Strange Firewall Activity

I did a clean install of the OS two weeks ago. When I boot up my laptop, my firewall reports a crazy amount of blocked connections. The IP address may belong to Microsoft, named "Microsoft bingbot".

City:    Redmond, Washington
Postal Code:    98052

Rapidly, over the course of 92 seconds, my ports are scanned, from TCP port 55000 to 60000. After the burst of scanning, the speed slows down, typically one port being tested at a time (usually once every 9 seconds).

Netstat reports the processes requesting the ports are SVCHOST.EXE and SNTLKEYSSRVR.EXE.

I also identified two lookups: one belongs to Microsoft, and one is unknown.

I do not understand why this is happening. Can anyone make sense of this?

This is a recurring event, even when I boot up with WiFi disabled.


Sounds like you're talking OUTBOUND traffic.. this is NOT port scanning... The software you have installed and the OS are looking to contact something, and you're blocking it.. So it's trying other ports.

Why do you block outbound traffic in the first place?? Like you said, it was a clean install - what is there you do not trust?

You know what is strange - is people blocking outbound traffic without knowing why, from software they trust. I have yet to get a straight answer from anyone on this board for a legit reason that they block outbound traffic.. Are you behind a NAT router? If you were, your firewall would never see inbound traffic that was not requested by you... Unless you have forwarded ports or put your box in the DMZ of your router? Or is this laptop plugged directly into the public net? What else is on your local network that is hostile?

You are causing yourself nothing but worry and grief trying to watch what your box does outbound... You should only run software on your machine you trust, so what is the reason to block it from talking? You do understand that bad software that you ran would most likely just disable your firewall - or, the latest trend, just encrypt your machine and then ask for money..

Quick Google shows that exe most likely is "Sentinel key" by SafeNet Inc., now Gemalto: http://www.safenet-inc.com/

svchost.exe runs lots of different services under its umbrella


C:\>tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    728 DcomLaunch, PlugPlay, Power
svchost.exe                    876 RpcEptMapper, RpcSs
svchost.exe                    220 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe                    172 AudioEndpointBuilder, hidserv, Netman,
                                   PcaSvc, TrkWks, UmRdpService, UxSms,
                                   Wlansvc, WPDBusEnum, wudfsvc
svchost.exe                    580 EventSystem, fdPHost, FontCache, netprofm,
                                   nsi, WdiServiceHost
svchost.exe                    532 AeLookupSvc, Appinfo, BITS, CertPropSvc,
                                   EapHost, IKEEXT, LanmanServer, ProfSvc,
                                   Schedule, SENS, SessionEnv,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1168 gpsvc
svchost.exe                   1256 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, TermService
svchost.exe                   1576 BFE, DPS, MpsSvc
svchost.exe                   2392 DiagTrack
svchost.exe                   3684 stisvc
svchost.exe                   5448 PolicyAgent

What firewall software are you running?

 

 


This laptop is almost entirely used to assist with network rendering (LuxRender), along with playing older games.

So the firewall is set up to block bogon addresses along with malware networks. In recent years, I had Serious Organized Crime Agency ransomware and other ransomware and malware popping up on my browser when I go about installing security software, the minute I go online after reformatting and a clean install of Windows. In response, I try to run a very strong firewall.

Firewall software: Bot Revolt

Sites I use to download security software: download.com and sourceforge.net

Edited by Alley Cat

"In response, I try to run a very strong firewall."

Without a clue to what it means, it seems... Blocking bogons -- do you even know what a bogon is? This is an address that shouldn't even route, since it is unassigned space... So exactly how are you seeing or going to those addresses?

I have never seen a hit on my firewall for any bogon or even martian.. I would love to see these logs showing you're seeing traffic from or even to these sorts of addresses..

As to ransomware - this is something that was installed, or possibly a drive-by.. I would adjust your browsing habits as the best defense against this: use ad blockers, block known bad IP ranges and DNS.. Not allowing bogons isn't going to stop that sort of thing.

Behind even your typical NAT router there is NO allowed inbound traffic to your machine, unless you requested it!! What have you forwarded to your machine? Have you put it in a DMZ that has all ports open to it?

"and one unknown"

What is the IP you have a question on?? You do understand a machine running Windows is going to talk to MS quite a bit!! And as I showed in the previous post, svchost runs a bunch of stuff.. If you're curious as to what is talking - track that down specifically. But there is really little reason to block outbound traffic from a machine; if you want to log it for curiosity, sure.. If you're really worried then run an IDS/IPS on your network to keep an eye out for bad/unwanted sorts of traffic... Keep in mind these tools have a steep learning curve and the noise is going to take quite some effort to filter out.

What is the dest IP on these scans you're seeing? "TCP port 55000 to 60000." Is that inbound to your public IP from where? Or outbound from your machine to what IP?


Outgoing TCP connection attempts, ports 49000 to 60000. Along with outgoing UDP connection attempts, ports 137 and 138.

Sometimes the connection destination is identified as Microsoft or Valve Corporation (even when Steam is not running). And other names show up in the TCP range of 49000 to 60000.

I know about drive-bys. I have seen this behaviour after a clean install of Windows XP (back in the day) and with Win 7 when I use a browser to download antivirus, Malwarebytes, etc.


Sounds like normal activity to me... Steam runs services in the background, I believe, even if the app isn't running. See "Steam Client Service". Also, Microsoft services are constantly connecting to the internet: NTP, Windows Updates, etc. So your outgoing attempts sound normal, but someone else can chime in.


Outbound UDP on 137 and 138 and 139, also prob see TCP as well. MS stupidity and failure to fix their OS for the internet.. When you connect to a server on the internet, yes, Windows will do a query for its name via NetBIOS if it does not get a DNS answer.. Do a simple tracert and when you don't get a PTR answer, Windows in its infinite wisdom will try a NetBIOS query for it..

See - a simple traceroute to Neowin causes this.

[screenshot: netbios.thumb.png]

Is that some security concern??

As to TCP to 49000 to 60000, there are many applications that would do that... Why don't you actually look at that traffic if you have concerns?? See above example.. You do understand that bad software is most likely going to hitch a ride on your browser and make connections to open ports like 80 and 443 that look like normal web traffic, etc..

You blocking outbound traffic is sure as hell not going to stop some drive-by infection of your machine, that is for damn sure..


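Added example, not code from any poster in this thread, that does the "track that down specifically" step the replies above keep asking for: it joins constructed `netstat -ano` rows to the owning image and service list by PID using the fixed-width `tasklist /svc` columns shown earlier, and labels each socket the way the replies explain the traffic (a high local port on an outbound connection is the client side of a connection the machine opened, not a scan of it; UDP 137/138 is the NetBIOS name/datagram service used for the name-query fallback). The 49152 dynamic-range start is an assumption about the default on Vista and later; the sample addresses and PIDs are made up.

```python
# Constructed sample output shaped like `netstat -ano` and `tasklist /svc` (page column widths); addresses and PIDs are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49731     13.107.4.50:443        ESTABLISHED     1256
  TCP    192.168.1.20:55012     162.254.196.67:27017   SYN_SENT        3320
  UDP    192.168.1.20:137       *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1256 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, TermService
System                           4 N/A
Steam.exe                     3320 N/A
"""
EPHEMERAL_START = 49152   # assumed default dynamic (client) port range start on Vista and later
NETBIOS_UDP = {137, 138}  # NetBIOS name service and datagram service

def _services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist(text):
    # Map PID -> (image name, [services]) from the fixed-width `tasklist /svc` columns.
    procs, pid = {}, None
    for line in text.splitlines()[2:]:          # skip the header and the ===== rule
        if not line[:25].strip():               # wrapped continuation of the Services column
            procs[pid][1].extend(_services(line[35:]))
        else:
            pid = int(line[25:34])
            procs[pid] = (line[:25].strip(), _services(line[35:]))
    return procs

def classify(proto, local_port, foreign, state):
    # Label a socket the way the thread explains the traffic.
    if proto == "UDP" and local_port in NETBIOS_UDP:
        return "netbios-name-service"       # Windows falls back to a NetBIOS name query when DNS gives no answer
    if local_port >= EPHEMERAL_START and foreign != "*:*" and state != "LISTENING":
        return "outbound-client"            # a high *local* port is our end of a connection we opened, not a scan of us
    return "other"                          # e.g. a listener, or an accepted inbound connection on a low local port

def attribute_connections(netstat_text, tasklist_text):
    # Join each netstat row to its owning image and services by PID, then classify it.
    procs, rows = parse_tasklist(tasklist_text), []
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign, pid = f[0], f[1], f[2], int(f[-1])
        state = f[3] if proto == "TCP" else ""
        image, services = procs.get(pid, ("<unknown>", []))
        rows.append({"proto": proto, "local": local, "foreign": foreign, "pid": pid, "image": image,
                     "services": services, "verdict": classify(proto, int(local.rsplit(":", 1)[1]), foreign, state)})
    return rows
```

On a real machine, feed it the output of `netstat -ano` and `tasklist /svc` run at the moment the firewall logs the "scan"; a row attributed to a PID not in the tasklist snapshot shows up as `<unknown>`.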

On Tuesday, January 12, 2016 at 4:37 PM, xendrome said:

SNTLKEYSSRVR.EXE is for some type of hardware dongle for some piece of hardware/software you have installed.

I Googled that file name. sntlkeyssrvr.exe uses ports 7001 and 7002.

Not something I see in my firewall logs about those ports. I suppose the Intel Anti-Theft Management is the hardware dongle in question.

I know Windows is a flaming mountain of bad code.

I am also aware that none of my blocking efforts will protect me 100%, but I will sure try. I had an unknown infection about 2.5 years ago; it created a new user account and slowed my system to a crawl. But no scareware screens or redirecting was going on. So I assume, correctly, my firewall settings blocked the real payload of the malware.


"So I assume, correctly, my firewall settings blocked the real payload of the malware"

Bad speculation on your part is more like it.. You have no idea what this infection's purpose was.. Why do you assume its plan was redirecting your browser to scare screens? It could have just been sending your info to some server via one of your browser connections..

What part do you not get about blocking outbound, especially on the host making the connections via software, being useless and always going to be TOO late, since the code trying to make the connections already ran on your machine.. And that no code written by anyone other than some stupid script kiddie would attempt access outbound on anything other than known ports.. They would attempt to hide their traffic inside your normal traffic like 80 and 443 to websites.. Doing anything other would just draw attention to themselves, and the vast majority of all traffic from any sort of company network, where the vast population of machines normally block unknown ports anyway, be it at the corp firewall or the proxy.

You're doing nothing more than giving yourself a false sense of security and causing yourself grief since you do not understand basic traffic flow and haven't even spent the time to configure your firewall/security software.

 
