# Weird connection from a dubious IP listening to open ports. Help me out please



## yecax (Apr 10, 2018)

The problem: I just noticed yesterday when looking in Resource Monitor that this IP is listening from port 80 to a port on my machine (attached image 1.1). You can see that the image name in Resource Monitor is svchost.exe.

As a first measure I added this IP to my router IP filtering and set it as discard. The connection was closed and then was gone from the list.

Today, surprise, I open the PC and the IP is back, but this time the connection stayed on a port for a minute or so and then went to the next port etc. (attached image 1.3).
I used TCPView and see that the state of the connection is SYN_SENT (attached image 1.1). I read a bit; does this mean that I was successful in blocking this IP from listening to ports on my machine? Or am I wrong in thinking this?
I also added the IP to the Windows Firewall but I could still see the connection in Resource Monitor.

The weird thing is that this is done through svchost. At this point I have no idea what this actually means. There is no running program or service that is doing something on my machine right? Is this the normal behaviour when someone attempts to open a connection to an IP? Will this always appear under svchost?

What can I do at this point? I am actually scared that my PC is compromised. Sometimes when I close it, it used to hang a bit with a message: waiting for background process (without mentioning any name). I get some weird behaviour in online games sometimes, like a weird lag / input lag; not sure this is related though, but this is what prompted me to start looking around to see if maybe the LAN card is causing this.

I scanned today with 2 tools against malware and nothing was found (only some minor stuff in Firefox that was dealt with). I am using NOD32 anti-virus. I have a router that I connect to.

What do you think of this, is the IP dangerous? If you search for it you can see that there are some complaints from users that have the same problem as I do, but at this point I'm not sure who exactly is doing this and what they are doing.

https://www.abuseipdb.com/check/93.184.220.29?page=5#report

```
93.184.220.29 was found in our database!
This IP was reported 124 times. Confidence of Abuse is 18%
ISP: EdgeCast NetBlk   Usage Type: Content Delivery Network   Domain Name: edgecast.com
Country: United States   City: Ashburn, Virginia
```

I am actually pretty scared at this point. What do you advise me to do, how can I overcome this, and is my PC compromised already?

Btw, captures 1.4 and 1.5 are from the router and Windows Firewall, not sure if it helps. Do you think I am doing it right in trying to block activity from this IP?


----------



## CrAsHnBuRnXp (Apr 10, 2018)

svchost is a Windows process. It's probably phoning home to Microsoft.


----------



## StefanM (Apr 10, 2018)

Here is the info from a whois query:


```
Using server whois.ripe.net.
Query string: "-V Md5.1 93.184.220.29"

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '93.184.220.0 - 93.184.223.255'

% Abuse contact for '93.184.220.0 - 93.184.223.255' is 'abuse@verizondigitalmedia.com'

inetnum:        93.184.220.0 - 93.184.223.255
netname:        EDGECAST-NETBLK-03
descr:          NETBLK-03-EU-93-184-220-0-22
country:        EU
admin-c:        DS7892-RIPE
tech-c:         DS7892-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-EDGECAST
created:        2012-06-22T21:57:14Z
last-modified:  2012-06-22T21:57:14Z
source:         RIPE # Filtered

person:         Derrick Sawyer
address:        13031 W Jefferson Blvd #900, Los Angeles, CA 90094
phone:          +18773343236
nic-hdl:        DS7892-RIPE
created:        2010-08-25T18:44:19Z
last-modified:  2017-03-03T09:06:18Z
source:         RIPE
mnt-by:         MNT-EDGECAST

% This query was served by the RIPE Database Query Service version 1.91.1 (HEREFORD)
```


----------



## Space Lynx (Apr 10, 2018)

If it were me, I'd just change my DNS over to Cloudflare IPv4 and IPv6, then run a VPN like AirVPN 24/7 through OpenDNS, and only after a clean install of Windows... but I am slightly paranoid, so


----------



## yecax (Apr 10, 2018)

CrAsHnBuRnXp said:


> svchost is a windows process. It's probably phoning home to microsoft



Hm, so in fact my svchost is initiating the requests?


----------



## CrAsHnBuRnXp (Apr 10, 2018)

Do other devices in your network start with a 93.184.xxx.xxx IP address? If so, this is internal.


----------



## yecax (Apr 10, 2018)

CrAsHnBuRnXp said:


> Do other devices in your network start with a 93.184.xxx.xxx ip address? if so, this is internal.


None, my PC starts with 192.

Maybe I am reading the Resource Manager wrong. As you can see in the images, the Remote Address is the 93.184 one, but I am not sure who is initiating the connection.


----------



## Assimilator (Apr 10, 2018)

First check: what is your PC's IP address? If it also starts with 93 then you are fine.

If not: since the info you've supplied shows it's your PC trying to connect (outbound connection) and not another PC trying to connect to you, you are probably okay. The fact that this IP may be compromised is not necessarily cause for alarm - you simply have a Windows service (SvcHost.exe = Windows services) that is trying to connect to something on the Internet to do something completely normal and correct (e.g. your Windows is trying to update itself by talking to Microsoft's servers).

However, your computer has an old/stale/malicious entry in its DNS cache. DNS is the system that maps hostnames (like techpowerup.com) which humans can understand, to IP addresses (like 168.235.67.115) which computers can understand. The end result is your PC is attempting to connect to a good hostname (e.g. windowsupdate.microsoft.com), but DNS is telling it that that hostname is at this 93.whatever IP that you are worried about, instead of the actual 157.56.77.153.

A simple way to double-check what's going on is to clear (flush) your PC's DNS records with this command (run from an Administrator command prompt):

```
ipconfig /flushdns
```

Once you have done that, you should no longer see any outbound connections to the bad IP.

If you still do, the DNS server that you're using may be compromised. You should be able to change what DNS your home network uses in your router's settings - by default it will be your ISP's server, but you can change it to 1.1.1.1, 4.4.4.4, or 8.8.8.8 (all of these are free, high-quality, extremely reliable and trustworthy DNS services hosted by large Internet companies). After you've done that, rerun the command I gave above.

If you change your DNS server and your PC continues to make outbound requests to the 93.whatever "bad" IP, one of the services on your machine is intentionally going to that IP directly. This may be valid, or (more likely) it may be malware - it's difficult if not impossible to distinguish which, so I would perhaps enlist some support from experts in fighting malware like the good people at Bleeping Computer.
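A way to check the two points above on Windows (which process or service owns the connection, and whether the remote IP came out of the DNS cache), as an added PowerShell example that is not from this thread or any of its posters. It assumes Windows 8.1/10 or later with the NetTCPIP and DnsClient modules; `$RemoteIp` defaults to the address discussed in the thread and is the only input.

```powershell
# Added example (not from the thread): attribute an outbound TCP connection to its
# owning process/service and check whether the remote IP was obtained via DNS.
# Assumes Windows 8.1/10+ (NetTCPIP and DnsClient modules). Run from PowerShell.
param(
    [string]$RemoteIp = '93.184.220.29'   # address from the thread; replace as needed
)

# 1. Every TCP connection to the remote IP, in any state (SYN_SENT included).
#    Get-NetTCPConnection reports a non-terminating error when nothing matches.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Host "No TCP connections to $RemoteIp right now."
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("{0}:{1} -> {2}:{3}  state={4}  pid={5} ({6})" -f `
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort,
        $c.State, $c.OwningProcess, $proc.ProcessName)

    # 2. svchost.exe hosts many services per process; tasklist /svc lists the
    #    services living inside this particular PID, which is what you actually want to know.
    if ($proc -and $proc.ProcessName -eq 'svchost') {
        tasklist /svc /fi "PID eq $($c.OwningProcess)"
    }
}

# 3. Was this IP handed out by a DNS answer? If so, the cached entry names the
#    hostname the service was really trying to reach (an update or CDN host, for example).
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Data -eq $RemoteIp }
if ($cached) {
    $cached | Select-Object Entry, RecordType, TimeToLive, Data | Format-Table -AutoSize
} else {
    Write-Host "No DNS cache entry resolves to $RemoteIp (direct connection, or the entry already expired)."
}

# 4. Reverse lookup as a second hint about who operates the address.
Resolve-DnsName -Name $RemoteIp -Type PTR -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost | Format-Table -AutoSize
```

Read step 3 together with step 2: a cache entry for a vendor or CDN hostname plus a service name that belongs to a known product (Windows Update, an anti-virus updater) is the benign pattern; a service you cannot account for, connecting to an IP that no cached name resolves to, is the case worth handing to a malware-removal specialist as the post suggests. Flushing the cache with `ipconfig /flushdns` afterwards clears step 3's evidence, so run the check first.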


----------



## CrAsHnBuRnXp (Apr 10, 2018)

yecax said:


> None, my PC starts with 192


That is your internal IP address for your home network. What is the external IP address?


----------



## yecax (Apr 10, 2018)

Assimilator said:


> First check: what is your PC's IP address? If it also starts with 93 then you are fine.
> 
> If not: since the info you've supplied shows it's your PC trying to connect (outbound connection) and not another PC trying to connect to you, you are probably okay. The fact that this IP may be compromised is not necessarily cause for alarm - you simply have a Windows service (SvcHost.exe = Windows services) that is trying to connect something on the Internet to do something completely normal and correct (e.g your Windows is trying to update itself by talking to Microsoft's servers).
> 
> ...



Thanks for the response. My IP starts with 192.168.

I have set as DNS in my router settings the same IP as the one set for the router LAN IP.

The Local Area Connection then obtains an IP automatically, and DNS is set to obtain automatically.

Do these settings make any sense?

```
Router LAN IP Address    192.168.2.1
Subnet Mask              255.255.255.0
DNS Server1 IP Address   192.168.2.1
Default Gateway          192.168.2.1

DHCP Start IP Address    192.168.2.10
DHCP End IP Address      192.168.2.254
```

So you are saying that I should use a DNS server like 1.1.1.1? So I should just set this as the DNS Server1 IP Address, instead of the 192.168.2.1 I use now?
Sorry, I know my way around on a PC but I am mainly clueless about networking.



CrAsHnBuRnXp said:


> That is your internal IP address for your home network. What is the external IP address?



Yes indeed. I checked and it's not even close to that one.


----------



## Kursah (Apr 10, 2018)

Go to https://www.whatismyip.com/ and report back. That is your public IP address.

192.168 is a private address meant for LAN not WAN usage.

I agree with the above you should flush your DNS cache and consider using a non-ISP DNS like Google, OpenDNS, Quad9, etc.

If you are using 192.168.2.1 for DNS, then you're likely relying on your router for DNS if that is the router's IP address. So simply go onto your router and have it use one of those suggested DNS servers rather than the ISP's default ones. Then if it is the DHCP server as well (likely here) then any device that connects and uses the router for DNS will be using a better DNS service provider server than the ISP's.


----------



## yecax (Apr 10, 2018)

Kursah said:


> To to https://www.whatismyip.com/ and report back. That is your public IP address.
> 
> 192.168 is a private address meant for LAN not WAN usage.
> 
> ...



OK, I set the new DNS, but then going on the Status page of the router I see the real DNS and it's the one of my internet provider, hm.
I have a checkbox called Enable DHCP Server and this is checked, so basically it seems that the DNS I set is mainly ignored.


----------



## Kursah (Apr 10, 2018)

If you set your router's DNS to manual, put in one of the suggested servers above (OpenDNS is 208.67.222.222 and 208.67.220.220), Quad9 (9.9.9.9), Google (8.8.8.8), etc.  If your DHCP server on the router is set to default and in-use, it should automatically set DHCP to the gateway (192.168.2.1), and DNS as well. So it won't change your local DNS, but it will route DNS requests to the appropriate forwarder when it can't answer the query. 

Another option in the router is to set the DNS servers that DHCP gives out from the default, many home grade routers allow this. 

To bypass this and confirm if that's the issue, you can also manually set the DNS on your NIC/WiFi adapter in Network & Sharing Center, then Change Adapter Settings, then right click on the active network device and select Properties, choose Internet Protocol Version 4 (TCP/IPv4), choose Properties, change Obtain DNS server automatically to Use the following DNS server addresses. Enter your preferred and alternate DNS servers.

Either way I would run CMD as admin, and type *ipconfig /flushdns* just to make sure your DNS cache is cleared out.
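To confirm that a DNS change like the one described above actually took effect, the following added PowerShell example (not from the thread or any poster) lists the DNS servers each adapter really uses and compares the configured resolver's answer for a test name against a public resolver. `$TestName` and `$ReferenceServer` are assumed placeholders; the reference server defaults to Quad9 (9.9.9.9), which the post mentions. It assumes Windows 8.1/10 or later with the DnsClient module.

```powershell
# Added example (not from the thread): verify which DNS servers are in effect and
# whether the configured resolver answers the same as an independent public one.
# Assumes Windows 8.1/10+ (DnsClient module). $TestName and $ReferenceServer are placeholders.
param(
    [string]$TestName        = 'example.com',   # any hostname you expect to be stable
    [string]$ReferenceServer = '9.9.9.9'        # Quad9, one of the resolvers named in the thread
)

# 1. DNS servers per adapter, exactly as the client has them (DHCP-assigned or manual).
#    If the router's DHCP still hands out the ISP resolvers, they show up here.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 2. Resolve the test name two ways: through whatever the adapter is configured with
#    (-DnsOnly skips the hosts file, LLMNR and NetBIOS) and through the reference server.
$viaConfigured = Resolve-DnsName -Name $TestName -Type A -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object
$viaReference  = Resolve-DnsName -Name $TestName -Type A -Server $ReferenceServer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress } | Sort-Object

Write-Host "configured resolver : $($viaConfigured -join ', ')"
Write-Host "$ReferenceServer            : $($viaReference -join ', ')"

# 3. A difference is a prompt to look closer, not proof of tampering: CDN-backed names
#    legitimately return different addresses depending on where the resolver sits.
#    @() guards against a null result when one lookup failed.
if (Compare-Object @($viaConfigured) @($viaReference)) {
    Write-Warning "Answers differ between the configured resolver and $ReferenceServer; re-check the adapter settings above."
} else {
    Write-Host "Both resolvers agree for $TestName."
}
```

Run it once before and once after changing the DNS settings (and after `ipconfig /flushdns`, which the post recommends): step 1 should show the new server addresses, and step 2 should stop disagreeing if the old resolver was the cause of the odd answers.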


----------



## yecax (Apr 10, 2018)

Kursah said:


> If you set your router's DNS to manual, put in one of the suggested servers above (OpenDNS is 208.67.222.222 and 208.67.220.220), Quad9 (9.9.9.9), Google (8.8.8.8), etc.  If your DHCP server on the router is set to default and in-use, it should automatically set DHCP to the gateway (192.168.2.1), and DNS as well. So it won't change your local DNS, but it will route DNS requests to the appropriate forwarder when it can't answer the query.
> 
> Another option in the router is to set the DNS servers that DHCP gives out from the default, many home grade routers allow this.
> 
> ...


Edit: I think the new DNS settings are working now, as long as they are set in the connection settings. Will see if that IP connection appears again.
Thanks for the help.

Yes, I also set it in the LAN settings.

Why would the main settings page show this though?

DNS 193.231.252.1/213.154.124.1/0.0.0.0

It's like it's ignoring my settings entirely and uses the provider DNS address. I'm right, no? It should display here one of the DNS IPs I have set.

I have this menu: Network -> LAN -> DHCP Server

```
DNS Server1 IP Address 208.67.222.222
DNS Server2 IP Address 208.67.220.220
```

Above, a checkbox (not checked): Assign IspDns

The WAN and WLAN submenus have nothing about the DNS Server, so I suppose the only place I can set that is in the menu above.


----------



## Kursah (Apr 10, 2018)

So those DNS (193 and 213) are likely your ISP DNS servers. To change those there is a setting or a checkbox to allow you to manually set your DNS servers...though your router's current firmware could be missing that feature for various reasons. It is rare, and I haven't seen a router in years that didn't let you set this.

Good that you set your DHCP server though, that way if DNS is broken on the ISP's DNS servers, and your router can't forward requests, you are totally bypassing that anyways.

WLAN I wouldn't worry about, that's Wireless LAN. WAN is Wide Area Network, that is the ISP's network zone, where LAN is your zone for reference. If it isn't in there, then what you did is the way to go.

Keep us posted.


----------



## remixedcat (Apr 23, 2018)

Wireshark it.


----------



## Solaris17 (Apr 23, 2018)

Do you have ESET (anti-virus) installed?

Nvm, re-read and see you have NOD32 (ESET) installed. It belongs to ESET's kernel firewall module IIRC. It's harmless. Great detective work though. The IP will also probably change frequently since they are using a CDN to push defs.


----------



## FordGT90Concept (Apr 23, 2018)

I'm guessing you're a Verizon customer or have a Verizon phone connected to your network.  If this is the case, I wouldn't be worried about it.

If it concerns you that much, you can always firewall it in your router and see if anything breaks.


----------



## DeathtoGnomes (Apr 23, 2018)

lynx29 said:


> if it were me, I'd just change my DNS over to Cloudflare IPV4 and IPV6, then run a VPN like AIR VPN 24.7 through OPEN DNS, and only after a clean install of windows... but I am slightly paranoid, so


Why do all that when TinyWall works just fine for blocking processes?


----------

