# Steam connecting to Chinanet port 80?



## P4-630 (May 18, 2019)

I've been using Glasswire for a while now, and today I just happened to notice that Steam Client WebHelper or Steam Client Bootstrapper was connecting to 5 Chinese servers on port 80?

I did one whois:


----------



## SoNic67 (May 18, 2019)

I fired up my Wireshark and Steam and I didn't see any connections to 180.101...


----------



## EarthDog (May 18, 2019)

Looks like a hop hitting a backbone...yeah. 

Where is vinewood?


----------



## SoNic67 (May 18, 2019)

EarthDog said:


> Where is vinewood?


If it is the one in KS, it is strange to "hop" through China... Maybe it is something else on his system?


----------



## Solaris17 (May 18, 2019)

Is it still doing it? Can you Wireshark it and get a TCP dump so you can see what it's actually passing?


----------



## P4-630 (May 18, 2019)

EarthDog said:


> Where is vinewood?


NL, Europe

(Vinewood, GTA V)



Solaris17 said:


> Is it still doing it?



I've just noticed it this morning, haven't seen it since.

I've installed Wireshark but I'm not sure how to use it.
If I see it again in Glasswire I will try Wireshark.


----------



## SoNic67 (May 18, 2019)

On Wireshark, you select the connection that you want to monitor (Ethernet or WiFi, whatever you use) and it will start recording the packets. Recommend stopping other apps that run in taskbar, or you will be flooded with packets.
After some time you can press "Stop" and then search through the recorded packets.


----------



## P4-630 (May 18, 2019)

SoNic67 said:


> On Wireshark, you select the connection that you want to monitor (Ethernet or WiFi, whatever you use) and it will start recording the packets. Recommend stopping other apps that run in taskbar, or you will be flooded with packets.
> After some time you can press "Stop" and then search through the recorded packets.



Ok I see. Edit: just did a test run, it was pretty easy to do.

I will keep an eye on Glasswire for now, when it happens again I'll check with Wireshark.


----------



## er557 (May 18, 2019)

Just use PeerBlock with the many extensive block lists available online; it blocks all unwanted IPs system-wide, updates the lists automatically, filters all spyware/anti-P2P etc. addresses on the interwho, and also protects file sharing software.


----------



## P4-630 (May 18, 2019)

Ok so it just happened again....



EarthDog said:


> Looks like a hop hitting a backbone...yeah.



But still, I live in Europe.


----------



## Chomiq (May 18, 2019)

Have you tried getting in touch with steam?


----------



## FreedomEclipse (May 18, 2019)

I'm tempted to install glasswire myself now


----------



## Chomiq (May 18, 2019)

I've installed it, no China traffic with Steam active. Everything from steamwebhelper goes through 443 on my install.


----------



## FordGT90Concept (May 18, 2019)

P4-630 said:


> View attachment 123218
> 
> View attachment 123219


They all have a length of 0 so...basically it's like an envelope with nothing in it.


----------



## R-T-B (May 18, 2019)

FordGT90Concept said:


> They all have a length of 0 so...basically it's like an envelope with nothing in it.



Yeah. It's odd for that reason alone, but I honestly don't see how it could be harmful with a 0 length either.


----------
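
What a "length of 0" packet is at the TCP level, as an added example that is not from any poster in this thread: the Python below parses IPv4/TCP packets and separates control-only segments (no payload) from segments that carry data. It assumes the length shown in the screenshots is the TCP payload length; the local address 192.168.1.10, the contrast host 192.0.2.1 and all packet bytes are constructed sample data.

```python
import socket
import struct

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (constructed sample; checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def describe(packet):
    """Return (dst, dport, flags, payload_len) for one IPv4/TCP packet."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]   # IP total length
    tcp = packet[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    flags = "+".join(name for bit, name in FLAG_NAMES if tcp[13] & bit)
    # Payload is what remains once both headers are subtracted.
    return socket.inet_ntoa(packet[16:20]), dport, flags, total_len - ihl - data_offset

def classify(packets):
    """Split packets into control-only segments (payload 0) and data segments."""
    control, data = [], []
    for pkt in packets:
        info = describe(pkt)
        (data if info[3] else control).append(info)
    return control, data

# Constructed capture: three zero-payload segments to an address from this
# thread, plus one data-carrying segment to a documentation address for contrast.
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = [
    build_packet("192.168.1.10", "180.101.192.198", 50000, 80, 0x02),     # SYN
    build_packet("192.168.1.10", "180.101.192.198", 50000, 80, 0x10),     # ACK
    build_packet("192.168.1.10", "180.101.192.198", 50000, 80, 0x11),     # FIN+ACK
    build_packet("192.168.1.10", "192.0.2.1", 50001, 80, 0x18, REQUEST),  # PSH+ACK
]

if __name__ == "__main__":
    control, data = classify(SAMPLE)
    for dst, dport, flags, n in control + data:
        print(f"{dst}:{dport:<4} {flags:<8} payload={n}")
```

A run of zero-payload SYN, ACK and FIN segments means a TCP connection was opened and closed without any application data being carried in those segments.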



## P4-630 (May 18, 2019)

I have created some firewall rules to block connections from and to 180.96.0.0 - 180.127.255.255 and 203.80.144.0 - 203.80.151.255.


----------



## W1zzard (May 18, 2019)

P4-630 said:


> Ok so it just happened again....


Grab process monitor, it will let you see exactly which process made a request, from/to which IP and port, and you can correlate that with filesystem activity, which might provide additional insights.


----------



## EarthDog (May 18, 2019)

P4-630 said:


> But still, I live in Europe


And? 

Shortest route to the server you are on may go through that backbone... I don't know.


----------



## FYFI13 (May 18, 2019)

Just a long shot, but perhaps one of your installed games is phoning home once you launch the Steam client? Shouldn't be happening though.


----------



## SoNic67 (May 19, 2019)

EarthDog said:


> Shortest route to the server you are on may go through that backbone... I don't know.


If it was a regular "hop" it wouldn't be visible like that; it could be found only with traceroute. What he is describing is a direct connection to that IP.
Note that the Steam bootstrapper will connect to various geographically varied servers.
The Steam client is mostly connected to Akamai servers and the steamstore.


----------



## eterniti (Sep 16, 2019)

steam.exe making connections on 203.80.149.66, 180.101.192.198, 203.80.149.65, 180.101.192.197.
Those are tagged as suspicious connections (tagged as such by BlackFog).
Some China IPs... it's a set of malicious/worrisome IPs to BlackFog (red skull icons), but probably an FP; the thing is how much noise is made by those stupid gaming apps.
All works fine if you stop those IPs (you can with IPFire, pfSense, PeerBlock, BlackFog and so on).


----------
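
The firewall ranges and the reported addresses from this thread, checked against each other, as an added example that is not from any poster: the Python below collapses the two blocked start-end ranges into CIDR networks, counts how many addresses the rules cover, and reports which rule matches each observed address. The address 192.0.2.10 is a constructed control value that should match no rule.

```python
import ipaddress

# Ranges from the firewall-rule post in this thread.
BLOCKED_RANGES = [("180.96.0.0", "180.127.255.255"),
                  ("203.80.144.0", "203.80.151.255")]
# Addresses reported in this thread, plus one constructed control address.
OBSERVED = ["203.80.149.66", "180.101.192.198", "203.80.149.65",
            "180.101.192.197", "192.0.2.10"]

def to_cidrs(first, last):
    """Collapse an inclusive start-end range into the minimal list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def audit(ranges, observed):
    """Return (networks, total addresses blocked, {ip: matching network or None})."""
    nets = [net for first, last in ranges for net in to_cidrs(first, last)]
    matches = {}
    for ip in observed:
        addr = ipaddress.ip_address(ip)
        matches[ip] = next((str(net) for net in nets if addr in net), None)
    return nets, sum(net.num_addresses for net in nets), matches

if __name__ == "__main__":
    nets, total, matches = audit(BLOCKED_RANGES, OBSERVED)
    print("Rules as CIDR:", ", ".join(str(n) for n in nets))
    print("Addresses blocked in total:", total)
    for ip, net in matches.items():
        print(f"{ip:<16} -> {net or 'not covered'}")
```

The total makes the breadth of a range-based block visible: a rule written to stop a handful of addresses also drops everything else hosted in the same allocation.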



## er557 (Sep 17, 2019)

+1 for PeerBlock, many lists available online, for me it blocks 2 billion IPs if I see correctly


----------

