Geekzone: technology news, blogs, forums


MadEngineer

3529 posts

Uber Geek

Trusted

#150788 3-Aug-2014 12:38

I have my firewall only accepting forwarded connections that are initiated (new) from known devices on my internal network. Anything else, with the exception of a dst-nat (port forward) rule created for torrents, is blocked. This includes anything that creates a UPnP port forward. If you're not something I know of, you get blocked and labelled a 'spammer'. Should a 'spammer' try any unsolicited connection a second time, they get blocked outright with no exceptions for a duration of time.

Through this I notice in the logs that every few seconds there are connection attempts being made to a UPnP created port forward entry, as follows:



Running netstat -ao shows that the service is as highlighted below:


Any ideas?




You're not on Atlantis anymore, Duncan Idaho.

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #1101339 3-Aug-2014 22:33

Can't quite read the text in the first image.




 
 
 

yitz
1874 posts

Uber Geek


  #1101345 3-Aug-2014 22:45

Looks like torrent related traffic to me. It is not unusual to still receive traffic from peers for hours/days even after you close your client.
Could also be Skype.

MadEngineer

3529 posts

Uber Geek

Trusted

  #1101370 4-Aug-2014 00:05

^ no, it's not torrent traffic. the port forward was created by upnp. what created the port forward?  service with pid 972 as per my screenshot.

if you hit quote on my post you'll see the data easier.





You're not on Atlantis anymore, Duncan Idaho.



Dynamic
3583 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1101417 4-Aug-2014 07:38

Capture a few seconds of traffic using Wireshark maybe?




“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management.  A great Kiwi company.


MadEngineer

3529 posts

Uber Geek

Trusted

  #1101663 4-Aug-2014 12:37

yeah the device can do this by itself to a file ... will have to when I get more time (it's only my home router :))

Just rather odd that, considering that a Windows service is opening up a port, I'm then getting attempts to it from random non-Microsoft addresses. My initial thoughts are something like OneDrive might have a push update function, and third parties are somehow able to abuse this.

Should be interesting as it could affect everyone with Windows 8, seeing all domestic routers nowadays have UPnP enabled and will blindly accept traffic.




You're not on Atlantis anymore, Duncan Idaho.

MadEngineer

3529 posts

Uber Geek

Trusted

  #1102820 5-Aug-2014 19:33

Not particularly human readable

[headers stripped]
Data (52 bytes)
0000 60 00 00 00 00 00 3b 15 20 01 00 00 9d 38 6a b8 `.....;. ....8j.
0010 24 f6 36 66 c5 53 f1 79 20 01 00 00 9d 38 90 d7 $.6f.S.y ....8..
0020 0c 3c 33 4d 86 9c e4 12 01 04 79 a6 23 11 04 04 .<3M......y.#...
0030 00 00 00 00 ....




You're not on Atlantis anymore, Duncan Idaho.
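Added example, not written by anyone in this thread: the 52 bytes posted above start with an IPv6 header whose source and destination both sit in 2001:0000::/32, the Teredo prefix defined in RFC 4380, so this sketch decodes the header and the fields Teredo packs into each address. The names `parse_packet` and `decode_teredo` are made up for the example, and reading the last 12 bytes as type/length/value trailers is an assumption based on the Teredo extensions in RFC 6081.

```python
import ipaddress
import struct

# Payload bytes copied from the post above (52 bytes, outer headers stripped).
DUMP = bytes.fromhex(
    "60000000 00003b15 20010000 9d386ab8"
    "24f63666 c553f179 20010000 9d3890d7"
    "0c3c334d 869ce412 010479a6 23110404"
    "00000000"
)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # RFC 4380 Teredo prefix

def decode_teredo(addr):
    """Split a Teredo IPv6 address into the fields RFC 4380 packs into it."""
    server, flags, port, client = struct.unpack("!4sHH4s", addr.packed[4:])
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "flags": flags,
        # The mapped UDP port and client IPv4 are stored XORed with all ones.
        "port": port ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in client))),
    }

def parse_packet(data):
    if len(data) < 40 or data[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", data[4:8])
    src = ipaddress.IPv6Address(data[8:24])
    dst = ipaddress.IPv6Address(data[24:40])
    info = {
        "payload_len": payload_len, "next_header": next_header,
        "hop_limit": hop_limit,
        "src": src, "dst": dst,
        # Zero payload with Next Header 59 (No Next Header) is a Teredo "bubble".
        "bubble": payload_len == 0 and next_header == 59,
        "teredo": {str(a): decode_teredo(a) for a in (src, dst) if a in TEREDO_PREFIX},
        "trailers": [],
    }
    # Bytes after the IPv6 packet, read as TLVs (assumption: RFC 6081 trailers).
    rest = data[40 + payload_len:]
    while len(rest) >= 2 and len(rest) >= 2 + rest[1]:
        info["trailers"].append((rest[0], rest[2:2 + rest[1]].hex()))
        rest = rest[2 + rest[1]:]
    return info

if __name__ == "__main__":
    for key, value in parse_packet(DUMP).items():
        print(key, value)
```

On Windows, Teredo is hosted by the IP Helper service, and `netsh interface teredo show state` reports whether the tunnel is active.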

Regs
4064 posts

Uber Geek

Trusted
Snowflake

  #1102950 5-Aug-2014 22:16

MadEngineer: ^ no, it's not torrent traffic. the port forward was created by upnp. what created the port forward?  service with pid 972 as per my screenshot.

if you hit quote on my post you'll see the data easier.



What about Skype?  Do you have that running?  (question asked alongside torrents above)

As for the pid972, may be the "IP Helper" or another service - perhaps an app (may well be nothing to do with windows) on your machine is calling a upnp api via that windows service






MadEngineer

3529 posts

Uber Geek

Trusted

  #1103737 7-Aug-2014 00:05

I have Skype installed, but it doesn't run on startup and isn't sitting in the background. My machine is quite clean.




You're not on Atlantis anymore, Duncan Idaho.
