Unknown svchost.exe DNS port 53 network activity - Firewalls



Thread: Unknown svchost.exe DNS port 53 network activity

  1. Unknown svchost.exe DNS port 53 network activity

    This is regarding a Windows XP Professional PC. I noticed heavy
    activity on my router as well as my PC LAN connection icon in the tray.
    After some digging appears to be a svchost process that is listening on
    port 53 with a remote address of my ISP's DNS server. My router is not
    set to forward DNS traffic to a specific system, and I don't run any
    DNS servers.

    I am worried about this process since there's a lot of data being
    transmitted/received and it's starting to introduce delays with my web
    connections, and seems to be affecting available bandwidth as well.

    The following have not identified any viruses or other malware:

    AntiVir antivirus
    Avast antivirus
    Spybot S&D
    Ad Aware
    AVG antispyware

    I got the following information for the related process from Port
    Explorer

    Command line: c:\windows\system32\svchost.exe -k Network Service

    Killing this process returns everything to "normal" with port 53
    traffic stopped and all other applications working fine.

    Any help explaining this activity and how to disable it would be
    greatly appreciated. Is this something normal with Windows I may have
    missed?

    Thanks,
    Raffi


  2. Re: Unknown svchost.exe DNS port 53 network activity


    "Raffi" wrote in message
    news:1166648972.302288.17030@79g2000cws.googlegroups.com...
    > This is regarding a Windows XP Professional PC. I noticed heavy
    > activity on my router as well as my PC LAN connection icon in the tray.
    > After some digging appears to be a svchost process that is listening on
    > port 53 with a remote address of my ISP's DNS server. My router is not
    > set to forward DNS traffic to a specific system, and I don't run any
    > DNS servers.
    >


    No traffic can come to the machine, unless you have opened the inbound port
    by using port forwarding on the router, which allows unsolicited inbound
    traffic to reach a machine. The machine may or may not be listening on the
    forwarded port. On the other hand, if a computer has made a solicitation for
    inbound traffic by sending outbound traffic to a remote IP, then solicited
    traffic is going to be let back through the router or a firewall, because
    the machine behind them made the solicitation.


    > I am worried about this process since there's a lot of data being
    > transmitted/received and it's starting to introduce delays with my web
    > connections, and seems to be affecting available bandwidth as well.


    Svchost.exe which should be running out of the Windows/System32 directory,
    otherwise it's a Trojan, does nothing on its own. It does the bidding for
    the O/S and its programs and other programs as well, it does the hosting.
    Svchost allows the communication between machines in a LAN or WAN situation.
    However, you should be aware of what Svchost is connecting to as malware can
    be hosted by Svchost.exe as well.

    I suspect the machine was just communicating with the ISP DNS servers as the
    machine with its O/S has made the solicitation for traffic.

    >
    > The following have not identified any viruses or other malware:
    >
    > AntiVir antivirus
    > Avast antivirus
    > Spybot S&D
    > Ad Aware
    > AVG antispyware


    Malware can circumvent and defeat every last bit of it.

    http://www.microsoft.com/technet/com...mt/sm0504.mspx

    >
    > I got the following information for the related process from Port
    > Explorer
    >
    > Command line: c:\windows\system32\svchost.exe -k Network Service
    >
    > Killing this process returns everything to "normal" with port 53
    > traffic stopped and all other applications working fine.
    >

    How can that be? If you cut off the traffic on port 53, then how is any
    machine with an application running where a URL is involved, look up the WAN
    IP that belongs to the URL, an application such as a browser accessing the
    Web site that WAN IP points to? That's what the ISP's Domain Name Server is
    for is to take a URL that has been given on its network and convert it to
    WAN IP so that an application can use the IP to go to a site.

    It could be with a browser, that any Web page you're accessing has been
    cached on the machine and is why you're thinking nothing is wrong.

    > Any help explaining this activity and how to disable it would be
    > greatly appreciated. Is this something normal with Windows I may have
    > missed?


    If you suspect something, then use the proper tools and look for yourself. A
    tool like Process Explorer will let you look inside any running process and
    see the exe, dll, etc., etc. or processes that are being hosted by a process
    such as Svchost.exe. I suspect there is nothing wrong with communications
    between a computer and the ISP's DNS server.

    Long
    http://www.windowsecurity.com/articl...vironment.html

    Short

    http://tinyurl.com/klw1



  3. Re: Unknown svchost.exe DNS port 53 network activity

    It's probably George Saint Pierre doing it.

    Raffi wrote:

    > This is regarding a Windows XP Professional PC. I noticed heavy
    > activity on my router as well as my PC LAN connection icon in the tray.
    > After some digging appears to be a svchost process that is listening on
    > port 53 with a remote address of my ISP's DNS server. My router is not
    > set to forward DNS traffic to a specific system, and I don't run any
    > DNS servers.
    >
    > I am worried about this process since there's a lot of data being
    > transmitted/received and it's starting to introduce delays with my web
    > connections, and seems to be affecting available bandwidth as well.
    >
    > The following have not identified any viruses or other malware:
    >
    > AntiVir antivirus
    > Avast antivirus
    > Spybot S&D
    > Ad Aware
    > AVG antispyware
    >
    > I got the following information for the related process from Port
    > Explorer
    >
    > Command line: c:\windows\system32\svchost.exe -k Network Service
    >
    > Killing this process returns everything to "normal" with port 53
    > traffic stopped and all other applications working fine.
    >
    > Any help explaining this activity and how to disable it would be
    > greatly appreciated. Is this something normal with Windows I may have
    > missed?
    >
    > Thanks,
    > Raffi



  4. Re: Unknown svchost.exe DNS port 53 network activity

    Raffi wrote:
    > This is regarding a Windows XP Professional PC. I noticed heavy
    > activity on my router as well as my PC LAN connection icon in the
    > tray. After some digging appears to be a svchost process that is
    > listening on port 53 with a remote address of my ISP's DNS server. My
    > router is not set to forward DNS traffic to a specific system, and I
    > don't run any DNS servers.


    Maybe the DNScache service? It shouldn't be listening on port 53,
    though. What's the output of "netstat -anob"?

    > I am worried about this process since there's a lot of data being
    > transmitted/received and it's starting to introduce delays with my web
    > connections, and seems to be affecting available bandwidth as well.


    Usually you'd inspect the traffic with a sniffer (e.g. Wireshark [1]) to
    get an idea of what's actually transmitted.

    [...]
    > I got the following information for the related process from Port
    > Explorer
    >
    > Command line: c:\windows\system32\svchost.exe -k Network Service


    Could indeed be DNScache, but check the netstat output to make sure.

    [1] http://www.wireshark.org/

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
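
Added example (not written by any poster in this thread): a small parser for `netstat -anob` output that separates a process bound to local port 53 from one that merely has a connection to a remote port 53, which is the distinction the replies above turn on. The sample output is constructed and simplified, and `example-dns.exe` is a hypothetical process name.

```python
import re

# Constructed, simplified `netstat -anob` output (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       972
  [svchost.exe]

  UDP    0.0.0.0:1035           *:*                                    1084
  [svchost.exe]

  TCP    192.168.1.10:1190      203.0.113.53:53        ESTABLISHED     1084
  [svchost.exe]

  UDP    0.0.0.0:53             *:*                                    3312
  [example-dns.exe]
"""

# The State column is empty for UDP rows, so it is optional in the pattern.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
EXE = re.compile(r"^\s*\[(.+)\]\s*$")

def port_of(addr):
    """Port of 'ip:port'; None for the '*:*' netstat prints for UDP peers."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def parse(text):
    socks, cur = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            cur = {"proto": proto, "local": local, "remote": remote,
                   "state": state or "", "pid": int(pid), "exe": None}
            socks.append(cur)
        elif cur and (b := EXE.match(line)):
            cur["exe"] = b.group(1)  # owning executable follows its socket row
    return socks

def classify(sock):
    if port_of(sock["local"]) == 53:
        return "bound-to-53"   # behaving like a DNS server on this host
    if port_of(sock["remote"]) == 53:
        return "dns-client"    # ordinary outbound lookup to a resolver
    return "other"

def dns_report(text):
    return [(s["exe"], s["pid"], s["proto"], classify(s))
            for s in parse(text) if classify(s) != "other"]

if __name__ == "__main__":
    for row in dns_report(SAMPLE):
        print(row)
```

Because netstat prints `*:*` as the foreign address of every UDP socket, UDP lookups to a resolver do not show up as "remote port 53" here; a packet capture is what shows where that traffic actually goes.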
