat command does not.(Port 135 is used for DCOM services; thus port 135 should be LISTENING)
    It will be interesting
    to see if I get a ZA alert box when
    I fire up my Win XP computer that uses a STATIC ip instead of DHCP. (I have disabled the DHCP client service on that computer; but DCOM is running.)


  9. #9
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Svchost: Internet request from loopback???

    Once the dhcp client service is disabled and the windows is locked in to a static IP, the windows and the network is still constantly receiving/sending arp, broadcasts/multicasts and pings.
    The 0.0.0.0 activity will still be present.
    This is normal

    On the other hand, listening on the 0.0.0.0 is an internal issue of windows not a networking issue - 445 is for the specific ms service and it is at a ready state.
    This is very harmless.
    Not a real security issue by any means.

    For "extreme" measures, see:

    http://www.hsc.fr/ressources/breves/...win.en.html.fr

    But this advice from hsc.fr can and will break something on windows.
    So you now have been for-warned if you break or hinder your own network/internet connections.
    Or break something in windows itself.
    And so can this following advice from ms also can have unwanted repercussions:

    in no particular order.....

    TCP/IP and NBT configuration parameters for Windows XP
    http://support.microsoft.com/?kbid=314053



    Chapter 9: Implementing TCP/IP Security
    http://www.microsoft.com/mspress/boo...chap/6418.aspx



    Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide
    http://technet.microsoft.com/en-us/l.../cc750828.aspx


    Also, keep in mind the previous advisements are slanted towards a server situation and not a home computer behind a gateway/router. These are two completely seperate situations and should never be mixed in together or assumed to be the same.

    Oldsod.

    Message Edited by Oldsod on 08-30-2008 06:41 AM
    Best regards.
    oldsod

  10. #10
    drestifo Guest

    Default Re: Svchost: Internet request from loopback???

    Ok, please clarify then. .. what should be done for this situation? I'm getting similar alerts on two computers on a wireless network. Thank you.

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •